PRIVACY POLICY

Elionova AG
Last updated: [March 3, 2026]

1. Introduction

Elionova AG (“Elionova”, “we”, “us”, or “our”) is committed to protecting personal data in accordance with applicable data protection laws, including:

The Swiss Federal Act on Data Protection (revFADP)
The EU General Data Protection Regulation (EU) 2016/679 (“GDPR”)
Other applicable international data protection laws

This Privacy Policy applies to:

https://www.elionova.com (the “Website”)
https://cloud.eliodx.com (the “Cloud Platform”)
Associated devices, software, and infrastructure operated by Elionova AG

2. Identity of the Controller

Elionova AG
Passage du Cardinal 13B
1700 Fribourg
Switzerland
UID: CHE-188.353.395
Email: info@elionova.com

For Website-related activities, Elionova acts as Data Controller.

For Cloud Platform services, Elionova typically acts as Data Processor on behalf of its customers, who determine the purposes and means of processing research data.

3. Scope of Application

This Privacy Policy distinguishes between:

Website data processing (Controller role)
Cloud Platform data processing (Processor role)

The legal basis and responsibilities differ depending on context.

PART I – WEBSITE PROCESSING (Controller)

4. Categories of Personal Data Collected

When you access or interact with the Website, we may process:

4.1 Contact and Communication Data

Name
Email address
Company affiliation
Message content

4.2 Technical and Usage Data

IP address
Browser type
Device information
Referring URL
Date and time of access

4.3 Cookie and Analytics Data

Cookie identifiers
Session information
Aggregated website usage statistics

5. Legal Basis for Website Processing

Where GDPR applies, processing is based on:

Art. 6(1)(b) GDPR – Pre-contractual measures
Art. 6(1)(f) GDPR – Legitimate interests (security, communication, service improvement)
Art. 6(1)(a) GDPR – Consent (analytics and non-essential cookies)

Under Swiss law, processing is conducted in accordance with revFADP principles of lawfulness, proportionality, and transparency.

6. Purpose of Processing

Website data is processed to:

Respond to inquiries
Provide product information
Improve website performance
Maintain system security
Comply with legal obligations

7. Data Retention (Website)

We retain Website personal data:

For the duration necessary to respond to inquiries
For contractual or pre-contractual purposes
For legal compliance
For security log retention (limited duration)

Analytics data is retained according to provider settings (typically up to 24 months).

PART II – CLOUD PLATFORM PROCESSING

8. Role Allocation

For the Cloud Platform:

Customer = Data Controller
Elionova AG = Data Processor

Elionova processes data strictly in accordance with documented customer instructions and the Data Processing Agreement (DPA).

9. Categories of Data Processed in the Cloud

Elionova may process the following on behalf of customers:

9.1 Account Data

User name
Email address
Organization
Authentication credentials

9.2 Technical Logs

IP addresses
Access timestamps
System activity logs

9.3 Research Data

Scientific test data
User-generated identifiers entered by customers

Elionova does not intentionally collect or determine patient identities.

If customers upload personal data, they remain solely responsible for its lawfulness.

10. Legal Basis (Cloud Platform)

Elionova processes data as a Processor under:

Art. 28 GDPR
Applicable Swiss data protection law

The lawful basis for research data processing is determined by the Customer.

11. Technical and Organizational Measures (TOMs)

Elionova implements appropriate safeguards pursuant to Art. 32 GDPR, including:

Hosting in AWS European regions
Encryption in transit (TLS)
Secure password hashing
Role-based access controls
Infrastructure monitoring
Network security protections
Audit logging

Security measures are reviewed periodically and updated in line with industry standards.

12. Sub-Processors

Primary infrastructure provider:

Amazon Web Services (AWS), European Regions

AWS acts as a sub-processor under contractual safeguards compliant with GDPR.

Elionova remains responsible for its sub-processors.

13. International Transfers

Cloud data is hosted within AWS European regions.

If data transfers outside the EU/EEA occur, appropriate safeguards under Art. 46 GDPR will be implemented, including Standard Contractual Clauses where required.

14. IP Address Logging

IP addresses are processed for:

Security monitoring
Fraud prevention
Incident detection
Service integrity

Legal basis:
Art. 6(1)(f) GDPR – Legitimate interest

IP logs are retained only as long as necessary for security and compliance purposes.

15. Data Subject Rights

Under GDPR and Swiss law, individuals have the right to:

Access personal data (Art. 15 GDPR)
Rectification (Art. 16 GDPR)
Erasure (Art. 17 GDPR)
Restriction (Art. 18 GDPR)
Data portability (Art. 20 GDPR)
Objection (Art. 21 GDPR)
Lodge complaints with supervisory authorities

Requests may be submitted to:
info@elionova.com

For research data uploaded by customers, requests should be directed primarily to the Customer acting as Controller.

16. Data Breach Notification

In the event of a personal data breach affecting Cloud Platform data, Elionova shall notify the relevant Customer without undue delay in accordance with GDPR requirements.

17. Data Deletion

Upon termination of services:

Data shall be deleted or returned according to Customer instructions
Retention may occur where required by law

18. Research Use Only (RUO)

Elionova services and devices are provided for research use only unless otherwise explicitly stated.

They are not intended for diagnostic or clinical decision-making purposes.

19. Automated Decision-Making

Elionova does not perform automated decision-making or profiling within the meaning of Art. 22 GDPR.

20. Changes to This Policy

We reserve the right to update this Privacy Policy at any time.

The current version will be available on the Website with an updated “Last updated” date.