This data protection policy (“Policy”) informs you how we (Reaction Biology Corporation) process your Personal Data when you visit our website, order our products, or receive marketing materials from us. “Personal Data” is any information relating to an identified or identifiable natural person (a data subject), such as your name, physical address, IP or email address that we receive either directly from you, or from our affiliated companies. While this Policy refers to the EU General Data Protection Regulation (“GDPR”), we provide the same standard of protection for Personal Data from individuals outside of the European Economic Area (“EEA”).
Who is responsible for the data collection on this website?
The party responsible for the processing of the Personal Data (data controller) is:
Reaction Biology Corporation
One Great Valley Parkway, Suite 2
Malvern, PA 19355
Attn: Customer Service
Phone: +1 877.347.2368
Email: email@example.com
How do we collect your data?
Some Personal Data are collected when you provide them to us to perform our services to you or sell our products online to you. This could be the case, for example, for Personal Data that you provide via an online contact, email contact, or order form. Other data sets are collected automatically by our IT systems through cookies etc. when you visit the website. These data are primarily technical data such as the browser and operating system you are using or when you accessed the page. These data are collected automatically as soon as you enter our website.
Server log files
When using the website for information purposes only (i.e. without registration), we only collect the Personal Data that your browser transmits to our server. When you visit the website, we collect the following data, which are technically necessary for us to enable you to visit the website and to ensure stability and security (legal basis is Art. 6 (1) lit. f GDPR). These data sets are:
These data sets will not be combined with data from other sources. The temporary storage of your IP address is necessary in order to enable the delivery of our website to your device. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. In these purposes lies our legitimate interest in data processing. The IP addresses are retained for 30 days. Error logs, which log erroneous page views, are deleted after 7 days. In addition to the error messages, these logs include the accessing IP address and, depending on the error, the website accessed.
What do we use your data for and where do we store them?
We process the personal data of our users only to the extent necessary for the provision of a functional website, its contents, and to provide our services. We process the personal data of our users unless an exception applies due to applicable law. Some of the data are used to analyze how visitors use the site. We do not use your personal data for profiling.
What is the legal basis for data processing under the Policy?
Insofar as we obtain the prior consent of the data subject for processing of personal data, Art. 6 (1) lit. a of the EU General Data Protection Regulation (“GDPR”) is the legal basis. If the processing of personal data is necessary for the performance of an agreement to which the data subject is a party, Art. 6 (1) lit. b GDPR is the legal basis. This also applies to processing operations required to carry out pre-contractual measures. If the processing of personal data is required to fulfill a legal obligation that our company is subject to, Art. 6 (1) lit. c GDPR is the legal basis. If the processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interest, fundamental rights, and fundamental freedoms of the data subject do not outweigh the former interest, Art. 6 (1) lit. f GDPR is the legal basis for processing.
How do we receive Personal Data from our affiliated companies in the EEA?
All Personal Data covered by this Policy is stored with us in the United States. We may receive your Personal Data from our affiliated companies or directly from you (e.g. by contacting us via telephone or email) for the purposes listed in this Policy. In order to provide an adequate level of data protection, we have a (controller-to-controller) data transfer agreement with our EEA-based affiliates in place (Art. 46 GDPR) and also incorporated the Standard Contractual Clauses (SCCs) issued by the EU Commission implementing decision 2021/914 of 4 June 2021. Please contact us if you would like to receive more information about these data transfers.
What are our Analytics and third-party tools?
When visiting our website, statistical analyses may be made of your surfing behavior by cookies, pixels or similar analytical tools. The analysis of your surfing behavior is usually anonymous, i.e. we will not be able to identify you from this data. You can object to this analysis or prevent it by not using certain tools. Detailed information and how you are able to object to the processing can be found in Sections 5 to 10 on cookies and tracking in this Policy below.
Promotional emails from us (opt-out)
We will only send you promotional materials if we have your prior consent or if we have received your e-mail address from you in connection with the sale of a good or service and use the email address for direct mail advertising of our own similar goods or services. In both cases, we will always provide you with a possibility to opt out of such email marketing or to withdraw your consent by writing to us at any time at no cost to you. Please note that data transmitted via the internet (e.g. via email communication) may be subject to security breaches. We do not warrant complete protection of your Personal Data from third-party access during and after the transmission.
To the extent that we process your personal data, you are entitled to the following rights:
You can request confirmation from us as to whether we process personal data related to you. If this is the case, you can request information from us about the following:
You have the right to demand information as to whether or not your personal data is transferred to a third country or an international organization. In this context, you have the right to request the appropriate guarantees in accordance with Article 46 GDPR with regard to the transmission.
You have the right to request the immediate correction/completion if your personal data processed by us is incorrect or incomplete.
Mandatory deletion
You are entitled to request that we delete your personal data immediately provided that one of the following reasons applies:
Exceptions
The right of deletion does not apply provided that the processing is required
Under the following conditions, you are entitled to request a restriction of the processing of your personal data:
If the processing of your personal data has been restricted, this data – with the exception of its storage – may only be processed with your consent or for the assertion, exercise or defense of legal claims, or to protect the rights of another natural or legal person or for reasons of substantial public interests of the Union or a Member State. If processing has been restricted as a consequence of the above-mentioned requirements, we will inform you before the restriction is lifted.
You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where the processing is based on Article 6(1)(a) or (b) or Article 9(2) GDPR.
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1) lit. f) GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are grounds for doing so that arise from your particular situation. Your personal data will then no longer be processed unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion or defense of legal claims.
To the extent the processing of your personal data is based on your consent pursuant to Art. 6(1) lit. a GDPR or Section 25 (1) TTDSG, you may withdraw your consent at any time with effect for the future by sending an email to firstname.lastname@example.org.
Regardless of other legal remedies, you have the right to file a complaint with the responsible supervisory authority if you are of the opinion that the processing of your data violates provisions of the GDPR.
This site uses SSL encryption for security reasons and for the protection of the transmission of confidential content, such as the inquiries you send to us as the site operator. You can recognize an encrypted connection in your browser’s address line when it changes from “http://” to “https://” and the lock icon is displayed in your browser’s address bar. If SSL encryption is activated, the data you transfer to us cannot be read by third parties.
Should you send us questions via the contact form, we will collect the data entered on the form, including the contact details you provide, to answer your question, and any follow-up questions. We do not share this information without your permission. We will, therefore, process any data you enter onto the contact form only with your consent pursuant to Art. 6 (1) lit. a GDPR. You may revoke your consent at any time. An informal email making this request is sufficient. The data processed before we receive your request may still be legally processed. We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Any mandatory statutory provisions, especially those regarding mandatory data retention periods, remain unaffected by this provision.
You can register on our website in order to access additional functions offered here and to offer our products (user account). On our Website, we have a contact form available, which we use for electronic contacts. If a user enters into contact with us through this form, the personal data entered in the input mask are transmitted to us and stored. The input data will only be used for the purpose of using the respective site or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise, we will not process your registration. To inform you about important changes such as those within the scope of our site or technical changes, we will use the email address specified during registration. We will process the data provided during registration only based on your consent pursuant to Art. 6 (1) lit. a GDPR or if the processing is necessary for the fulfillment of a contract with the user. The personal data will be deleted or fully anonymized if they are no longer necessary for this purpose. You may revoke your consent at any time with future effect by informing us via mail or by email at email@example.com. The data processed before we receive your request may still be legally processed. Even after the end of the contract, there may be a need for us to store personal data of the contracting party in order to comply with contractual or legal obligations. We will continue to store the data collected during registration for as long as you remain registered on our website or as is necessary to provide you with the purchased products. Statutory retention periods (e.g. for bookkeeping and tax reasons) remain unaffected.
We transmit personally identifiable data to third parties only to the extent required to fulfill the terms of your contract, for example, to companies entrusted to deliver goods to your location or banks or credit card companies entrusted to process your payments. We will also use your address and names for sending you invoices. Your data will not be transmitted for any other purpose unless you have given your express permission to do so. Your data will not be disclosed to third parties for advertising purposes without your express consent. The basis for data processing is Art. 6 (1) (b) GDPR, which allows the processing of data to fulfill a contract or for measures preliminary to a contract.
If you would like to receive our newsletter, we require a valid email address as well as information that allows us to verify that you are the owner of the specified email address and that you agree to receive this newsletter. No additional data is collected or is only collected on a voluntary basis. We only use this data to send the requested information and do not pass it on to third parties. We will process any personal data you enter onto the contact form or that you send to us to contact us only (1) with your consent (Art. 6 (1) lit. a GDPR), or (2) if the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Art. 6 (1) lit. b GDPR). We may process your email address to send you our newsletters to the extent permitted by law. This allows us to send you these newsletters if (1) we have received the email address in connection with the sale of goods or services, (2) we use the address for direct advertising for our own similar goods or services, and (3) you have not objected to the use. In any event, you can revoke consent to the storage of your data and email address as well as their use for sending the newsletter at any time, e.g. through the “unsubscribe” link in the newsletter or by sending us an email at firstname.lastname@example.org. The data processed before we receive your request may still be legally processed. We will process the data provided for the newsletter to distribute the newsletter until you cancel your subscription, at which point said data will be deleted. Data we have stored for other purposes (e.g. email addresses for the member’s area) remain unaffected.
This site uses the Google Maps map service via an API. It is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This allows us to display interactive maps directly on the website and enables you to use the map function conveniently. To ensure data protection on this website, Google Maps is deactivated when you first enter this website. A direct connection to Google’s servers is only established when you independently activate Google Maps (consent according to Art. 6 (1) lit. a GDPR). This prevents your data from being transferred to Google when you first enter the page. After activation, Google Maps will store your IP address. This information is generally transmitted to a Google server in the USA and stored there. The operator of this website has no influence on this data transfer after the activation of Google Maps. Further information about the handling of user data can be found in Google’s data protection declaration at https://www.google.de/intl/de/policies/privacy/
Our customer data are managed using Salesforce Marketing Cloud, a service provided by Salesforce.com Inc, Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, United States of America, and its German subsidiary salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich (hereinafter collectively referred to as “Salesforce”). Salesforce Marketing Cloud is a CRM system which makes it possible, e.g., to manage existing and potential customers and customer contact details, and to organize our sales, marketing campaigns and communication processes. Beyond that, the use of the CRM system allows us to analyze our customer-related processes. The customer data are stored on Salesforce’s servers. During this process, personal data may also be transferred to servers operated by Salesforce in the United States. The legal basis for the use of Salesforce’s services is Art. 6(1) lit. f GDPR. We have a legitimate interest in ensuring that our customers are managed and communicated with as efficiently as possible. Provided that we have asked for your consent, your data will be processed exclusively on the basis of Art. 6(1) lit. a GDPR. Insofar as your consent also extends to the storage of cookies or the access to any information on your device (e.g. device fingerprinting) as outlined in the TTDSG (German Federal Act on Privacy in Telecommunications and Telemedia), your data will furthermore be processed on the basis of Sec. 25 Sec. 1 TTDSG. You may revoke your consent at any time. Salesforce has Binding Corporate Rules (BCR) in place which were approved by the French Data Protection Authority. The provisions of the BCR are binding at company level and intended to legitimize the intra-group transfer of personal data between the Salesforce group companies to third-party countries outside the EU and EEA. The BCR can be found at https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/Salesforce-Processor-BCR.pdf. 
Further details regarding the processing of personal data when using Salesforce’s services can be found in Salesforce’s Data Protection Impact Assessment (DPIA) available at https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Privacy/dpia-and-salesforce-services.pdf and in Salesforce’s data privacy notice available at https://www.salesforce.com/de/company/privacy/. We have entered into an agreement on the commissioned processing of personal data in accordance with Art. 28(3) GDPR with Salesforce (Data Processing Addendum) which can be found at https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf. Through the Data Processing Addendum, Salesforce undertakes that it will only process the data based on our instructions and in accordance with the provisions of the GDPR and to ensure the protection of the rights of the affected data subjects. The Data Processing Addendum also incorporates the standard contractual clauses (EU/2021/914) issued by the European Commission in accordance with Art. 46(2) lit. c) GDPR for establishing the appropriate safeguards prescribed by the provisions of the GDPR for the transfer of personal data outside the EU and EEA. [Version of November 2022]