Privacy Policy

This Privacy Policy governs the collection, processing and storage of data that results from the use of our websites. In dealing with the collected data, we observe the valid legal regulations of the Federal Republic of Germany and the European General Data Protection Regulation (GDPR) as well as the following obligations.

The following table of contents will take you directly to the corresponding data protection passages.

Table of contents:

1. Privacy at a glance
2. Hosting of this website
3. General information, mandatory information and your rights
   1. Note to the responsible office
   2. Revocation of your consent to data processing and right of objection against data collection in special cases and against direct advertising (Art. 21 GDPR)
   3. Right of appeal to the competent supervisory authority
   4. Right to data transferability
   5. SSL or TLS encryption
   6. Information, deletion and correction
   7. Right to limitation of processing
   8. Passing on of data in general
   9. Objection to the use of published contact data on this website
4. Data collection on our website
   1. Cookies
   2. Consents for cookies and third-party services
   3. Logging of script failures and attacks on this website
   4. Server log files
   5. Request by e-mail, telephone or fax
   6. Collection of personal data, use of (contact) forms
   7. Processing of data (customer and contract data)
   8. Data transfer upon conclusion of contract for online shops, dealers and dispatch of goods
5. Plugins and tools
   1. Maps from Google Maps map service
6. Concluding notes

General notes on data collection on this website

The following notes give a simple overview of what personal information is collected and what happens to it when you visit our website. Personal data is any data that personally identifies you (e.g. address, e-mail addresses, user behavior, and IP address).

Detailed information on data protection and further details can be found in the following texts.

Who is responsible for data collection on this website?

The data processing on this website is carried out by the website operator. You can find their contact details in this privacy policy under point 3.1.

How do we collect your data?

Your data will be collected on the one hand, that you tell us. This may be data that you e.g. enter in a contact form, send us by e-mail or communicate by phone.

Other data is collected automatically when visiting the website through our IT systems. This is especially technical data (e.g. your internet browser, operating system or time of the page request). The collection of this data happens automatically as soon as you enter our website.

What do we use your automatically collected data for?

These data are collected to ensure a flawless delivery of the website.

What rights do you have regarding your data?

At any time you have the right to obtain free information about the origin, recipient and purpose of your stored personal data. You also have a right to request the correction, blocking or deletion of this data. For this purpose and for further questions about data protection, you can contact us at any time at the address given in the imprint. Furthermore, you have a right of appeal to the competent supervisory authority.

Furthermore, you have the right to request, under certain circumstances, the restriction of the processing of your personal data. For details, please refer to the Privacy Policy under point 3.7 „Right to limitation of processing“.

External Hosting

This website is hosted by an external service provider (Hoster). The personal data collected on this website are stored on the servers of the hoster. This can be mainly IP addresses, contact requests, Meta and communication data, contract data, contact data, names, website accesses and other data generated via a website, trade.

The use of the Hoster is for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).

Our hoster will only process your data to the extent that this is necessary to fulfill its performance obligations and our instructions in relation to these data.

Conclusion of a contract for order processing

In order to ensure data protection-compliant processing, we have concluded a contract for order processing with our hoster.

As the operator of this website, we take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

If you use this website, various personal data will be collected. Personal information is information that could be used to identify you personally (e.g. name, address, e-mail addresses, user behavior, and IP address). This Privacy Policy explains what information we collect and what we use it for. It also explains how and for what purpose this happens.

We point out that the transmission of data on the Internet in general (for example in the case of communication by e-mail) may have security gaps.

3.1 Note to the responsible office

The responsible office regarding data processing on this website is:

Telefon: +49 365 77347180
E-Mail: info@xnapharma.com

Responsible entity is the natural or legal person who, alone or together with others, decides on the purposes and means of processing personal data (e.g. e-mail addresses, etc.).

3.2 Revocation of your consent to data processing and right of objection against data collection in special cases and against direct advertising (Art. 21 GDPR)

right of revocation

Many data processing operations are only possible with your express consent or a justified interest pursuant to Art. 6 para. 1 lit. f GDPR.

You can revoke your consent at any time. For this purpose, send an informal message by e-mail to info@xnapharma.com. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right of objection against data collection in special cases and against direct advertising (Art. 21 GDPR)

If the data processing is based on Art. 6 para. 1 lit. e or f GDPR, you have the right at any time, for reasons, that arise from your particular situation, to object to the processing of your personal data; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this data protection declaration. If you file an objection, we will no longer process your personal data concerned, unless, we can provide compelling justification for the processing of your interests, rights and freedoms prevail or the processing serves to assert, exercise or defend them of legal claims (objection according to Art. 21 para. 1 GDPR).

If your personal data is processed for direct marketing purposes, you have the right to do so, to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling in so far as it is connected with such direct advertising. If you object, your personal data will no longer be used for direct marketing purposes. (objection under Art. 21 para. 2 GDPR).

If you wish to exercise your right of objection, simply send an e-mail to info@xnapharma.com.

3.3 Right of appeal to the competent supervisory authority

In the event of breaches of data protection law, the person concerned has a right of appeal to the competent supervisory authority. The responsible supervisory authority for data protection issues is the data protection officer of the federal state in which our company is based.

In concrete terms, this applies to the federal state of Thüringen:

Thuringian State Commissioner for Data Protection and Freedom of Information

Dr. Lutz Hasse

Häßlerstraße 8
99096 Erfurt

Telefon: 03 61/57 311 29 00
Telefax: 03 61/57 311 29 04

E-Mail: poststelle@datenschutz.thueringen.de
Homepage: http://www.tlfdi.de

3.4 Right to data transferability

You have the right to have data which we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another person responsible, this will only take place if it is technically feasible.

3.5 SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

3.6 Information, deletion and correction

You have the right to obtain free information about your stored personal data, their origin and recipients and the purpose of data processing and, if necessary, a right to correction or deletion of this data at any time within the scope of the applicable legal provisions. You can contact us at any time at the above address if you have any further questions on the subject of personal data.

3.7 Right to limitation of processing

You have the right to request that the processing of your personal data be restricted. You can contact us at any time at the address given in the imprint. The right to restrict processing exists in the following cases:

• If you dispute the accuracy of your personal data stored with us, we usually need time to check this. For the duration of the examination, you have the right to request the restriction of the processing of your personal data.
• If the processing of your personal data was / is unlawful, you can request the restriction of data processing instead of deletion.
• If we no longer need your personal data, but you do so in order to exercise it, defence or assertion of legal claims, you have the right, to request the restriction of the processing of your personal data instead of deletion.
• If you have filed an objection pursuant to Art. 21 para. 1 GDPR, there has to be a balance between your interests and ours. As long as we're not sure, whose interests prevail, you have the right to demand the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, these data - apart from their storage - may only be used for the following purposes with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another party. natural or legal person or on grounds of an important public interest of the European Union or of a Member State.

3.8 Passing on of data in general

Your personal data will not be transmitted to third parties for other purposes than those listed below.

We will only pass on your personal data if:

• you have given your express consent (Art. 6 para. 1 lit. a GDPR),
• the disclosure pursuant to Art. 6 para. 1 lit. f GDPR is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
• in the case that a legal obligation exists for the transfer pursuant to Art. 6 para. 1 lit. c GDPR, as well as
• this is legally permissible and is necessary for the processing of contractual relationships with you pursuant to Art. 6 para. 1 lit. b GDPR.

In cases in which data processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR, our legitimate interest is stated.

3.9 Objection to the use of published contact data on this website

We would like to point out that we object in advance to the use of the contact data published on these websites for commercial purposes, unless we have expressly agreed to it. This includes in particular: the storage in data processing systems for the purpose of data trading and the use for general advertising purposes (e.g.: unsolicited sending of information material and advertising brochures by post or e-mail). The operator of this website expressly reserves the right to take legal action in the event of unsolicited advertising information, such as spam e-mails.

4.1 Cookies

Some websites use so-called cookies. Cookies do not cause any damage to your computer and do not contain any viruses. Cookies serve to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.

In general, cookies enable your browser to be recognized the next time you visit the website (permanent cookies). So-called session cookies are automatically deleted as soon as you close your browser. In some cases, cookies from third-party companies may also be stored on your device when you visit our website (third-party cookies). These enable us or you to use certain services of the third party company. In the following text you will learn which cookies we use for which purpose and/or under point „Plugins and tools“.

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them. Other cookies are used to store convenience settings and other cookies are used to evaluate user behaviour or display advertisements.

You can set up your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, to exclude the acceptance of cookies for certain cases or generally, as well as to activate the automatic deletion of cookies when closing the browser. When cookies are deactivated, the functionality of this website may be limited.

Cookies that are required accomplish the electronic communication processes or to provide certain functions desired by you (e.g. shopping basket function, to remain logged in or memory function or settings) are stored according to Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the storage of cookies for technically error-free and optimized provision of his services.

Insofar as cookies are used by third-party companies or for analysis purposes, we will inform you of this separately within the framework of this data protection declaration and, if necessary, request your consent.

The following cookies are stored by our website:

A session cookie

This cookie is generated when you visit this website. It will be deleted automatically as soon as you close your browser after visiting the website.

This session cookie is a technically necessary first-party cookie.

This cookie stores the session ID of your browser on our web server. This allows server-side data to be stored in the session, which enables optimal operation of the website. This data includes, for example

• Technical data of your browser (e.g. troubleshooting mode, suspected malware client)
• Data of previous captchas / security graphics (e.g. of contact forms)
• Commands last executed on the website (random IDs) to avoid accidental duplicate execution
• Data of the previously visited page on this web page

The session cookie does not contain any personal data.

The basis for storing and processing this cookie is a legitimate interest of the website operator pursuant to Art. 6 para. 1 lit. f GDPR for the technically error-free provision of its services.

A permanent cookie (first-party-cookie)

This cookie is created when you visit this website. It remains on your computer for 365 days and is automatically deleted afterwards. After deletion, this cookie will be recreated when you visit this website again.

Your visit preferences, website- and data-protection-settings are stored in this cookie. These settings are e.g.

• the status of awareness of the general cookie notice,
• the selected font size (zoom level),
• Individual data protection settings selected separately by you (Consent for the integration of e.g. GoogleMaps, Facebook plugins, tracking plugins, YouTube videos, etc. into this website)
• your login status, if this website has an internal or protected area.

If this cookie is deleted, your selected data protection settings will also be deleted. Therefore, in this case, the settings must be made again by you via this data protection note.

This permanent cookie does not contain any personal data.

The basis for storing and processing this cookie is a legitimate interest of the website operator pursuant to Art. 6 para. 1 lit. c and lit. f GDPR. Because it ensures the technically error-free provision of the information on this website. In addition, we offer you convenience functions and the opportunity to activate individual third-party plug-ins on this website.

Other cookies

If other cookies (e.g. cookies to analyse your surfing behaviour) are stored, these are mentioned separately in this data protection declaration.

4.2 Consents for cookies and third-party services

This website uses simpilio®'s cookie-consent-technology to to store your consent to use certain cookies and third-party-services on your device and to document these in accordance with data protection regulations.

Functionality

Via the Consentmanager (data protection menu on the left side of the screen), the cookie notice banner, this data protection notice or directly at the position of the plugins in the webpage you can give your consent to embed plugins/services into this website.

Your consent will be stored together with your IP address, the time of consent and the text that you have seen, on the web server in accordance with data protection regulations. At the same time, your consent or revocation will be stored for the respective services in a permanent cookie for later page visits.

Services to which you have consented will henceforth be automatically integrated into the website.

Revocation

You have the option of using the Consentmanager (data protection menu on the left side of the screen) or this data protection notice at any time, to revoke your previously given consent for the future, until a new consent is given. Your revocation will be stored on the web server with the same data as with the consent.

If you delete the cookies from this website, the consent must be given again.

The use of this technology is done in order to comply with the legally required consents for the use of cookies and third-party services to catch up. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.

4.3 Logging of script failures and attacks on this website

The hoster of this website automatically collects and stores information about script failures and attacks on this website in a database. This data is given by your browser. The following data is stored:

• IP address
• Useragent (character string that provides information about the requesting browser and the operating system)
• internal categorization of the client (robot yes or no?)
• referrer URL
• Request destination incl. sent parameters (fields marked as password in the system are made unrecognizable)
• Date and time of the server request
• Access method to the web server
• in case of script crashes, additionally the script environment and the affected part of the source code

This data is automatically deleted after 7 days.
These data will not be combined with other data sources.

The basis for storing and processing this data is a legitimate interest of the website operator and the host according to art. 6 par. 1 lit. b and lit. f GDPR. The reason for this is the contractual obligation of the hoster to provide the website technically. If necessary, the hoster will evaluate this protocol to ensure the stability and security of the website furthermore. Possible legal or technical measures in response to an attack cannot be ruled out here. We also reserve the right to report the attack to early warning systems. In addition, the website operator has a legitimate interest in the technically error-free provision of its contents and services.

4.4 Server log files

The hoster of this website automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are for example:

• Browser type and browser version
• operating system used
• referrer URL
• Host name of the accessing computer
• Time of the server request
• IP address

These data will not be combined with other data sources.

The purpose of this data collection is

• for the automated generation of simple usage statistics of the website by the web server (no tracking) and
• for the evaluation of attacks on this website to get an overall picture of parallel running technical inquiries (evaluation only takes place in case of need).

These log files are stored for 30 days and then automatically deleted.

The basis for data processing is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. Furthermore, Art. 6 para. 1 lit. f GDPR gives the website operator and the hoster a legitimate interest to collect data about attacks on this website and to determine possible load peaks in order to ensure the security and stability of this website in the future as well.

4.5 Request by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, your request, including all resulting personal data (name, request) will be stored and processed by us for the purpose of processing your request. We do not pass these data on without your consent.

The processing of these data is based on Art. 6 para. 1 lit. b GDPR, if your request is related to the execution of a contract or if it is necessary to carry out pre-contractual measures. In all other cases, the processing is based on your consent (Article 6 (1) a GDPR) and/or on our legitimate interests (Article 6 (1) (f) GDPR), since we have a legitimate interest in the effective processing of requests addressed to us.

The data sent by you to us via contact requests remain with us until you request us to delete, revoke your consent to the storage or the purpose for the data storage lapses (e.g. after completion of your request). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

4.6 Collection of personal data, use of (contact) forms

When collecting personal data, we abide the principle of data avoidance and data economy, i.e. when contacting us, for example via an appropriate form, personal data will only be collected and stored to the necessary extent.

If you send us enquiries using the contact form, your details from the enquiry form, including the contact data you provided there, will be stored for the purpose of processing the enquiry and in the event of follow-up questions. We will not pass on this data without your consent.

The processing of this data is carried out on the basis of Art. 6 para. 1 lit. b DSGVO, insofar as your request is connected with the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f DSGVO) or on your consent (Art. 6 para. 1 lit. a DSGVO), provided that this has been requested. You can revoke this consent at any time. Please send an informal message by e-mail to info@xnapharma.com. The legality of the data processing processes carried out up to the revocation remains unaffected by the revocation.

The data entered by you in the contact form will remain with us until you request us to delete, your consent for storage is revoked or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular retention periods - remain unaffected.

4.7 Processing of data (customer and contract data)

We collect, process and use personal data only to the extent necessary for the establishment, content design or change of the legal relationship (inventory data). This is done according to Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. We collect, process and use personal data about the usage of our Internet pages (usage data) only to the extent necessary to enable or invoice the user for the use of the service.

The collected customer data will be deleted after completion of the order or termination of the business relationship. Legal retention periods remain unaffected.

4.8 Data transfer upon conclusion of contract for online shops, dealers and dispatch of goods

We only transfer personal data to third parties if this is necessary in the context of contract processing, for example to the company entrusted with the delivery of the goods or the bank entrusted with the payment processing. A further transmission of the data will not take place or only if you have expressly consented to the transmission. Your data will not be passed on to third parties without your express consent, for example for advertising purposes.

The basis for data processing is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.

Maps from Google Maps map service

Our website uses plugins in the form of maps, satellite photos and route planning from Google Maps. These can be used by you to calculate routes. The provider of this service is Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland.

To warrant data protection on this website, you will find that Google Maps has been deactivated when you visit this website for the first time. A direct connection to Google’s servers will not be established until you have activated Google Maps autonomously at your end (i.e. given your consent pursuant to Art. 6 Sect. 1 lit. a GDPR). This will prevent the transfer of your data to Google during your first visit to our website.

Once you have activated the service, Google Maps will store your IP address. As a rule, it is subsequently transferred to a Google server in the United States, where it is stored. The provider of this website does not have any control over this (and maybe other) data transfer once Google Maps has been activated.

For more information about the handling of user data, please consult the Data Privacy Declaration of Google under the following link: https://policies.google.com/privacy?hl=en&gl=en.

Google Maps is embedded on this website only after you have given your consent. By clicking on the following button you can agree to the use of Google Maps and later also object to it.

Status of Google Maps: in-/active.
Do you want to en-/able Google Maps?

Your consent or objection will be stored in a cookie and documented in accordance with data protection regulations.

Up-to-dateness and amendment of this data protection declaration

This data protection declaration is currently valid from 05.11.2020.

We reserve the right to adapt this data protection declaration to new circumstances and changed general conditions (legal or actual nature). You can call up and print out the current data protection declaration at any time on the website.