Privacy Policy

Privacy Policy

General

Data protection is an important concern of Immunic Therapeutics, including Immunic, Inc., Immunic AG and Immunic Australia Pty Ltd (hereinafter collectively referred to as “Immunic”). Therefore, data is processed exclusively in compliance with the applicable data protection regulations (e.g., GDPR, BDSG-n.F.).

We collect and process personal data if you provide us with this data and we are entitled to collect, use and process it on the basis of a consent granted by you or on the basis of a statutory provision.

If we receive personal data from you from other companies, you will be informed about this as soon as possible, at the latest during the first contact. This data will also only be stored and processed on the basis of legal regulations.

Responsible Body (Controller)

The responsible party (controller) within the meaning of the data protection laws, in particular the EU General Data Protection Regulation (GDPR), is:

Immunic AG
Lochhamer Schlag 21
82166 Gräfelfing
Germany
Phone: +49 89 2080 477 00

Immunic AG is the EU Representative of Immunic, Inc. (1200 Avenue of the Americas, Suite 200, New York, NY 10036, USA) and Immunic Australia Pty Ltd. (58 Gipps Street, VIC 3066 Collingwood, Australia). Immunic AG is therefore the contact person vis à-vis European privacy supervisors and data subjects, in all matters relating to processing of personal data to ensure compliance with GDPR.

If you have any questions about data protection, please send us an email to: privacy@imux.com.

If you want to write to us by mail, please use the above-mentioned address.

Responsible person according to §5 Telemediengesetz (TMG):
Dr. Daniel Vitt

Personal Data

Personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”).

We collect and process personal data, such as your name, email address, company or telephone number, if you provide us with this data when registering for our Investor Alert newsletter and for sending press releases, or if you provide us with this data in any other way. We do not process any personal data when using the website for purely informational purposes, except for data that is technically collected automatically when you visit the website (see log data).

When conducting clinical studies, we process anonymized patient data.

We process the above-mentioned personal data for the following purposes:

• Conducting clinical trials (monitoring, publication);
• Distributing Investor Alert newsletters or press releases regarding current information about our company;
• Communicating about services, projects or other company-related topics, e.g., to process your inquiries;
• Planning, executing and managing the (contractual) business relationship, e.g., to process orders for products and services, to collect payments, for accounting, billing and debt collection purposes and to perform deliveries, maintenance activities or repairs;
• Maintain and protect the security of our products and services and our websites by preventing and detecting security risks, fraudulent activity, or other criminal activity or activity undertaken with the intent to cause harm;
• Compliance with legal requirements (e.g., tax and commercial retention obligations) or existing obligations to conduct compliance screenings (to prevent white-collar crime or money laundering);
• Compliance with national laws, for example defense, exercise or assertion of legal claims.

The processing of personal data is necessary to achieve the above purposes. The legal basis for the data processing is – unless expressly stated otherwise – Article 6 (1) (f) of the GDPR or your expressly given consent pursuant to Article 6 (1) (a) of the GDPR.

Insofar as the above data is to be further processed for a purpose other than the original purpose of collection, you will be informed of this prior to further processing. In this way, you have the opportunity to object to the processing of your data for another purpose.

As a matter of principle, your data will not be made available to third parties for use unless you have given your consent to this or we are legally entitled and/or obliged to pass on this data.

Data subject rights: Right to information, correction, deletion or restriction of the processing of your personal data, right to object and right to data portability.

Upon request, we will inform you in writing, in accordance with the applicable law, whether and which personal data we process in our company. If, despite our company’s efforts to ensure data security and accuracy, incorrect information has been stored, we will correct it at your request.

You also have the right to request the restriction of the processing of personal data by our company. In addition, you may request to receive the data you have provided to our company in a structured, common and machine-readable format. You may also object to the data processing of personal data by our company.

You also have the right to request the deletion of your personal data, provided that this does not conflict with statutory retention periods. We delete the data if we no longer need it for the purpose for which we collected and processed it, or if you revoke the consent you have given and there is no other legal basis for the further processing of your data. In addition, we delete this data if the processing has been unlawful for reasons unknown to us or if you have objected to the processing and there are no overriding legitimate interests for the processing. Your data will also be deleted if we are legally obliged to do so. Our company has also implemented technical measures to notify all recipients of your data of your request for deletion or rectification. This applies only in the event that we have disclosed or made public such data. Deleted shall be all links, copies and replications of your personal data.

If you have consented to the processing of your personal data, you have the right to revoke your consent at any time with effect for the future. The revocation of consent does not render the data processing unlawful for the past.

The transfer of data to our company is voluntary. However, this data is necessary for the further conclusion of the contract or to answer your inquiries. If you do not wish to disclose your data, the contract may not be concluded or your inquiries may not be answered. The provision of the data is necessary for the conclusion of the contract.

You also have the right to complain to the competent supervisory authority about data processing by our company.

The data protection authority responsible for our company is:

State Office for Data Protection Supervision, Promenade 27 (Schloss), 91522 Ansbach, Germany Web: http://www.lda.bayern.de

Storage Period

If no explicit storage period is specified at the time of collection (e.g., as part of a declaration of consent), the personal data will be deleted insofar as it is no longer required to fulfil the purpose for which it was stored, unless legal retention obligations (e.g., commercial and tax retention obligations) prevent deletion.

Data Security

We take technical and organizational security measures to protect the data we store and process in our company against manipulation, loss of confidentiality, destruction and against access by unauthorized persons. The security measures of our company are continuously improved according to the technological development.

Contact Form

If you submit inquiries to us via our contact form, the information provided in the contact form as well as any contact information provided therein will be stored by us in order to handle your inquiry and in the event that we have further questions. We will not share this information without your consent.

The processing of these data is based on Art. 6(1)(b) GDPR, if your request is related to the execution of a contract or if it is necessary to carry out pre-contractual measures. In all other cases the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6(1)(f) GDPR) or on your agreement (Art. 6(1)(a) GDPR) if this has been requested; the consent can be revoked at any time.

The information you have entered into the contact form shall remain with us until you ask us to eradicate the data, revoke your consent to the archiving of data or if the purpose for which the information is being archived no longer exists (e.g., after we have concluded our response to your inquiry). This shall be without prejudice to any mandatory legal provisions, in particular retention periods.

Requests by Email or Telephone

If you contact us by email or telephone, your request, including all resulting personal data (name, request) will be stored and processed by us for the purpose of processing your request. We do not pass these data on without your consent.

These data are processed on the basis of Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or is required for the performance of pre-contractual measures. In all other cases, the data are processed on the basis of our legitimate interest in the effective handling of inquiries submitted to us (Art. 6(1)(f) GDPR) or on the basis of your consent (Art. 6(1)(a) GDPR) if it has been obtained; the consent can be revoked at any time.

The data sent by you to us via contact requests remain with us until you request us to delete, revoke your consent to the storage or the purpose for the data storage lapses (e.g., after completion of your request). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

Investor Alert Newsletter

We distribute Investor Alert newsletters (for example press releases, filings in accordance with U.S. SEC regulations, or daily stock price updates for Immunic’s stock (NASDAQ: IMUX)) to registered interested parties at regular intervals. If you have registered to receive this information, we collect and process your personal data exclusively for sending the Investor Alert newsletter.

For an effective registration, name and a valid email address are required. In order to verify that a registration is actually made by the owner of an email address, we use the “double-opt-in” procedure. For this purpose, the order for the Investor Alert newsletter, the sending of a confirmation email and the receipt of the response requested herewith are logged. The data is used exclusively for sending the newsletter and is not passed on to third parties.

You can revoke your consent to the storage of your data and its use for the newsletter dispatch at any time. You will find a corresponding link in each newsletter. In addition, you can also communicate your corresponding wish at any time via the contact options provided at the end of this document.

Press Releases

We periodically send press releases and/or information on certain current Immunic topics (for example, information on the status of our drug development programs and other research and development results, information on legal, regulatory, financial markets or company-related topics) to registered interested parties. If you have registered to receive this information, we will collect and process your personal data solely for the purpose of sending this information or press releases.

For an effective sending of press releases, name and a valid email address are required. The data will be used exclusively for sending press releases and will not be passed on to third parties.

You can revoke your consent to the storage of your data and its use for sending press releases at any time. You will find a link to this effect in every press release. In addition, you can communicate your corresponding wish via the contact options in the corresponding emails or via the contact options indicated at the end of this document.

Log Data

When you access our company’s homepage, your internet browser automatically transmits the following data (hereinafter referred to as “log data”) to the web server used for technical reasons, which our company records in log files:

• Name of the website accessed;
• Date and time of the retrieval;
• Amount of data transferred;
• Message about successful retrieval;
• Browser type and version;
• The operating system of the user;
• Referrer URL (the previously visited page);
• IP address and the requesting provider;
• Status codes.

This exclusively is information that does not allow any conclusions to be drawn about the natural person. This information is necessary to clarify any abuse or fraud. The log data is evaluated in anonymous form purely for statistical purposes in order to optimize our company’s Internet presence and the technology behind it.

Cookies

So-called “cookies” are small text files that are offered/stored in the user’s browser. Cookies can be used by websites to make a user’s experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.

No cookies are used on our www.imux.com website.

External Social Media Sites

In General

We do not collect or process any data from your use of the services mentioned below. However, should you contact us via one of the sites or post comments on these sites, the data you enter with the respective service will be processed insofar as it is made available to us and, in the case of comments, included in our offer.

1. a) Facebook

We link from our website to services of Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA (hereinafter referred to as “Facebook”). For this purpose, we use a button in Facebook design. When you click on this button, the page you called up is transferred to Facebook and you are redirected to Facebook accordingly.

Facebook then receives the information that your browser has accessed the corresponding page of our website; even if you do not have a Facebook account or are not currently logged in to Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the USA and stored there. If you are logged in to Facebook, Facebook can directly assign your visit to our website to your Facebook account.

Please note that the exact data processing at Facebook is beyond our knowledge.

If you do not want Facebook to assign the data collected via our website to your Facebook account, you must log out of Facebook before visiting our website. For the purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your rights in this regard and setting options for protecting your privacy, please refer to Facebook’s privacy policy.

Facebook Channel

We operate our own Facebook channel: https://www.facebook.com/ImmunicInc/.

If you use this, please note the following: the service is offered on the technical platform and by means of the services of Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA.

For the data processing through our Facebook channel, there is a joint responsibility within the meaning of Art. 26 DSGVO of Facebook and Immunic. You can access and view the relevant agreement between Facebook and us here.

We would like to point out that you use our Facebook channel and its functions on your own responsibility and that we have no influence on the processing of data by Facebook. This applies in particular to the use of interactive functions (e.g., commenting, sharing, rating).

When you visit our Facebook page, Facebook collects, among other things, your IP address and other information that is present on your computer in the form of cookies. This information is used to provide us, as the operator of the Facebook page, with statistical information about the use of the Facebook page. Facebook provides more detailed information on this here.

The data collected about you in this context is processed by Facebook Ireland Ltd. and may be transferred to countries outside the European Union. Facebook describes in general terms what information it receives and how this information is used in its data usage guidelines. There you will also find information on how to contact Facebook and on how to change your settings for advertisements.

In what way Facebook uses the data from visits to Facebook pages for its own purposes, to what extent activities on the Facebook page are assigned to individual users, how long Facebook stores this data and whether data from a visit to the Facebook page is passed on to third parties, is not conclusively and clearly stated by Facebook and is not known to us.

1. b) X (Formerly Twitter)

We link from our website to services of X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; the data controller for individuals living outside the United States is Twitter International Unlimited Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07, Ireland. (hereinafter referred to as “X”). For this purpose, we use a button in X design. When you click on this button, the page you called up is transferred to X and you are forwarded to X accordingly.

X then receives the information that your browser has called up the corresponding page of our website (even if you do not have an X account or are not currently logged in to X). This information (including your IP address) is transmitted by your browser directly to an X server in the USA and stored there.

Please note that the exact data processing by X is beyond our knowledge.

If you do not want X to assign your data to your account, you must log out of X before visiting our website. For more information, please see X’s privacy policy.

X Channel

We operate our own X channel: https://twitter.com/ImmunicInc.

If you use our X channel, please note the following: We use the technical platform and services of X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA for the services offered.

We would like to point out that you use the offered X services and its functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g., sharing, rating).

The data collected about you when using the service is processed by X Corp. and may be transferred to countries outside the European Union. This includes, among other things, your IP address, the application you use, information about the terminal device you use (including device ID and application ID), information about websites you have visited, your location and your mobile phone provider.

This data is assigned to the data of your X account or your X profile. We have no influence on the type and scope of the data processed by X, the way it is processed and used, or the transfer of this data to third parties. Information about which data is processed by X and for which purposes can be found in X’s privacy policy as well as via the option to view your own data at X.

Furthermore, you have the option of requesting information via the X data protection form or the archive requirements. You have options to restrict the processing of your data in the general settings of your X account as well as under the item “Privacy and security”. In addition, for mobile devices (smartphones, tablet computers), you can restrict X’s access to contact and calendar data, photos, location data, etc. in the settings options there. However, this depends on the operating system used. More information on these points is available on the following X support pages:

– support.twitter.com/articles/105576

– https://support.twitter.com/search?utf8=%E2%9C%93&query=datenschutz

Via X buttons or widgets embedded in websites and the use of cookies, it is possible for X to record your visits to these websites and assign them to your X profile. Based on this data, content or advertising can be offered tailored to you. Information on this and the available setting options can be found on the following X support pages:

– https://support.twitter.com/articles/20171570

– https://support.twitter.com/articles/20170520

We would like to point out that you use the service offered here and its functionalities on your own responsibility. This applies in particular to the use of interactive functions, such as sharing.

1. c) LinkedIn

We link from our website to services of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (hereinafter referred to as “LinkedIn”). For this purpose, we use a button in LinkedIn design. When you click on this button, the page you called up is transferred to LinkedIn and you are redirected to LinkedIn accordingly. If you call up the page and are logged in to your LinkedIn account at the same time, LinkedIn can directly assign the visit to our website to your LinkedIn account.

Please note that the exact data processing at LinkedIn is beyond our knowledge.

If you do not want LinkedIn to assign your data to your account, you must log out of LinkedIn before visiting our website.

For information on the purpose and scope of data collection and the further processing and use of data by LinkedIn, as well as settings options for protecting your privacy, please refer to LinkedIn’s privacy policy.

LinkedIn Channel

We operate our own LinkedIn channel: https://de.linkedin.com/company/immunic-therapeutics.

If you use our LinkedIn channel, please note the following: We rely on the technical platform and services of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA for the messaging service offered.

We would like to point out that you use the offered LinkedIn service and its functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g., sharing, rating).

The data collected about you when using the service is processed by LinkedIn Corporation and may be transferred to countries outside the European Union. This includes, among other things, your IP address, the application you use, information about the terminal device you use (including device ID and application ID), information of accessed websites, if applicable, your location and your mobile phone provider.

1. d) Xing

We link from our website to services of XING AG, Dammtorstraße 30, 20354 Hamburg, Germany (hereinafter referred to as “XING”). For this purpose, we use a button in XING design. When you click on this button, the page you called up is transferred to XING and you are redirected to XING accordingly. If you call up the page and are logged in to your XING account at the same time, XING can directly assign the visit to our website to your XING account.

Please note that the exact data processing at XING is beyond our knowledge.

If you do not want XING to assign your data to your account, you must log out of XING before visiting our website.

For further information, please refer to XING’s privacy policy.

XING Channel

We operate a XING channel: https://www.xing.com/pages/immunicag.

If you use our XING site, please note the following: We use the website of XING AG, Dammtorstraße 30, 20354 Hamburg, Germany for the service offered there.

We would like to point out that you use the service offered here and its functionalities on your own responsibility. This applies in particular to the use of interactive functions, such as sharing.

We ourselves do not collect or process any data from your use of the service. However, should you contact us via the site or post comments, the data you enter with the service will be processed insofar as it is made available to us and, in the case of comments, included in our offer.

For more details, please refer to the XING’s privacy policy.

1. e) YouTube

We link from our website to services of YouTube, LLC, a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (hereinafter referred to as “LinkedIn”). For this purpose, we use a button in YouTube design. When you click on this button, the page you called up is transferred to YouTube and you are redirected to YouTube accordingly.

YouTube then receives the information that your browser has accessed the corresponding page of our website; even if you do not have a YouTube account or are not currently logged in to YouTube. This information (including your IP address) is transmitted by your browser directly to a YouTube server and stored there. If you are logged in to YouTube, YouTube can directly assign your visit to our website to your YouTube account.

Please note that the exact data processing at YouTube is beyond our knowledge. Immunic’s use of YouTube does not imply any endorsement of that medium, of YouTube itself or its privacy policy. Immunic recommends that all users inform themselves about YouTube’s data processing regulations and protect their privacy as best as possible.

If you do not want YouTube to assign the data collected via our website to your YouTube account, you must log out of YouTube before visiting our website. For the purpose and scope of the data collection and the further processing and use of the data by YouTube, as well as your rights in this regard and setting options for protecting your privacy, please refer to YouTube’s privacy policy.

YouTube Channel

We operate our own YouTube channel: https://www.youtube.com/channel/UC-d9CktxCXwbNIi9UZEUUBg.

If you use our YouTube channel, please note the following: We rely on the technical platform and services of YouTube, LLC, a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland for the messaging service offered.

We would like to point out that you use the service offered here and its functionalities on your own responsibility. This applies in particular to the use of interactive functions, such as sharing.

We ourselves do not collect or process any data from your use of the service. However, should you contact us via the site or post comments, the data you enter with the service will be processed insofar as it is made available to us and, in the case of comments, included in our offer.

For more details, please refer to the YouTube’s privacy policy. Please also note the privacy tips for YouTube.

Plug-Ins and Analysis Tools

Matomo

This website uses the open-source web analysis service Matomo, provided by InnoCraft Ltd, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand (hereinafter referred to as “Matomo”).

Through Matomo, we are able to collect and analyze data on the use of our website-by-website visitors. This enables us to find out, for instance, when which page views occurred and from which region they came. In addition, we collect various log files (e.g., IP address, referrer, browser, and operating system used) and can measure whether our website visitors perform certain actions (e.g., clicks, etc.).

The use of this analysis tool is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the analysis of user patterns, in order to optimize the operator’s web offerings and advertising. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

For analysis with Matomo, we use IP anonymization. Your IP address is shortened before the analysis, so that it is no longer clearly assignable to you.

We have configured Matomo in such a way that Matomo will not store cookies in your browser.

We host Matomo exclusively on our own servers so that all analysis data remains with us and is not passed on.

Ninja Firewall

We have integrated Ninja Firewall on this website. The provider is NinTechNet Limited, Unit 1603, 16th Floor, The L. Plaza 367 – 375 Queen‘s Road Central Sheung Wan, Hong Kong (hereinafter referred to as “Ninja Firewall”).

Ninja Firewall protects our website against undesirable access or malicious cyber-attacks. For this purpose, Ninja Firewall collects IP address, request, referrer, and the time of page access. Ninja Firewall is installed locally on our servers and does not transmit any personal data to the provider of the tool or other third parties.

We have enabled IP anonymization for Ninja Firewall, so that the tool only collects the IP address in a shortened form.

The use of Ninja Firewall is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the most effective protection of his website against cyberattacks.

SSL Encryption

To protect the security of your data during transmission, we use state-of-the-art encryption methods (e.g., SSL) via HTTPS.

Questions to the Data Protection Officer

If you have any questions about data protection, please email us at privacy@imux.com.