Legal Disclosure

1. Introduction

Welcome to the Symmetrian informational website (hereinafter, “the website”). This Privacy Policy describes how the European Patient Advocacy Institute (EPAI), as the data controller, collects, uses, stores, and protects the personal data of users of this website. 

This website serves solely to provide information about the future Symmetrian platform. This Privacy Policy applies exclusively to the information collected via this website and not to the Symmetrian platform once launched. 

Should you have any questions regarding the processing of your personal data via this website, you can contact us at: info@symmetrian.org.

2. Data Controller

The entity responsible for processing your personal data collected through this website is: European Patient Advocacy Institute (EPAI) gUG [registered with the Handelsregister München (Chamber of Commerce Munich) under number HRB 235098 and registered offices at Am Rothenanger 1 B, 85521 Riemerling, Germany]. Contact email for privacy matters related to this website: info@symmetrian.org. 

General EPAI email (for other matters): info@patientadvocacy.eu

3. Collected Data

We collect two types of data through this website: 

a) Technical Data collected automatically: When you visit our website, our servers automatically record technical information necessary to display the content correctly and ensure stability and security. This data includes: 

• Your IP address 

• Date and time of access 

• Requested resource (page visited) 

• Status of the request 

• Amount of data transferred and duration of transmission 

• Approximate origin/location of your request 

• Name and version of your browser. This data is recorded in server log files and may be analysed in an aggregated and anonymous form for statistical purposes to improve the website. We may also process this data to detect and track unlawful use if there are concrete indications thereof 

b) Data you provide voluntarily: We collect the personal data you provide directly to us via the contact form available on the website to express your interest in participating in the pilot programme for the Symmetrian platform (“Pilot Programme”). The data collected is: 

• Name 

• Email address 

• Organisation you belong to (optional) 
• Country of residence (optional)  
• Comments/Questions (optional) 

4. Purposes and Legal Bases for Processing

We process your personal data for the following specific purposes and under the following legal bases, in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR): 

a) Website Operation, Security, and Optimisation: 

• Data processed: Technical Data (see section 3a). 

• Purpose: To enable your access to the website, ensure its correct technical functioning, maintain the security of our systems, and detect potential misuse. Additionally, to statistically analyse usage to optimise the website. 

• Legal Basis: Article 6(1)(f) GDPR – Our legitimate interest in operating a secure, functional, and optimised website. 

b) Managing your expression of interest in the Pilot Programme: 

• Data processed: Data provided voluntarily (Name, Email, Organisation, Country, Comments/Questions – see section 3b). 

• Purpose: To register your interest and to contact you exclusively to invite you to participate in the Symmetrian platform pilot programme when it becomes available. 

• Legal Basis: Article 6(1)(a) GDPR – Your explicit consent, given when you voluntarily submit the form with your details for this specific purpose. You can withdraw your consent at any time (see section 9). 

c) Website Analytics (Google Analytics): 

• Data processed: IP address, website browse and usage data (pages visited, duration, etc.), device and browser information. 

• Purpose: To understand how users interact with our website to improve it and optimise its content and structure. 

• Legal Basis: Article 6(1)(a) GDPR – Your explicit consent, which will be requested and managed via our cookie banner or management tool before these technologies are activated. (Note: The use of Analytics is not strictly necessary for the basic functioning of the site and therefore requires consent).

5. Data Recipients and Third-Party Processors

We do not sell or rent your personal data. However, we may share your information with service providers acting as data processors on our behalf, under strict instructions and with appropriate contractual safeguards (Data Processing Agreements), for the purposes described below: 

• Hosting Provider: Our website is hosted on United Domains GmbH with servers located in the Federal Republic of Germany (within the European Economic Area – EEA). The hosting provider, United Domains, may have technical access to data (including logs) as part of their services. 

• Web Form Plugin Provider: The plugin used for the contact form is MetForm, a WordPress contact form builder. MetForm processes the data you enter (name, email, organisation, country, comments) to transmit it to us and stores your submissions in our WordPress and HubSpot database (located in Germany)

• Google Analytics (Google LLC): Google processes data such as IP address and usage information for web analytics (if you provide consent). Google LLC is certified under the EU-U.S. Data Privacy Framework, which has been recognised by a decision of the European Commission as providing adequate protection. As a result, personal data transfers from controllers and processors in the EU to certified organisations in the United States may take place without the need for further authorisation. Read more about Google privacy policy.

• Contact Management/CRM Tools:
  • These tools are used to manage the list of individuals interested in the Pilot Programme. The data you provide in the contact form (name, email, organisation, country, comments/questions) is stored in our HubSpot account to be accessed and processed by n8n and finally organized and stored in the CRM software of our ClickUp account. These providers comply with GDPR and that adequate safeguards, such as SCCs are in place (see their policies below). 
  • HubSpot 
  • n8n 
  • ClickUp 

  We will only share the data strictly necessary for each purpose. 

6. International Data Transfers

As mentioned in section 5, the use of Google Analytics involves transferring personal data to the United States, which is carried out under the appropriate safeguards required by GDPR (see more details in section 5). Other main processing activities (hosting, initial receipt of form data) take place within the European Economic Area (Germany).

7. Data Retention Period

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected: 

• Technical Data (Server Logs): It will be stored for a maximum period of eight (8) days for security and error detection purposes, after which it will be permanently deleted or anonymised. 

• Pilot Programme Interest Form Data: It will be retained until the purpose for which it was collected has been fulfilled (contacting you for the pilot programme), or until you withdraw your consent. We will periodically review the need to retain this data and delete it once you have fulfilled the purpose, and your data is no longer required.

Google Analytics Data:

• The retention period for this data depends on the settings configured in Google Analytics and your preferences managed via our cookie tool. Please refer to Google’s privacy/cookie policy for more details.

We may retain certain data for longer periods if required by a legal obligation (e.g., tax or accounting regulations, if applicable) or for the defence against possible legal claims, always ensuring it is blocked and accessible only for those specific purposes. 

8. Cookies and Similar Technologies

This website uses cookies. Some are technically necessary for the site’s operation, while others (like those for Google Analytics) require your prior consent. You will find detailed information about the cookies we use, their purposes, and how to manage your preferences (accepting or rejecting non-essential cookies) via our cookie banner and our specific Cookie Policy (accessible through the GDPR Cookie Compliance plugin). 

9. Your Rights as a Data Subject

As the data subject, GDPR grants you the following rights, which you can exercise by contacting us at info@symmetrian.org: 

• Right to be informed (Art. 13 GDPR): When personal data is collected directly from the data subject, to be provided with the following information:  
  • The identity and contact details of the controller or its representative.  
  • The contact details of the DPO, where applicable.  
  • The purposes for processing. 
  • The legitimate interests pursued by the controller or a third party under Article 6(1)(f).
  • The recipients of the personal data.
  • Information about envisaged data transfer outside the EU if applicable.
  • Data storage periods.
  • Rights of the data subject.
  • Existence of automatic decision making if applicable.
• Right to Access (Art. 15 GDPR): To request confirmation of whether we process your personal data, access to that data, and information on the purposes of processing, categories of data, recipients (including those in third countries), storage duration, your data subject rights (including the right to lodge a complaint and the right to obtain a copy of your data), the source of the data (if not collected from you), and any automated decision-making.
• Right to Rectification (Art. 16 GDPR): To request the correction of your personal data if it is inaccurate or incomplete. 

• Right to Erasure (‘Right to be Forgotten’) (Art. 17 GDPR): To request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, if you withdraw your consent (and there is no other legal ground), if you object to processing based on legitimate interest and there are no overriding grounds, or if it has been unlawfully processed. If you exercise this right and there is no other legal basis to retain it, your data will be deleted or anonymised.    

• Right to Restriction of Processing (Art. 18 GDPR): To request that we temporarily suspend the processing of your data in certain circumstances (e.g., while its accuracy or the legitimacy of an objection is verified). 

• Right to Object (Art. 21 GDPR): To object to the processing of your data based on our legitimate interest (Art. 6(1)(f) GDPR), on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds which override your interests. You have an absolute right to object to processing for direct marketing purposes (although we do not use the data from the contact us form for direct marketing). 

• Right to Data Portability (Art. 20 GDPR): To receive the personal data you have provided to us, which is processed by automated means based on your consent, in a structured, commonly used, and machine-readable format, and to transmit it to another controller if it is your wish. 

• Right to Withdraw Consent (Art. 7(3) GDPR): To withdraw your consent at any time for processing based on it (such as submitting the contact us form or using Google Analytics). Withdrawal will not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent by contacting us at info@symmetrian.org or, for cookies, via the cookies management tool.

10. Absence of Automated Decision-Making

We inform you that this website does not use methods involving automated decision-making, including profiling, which produce legal effects concerning you or similarly significantly affecting you, as defined in Article 22 of the GDPR.    

11. Links to Other websites

This website may contain links to third-party websites. Our Privacy Policy applies only to our website. If you click on a link to another website, we recommend you to read their own privacy policy. 

12. Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your data infringes data protection regulations, or if you are not satisfied with the response to a request you have made to exercise your rights, you have the right to complain to a competent supervisory authority. Given that EPAI have activities or representation in Bavaria and the hosting is in Germany, the corresponding Bavarian authority is:    

Bavarian State Office for Data Protection Supervision 
Promenade 27 
91522 Ansbach 
Germany 

You may also complain to the supervisory authority in your EU country of residence, place of work, or place of the alleged infringement. Contact details for all EU/EEA supervisory authorities are available at: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

13. Changes to the Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal requirements. We will notify you of any material changes by posting the new policy on this page and updating the effective date. We encourage you to review this policy periodically.