PRIVACY AND COOKIE POLICY
DATA PROTECTION POLICY

INTRODUCTION

This Data Protection Policy describes the measures implemented by RIVOPHARM SA, a Swiss company headquartered in Paradiso (CH), in terms of Personal Data Processing with respect to the use of the website www.rivopharm.ch / www.rivopharm.com (the “Website”) and of any resource connected to it. According to this Data Protection Policy, pursuant to and in accordance with Article 4 par. V of the Federal Act on Data Protection (LPD, Legge federale sulla protezione dei dati) and, if applicable, pursuant to and in accordance with Article 13 and Article 14 of the European Regulation EU 679/2016 (GDPR), any personal data provided or otherwise collected while using the Website will be processed in compliance with the principles laid out by the abovementioned regulations. Please note that, in compliance with Article 3 GDPR, the GDPR is only applicable in case of the following:

This document is structured as follows:

The Terms of Use of the Website are detailed in a separate document available at this link. It is understood, however, that the Terms of Use are thoroughly integrated and referred to in this Privacy Policy.

A. WEBSITE OWNER AND CONTACT DATA

The Website is owned by RIVOPHARM SA, Manno (CH).
Any communication addressed to the company shall be in writing and will be considered valid and effective once received, if sent by ordinary post, or upon delivery of the read receipt if sent via email.

Contact Data:
Address: RIVOPHARM SA, Centro Insema, 6928 Manno (CH)
Phone: +41 (0)91 605 66 66
Email: info@rivopharm.ch

B. ACCEPTING AND REVIEWING THE TERMS AND CONDITIONS

By using the Website, you agree to the current Terms and Conditions applicable upon access to the Website. You can see the most recent update by clicking on the dedicated link at the bottom of the Website. The Website owner has the right to update this document at any time and at its sole discretion, notably following the evolution of the applicable law. It is hence your responsibility to verify accurately the status of the Terms and Conditions before accessing the Website.

C. PERSONAL DATA PROTECTION POLICY

Data Controller
The Data Controller is RIVOPHARM SA, Centro Insema, 6928 Manno (CH), represented by the members of its Board of Directors and its Management, in accordance with the signature rights established by the Board of Directors and resulting from the Commercial Register of the Canton of Ticino (link). To contact the Controller, please refer to the Contact Data included in Paragraph A. Any communication regarding personal data protection can be addressed to privacy@rivopharm.ch.

Applicable Law on Data Processing
As a Swiss private company located in Switzerland, the Controller shall process your personal data pursuant to the Federal Act on Data Protection (“LPD”, RS 235.1). As a matter of principle, RIVOPHARM SA does not process any personal data falling within the scope of the GDPR (cf. par. A); should the EU Regulation nevertheless be applicable, as an exception, RIVOPHARM SA provides the Data Subject with the protection laid out by the GDPR (particularly as regards the rights included in Articles 12-23). You can read the complete text of the GDPR by clicking on this link.

Personal Data Definition and Categories
Personal data consist of any information regarding an identified or identifiable natural person (Personal Data). Sensitive information, such as information about the private sphere; social welfare benefits; race and ethnicity; political, religious as well as philosophical beliefs; trade union affiliation; biometric or health-related information; information about one’s psychic, mental or physical state; any data regarding convictions and crimes committed or connected to security measures, is entitled to a higher degree of protection. The Controller does not need, nor does it ask, you to provide any Personal Data entitled to such level of protection. Therefore, we recommend that you do not willingly provide any sensitive information through the Website and the resources connected to it (LinkedIn, email, contact form).

Purposes and Lawfulness of the Processing
The Controller shall process Personal Data with respect to the purposes summarised in the following table:

Purpose of the Processing | Legal basis | Data Storage Period
Browsing this Website on the Internet | Legitimate interest; compliance with contractual obligations | 1 year max; see Cookie Policy
Contact or information request; job application | Legitimate interest; Data Subject’s request | 1 year
Organisational, administration, financial and accounting activities and customer/user data management, regardless of the nature of the processed data. Particularly, the purposes of internal organisational activities. | Legitimate interest; compliance with contractual obligations | Generally, 10 years

The Controller collects and processes all Personal Data necessary to enable and optimise your Website browsing experience. Among these data there is information about Website usage, such as the IP address of your device; your position; your mobile device unique identifier; your session duration; links you clicked on; your browser features, such as type, language, installed plug-ins, etc.; cookies; etc. These data are processed automatically for the sole purpose of allowing Website browsing, considering the potential introduction of new features, improving the quality of the services offered, measuring Website usage and improving its availability. The information processed through the Website includes Personal Data you provide, especially via LinkedIn, the online form or email, for any communication purpose or in case you were requested to do so. Through the Website, we will not process nor send any advertising content or messages based on your online behaviour. Nor will we engage in any profiling activity or track your use of web resources or email. Furthermore, we will not sell, lease, market and/or lend any Personal Data to third parties through the Website. Given the unsafe nature of email and the fact that it lacks any guarantee in terms of privacy protection, we recommend that you do not transfer via email any information and/or documents including private and/or confidential information, with special regard to medical information. The Website owner is available to provide you, upon request, with secure electronic communication channels should the need for transmitting sensitive information arise.

Data Provision Obligation
With the exception of browsing data, you are free to choose to provide your Personal Data. Providing data is optional or required depending on the specific purpose of the processing. Failure to provide requested data will have the effect of preventing us from fulfilling your request or you from using the services offered by the Data Controller.

Transferring Data to a Third Country and/or an International Organisation
Personal Data may be transferred abroad, that is outside of Switzerland, limited to, however, the European Union or countries that provide an appropriate level of data protection, with respect to Swiss law, in accordance with the List compiled by the Federal authorities or the competent European authorities regarding data processing subject to the GDPR. The Data Subject is entitled to receive a copy of the data transferred. In the event of data transferred to extra-European countries, particularly to the United States, where the level of data protection is deemed inadequate, Personal Data may only be transferred to natural persons, institutions or companies that have subscribed to specific international agreements and/or instruments regulating Personal Data protection, e.g. the Swiss-U.S. / EU-US Privacy Shield. The Data Subject will be entitled to be informed about the level of protection affecting the Personal Data transfer by addressing RIVOPHARM SA in written form.

Personal Data Storage Period
Personal Data are stored on the Website for as long as it is necessary to fulfil the purpose for which data were collected in the first place, respectively to the extent to which there is a storage requirement set out by the law–normally 10 years. Once the purpose of collecting Personal Data is fulfilled, respectively once the storage requirement set out by the law expires, the Controller shall permanently and safely delete said data or, alternatively, attend to the anonymisation thereof. You may request the Data Controller a detailed policy on Personal Data storage via email. Alternatively, you may review it at our company head office.

Newsletter
The Controller will inform you of any updates as regards its activities free of charge by means of a Newsletter. You will only receive the Newsletter upon registration to the service by providing your email address. You can unsubscribe from the mailing list at any time and effective immediately by clicking on the “unsubscribe” link at the bottom of each email. Failure to subscribe to the Newsletter or unsubscribing from the mailing list does not in any way prevent you, in total or in part, from browsing the Website. The Controller will not track the behaviour of its Newsletter subscribers nor will it engage in any profiling activity in their respect. Besides, the Controller does not transfer any data to third parties, with the exception of the newsletter service provider, who receives the subscribers’ email addresses for the purpose of managing the Newsletter. Said provider must be located in Switzerland, in the EU or in the United States (in this case only provided that it has subscribed to the US-CH / EU Privacy Shield.)

Processors, Recipients or Recipient Categories, Access to Data
The Personal Data you provide may be disclosed to Recipients who will process them as appointed Processors and/or as natural persons acting under the Controller’s or the Processor’s authority. If acting autonomously, these individuals become proper Data Controllers. With the exception of data disclosed to comply with legal requirements, data may also be disclosed to the following categories of Recipients:

With regard to managing the Website and its related resources–especially Newsletter, backups, web design, graphics, maintenance, translation, hosting and Internet access–RIVOPHARM SA relies on external providers of goods and/or services operating in Switzerland, the European Union (EU) and/or in the United States. More specifically, the Website is hosted by Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103; cf. Privacy Policy (link). External providers can access the data only to the extent that is strictly needed to attend to their tasks accurately and efficiently, once they have agreed, by convention, to maintain confidentiality and not to make any use of said Personal Data. You can see the complete list of Data Processors at our company head office.

Email Communications and Risks
We would like to draw your attention to the following: (i) email does not guarantee that the transferred data will remain intact or confidential; (ii) many email service providers are located or their data are hosted in countries that do not provide appropriate personal data protection, such as the United States–please see the official downloadable updated list here; (iii) using an email service results in transferring data to and letting them be stored in a country that does not provide appropriate data protection. You authorise the Data Controller and its assistants to transfer via regular email, that is non-certified and non-encrypted email, documents and/or other information, including those referring to personal and/or confidential data, using the email address you provided when answering the request you made via phone or email. Fully aware of the abovementioned risks, you will not hold the Controller liable for any instance of unauthorised access by third parties to personal and/or confidential documents and/or information transferred or received via email by the Controller and/or its governing officers and assistants.

Links to Third-Party Resources
The Website includes links to websites, services and other Internet resources owned by third parties. The Controller shall not be liable for the content, security and availability of these websites and resources. Particularly, the Controller shall not verify nor make any representations or warranties pertaining to the privacy and data protection policies of any third party.

Security
Website security is ensured by adopting the appropriate measures reasonably required under the circumstances and proportionate to the risks against unauthorised access, usage, transfer, changes as well as loss or destruction of Personal Data. These measures are technical, physical or organisational in their nature. However, considering the status of the Internet as an “open network”, the Controller is not in a position to make any representations or warranties, nor shall it do so, that data will not be intercepted or collected by unauthorised third parties.

Users’ Rights
With the limitations set out by the LPD, any Data Subject can:

If the Data Processing falls into the territorial scope pursuant to Article 3 GDPR, the Data Subject can exercise the rights described in Articles 15, 16, 17, 18, 19, 20, 21, 22 GDPR, by addressing the Data Controller or Processor. You can, at any time, request from the Data Controller access to your Personal Data, as well as correction, deletion or limitation of the processing thereof, and you can object to the processing thereof and exercise your right to data portability. In the event data are processed in accordance with Article 6 par. I lett. a) or Article 9 par. II lett. a) GDPR, you have the right to withdraw your consent at any time without compromising the legitimacy of the processing based on the consent you had given before the withdrawal thereof. You have the right to file a complaint to the Supervisory Authority. In the event of a data portability request, the Data Controller shall provide you any data about you in a structured, commonly used and machine-readable form, subject to Article 20 par. III and IV GDPR.

D. COOKIES

Introduction
This section describes the Website policy as regards users’ personal data processing and the use of so-called cookies.

Technical Definition
A cookie is a text file that is placed on your browser by a web page or app server during your web browsing activity. Thanks to cookies, these websites or servers are able to recognise your browser both while you browse and afterwards. Cookies contribute to improving your online experience, for example by storing your preferences over time or by preventing you from having to login again any time you navigate to another page. Cookies may also be used to monitor your online behaviour, consequently affecting your privacy.

Types of Cookies
There are different types of cookies. With respect to the subject who places the cookies on your system, if it is the owner of the website you are browsing, then the cookie is a first-party cookie; if it is placed by an external website or server, it is called a third-party cookie. With respect to the duration of a cookie, session cookies are necessary for logging into a website, therefore they are deleted when you close your browser. Persistent cookies are stored on your device even after you have closed your browser and until they expire. With respect to the purpose of a cookie, a distinction should be made between technical and profiling cookies. The former category allows you to browse the Web and for the requested service to be delivered. These cookies are not used for any other purpose and are normally managed by the owner of the website you are browsing. Analytics or statistical cookies are similar to technical cookies in so far as they are used by the website owner to collect aggregated information about how many users have browsed the website and how they interact with it. Profiling cookies are generally third-party cookies used to assemble a user profile based on their online behaviour and habits, in order to show them custom ads.

Representation on Cookies by the Owner of the Website
This Website only implements technical session cookies, particularly to personalise the Website setup, keep the browsing activity active, analyse the traffic flow and user usage, and take care of the administration of the system. Collected data are processed anonymously and are not disclosed to any third party.
The Website does not implement profiling and/or tracking cookies.

Possibility to Disable or Clear Cookies and Technical Consequences
You may set up your browser so that it is notified when a cookie is received or so that it blocks cookies–either all of them or according to the cookie type or even according to the website cookies come from. If you decide to block all cookies, your decision also affects technical cookies and may result in serious limitations to using the Website. You may also clear cookies from your browser’s cache as well as set up your browser so that it automatically clears cookies when you close the program (recommended option). By default, browsers automatically accept cookies. You can find instructions on how to disable or clear cookies on your browser’s developers’ website. Please refer to the following instructions for the most common browsers: Microsoft Internet Explorer and Edge; Google Chrome; Apple Safari; Mozilla Firefox and Opera.
To reduce risks of online tracking, you can also do the following:

E. APPLICABLE LAW AND COURT JURISDICTION

The legal relationship between you and the Website owner with regard to accessing and using the Website and any resource connected to it is governed by Swiss substantive law, excluding international private law regulations. Both parties agree on the District Court in Lugano (TI) as the exclusive court jurisdiction for all controversies arising from or simply related to the use of the Website. The Website owner also reserves the right to appeal to the competent court where the headquarters, the branch or the user’s permanent address is located.

Effective as of: October 8th, 2018