Privacy policy

Privacy policy

The protection of your personal data is important to us. We therefore only process your data on the basis of the statutory provisions.

The information here describes how Institut AllergoSan Pharmazeutische Produkte Forschungs- und Vertriebs GmbH, its affiliated companies and any medical companies serviced or supported by one of the above companies (“we”), process personal data and personal interests collected from you (“data”).

1. Processing your data

When you provide us with data upon concluding a contract with us (e.g. purchasing one of our products or entering into a contract to attend an event) or sending us an enquiry (e.g. a question about a product or a query out of personal interest), we exclusively use that data – unless you have given your consent to more extensive data processing – for the purposes that are necessary to perform the contract or to answer your enquiry (Article 6(1)(b) of the General Data Protection Regulation (GDPR)). If you give your consent according to Article 6(1)(a) GDPR, and only if you give your consent, we may also use your data that you have provided to us with such consent for other purposes, such as sending scientific information in newsletters, etc. The exact purpose can be found in the respective declaration of consent. You give your consent to processing your personal data voluntarily. You can refuse such consent without any negative consequences for you. You can withdraw your consent at any time, but please note that any data processing which is required to perform contracts or statutory obligations may continue to be carried out by us even after such consent is withdrawn. Your data may be lawfully processed by us until your withdrawal has been received.

2. Sending your data to recipients

With your consent, your data is sent to the companies named in your declaration of consent that are affiliated with us, as well as to medical companies serviced or supported by us. These companies may also process your data only to the extent to which you have consented. We also outsource some data processing to external service providers. Your data is only made accessible to such processors to the extent that is required for their service. Processors are also subject to the strict requirements of data protection law and are bound to comply with the purposes of processing contractually specified to them by us, i.e. they must not use your data for other purposes.

We make your data accessible to the following processors:

  • IT service providers that we use (e.g. for data storage)
  • Logistics service providers (e.g. parcel services)
  • Communication service provider (e.g. fax and postal services)
  • Credit institutions for payment purposes
  • Tax advisers
  • Legal representatives or courts, if required

Some of these recipients are located outside the European Union (EU) or process your data outside the EU. We only transfer your data to countries for which the EU Commission has decided that there is an adequate level of data protection comparable to that in the EU. Your data is not disclosed to third parties for commercial use, unless you explicitly consent to such disclosure in a separate declaration.

3. Duration of storage

We only retain your data for as long as we consider reasonably necessary to fulfil the above purposes and as permitted by applicable law. In any case, we store your data for as long as statutory retention obligations apply or the limitation periods for potential legal claims have not yet expired.

4. Data processing when using our website

a. Access data saved in server log files

You can visit our websites without providing any personal details. We only store access data in server log files, such as the name of the requested file, date and time of retrieval, volume of data transferred and the requesting provider. The data is only analysed to ensure uninterrupted operation of the website and to improve our online presence and does not allow us to identify you. No personal data is processed by these websites without your active participation. Where personal data is collected on our websites (e.g. name, address, email address), this is always voluntary and requires a form to be actively filled out and submitted. This data is only used only by us to send information directly to you that you have explicitly requested by the exact purpose can be found in the respective declaration of consent).

b. Contacting us

If you contact us via the contact form on the website or by email, the data you provide is used exclusively to process your enquiry and is not processed for other purposes without your explicit consent.

c. Cookies

Our website uses cookies. Cookies are small text files, which are stored on your end device by means of your browser. They do not cause any damage. We use cookies to make our website user-friendly and design it according to your interests. Some cookies remain stored on your end device until you delete them. They allow us to recognise your browser on your next visit. If this is not what you want, you can configure your browser so that it will inform you about the setting of cookies and you can allow this only in the specific case. The functionality of our website may be restricted if you deactivate cookies.

d. Web analysis tools

Our website uses functions provided by various web analytics services, which are described below. We have concluded a corresponding processing agreement in each case with the providers. The data is processed on the basis of the statutory provisions of Section 165(3) of the Austrian Federal Telecommunications Act (TKG) and of Article 6(1)(a) (consent) and/or (f) (legitimate interest) GDPR. Our interest under GDPR (legitimate interest) is to improve our offering and our website.

i. Google Analytics

Google Analytics is a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses cookies to help the website analyse how users use the site. Your IP address is collected, but immediately pseudonymised (by deleting the last 8 bits). This means that it is only possible to determine your approximate location. The information generated as a result is transferred to the provider’s servers and stored there. Google uses this information on our behalf to analyse your use of our websites and compile reports on website activities, as well as for other services. Google retains user data for a period of 50 months. You can prevent this by configuring your browser not to store cookies. In addition, you can prevent Google from collecting the data created by the cookie and relating to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available at: http://tools.google.com/dlpage/gaoptout?hl=en. You can find more information about Google’s terms of user and privacy policy at: http://www.google.com/analytics/terms/en.html and https://www.google.de/intl/en/policies/.

ii. Google AdWords

We use Google Ads, an analytics service provided by Google, including Conversion Tracking. Google Ads places a "conversion cookie" on your device when you click on an ad placed by Google. These cookies only valid for 30 days and are not used to identify you personally. If you visit certain pages on our website, we and Google can see that you have clicked on the ad and have been redirected to this page. The information obtained by the conversion cookies is used to generate statistics that tell us the total number of users who have clicked on the ad placed by Google and have accessed a page that has a conversion tracking tag.

In addition to Conversion Tracking, we also use the Remarketing, Affinity Audiences, Custom Affinity Audiences, In-Market Audiences, Similar Audiences, and Demographic Targeting and Geographical Targeting features.

Using Google’s Remarketing feature, we reach users who have already visited our website and can display our ads according to their interests. Google AdWords also determines the common interests and characteristics of the users of our website based on user behaviour on websites in Google’s ad network ("display network") in the last 30 days and using the context-based search engine. Based on this information, AdWords then finds potential new customers for marketing purposes, whose interests and characteristics are similar to those of the users of our website. For the above web analytics tools, Google uses Standard Contractual Clauses (pursuant to Article 46(2) and (3) GDPR) as the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or for data transfer to those countries. Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Via these Clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the European Commission. You can find the decision and the relevant Standard Contractual Clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.

The creation of a new (third) Privacy Shield should be mentioned in this regard. The adequacy decision for the EU-US Data Privacy Framework has already been adopted by the European Commission (2023/4745 of 10 July 2023). The decision stipulates that the US shall ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new Framework. On the basis of the new adequacy decision, personal data can still be transferred securely from the EU to US companies participating in the Framework without needing to introduce additional data privacy safeguards. You can find more information about the terms of use and data protection for Google Ads at: http://www.google.com/policies/technologies/ads/. For more information about the data processed when using Google Analytics, see the privacy policy at: https://policies.google.com/privacy?hl=en.

iii. Microsoft Clarity

We use the Microsoft Clarity service (https://clarity.microsoft.com, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) to analyse the use of our website statistically. Using Microsoft Clarity, we can analyse user behaviour (mouse movements, clicks, scrolling, etc.) on our webpages and optimise our website. The information that is collected, such as IP address, location, time or frequency of visits to our website, is sent to Microsoft (normally on servers in the EU and the USA) and stored there.

For the web analytics tools, Microsoft uses Standard Contractual Clauses (pursuant to Article 46(2) and (3) GDPR) as the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or for data transfer to those countries. Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Via these Clauses, Microsoft undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the European Commission. You can find the decision and the relevant Standard Contractual Clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en. The Microsoft terms of data processing, which comply with the Standard Contractual Clauses, are available at: https://learn.microsoft.com/de-de/compliance/regulatory/offering-eu-model-clauses.

The creation of a new (third) Privacy Shield should be mentioned in this regard. The adequacy decision for the EU-US Data Privacy Framework has already been adopted by the European Commission (2023/4745 of 10 July 2023). The decision stipulates that the US shall ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new Framework. On the basis of the new adequacy decision, personal data can still be transferred securely from the EU to US companies participating in the Framework without needing to introduce additional data privacy safeguards. For more information about the data that is processed using Microsoft Clarity, see the privacy policy at: https://privacy.microsoft.com/en-GB/privacystatement.

iV. Facebook
We use the Facebook pixel from Facebook on our website, which is operated by Facebook Ireland Limited, 4 Grand Canal Quare, Dublin 2, Ireland (“Facebook”).

We have implemented code on our website for this purpose. The Facebook pixel is a snippet of JavaScript code that loads a collection of functions that Facebook can use to track your user actions, if you have come to our website via Facebook ads.

For example, if you purchase a product on our website, the Facebook pixel is triggered and stores your actions on our website in one or more cookies. These cookies enable Facebook to match your user data (customer data such as IP address and user ID) with the data from your Facebook account. Using the Facebook pixel, Facebook can define visitors to our online offering as a target group for displaying ads (“Facebook Ads”). Accordingly, we use the Facebook pixel to display the Facebook Ads we place only to those Facebook users who have also shown an interest in our online offering or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we send to Facebook. Using the Facebook pixel, we also want to ensure that our Facebook Ads match the potential interests of users and are not annoying. This allows us to analyse the effectiveness of Facebook Ads further for statistical and market research purposes by understanding whether users have been redirected to our website after clicking on a Facebook ad (“Conversion”). The data that is collected is anonymous and not visible to us and can only be used for displaying ads.

Using the Facebook pixel, our advertising measures can (overall) be better tailored to your wishes and interests. This means that Facebook users – if they have enabled personalised advertising – are shown appropriate advertising. Facebook also uses the collected data for analytical purposes and to display its own ads. Depending on interaction or individual user behaviour, different cookies are set on our website.

If you are logged in to Facebook, you can change your settings for ads yourself at: https://www.facebook.com/adpreferences/adisers/?entry_product=ad_settings_screen. If you are not a Facebook user, you can manage your usage-based online advertising at: https://www.youronlinechoices.com.

Facebook uses Standard Contractual Clauses (pursuant to Article 46(2) and (3) GDPR) as the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer to those countries. Via these Clauses, Facebook undertakes to comply adequately with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the European Commission. You can find the decision and the relevant Standard Contractual Clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.

The Facebook terms of data processing, which comply with the Standard Contractual Clauses, are available at: https://www.facebook.com/legal/terms/dataprocessing.

The creation of a new (third) Privacy Shield should be mentioned in this regard. The adequacy decision for the EU-US Data Privacy Framework has already been adopted by the European Commission (2023/4745 of 10 July 2023). The decision stipulates that the US shall ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new Framework. On the basis of the new adequacy decision, personal data can still be transferred securely from the EU to US companies participating in the Framework without needing to introduce additional data privacy safeguards.

If you want to find out more about data protection at Facebook, we recommend that you read the company's own privacy policy at https://www.facebook.com/policy.php.

We also use Facebook Conversions API, which is a server-side event tracking tool, on our website. The service is provided by the American company Meta Platforms Inc. Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) is responsible for the European area.

V. TikTok

On our website, we use the TikTok pixel provided by TikTok (for the EU: TikTok Information Technologies UK Limited, Aviation House, 125 Kingsway Holborn, London, WC2B 6NH). This is code that we have implemented on our website. This code is used to establish a connection with the TikTok servers to track behaviour on our website, if you give your explicit consent when you visit our website. For example, when you purchase a product on our website, the TikTok pixel is triggered and stores your actions on our website in one or more cookies. You may withdraw your consent at any time with effect for the future.

Personal data such as your IP address, your email address and other information such as device ID, device type and operating system may also be sent to TikTok. TikTok uses email details or other login or device information to identify the users of our website and link their actions to a TikTok user account.

Personal data such as your IP address, your email address and other information such as device ID, device type and operating system may also be sent to TikTok. TikTok uses email details or other login or device information to identify the users of our website and link their actions to a TikTok user account.

TikTok uses Standard Contractual Clauses (pursuant to Article 46(2) and (3) GDPR) as the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer to those countries. Via these Clauses, TikTok undertakes to comply adequately with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the third country. These clauses are based on an implementing decision of the European Commission. You can find the decision and the relevant Standard Contractual Clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.

Efforts to create a UK Data Protection Act should be mentioned in this regard. The adequacy decision for the EU-UL Data Privacy Framework has already been adopted by the European Commission (2021/1772 of 28 June 2021). The decision stipulates that the UK shall ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to UK companies under the new Framework. On the basis of the new adequacy decision, personal data can still be transferred securely from the EU to UK companies participating in the Framework without needing to introduce additional data privacy safeguards. TikTok's privacy policy is available at: https://www.tiktok.com/legal/new-privacy-policy?lang=en-GB.

VI. ActiveCampaign

We also use the ActiveCampaign service for various purposes. ActiveCampaign is a US software company with a branch in Ireland. Contact: ActiveCampaign, Inc., 1 N Dearborn St., 5th Floor, Chicago, Illinois 60602, USA.

ActiveCampaign is an integrated software solution that we use to cover different aspects of our online marketing. These include: email marketing, reporting, contact management (e.g. user segmentation & CRM), landing pages and contact forms.

Our registration service allows visitors to our website to learn more about our company, download content and make available their contact information and other demographic information. This information and the content of our website are stored on the servers of our software partner, ActiveCampaign. We may use them to contact visitors of our website and determine which of our company’s services are of interest to them. All information that we collect is subject to this privacy policy. We use all the information that is collected exclusively to optimise our marketing measures.

More information about the ActiveCampaign privacy policy is available at: https://www.ActiveCampaign.com/legal/privacy-policy.

More information from ActiveCampaign about the EU privacy rules is available at: https://www.ActiveCampaign.com/legal/gdpr-updates/privacy-shield

More information about the cookies used by ActiveCampaign is available at: https://www.ActiveCampaign.com/legal/cookie-policy.

The following data in particular may be collected and processed by ActiveCampaign as part of the effort to optimise our marketing measures:

  • Geographical location
  • Browser type
  • Navigation information
  • Referrer URL
  • Performance data
  • Information about use of the app
  • Mobile app data
  • Login information for the ActiveCampaign subscription service
  • Files displayed locally
  • Domain name
  • Pages viewed
  • Aggregated use
  • Version of the operating system
  • Internet service provider
  • IP address
  • Device identifier
  • Duration of visit
  • Where the app was downloaded from
  • Operating system
  • Events that occur within the app
  • Access times
  • Clickstream data
  • Device model and version

We are also using ActiveCampaign in the future to provide contact forms. This means using the ActiveCampaign service to make online forms available to you. For this purpose, we share your data to ActiveCampaign, which processes the data exclusively on our behalf. Please see the corresponding ActiveCampaign privacy policy. Please note here: if you contact us using contact forms, personal data may be sent to service providers in third-party countries. The security of the data transferred is generally safeguarded using Standard Contractual Clauses, which ensure that the processing of personal data is subject to a level of security corresponding to that under GDPR. If the Standard Contractual Clauses are an insufficient guarantee to establish an adequate level of security, your acknowledgement of the privacy statement for the contact forms is deemed to be consent within the meaning of Article 49(1)(a) GDPR, which allows data transfer to third countries.

The creation of a new (third) Privacy Shield should be mentioned in this regard. The adequacy decision for the EU-US Data Privacy Framework has already been adopted by the European Commission (2023/4745 of 10 July 2023). The decision stipulates that the US shall ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new Framework. On the basis of the new adequacy decision, personal data can still be transferred securely from the EU to US companies participating in the Framework without needing to introduce additional data privacy safeguards. If you do not want ActiveCampaign to collect and process the above data, you can refuse your consent or withdraw it at any time with effect for the future. The personal data is stored for as long as it is required to fulfil the purpose of processing. The data is deleted as soon as it is no longer required to fulfil the purpose.

e. Newsletter

You can subscribe to our newsletter via our website. To subscribe, we need your declaration that you consent to receiving the newsletter. We also collect and process information that is provided voluntarily relating to personal data and areas of interest so that we can provide you with targeted information. You can cancel your subscription to the newsletter at any time.

4. Data processing when using our website

Under applicable data privacy law, you have the following rights (subject to the conditions of the applicable law):

  • the right to request information about whether and which data we have stored about you and to receive copies of such data;
  • the right to request that your data, which is inaccurate or incomplete or not processed in accordance with the law, is rectified (corrected) or completed;
  • the right to request the erasure (deletion) of your data if there is no legally recognised basis preventing deletion (statutory retention periods);
  • the right to request that we restrict the processing of your data under the following conditions: -you contest the accuracy of your personal data; -instead of erasure (deletion) of unlawfully processed data, you request that their use is restricted; -you need processed data for the establishment, exercise or defence of legal claims; -when exercising the right to object, for the duration of the verification of whether legitimate grounds require further data processing;
  • the right under certain circumstances, to object to the processing of your data or to withdraw consent previously given to processing (the lawfulness of data processing carried out by us until your withdrawal of consent is not affected hereby);
  • the right to request transfer of data;
  • the right to know the identity of third parties to whom your data is sent; and
  • the right to lodge a complaint with the competent data protection supervisory authority.

    6. Right to object and right to withdraw consent

    You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation. This applies in particular if your data is processed on the basis of legitimate interest. In this case, we shall no longer process your personal data unless there are compelling legitimate grounds for processing that outweigh your interests, rights and freedoms.

    You also have the right to withdraw your consent to the processing of your personal data at any time. Please note that withdrawing your consent does not affect the lawfulness of the processing carried out prior to withdrawal.

    To exercise your right to object or your right to withdraw consent, you can contact us using the contact details provided in our privacy policy. We will process your enquiry as quickly as possible and reply.

    6. Our contact details

    If you have questions about the processing of your data or you want to exercise your rights as data subject, please contact us:


    Institut AllergoSan Pharma GmbH

    Gmeinstraße 13

    8055 Graz

    Email: datenschutz@allergosan.at

    For access requests, please also send a copy of a valid photo ID for the purposes of identification.