DATA PRIVACY POLICY

Scope

This Data Privacy Policy applies globally and is relevant to our customers, prospective customers, suppliers, service providers, employees, trainees, and job applicants.

Objective

The EU-General Data Protection Regulation (GDPR) governs the processing of personal data 2016/679, dated 27 April 2016, as well as Law 78-17 of 6 January 1978 (as amended) and accompanying implementation texts. We may collect and process your personal data as part of our operations. Out of respect for your privacy, we have created this Data Privacy Policy to transparently describe how we use your data, explain your rights, and detail the legal protections in place.

This policy is accessible online and may change at any time. Please review the online version regularly, especially before engaging with our services. The latest revision date appears at the top of this policy.

Relationship to Subsidiaries and Affiliated Companies

Pharmact Holding Inc. is a holding company that solely manages intellectual property rights and licensing activities. We do not sell products or provide commercial services directly to customers.

This Data Privacy Policy therefore applies only to the processing of personal data carried out by Pharmact Holding Inc. in the course of its own corporate functions (such as licensing, corporate administration, or HR-related processes).

Each subsidiary or affiliated company of Pharmact Holding Inc. (e.g., Pharmact Pharmaceuticals GmbH, RECELURA UG & Co. KG, or other) is a legally independent entity and acts as its own data controller under applicable data protection laws. These companies maintain their own data privacy policies, which apply to their specific operations, products, and services.

If you interact directly with one of our subsidiaries or affiliates, please consult the privacy policy published by that company. Pharmact Holding Inc. is not responsible for and does not govern the data protection practices of its subsidiaries or affiliated companies.

Contacting Subsidiary or Affiliated Companies

Please note that each subsidiary or affiliated company of Pharmact Holding Inc. is a separate legal entity and the controller of its own personal data processing.
Requests regarding data information, correction, or declarations relating to a specific subsidiary or affiliate must be submitted directly to that company, using the contact information provided in its respective privacy policy. Pharmact Holding Inc. cannot respond to or process such requests on behalf of its subsidiaries or affiliates.

Please contact the relevant subsidiary or affiliate directly, using the contact details provided in its respective privacy policy. Requests addressed through our contact webpage can only be processed where Pharmact Holding Inc. is the data controller.

Formal Notification for Healthcare Practitioners and Research Specialists

This notice outlines how Pharmact Holding Inc. processes personal data from healthcare professionals and researchers during interactions such as meetings, participation in programs, events, and communications. We may also collect data from sector-specific companies, public sources, and partners. Collected data may include:

  • Personal details (marital status, name, contact information).
  • Professional information (education, specialization, CV, official functions).
  • Information about your interactions with us and use of our services.
  • Communication preferences, browsing data, IP addresses, cookies.
  • Financial and banking information for payments or reimbursements.
  • National identity, passport, or tax numbers.

If you do not provide the required data, we may be unable to offer services, enter contracts, or meet legal obligations (which will be communicated to you).

Two specific information notices have been prepared in addition:

  • An information notice on personal data, directed at health professionals or those working in health and research.
  • An information notice on personal data, relating to health vigilance monitoring.

Key Concepts

Personal Data

Personal data refers to any information relating to an identified or identifiable individual, directly or indirectly. Identification may use an identifier like a name, ID number, customer code, social security number, email, web cookie, login, phone number, or date of birth.  It can also encompass elements specific to a person’s physical identity, such as biometric photographs, fingerprints, or handwriting. An individual can be identified using a combination of date of birth, address, and biometric data.

Data Processing

Processing includes any operation or sets of operations performed on personal data, whether automated or not. This covers collection, recording, organization, storage, adaptation, modification, retrieval, consultation, use, transmission, dissemination, alignment, interconnection, blocking, erasure, or destruction.

Data Processor

A processor is any individual or entity, including public authorities or other bodies, which processes personal data on behalf of, under the instruction of, or under the authority of the data controller.

Controller

The controller determines the purposes and means of processing and is responsible for implementing appropriate technical and organizational measures to ensure and demonstrate compliance with applicable regulations.

Pharmact Holding Inc., registered at Zugerstrasse 76B, CH-6340 Baar, Switzerland (CHE-101.500.286), is the Data Controller for your personal data.

Data Controller contact details are available on our website.

The Processing of Your Personal Data

Purposes for Collecting Personal Data

We collect and process personal data during our business to deliver high-quality services in a secure environment. Only data that is adequate, relevant, and limited to what is necessary for the specified purposes is collected. Data collection is essential for fulfilling pre-contractual measures, contracts, and assignments between you and Pharmact Holding Inc., as well as for legal, regulatory, and contractual compliance. We may also process personal data to protect our legitimate interests, including in the context of litigation or legal matters involving the company or its subsidiaries.

Without personal data, we may not be able to fulfill requests or provide subscribed services.

Collection Methods and Timing

Data processing is required to execute pre-contractual actions, create estimates, and fulfil contracts. For purposes beyond the contract, personal data may be collected based on your explicit, informed consent, evidenced by a positive action such as ticking a box on a form. When collecting data through third parties, such as health professionals or contractual partners, we ensure you are informed of our commitments and your rights.

Categories of Recipients

Internal departments within Pharmact Holding Inc. (such as finance, legal, HR…) and, where strictly necessary, subsidiaries or affiliates in cases where a direct business or legal relationship makes such sharing required. In such cases, each entity remains an independent data controller.

Transfer of Personal Data Outside the EEA

Personal data can be transferred outside the European Economic Area (EEA) to service providers and customer service departments.  These transfers are regulated by European Commission standard contractual clauses, internal corporate policies, or alternative mechanisms that guarantee sufficient data protection.

Retention Periods

Personal data is stored for the period required to achieve the purposes for which it was collected.  This is three years after the end of our relationship with you, but may be longer in certain cases (e.g., litigation or regulatory compliance). After use, data is deleted or anonymized.  Anonymization permanently removes identifying information from personal data.

Data Protection Commitment

Pharmact Holding Inc. is committed to safeguarding personal data through the integration of robust technical and organisational measures at every stage of product, service, website, and application development. Our security protocols are designed to protect data from intrusion, loss, alteration, and unauthorised disclosure. All data transfers are encrypted using Secure Socket Layer (SSL) technology to enhance protection during exchange.

While these measures provide strong security, absolute protection against hacking or illegal disclosure cannot be guaranteed. If there is a high risk to your rights and freedoms, affected individuals will be informed as quickly as possible.

Our employees receive training in proper data handling and must adhere to company policies and relevant regulations. We work exclusively with third parties who maintain privacy standards equivalent to our own and restrict access to the minimum data necessary to fulfil contractual requirements. Data exchanges utilise secure protocols, and subcontractors undergo regular audits to ensure compliance. Access to our IT systems is limited to authorised personnel only, and no personal data is shared with business partners without your prior consent and the opportunity to object.

Pharmact Holding Inc. ensures data protection by incorporating appropriate technical and organizational measures from the design stage of products, services, websites, and applications. Data is safeguarded from intrusion, loss, alteration, and unauthorized disclosure.  Transfers are encrypted via Secure Socket Layer (SSL) protocol. Even with these measures, total protection from hacking or illegal disclosure is not possible.  In the event of a personal data breach, we will notify the competent supervisory authority as fast as feasible.

Notification of Personal Data Breaches

In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours or as soon as possible, what ever will be realistic possible. This ensures that any incident involving the loss, alteration, or unauthorised disclosure of personal data is addressed in accordance with regulatory requirements. Timely notification is an essential part of our commitment to data protection, helping to safeguard your rights and facilitate appropriate remedial action.

Employees receive data handling training and must follow company rules and regulations.  We work only with third parties who meet privacy standards and limit access to essential data. Secure protocols are used for data exchange, and subcontractors are subject to regular audits. Our IT systems are accessible only by authorized personnel. No personal data is disclosed to business partners without your prior consent and the opportunity to object.

Your Rights Regarding Personal Data

Under applicable regulations, you have the following rights, which can be exercised via our website:

  • Access to your personal data.
  • Rectification of existing personal data.
  • Deletion of your personal data provided this does not conflict with regulatory or contractual obligations.
  • Portability of your data (retrieval in a structured, commonly used, machine-readable format).
  • Objection to the processing of your data.
  • Restriction of processing to verify accuracy, oppose deletion, or defend legal claims.

Consent may be withdrawn at any time.

  • The right to determine what happens to your data after your death.
  • Submitting a complaint to the competent supervisory authority in accordance with GDPR.

Cookies

Definition

According to the EDPB (EUROPEAN DATA PROTECTION BOARD), a cookie is a small computer file, or tracer, deposited and read, for example, when visiting a website, reading an email, or using software or applications, regardless of device type. The term covers HTTP cookies, Flash cookies, results of fingerprinting, web bugs, and any other unique identifier created by software or an operating system.

Use of Cookies

Certain cookies are exempt from requiring user consent, as they either do not process personal data or are essential for providing requested services.  The use of other cookies requires your prior consent. You may prevent cookies from being stored or read by deleting them or adjusting your browser settings.

Browser and Device Settings

Your browser and device settings may affect your website experience and access to certain services. You can manage cookie preferences at any time. We are not responsible if some website features do not work when cookies are disabled or deleted.

Browser Configuration

Most browsers accept cookies by default, but you may block them or set notifications for new cookies. Refer to your browser’s help menu for instructions. Links to cookie management guides for popular browsers are available.

Smartphone Privacy Settings

You can reset your Ad ID and adjust privacy settings on your smartphone. Instructions are available for Android systems.

Analytical Cookies

You may set your browser to reject third-party cookies or block specific suppliers. Options include browser plug-ins and services like Google Adwords, YouronlineChoices, and XITI for cookie management.

Use of Personal Data

Your data may be utilized for the following purposes:

  • Setting up, monitoring, and evaluating activities, such as training or information campaigns.

  • Responding to questions and information requests.

  • Conducting market research, satisfaction surveys, or monitoring interest in information provided.

  • Establishing scientific collaborations or research.

  • Managing databases to personalize and monitor interactions.

  • Inviting participation in congresses, professional and scientific meetings, and training events.

  • Analysing and predicting profiles to personalize communications and improve services (including profiling).

  • Consolidation and economic management control within Pharmact Holding Inc. and, where legally required, its subsidiaries or affiliates.

  • Meeting legal obligations, such as vigilance (monitoring and reporting adverse events, product claims, and safety), transparency, anti-corruption, and eligibility verification for certain products or services.

  • Fulfilling contractual obligations, such as setting up contracts, remunerating services, reimbursing expenses, implementing projects, managing travel, and participation in research.

  • Sending consented personalized messages and newsletters.

Recipients of Personal Data

Data may be disclosed to the following parties, depending on the specific context:

    • Authorized personnel of Pharmact Holding Inc. (for corporate functions) or, where applicable, independent affiliates in the context of their own responsibilities. Each entity remains an independent controller.

    • Regulatory and professional bodies for transparency requirements.

    • Regulatory authorities, protection committees, or other bodies for legal processes.

    • Third parties acting as subcontractors or health sector service providers.

    • Other healthcare professionals in collaborative projects.

    • Companies involved in development, distribution, or marketing through group subsidiaries, and in mergers or acquisitions

Data Retention

Personal data is held for the period required to meet the purposes outlined in this notice and to comply with applicable legal and regulatory obligations. Typically, this is up to three years after the end of our relationship but may be longer in certain cases. Data is deleted or anonymized when it is no longer required. Personal data may also be transferred outside the European Union when necessary, subject to appropriate safeguards.

Rights Regarding Personal Data

You have the right to:

  • Access your personal data.
  • Rectify existing data.
  • Data portability (retrieve data in a structured, commonly used, machine-readable format).
  • Object to processing.
  • Restrict processing to verify accuracy, oppose deletion, or defend rights in court.
  • Withdraw consent at any time where applicable.
  • Give instructions regarding your data after death.
  • Lodge a complaint with the National Commission for Data Processing and Liberties.

Requests related to information, correction, or event declarations should be submitted via our designated webpage, provided that Pharmact Holding Inc. is the data controller.

Information on health care monitoring

This notice is addressed to people whose data are processed for health surveillance, including pharmacovigilance monitoring. Affected persons can be reporters, such as health professionals, members of professional associations, representatives of health authorities, or directly affected individuals who report adverse health events.

Personal Data Used by Pharmact Holding Inc.

Personal data can be collected directly from the exposed person or indirectly through a third-party report. This data may include:

    • Information necessary to assess the adverse health event (e.g., age, birthdate, sex, weight, height, anonymized codes).

    • Product identification details (type, serial number, etc.).

    • Health data (treatments, examination results, adverse reactions, medical history, risk factors, prescription methods, management details).

    • Additional data (work life, tobacco or alcohol use, medical product use, lifestyle, and behavior).

    • Contact details of the notifier and, where relevant, the healthcare professional’s details.

.An adverse event reported directly by an affected individual may lift the anonymity of their identity.

Purpose of Processing

Data is managed in accordance with health vigilance protocols, encompassing the collection, recording, analysis, monitoring, documentation, transmission, and storage of information pertaining to adverse events associated with products licensed by Pharmact Holding Inc. and made available on the market by subsidiaries such as Pharmact Pharmaceuticals GmbH. Contact management may involve communication with the notifier or relevant healthcare professionals in compliance with medical confidentiality.

Processing is carried out to fulfill legal requirements, for reasons of public interest, and to ensure adherence to quality and safety standards for healthcare and related products.

Recipients of Personal Data

Depending on the purpose, data may be disclosed to:

  • Vigilance managers and their teams.

  • Audit staff for regulatory compliance.

  • Personnel in charge of complaints management.

  • Subcontractors working on behalf of the relevant Pharmact group company.

  • Pharmact subsidiaries or affiliates involved in vigilance processes, each as independent controllers.

  • Third parties whose products may be involved, excluding directly identifying data of the affected individual.

  • Healthcare professionals involved in the case or able to provide further details.

  • National and international public health bodies, excluding directly identifying data.

Data Retention

Data is stored for the period required by applicable regulatory requirements. If retention is not otherwise specified, it may be maintained for up to seventy years following the withdrawal of the relevant product from the market.

Additional Clauses for Cosmetic Products, Proprietary Enzyme, and UK GDPR Compliance

Cosmetic Products and Proprietary Enzyme-Based Ingredients

Cosmetic products containing proprietary hyaluronidase enzyme are developed, manufactured, and marketed by Pharmact group subsidiaries (such as Pharmact Pharmaceuticals GmbH). Pharmact Holding Inc. does not distribute products but licenses intellectual property. These cosmetic products, intended solely for skin care and aesthetic purposes, are regulated by EU, UK, and comparable international standards. They do not make therapeutic claims.
Personal data for cosmetic products is collected and processed per vigilance requirements, including documenting and assessing Serious Undesirable Effects as defined by law. Data concerning cosmetic vigilance is maintained separately from pharmaceutical vigilance information to comply with distinct legal frameworks.

UK GDPR Compliance

In the UK, personal data relating to the marketing or distribution of products by Pharmact group companies is processed under the UK GDPR and the Data Protection Act 2018, overseen by the ICO. International transfers rely on safeguards such as the International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses. All products marketed or distributed in the UK by group companies comply with vigilance, labeling, and consumer protection requirements.

Joint Medical and Cosmetic Use of Proprietary Hyaluronidase Enzyme

The proprietary hyaluronidase enzyme licensed by Pharmact Holding Inc. serves dual purposes in both medical and cosmetic applications.

  • In cosmetic formulations, this enzyme is strictly designated as a non-medical and non-therapeutic ingredient, used solely for aesthetic purposes.

  • In medical contexts, subsidiaries such as Pharmact Pharmaceuticals GmbH handle all regulatory and vigilance obligations under pharmaceutical law.

Disclaimer on Responsibilities within Pharmact Group

Pharmact Holding Inc. does not market, distribute, or sell pharmaceutical or cosmetic products. All such operational activities are carried out exclusively by independent subsidiaries or affiliated companies, such as Pharmact Pharmaceuticals GmbH.

References in this policy to regulatory, vigilance, or product-related processing should therefore be understood as relating to those entities. Pharmact Holding Inc. acts solely as licensor and intellectual property rights holder and cannot be held operationally responsible for product-related compliance.