Privacy Policy

Privacy Statement

If you visit our website, request information via our website, contact us by phone, or request some other service from us, we record personal data of you. We are careful with the processing and protection of your personal data. We respect and uphold the laws and regulations in the field of the protection of personal data, such as the General Data Protection Regulation (GDPR). In this privacy statement, you can read how we deal with your personal data.

This statement applies only to the platforms that are owned by Ventus Therapeutics, which is not responsible for the privacy practices of other sites and (online) resources available on our platforms. If you have any questions about this privacy policy or have a complaint about the way in which we deal with your personal data, you can contact DPO Consultancy, our Data Privacy Representative, at dpr@dpoconsultancy.nl.

What is personal data and what is meant by processing of personal data?

Personal data is any information about an identified or identifiable natural person. Each piece of information with which a person can be identified, directly or indirectly, is personal data. This could include, for example, your name, contact details, and any other information that is or can be linked to you, including your email address, location information, login code, etc.

What falls under processing of personal data is defined as any act or set of acts related to or performed on personal data.

Who is the controller of your personal data?

Ventus Therapeutics is responsible for the processing of your personal data. This means that Ventus Therapeutics determines the purpose and means of the processing itself and that Ventus Therapeutics is responsible for regulatory compliance. Our Data Privacy Representative assists Ventus Therapeutics as the controller of your personal data and can be reached at dpr@dpoconsultancy.nl.

Why do we use your personal data?

• to get in touch with you;
• to send information to you;
• for informing and advising;
• for the handling of complaints and compliments; and/or
• to be able to defend our company in legal disputes and defend our legal rights.

If you no longer wish to receive information from Ventus Therapeutics, you are always free to unsubscribe from our email list via the link at the bottom of our emails to you.

Why are we allowed to process your personal data?

According to legislation, in particular the GDPR, Ventus Therapeutics may only process personal data if one of the legal bases applies:

1. after obtaining consent from the person whose personal data we process;
2. in the context of the formation and / or execution of an agreement;
3. to comply with the law; and
4. in connection with the legitimate interests of Ventus Therapeutics, where Ventus Therapeutics ensures that the impact on your privacy is as limited as possible.

For example, personal data may be processed:

1. when we receive a request for information from you;
2. when we are making you an offer or executing a contract with you;
3. for legal purposes (including accounting treatment, tax obligations, and obligations in connection with court orders or other mandatory laws and regulations); and/or
4. to keep a database of customers or people we have interacted with.

How long do we keep your personal data?

Ventus Therapeutics does not store personal data longer than necessary for the purposes for which the data are processed, and in any case, for as long as specific regulations require. The retention periods for cookies are listed in the cookie statement, found here.

How do we obtain your personal data?

We obtain your personal data such as your name and contact information when you provide it to us, such as when you request information from us, interact with us via our website, email us, call us, and/or meet us in person. We also obtain information about you if you apply for a job opening at our company or show interest in the job opening by interacting with us.

Your rights as a data subject

Data subjects have the following rights with regard to their personal data and its processing:

• Right of access (Art. 15 GDPR) by the data subject to obtain information about how their personal data is processed, including:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, including recipients in a non-EU member country that has adopted a national law implementing GDPR (a “third country”), and information on the respective safeguards in place relating to the transfer to the third country;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information to their source; and/or
• the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The data subject shall also be provided with a copy of the personal information in a commonly used electronic form, upon request.

• Right to rectification (Art. 16 GDPR) of inaccurate personal data, as well as, taking into account the purposes of the processing, the right to have incomplete personal data completed.

• Right to erasure (be forgotten) (Art. 17 GDPR) of personal data where:

1. the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. the data subject has withdrawn consent and there are no other legal grounds for the processing;
3. the data subject exercises the right to object and there are no compelling legitimate grounds for processing;
4. the personal data has been unlawfully processed; and/or
5. the personal data has to be erased for compliance with a legal obligation applicable to Ventus Therapeutics.

• Right to restriction of processing (Art. 18 GDPR) (i.e., data will be blocked from normal processing but not erased) where:
• the data subject contests the accuracy of the personal data, for a period enabling us to verify the accuracy;
• the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the personal data is no longer necessary for the purposes of the processing, but is required by you for the establishment, exercise, or defense of legal claims; and/or
• the data subject has exercised the right to object, pending verification whether Ventus Therapeutics has legitimate grounds that override those of the data subject.

• Right of data portability (Art. 20 GDPR). Where processing is based on consent or on a contract, the data subject shall have the right to obtain a copy of the data in a structured, commonly used, and machine-readable format and the right to transmit that data to another controller without hindrance.

• Right of objection (Art. 21 GDPR) to the processing of personal data based on Ventus Therapeutics’ legitimate interests, provided that there are no compelling legitimate grounds for the processing that would override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

• Right not to be subject to automated individual decision-making, including profiling (Art. 22 GDPR). This right does not apply when processing is based on explicit consent.

• Right to withdraw consent (Art. 7 GDPR). Where processing is based on consent, the data subject has the right to withdraw their consent at any time, without affecting the lawfulness of the processing prior to such withdrawal.

Subscribing to our Email List

You can subscribe to the email notification list of Ventus Therapeutics. Through these emails, we will keep you updated about our company and relevant news and events. In every email update that you receive, there is a link via which you can unsubscribe from receiving future updates.

What personal data is collected by Ventus Therapeutics?

We collect the following information about you:

• Name(s);
• Company name;
• Business email; and
• Information we receive via our contact forms or via email correspondence

With whom and why do we share your personal data?

We use third parties to manage our website. It is possible that these third parties have access to your personal data. If that is the case, we take appropriate measures to ensure that your data is adequately secured and used exclusively for the intended purposes. Your personal data will under no circumstances be sold to these third parties by Ventus Therapeutics. Ventus Therapeutics may:

1. Pass on and receive your personal data within Ventus Therapeutics: We can exchange your (personal) data between the various employees within the organization, insofar as this is necessary in view of the purpose of the data processing.

• Pass on and receive your personal data outside Ventus Therapeutics if there is a legitimate purpose: The purpose of processing your personal data may involve sharing personal data with other organizations. Insofar as there is no explicit consent or legal obligation, this exchange of information will only take place based on the execution of the agreement between you and Ventus Therapeutics or when Ventus Therapeutics has a legitimate interest.

• Not use your personal data commercially: Ventus Therapeutics will not sell your personal data to third parties without your permission.

Personal data of EU residents transferred outside the European Economic Area.

We ensure that our third parties do not simply process your data outside the European Union. If this does happen, we will have agreements in place with this party in order to ensure the proper level of protection of the GDPR is secured. Furthermore, we will not disclose the information you provide to other parties, unless it is necessary (i) in the context of the performance of your agreement with us, (ii) if it is legally required or permitted, (iii) if you consent, or (iv) if we have a legitimate interest in doing so.

Security

Ventus Therapeutics has taken appropriate technical and organizational measures to protect the personal data against loss or against any form of unlawful processing. Ventus Therapeutics has established an information security policy and taken physical, organizational, and electronic measures with due observance thereof. Your data is transmitted over secure connections over the internet. We contractually commit third parties who are engaged in the management and development of the website to respect the confidentiality of your data.

View, delete, and change: what are your privacy rights?

You have the right to access your personal data, the right to request correction, limitation, or removal of your personal data, and the right to also request the transfer of your data. Finally, you can object to the use of your data.

If the processing of your data is based on permission, you can withdraw it at any time. You can send your written requests or questions related to privacy-related matters to our Data Privacy Representative, DPO Consultancy, at dpr@dpoconsultancy.nl. In order for our DPR or Ventus Therapeutics to correctly identify you, we will call you and ask you verification questions. You will then receive an answer from us within 30 days.

You are also entitled to submit a complaint about the use of your data with your national Data Protection Authority.

Changes

We reserve the right to make changes to this privacy statement. Therefore, check the Privacy Statement regularly for the latest version of our privacy policy.

Questions?

If you have any questions about our privacy policy, please contact us via our Data Privacy Representative, DPO Consultancy, at  dpr@dpoconsultancy.nl.

This privacy statement was last modified on July 6, 2023.