Privacy Policy
Privacy Notice
Effective date: 10.05.2026
Version: 1.0
1. At a glance
This Privacy Notice explains how EIT Health InnoStars e.V. (InnoStars) processes personal data when you visit our website, contact us, or interact with the website features.
This notice covers the website at https://www.innostars.org, including its subdomains and language versions, unless a separate privacy notice is provided for a specific project, event, platform or programme.
We process data only on a defined legal basis (consent, contract, legal obligation, or legitimate interest), share it only where necessary, and keep it only as long as needed.
For data-protection enquiries or to exercise your rights, contact info@innostars.org. You may also lodge a complaint with a supervisory authority – for InnoStars, this is the Bavarian Data Protection Authority (BayLDA).
2. Who is responsible for your data
Controller: EIT Health InnoStars e.V.
Registered address: Mies-van-der-Rohe-Str. 1C, 80807 Munich, Germany
Privacy contact: info@innostars.org
3. How we process personal data
3.1. Website operation and security
When you visit our website, technical data are processed automatically so that the website can be delivered to your device, kept secure, and protected against misuse.
This may include:
- IP address
- date and time of access
- requested page or file
- referring page
- browser type and version
- operating system
- response status
- volume of data transferred
- server logs, error logs and security-event logs
We process this data to provide the website, maintain availability, diagnose errors, prevent misuse and protect the security of our systems.
The legal basis is Article 6(1)(f) GDPR: our legitimate interest in providing a secure, stable and functional website.
Our website is hosted by a professional hosting provider that provides hosting and related technical services to us and acts as our processor under Article 28 GDPR.
The provider may use authorised sub-processors for infrastructure, cloud, security, email-delivery, support and related technical services. A current list of sub-processors is available on request. Where personal data are transferred outside the European Economic Area, appropriate safeguards such as Standard Contractual Clauses or other permitted transfer mechanisms apply.
We may also use website security tools to protect the website against misuse, malicious requests, brute-force attacks and other security threats. These tools may process IP addresses, login attempt data, firewall data and related technical security logs. The legal basis is Article 6(1)(f) GDPR: our legitimate interest in maintaining the security and integrity of the website.
Server logs are retained only for as long as necessary for website delivery, security, troubleshooting and abuse prevention, and are then deleted or anonymised unless longer retention is required to investigate a security incident or establish, exercise or defend legal claims.
3.2. Cookies and similar technologies
Our website uses cookies and similar technologies, such as local storage, pixels, tags and embedded third-party content. We use these technologies for the following purposes:
- strictly necessary functions, such as website security, page loading, caching, form functionality, session management and remembering technical settings;
- analytics and performance measurement, to understand how the website is used, which content is relevant, how users navigate through the site and where engagement drops; and
- embedded third-party content, where you choose to load it, such as maps, videos or external media.
Strictly necessary technologies are used without your consent where they are required to provide the website or a feature requested by you. The legal bases are Section 25(2) TDDDG and Article 6(1)(f) GDPR: our legitimate interest in operating a secure and functional website.
Analytics, performance-measurement and embedded-content technologies are used only after you give your consent through our consent-management platform. The legal bases are Section 25(1) TDDDG and Article 6(1)(a) GDPR.
Depending on your choices and the technologies enabled, we may process technical and usage data relating to your visit and interactions, including identifiers and information about your device and browser, information derived from your network connection, information about how and when you interact with the website and its content, information about content you choose to load or play, and your consent status. The specific categories collected by each technology are listed in our Cookie Policy.
Some of these technologies may involve transfers of personal data outside the European Economic Area. Where this is the case, we rely on appropriate safeguards such as an adequacy decision of the European Commission, the EU-U.S. Data Privacy Framework where the recipient is certified, Standard Contractual Clauses and supplementary measures where required.
You can change or withdraw your consent at any time, with effect for the future, by clicking the consent-management icon in the website footer. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. We retain a record of your consent choices, including the relevant consent status, timestamp and consent identifier, in order to demonstrate compliance with Article 7(1) GDPR.
For further details, including the current list of cookies and similar technologies, providers, purposes, categories, retention periods, international-transfer mechanisms and any joint-controllership relationships where applicable, please refer to our Cookie Policy at https://innostars.org/cookie-policy/.
3.3. Contact enquiries
If you contact us by email, through a contact form, or by using contact details published on the website, we process the information you provide to respond to your enquiry.
This may include:
- name
- organisation
- role or function
- email address
- telephone number, if provided
- message content
- correspondence history
We process this data to respond to your enquiry, communicate with you, understand your organisation’s interests, and follow up where appropriate.
The legal basis is Article 6(1)(b) GDPR where your enquiry relates to a possible contract, collaboration or service request, and Article 6(1)(f) GDPR where we have a legitimate interest in responding to professional enquiries and maintaining stakeholder relationships.
Enquiry data are retained for as long as needed to handle the enquiry and any follow-up, and then deleted or archived according to our internal retention rules, unless a longer period is required for legal, contractual or legitimate business reasons.
4. Special-category data
Please do not send health data, patient data, clinical data, genetic data, biometric data, trade-union data, political opinions, religious beliefs or similar sensitive information through general website channels unless we have expressly requested it under a separate notice and secure process.
If a future project or website feature requires the processing of special-category data, we will provide separate privacy information and apply the additional safeguards required for that activity.
5. Recipients, processors and partners
We share personal data only where necessary for the purposes described in this notice.
Recipient categories may include:
- website hosting provider;
- IT support and website security providers;
- cookie-consent management provider;
- analytics and performance-measurement providers;
- embedded-content providers, where you choose to load maps, videos or external media;
- email and communications providers;
- professional advisers, where necessary;
- auditors, statutory advisers and tax advisers, where engaged by us;
- successor organisations or legal entities involved in a restructuring, merger, transfer of activities or change of legal form, where necessary;
- public authorities, where required by law.
6. International transfers
We aim to use providers located in the European Economic Area or in countries recognised as providing an adequate level of data protection.
Some of our service providers or their sub-processors may process personal data outside the European Economic Area. This may include transfers connected with analytics, performance measurement, embedded content, website security, hosting support or related technical services.
Where personal data are transferred outside the European Economic Area, we use appropriate safeguards such as adequacy decisions, the EU-U.S. Data Privacy Framework where the recipient is certified, Standard Contractual Clauses, supplementary measures or other mechanisms permitted by data-protection law.
7. Retention
We keep personal data only for as long as necessary for the purposes for which they were collected, unless a longer period is required for legal, tax, accounting, grant, audit, reporting, dispute or enforcement, contractual, security or legitimate-interest reasons.
For the launch website, the main retention rules are:
- website and security logs: retained only as long as necessary for security, troubleshooting and abuse prevention;
- necessary cookie and technical-setting data: retained only for as long as needed to provide the relevant website function, maintain security or remember essential technical settings;
- contact enquiries: retained for as long as needed to handle the enquiry and any reasonable follow-up;
- consent records: retained as long as necessary to demonstrate compliance with Art. 7(1) GDPR, in line with the retention period stated in our Cookie Policy.
Where a specific project, event, platform or programme requires different retention rules, those rules will be explained in the relevant notice.
8. Provision of personal data
Providing personal data through the website is generally voluntary. However, certain technical data are processed automatically when you access the website because they are necessary to deliver and secure it. If you contact us and do not provide the information needed to respond, we may not be able to handle your enquiry.
9. Your rights
Under GDPR, you have the following rights:
- Right of access (Art. 15) — you can ask us to confirm whether we process your data, and to provide a copy;
- Right to rectification (Art. 16) — you can ask us to correct inaccurate data;
- Right to erasure (Art. 17) — you can ask us to delete your data, where one of the grounds in Article 17(1) applies;
- Right to restriction (Art. 18) — you can ask us to restrict processing, where one of the grounds in Article 18(1) applies;
- Right to data portability (Art. 20) — where the processing is based on consent or contract and is automated, you can ask us to provide your data in a structured, commonly used, machine-readable format;
- Right to object (Art. 21) — you can object at any time to processing based on legitimate interests, including profiling; for direct marketing, your right to object is unconditional;
- Right to withdraw consent (Art. 7(3)) — you can withdraw your consent at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact info@innostars.org. We will respond within one month of receipt of the request, in accordance with Article 12(3) GDPR. We may extend this period by a further two months where necessary, taking into account the complexity and number of requests. We may need to verify your identity and clarify your request before responding.
You may lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
The supervisory authority currently identified as competent for InnoStars is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — https://www.lda.bayern.de
10. Automated decision-making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
11. Updates
We may update this Privacy Notice to reflect changes in our website, website features, systems, service providers or legal requirements. Material changes will be communicated through the website and, where appropriate, by direct notice. The current version will be published on this page with an effective date.
