Privacy Policy
Last Updated: January 2024
This Privacy Policy sets out the steps that IO Biotech ApS (“IO Biotech”, “we”, “us”) takes to ensure that any Personal Data provided to us when you visit our website (www.iobiotech.com) (the “Site”), contact us via the Site, subscribe to our newsletter or otherwise interact with us is kept secure and confidential and is used only for the purposes for which it is provided. This Privacy Policy does not apply to Personal Data collected:
- by us (or our vendors), offline or through any other means including, should you enroll or otherwise participate in a clinical trial sponsored by us in which case we will provide you with a separate privacy notice; or
- about job applicants or our employees – which, in certain jurisdictions, is governed by separate privacy notices; and/or
- by any third party, including through any application or content (including advertising) that may link to or be available from the Site.
IO Biotech acts as controller for the processing activities described in this Privacy Policy. “Personal Data” as used in this Privacy Policy means any information that identifies an individual or from which an individual is identifiable.
Please read this Privacy Policy carefully in order to understand how we process your Personal Data. If you have any questions regarding IO Biotech’s processing of your Personal Data, please contact our Data Protection Officer (see Section 12 below).
This Privacy Policy addresses the following topics:
- Categories of Personal Data
- Purposes and legal bases for processing
- Sharing of Personal Data
- Retention period
- Your data privacy rights
- International Transfers
- Other websites
- Changes to the Privacy Policy
- Contact Us
1. Categories of Personal Data
1.1 We collect and process the following types of Personal Data:
- Personal identifiers and contact details such as your name, email address and Internet Protocol (IP) address;
- Internet or other electronic activity information such as your browser type and operating system, the websites you visited before and after visiting the Site, the pages you view and links you click on within the Site, information about your interactions with e-mail messages, such as the links clicked on and whether the messages were received, opened, or forwarded; and Standard Server Log Information; and
- Supplier Personal Data if you are a supplier or service provider of IO Biotech, we may also collect your job role and title and if you are an individual (e.g., a sole trader), your bank account details.
- Any other information you voluntarily provide to us e.g., when you contact us.
1.2 Sources of Personal Data
We collect Personal Data directly from you when you visit our Site, when you contact us via the Site, request information about our business or clinical trials, where you subscribe to receive our newsletter, where you interact with us as a supplier or service provider, or a representative, and when you otherwise voluntarily provide us with your Personal Data.
As is now common with most websites, our Site uses cookies and may use other online tracking tools (e.g., web beacons) to automatically collect information about your IP address, your use of the Site, or other websites you may visit after ours. Cookies are small data files generated by a website and saved by your web browser. They are used to help users navigate websites efficiently as well as to provide information to the owner of the websites. To find out more about what cookies we use and how we use them, please consult our Cookies Policy [here].
2. Purposes and legal basis for processing
We use and process your Personal Data for the purposes and legal bases set out below:
| Categories of Personal Data | Use/Purpose | Lawful Basis |
| Personal identifiers | Communicating with you, providing you with information about our business, and customer service. | IO Biotech has a legitimate interest to operate its Site, communicate with you upon your request and keep records in case of complaints / legal claims (Article 6(1)(f), GDPR) |
| Internet or other electronic activity information | Administer, analyze, improve, and personalize our Site (including, testing, troubleshooting and research). | IO Biotech has a legitimate interest in providing the Site and processing Personal Data to see if and how its Site can be improved, so that it can offer you a better user experience in the future (Article 6(1)(f), GDPR) |
| Personal identifiers | Contact you with respect to products and/or services offered by us which we believe may interest you (including direct marketing) unless you advise us that you do not wish to receive marketing or market research communications from us | If applicable law requires that we receive your consent before we send you certain types of marketing communications, we will only send you those types of communications after receiving your consent (Article 6(1)(a), GDPR). If you wish to stop receiving marketing or market research communications from us, you can unsubscribe via the link at the bottom of the relevant marketing e-mail or contact us using the contact details below
IO Biotech has a legitimate interest to carry out direct marketing in certain instances (Article 6(1)(f), GDPR) |
| Personal identifiers and Supplier Personal Data | To manage our suppliers and service providers, including procurement, contract management and payment of invoices | IO Biotech may be required to process personal data for the performance of its contract with you (Article 6(1)(b), GDPR)
IO Biotech has a legitimate interest to manage its business (Article 6(1)(f), GDPR) |
| Personal identifiers and Internet or other electronic activity information | To ensure network and information security, including monitoring authorized users’ access to our Site for the purpose of preventing cyber-attacks, unauthorized use of our systems and Site, prevention or detection of crime and protection of Personal Data. | IO Biotech has a legitimate interest in ensuring its systems / Site are secure and that individuals are using its systems / Site correctly and in compliance with its Terms of Use (Article 6(1)(f) GDPR) |
| Personal identifiers, Internet or other electronic activity information and Supplier Personal Data | Carrying out audits and internal investigations, to investigate and resolve complaints, to comply with data subject requests and to respond to breaches. | IO Biotech has a legitimate interest to manage its business and to ensure that all investigations and proceedings etc. are managed efficiently and effectively (Article 6(1)(f), GDPR)
IO Biotech may have a legal obligation to do so e.g., to respond to a data subject request (Article 6(1)(c), GDPR) |
| Personal identifiers, Internet or other electronic activity information and Supplier Personal Data | Preparing for and acting in relation to enquiries, investigations, legal claims, or proceedings, by governmental, administrative, judicial, or regulatory authorities, including civil litigation | IO Biotech has a legitimate interest to manage its business and to ensure that all investigations and proceedings are managed efficiently and effectively (Article 6(1)(f), GDPR)
IO Biotech may have a legal obligation to do so (Article 6(1)(c), GDPR) |
| Personal identifiers, Internet or other electronic activity information and Supplier Personal Data | In connection with a potential asset or stock acquisition of IO Biotech, or the outsourcing or insourcing of services provided by employees, providing reasonable diligence material to a third party, or meeting any disclosure obligations as required by law | IO Biotech has a legitimate interest to manage its business (Article 6(1)(f), GDPR) |
You have a right to object to the processing of your Personal Data where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfil this request in all instances.
Consequences of not providing Personal Data: Where we need to collect the abovementioned categories of Personal Data by virtue of a legal obligation and you do not provide this Personal Data when requested, we may not be able to comply with our legal obligations or provide you with the services requested. In such case, we may have to terminate our relationship with you.
3. Sharing of Personal Data
We make Personal Data available to our business partners, including IT suppliers that stores and process Personal Data on our behalf. Such business partners and suppliers are subject to IO Biotech’s instructions regarding the storing and processing of Personal Data. Further, it is IO Biotech’s responsibility that the storing and processing is in accordance with the data privacy legislation.
We also share your Personal Data as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property, or safety of others, including to law enforcement agencies, and judicial and regulatory authorities. We also share your Personal Data with third parties to help detect and protect against fraud or data security vulnerabilities. And we may transfer your Personal Data to a third party in the event of a sale, merger, reorganization of our entity or other restructuring.
4. Retention period
We store Personal Data for as long as necessary to fulfil the purposes described above. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of the Personal Data, the purposes for which we process the Personal Data and whether we can achieve those purposes through other means. We also consider the applicable legal requirements and the extent to which it is necessary to process the Personal Data. In exceptional cases (e.g., in pending litigation matters or where the law requires us to) your Personal Data may need to be kept for longer periods of time.
5. Your data privacy rights
You have the following rights with regard to Personal Data which we process about you, which may be subject to limitations and/or restrictions:
- You have the right to request access to the Personal Data we process about you.
- You have the right to request us to rectify any Personal Data that might be incorrect, as well as the right to request us to restrict the processing of your Personal Data.
- You may request to receive a copy of your Personal Data that you provided to us or have this disclosed to a third party, in a structured, commonly used, and machine-readable format, if our processing of such Personal Data is based on your consent or a contract that you concluded with us (data portability).
- You have the right to request that we erase your Personal Data or object to the processing of your Personal Data.
- You have the right to withdraw consent to the processing of your Personal Data at any time.
You also have the right to lodge a complaint with the competent data protection supervisory authority.
6. International Transfers
IO Biotech will, for the purposes identified above, transfer Personal Data to recipients as referred to above, that are located in countries outside the European Economic Area (“EEA”)/ UK, including the US, and which are not considered to provide an adequate level of data protection by the European Commission or the UK Government respectively (as applicable). Personal Data will only be transferred from the EEA/UK to a recipient in a country which is not considered to provide an adequate level of data protection when the transfer is made in compliance with applicable data protection and privacy laws (e.g., by entering into standard contractual clauses (“SCCs”) with the recipient, relying on the recipients Binding Corporate Rules, or by or relying on the recipient’s self-certification to the EU-U.S. Data Privacy Framework (or UK Extension thereof). Transfers may also take place in reliance on a derogation such as, where the transfer is necessary for performance or a contract or the establishment or defense of legal claims).
IO Biotech has entered into standard contractual clauses (“SCCs”) for intragroup transfers of Personal Data from IO Biotech ApS and IO Biotech UK Limited, to IO Bio US Inc. The categories of Personal Data processed by IO Bio US Inc. are set out above. IO Bio US Inc. may also transfer Personal Data to third party recipients who may be located outside the EEA/UK for the purposes set out above. IO Bio US Inc. will only make such onward transfers to recipients ensuring appropriate safeguards pursuant to applicable data protection and privacy laws, or where otherwise permitted by the SCCs.
You can request further information in relation to international transfers and/or a copy of the SCCs by contacting the Data Protection Officer.
7. Other Websites
If our Site provides links to other websites, these websites may operate independently from us and may have their own privacy notices or policies, which we advise you to review. To the extent any linked websites or apps are not owned or controlled by us, we are not responsible for their content.
8. Changes to the Privacy Policy
We will review and update this Privacy Policy as required to keep current with rules and regulations, new technologies and security standards. We will post those changes on the Site or update the “last updated” date of the Privacy Policy. In certain cases, and if the changes are material, you will be notified via email or a notice on our Site.
9. Contact Us
Please do not hesitate to contact us if you have any questions in regard to the protection of your Personal Data or if you wish to exercise your data protection rights (as described in Section 4 above).
IO Biotech ApS, Ole Maaløes Vej 3, DK-2200 Copenhagen N, Denmark
Data Protection Officer: privacy@iobiotech.com
