This Privacy Notice contains general information on what personal data MoonLake Immunotherapeutics AG – https://www.moonlaketx.com (‘MoonLake‘ ‘we‘ ‘us‘ or ‘our‘) collects, uses, and discloses information and what rights you have.

Data protection is of a particularly high priority for us. If you have any questions or comments, please contact ab@gb-swiss.ch.

‘Personal data’ is any information that relates to an identified or identifiable natural person.

The processing of your personal data shall always be in line with the Swiss Federal Act on Data Protection (FADP), and, if applicable, the EU General Data Protection Regulation (GDPR). We seek to comply with the country-specific data protection regulations applicable to MoonLake.

By means of this Privacy Notice, we would like to inform you of the nature, scope, and purpose of the personal data we collect, use and process and which rights you have.

As the controller, MoonLake has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this Website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g., by telephone.

The terms used are not gender-specific.

Last Update: 05.08.2021

Name and Address

MoonLake Immunotherapeutics AG
Attn. Privacy
Dorfstrasse 29
6300 Zug
Switzerland

Email: ab@gb-swiss.ch

Web: www.moonlaketx.com

2. Collection of personal data and purposes of processing

a) Data categories in general

MoonLake will, depending on the product or service we provide to you (if any), collect and process personal data about you including:

  • personal details such as your name, identification number, date of birth, phone number physical and electronic address, and family details such as the name of your spouse, partner, or children;

  • where applicable, professional information about you, such as your job title and work experience;

  • details of our interactions with you and the products and services you use;

  • any records of phone calls between you and us;

  • identifiers we assign to you, such as your client number;

  • when you access our Website, data transmitted by your browser and automatically recorded by our server, including date and time of the access, name of the accessed file as well as the transmitted data;

  • user login and subscription data;

  • Cookies, pixels, unique identifiers and other similar technologies to collect and process information from different channels and devices, including devices that you use to interact with us, to recognize you, remember your preferences, tailor the content we provide to you. For details on how we use cookies, please refer to the section 2i);

  • records of correspondence and other communication between us e.g. live chats, instant messages and  social media communications;

  • Information from third parties or delegated third party service providers e.g. website user information collected through third party component providers that we have a relationship with, or through cookies, pixels, social plugins, tags and other similar technologies (see also section 7);

  • volume and the performance of the access, your web browser, browser language and requesting domain, and IP address (additional data will only be recorded via our Website if their disclosure is made voluntarily, e g in the course of a registration or request). When you visit a Website of us, that Website may contain additional information about how we use your information while you are visiting that Website; and

  • in some cases (where permitted by law), special categories of personal data, such as your health information, racial or ethnic origin, religious or philosophical beliefs, and, to the extent legally possible, information relating to criminal convictions or offences.

We may collect certain of the above personal data types in relation to prospective clients. This personal data is relevant to establish and build relationships with a view to entering into a contractual agreement with them.

Further categories of personal data we may collect are described in the following subsection of this section 2 and in section 7.

b) Purposes – overview

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process personal data for the following purposes:

  • client on-boarding processes, including to verify your identity and assess your application;

  • providing products and services to you and ensuring their proper execution;

  • managing our relationship with you, including communicating with you in relation to the products and services you obtain from us;

  • helping us to learn more about you as a customer, the products and services you receive, and other products and services you may be interested in receiving;

  • taking steps to improve our products and services and our use of technology, including testing and upgrading of systems and processes, and conducting market research to understand how to improve of our existing products and services or learn about other products and services we can provide;

  • contacting you for direct marketing purposes about products and services we think will be of interest to you;

  • meeting our on-going regulatory and compliance obligations, including disclosures to authorities and regulatory, judicial and governmental bodies or in proceedings, and investigating or preventing crime;

  • ensuring the safety of our customers, employees and other stakeholders;

  • undertaking transactional and statistical analysis, and related research;

  • any other purposes described in this Privacy Notice and additional purposes we notify to you from time to time.

c) Website of MoonLake 

The use of the Website of MoonLake is possible without any indication of personal data; however, if you want to use special Services via our Website, processing of personal data could become necessary.

The Website of MoonLake collects a series of general data and information when you call up the Website. This general data and information are stored in the server log files. Collected may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the Website from which an accessing system reaches our Website (so-called referrers), (4) the sub-Websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that may be used in the event of attacks on our information technology systems.

When using these general data and information, MoonLake does not draw any conclusions about you. Rather, this information is needed to (1) deliver the content of our Website correctly, (2) optimize the content of our Website as well as its advertisement, (3) ensure the long-term viability of our information technology systems and Website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, MoonLake analyses anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

As we do not maintain web servers ourselves, these general data and information are stored on the servers of the following partners: https://www.squarespace.com

d) Registration on our Website

You have the possibility to register on our Website with the indication of personal data. Which personal data are transmitted to us is determined by the respective input mask used for the registration. The personal data entered by you are collected and stored exclusively for internal use by MoonLake, and for the purposes apparent from the registration (e.g. newsletter). MoonLake may transfer to one or more processors (e.g., a parcel service) that also process personal data.

By registering on the Website, the IP address — assigned by the Internet service provider (ISP) and used by you — date, and time of the registration are also stored. The storage of this data takes place against the background that this is the only way to prevent the misuse of our services, and, if necessary, to make it possible to investigate committed offenses. Insofar, the processing of this data is necessary for security purposes. This data is not passed on to third parties unless there is a statutory obligation to pass on the data, or if the transfer serves the aim of criminal prosecution.

Your registration, with the voluntary indication of your personal data, is intended to enable us to offer you contents or services that may only be offered to registered users due to the nature of the matter in question. Registered persons are free to change the personal data specified during the registration at any time.

MoonLake will provide information upon your request which personal data we process. In addition, MoonLake will correct or erase personal data at your request, insofar as there are no statutory retention obligations.

e) Subscription to our newsletters

On the Website of MoonLake, you are given the opportunity to subscribe to our  newsletter. The input mask used for this purpose determines what personal data are collected.

MoonLake informs its customers and business partners regularly by means of a newsletter about our offers. Our newsletter may only be received by you if (1) you have a valid e-mail address and (2) you register for the newsletter. A confirmation e-mail will be sent to the e-mail address registered by you for the first time in the double opt-in procedure. This confirmation e-mail is used to prove whether you as the owner of the e-mail address is authorized to receive the newsletter.

During the registration for the newsletter, we also store the IP address of the computer system assigned by the Internet service provider (ISP) and used by you at the time of the registration, as well as the date and time of the registration. The collection of this data is necessary in order to understand the (possible) misuse of your e-mail address at a later date, and it therefore serves the aim of the protection of you and us.

The personal data collected as part of a registration for the newsletter will only be used to send our newsletter. In addition, you as subscriber to the newsletter may be informed by e-mail, as long as this is necessary for the operation of the newsletter service or a registration in question, as this could be the case in the event of modifications to the newsletter offer, or in the event of a change in technical circumstances. The subscription to our newsletter may be terminated by the data subject at any time. Your consent to the collection and processing of personal data may be revoked at any time. For the purpose of revocation of consent, a corresponding link is found in each newsletter. It is also possible to unsubscribe from the newsletter at any time directly on our Website, or to communicate this to us in a different way.

f) Newsletter-Tracking

The newsletter of MoonLake contains so-called tracking pixels. A tracking pixel is a miniature graphic embedded in such e-mails, which are sent in HTML format to enable log file recording and analysis. This allows a statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, MoonLakemay see if and when an e-mail was opened by you, and which links in the e-mail were called up.

Such personal data collected and processed in the tracking pixels contained in the newsletters are stored and analysed by us in order to optimize the shipping of the newsletter, as well as to adapt the content of future newsletters even better to the interests of the data subject. You are at any time entitled to revoke the respective separate declaration of consent issued by means of the double-opt-in procedure. After a revocation, these personal data will be deleted by us, unless statutory retention obligations apply. MoonLake automatically regards a withdrawal from the receipt of the newsletter as a revocation.

g) Contact possibility via the Website

The Website of MoonLake contain information that enables a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If you contact us by e-mail or via a contact form, the personal data transmitted by you are automatically collected and processed. Such personal data transmitted on a voluntary basis by you are stored for the purpose of processing your request and contacting you.

g) Comments function in the blog on the Website

MoonLake offers users the possibility to leave individual comments on individual blog contributions on a blog, which is on our Website. A blog is a web-based, publicly-accessible portal, through which one or more people called bloggers or web-bloggers may post articles or write down thoughts in so-called blogposts. Blogposts may usually be commented by third parties.

If you leave a comment on the blog published on this Internet page, the comments made by you are also stored and published, as well as information on the date of the commentary and on the user’s (pseudonym) chosen by you. In addition, the IP address assigned by the Internet service provider (ISP) to you is also logged. This storage of the IP address takes place for security reasons, and in case you violate the rights of third parties or posts illegal content through a given comment. The storage of these personal data is, therefore, in our own interest

h) Subscription to comments in the blog on the Website

The comments made in the blog of MoonLake may be subscribed to by third parties. In particular, there is the possibility that a commenter subscribes to the comments following his comments on a particular blog post.

If you decide to subscribe to the option, we will send an automatic confirmation e-mail to check the double opt-in procedure as to whether you as the owner of the specified e-mail address decided in favour of this option. The option to subscribe to comments may be terminated at any time.

i) Cookies

The Website of MoonLake use cookies. Cookies are text files that are stored in a computer system via an Internet browser.

Many Internet sites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which Website and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited Internet sites and servers to differentiate the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified using the unique cookie ID.

Through the use of cookies, MoonLake can provide the users of this Website with more user-friendly services that would not be possible without the cookie setting.

By means of a cookie, the information and offers on our Website can be optimized and personalized. Cookies allow us, as previously mentioned, to recognize our Website users. The purpose of this recognition is to make it easier for users to utilize our Website. The Website user that uses cookies, e.g. does not have to enter access data each time the Website is accessed, because this is taken over by the Website, and the cookie is thus stored on the user’s computer system.

You may, at any time, prevent the setting of cookies through our Website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If you deactivate the setting of cookies in the Internet browser used, not all functions of our Website may be entirely usable.

3. Legal basis for processing

Depending on the purpose of the processing activity (see section 2), the processing of your personal data will be one of the following:

  • necessary for the legitimate interests of MoonLake, without unduly affecting your interests or fundamental rights and freedoms;

  • necessary for taking steps to enter into or executing a contract with you for the services or products you request, or for carrying out our obligations under such a contract,;

  • required to meet our legal or regulatory responsibilities, including when we make the disclosures to authorities, regulators and government bodies referred to in sections 2;

  • in some cases, necessary for the performance of a task carried out in the public interest;

  • when we use special categories of personal data, necessary for establishing, exercising or defending legal claims or where the processing relates to personal data manifestly in the public domain; and

  • processed with your consent which we obtain from you from time to time (for instance where required by law), or processed with your explicit consent in the case of special categories of personal data such as your medical information.

Examples of the ‘legitimate interests’ referred to above are:

  • pursuing certain of the purposes in sections 2 and 7;

  • exercising our rights under Articles 16 and 17 of the Charter of Fundamental Rights, including our freedom to conduct a business and right to property;

  • when we make the disclosures referred to in section 2 and 7, and keeping our customers, employees and other stakeholders satisfied;

  • meeting our accountability and regulatory requirements around the world,

in each case provided such interests are not overridden by your privacy interests.

4. Third Parties who may have access to your personal data

In some instances, we share personal data with our suppliers and other business partners who provide services to us, such as IT and hosting providers, marketing providers, communication services and others. When we do so we take steps to ensure they meet our data security standards, so that your personal data remains secure.

If required from time to time, we disclose personal data to public and judicial authorities, regulators or governmental bodies and in proceedings, including when required by law or regulation, under a code of practice or conduct, or when these authorities or bodies require us to do so.

If our business is sold to another organisation or if it is re-organised, personal data will be shared so that you can continue to receive products and services. We will usually also share personal data with prospective purchasers when we consider selling or transferring part or all of a business. We take steps to ensure such potential purchasers keep the data secure

We will disclose personal data where required to exercise or protect legal rights, including ours and those of our employees or other stakeholders, or in response to requests from individuals or their representatives who seek to protect their legal rights or such rights of others.

5. Your rights

In this section, MoonLake would like to provide you a general overview of your rights. Please note that your rights depend on the applicable data protection laws and therefore, some of your rights and the conditions to exercise these rights may differ from jurisdiction to jurisdiction.

You have a right to ask us to rectify inaccurate personal data we collect and process and the right to request restriction of your personal data pending such a request being considered.

Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Please also note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

You have a right to ask us to stop processing your personal data, or to request deletion of your personal data – these rights are not absolute under applicable data protection laws (as sometimes there may be other lawful grounds such as a legal obligation or overriding interests that require the processing to continue, for example), but we will consider your request and respond to you with the outcome. When personal data are processed for direct marketing purposes, your right to object extends to direct marketing, including profiling to the extent it is related to such marketing. You may object to direct marketing by clicking the ‘unsubscribe’ link in any of our emails to you, or by emailing us at any time.

Where we process your personal data on the basis of your consent, or where such processing is necessary for entering into or performing our obligations under a contract with you, you may have the right to request your personal data be transferred to you (known as the ‘data portability’ right). You also have the right to ask us for information regarding some or all of the personal data we collect and process about you.

In certain circumstances we may process your personal data through automated decision-making, including profiling. Where this takes place, you will be informed of such automated decision-making that uses your personal data, be given information on the logic involved, and be informed of the possible consequences of such processing In certain circumstances, you can request not to be subject to automated decision-making, including profiling.

If you are not satisfied with our response, you have the right to make a complaint to the data protection authority in the jurisdiction where you live or work, or in the place where you think an issue in relation to your data has arisen.

6. Retention period

In general, we will retain personal data for the period of your relationship or contract with us reflecting the length of time for which legal claims may be made following termination of such relationship or contract.

7. Special cases

a) Data protection for applications and the application procedures

MoonLake will collect and process the personal data of applicants for the purpose of the processing of the application procedure. The processing may also be carried out electronically. This is the case, in particular, if an applicant submits corresponding application documents by e-mail or by means of a web form on the Website to us. If MoonLake concludes an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant by us, the application documents shall be automatically erased two months after notification of the refusal decision, provided that no other legitimate interests of MoonLake are opposed to the erasure. Other legitimate interest in this relation is, e.g., a burden of proof in a procedure under applicable labour and other laws such as the General Equal Treatment Act.

b) Data protection provisions about the application and use of third party components

MoonLake may have integrated components of social media platforms or of analytics providers on its Website. The third party components and the providers of such components are listed below.

Please note that social media platforms may operate and provide its services as controller to you. We may use tracking technology such as cookies, pixels, unique identifiers or tags to gather information as outlined above (see section 2) to understand how visitors use the our Website. Tracking technology helps us to manage and improve the usability of our Websites, for example by detecting whether there has been any contact between your device and us in the past and to identify the most popular sections of our Website. We may also use these tracking technologies to check your instructions to us, assess, analyse and improve our service, train our staff.

With each call-up to one of the individual pages of Website, which is operated by us and into which a third party component (plug-ins) was integrated, the web browser on your computer, tablet, mobile or similar device is automatically prompted to download display of the corresponding component from the provider of such components. During the course of this technical procedure, the provider of such components is made aware of what specific sub-site of our Website was visited by you.

If you are logged in at the same time on the respective social media platform, the provider of such components detects with every call-up to our Website by you—and for the entire duration of their stay on our Website. This information is collected through the component and associated with the respective account you are logged in. If you click on one of the third party buttons integrated into our Website, e.g., the ‘Like” button, or if you submit a comment, then the provider of such components matches this information with the personal user account and stores the personal data.

The provider of such components receives, through the component, information about you visit to our Website, whenever you are logged in at the same time on the social media platform during the time of the call-up to our Website. This occurs regardless of whether you click on the component or not. If such a transmission of information to the provider of the component is not desirable for you, then you may prevent this by logging off from your social media account before a call-up to our Website is made.

We may use components of the following providers:

  • Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States. If a person lives outside of the United States or Canada, the controller is the Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The data protection guideline published by Facebook, which is available at https://facebook.com/about/privacy/, provides information about the collection, processing and use of personal data by Facebook. In addition, it is explained there what setting options Facebook offers to protect the privacy. In addition, different configuration options are made available to allow the elimination of data transmission to Facebook. These applications may be used by you to eliminate a data transmission to Facebook. An overview of all the Facebook Plug-ins may be accessed under https://developers.facebook.com/docs/plugins/.

  • LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, UNITED STATES. For privacy matters outside of the UNITED STATES LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland, is responsible. LinkedIn provides under https://www.linkedin.com/psettings/guest-controls the possibility to unsubscribe from e-mail messages, SMS messages and targeted ads, as well as the ability to manage ad settings. LinkedIn also uses affiliates such as Eire, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua, and Lotame. The setting of such cookies may be denied under https://www.linkedin.com/legal/cookie-policy. The applicable privacy policy for LinkedIn is available under https://www.linkedin.com/legal/privacy-policy. The LinkedIn Cookie Policy is available under https://www.linkedin.com/legal/cookie-policy.

  • Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, UNITED STATES. The applicable data protection provisions of Twitter may be accessed under https://twitter.com/privacy?lang=en. Further information about the Twitter buttons is available under https://about.twitter.com/de/resources/buttons.

  • YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, UNITED STATES. The YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, UNITED STATES. YouTube’s data protection provisions, available at https://www.google.com/intl/en/policies/privacy/, provide information about the collection, processing and use of personal data by YouTube and Google.

  • The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States. We may have integrated components with the anonymizer function. Google Analytics is a web analytics service. Web analytics is the collection, gathering, and analysis of data about the behaviour of visitors to websites. Google Analytics places a cookie on your computer, tablet, mobile or similar device. The definition of cookies is explained above. You may, as stated above, prevent the setting of cookies through our Website at any time by means of a corresponding adjustment of the web browser used and thus permanently deny the setting of cookies. Such an adjustment to the Internet browser used would also prevent Google Analytics from setting a cookie on your device. In addition, cookies already in use by Google Analytics may be deleted at any time via a web browser or other software programs. In addition, you have the possibility of objecting to a collection of data that are generated by Google Analytics, which is related to the use of this Website, as well as the processing of this data by Google and the chance to preclude any such. For this purpose, you must download a browser add-on under the link https://tools.google.com/dlpage/gaoptout and install it. Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/and under http://www.google.com/analytics/terms/us.html. Google Analytics is further explained under the following Link https://www.google.com/analytics/.