Privacy Policy

Note that this privacy notice concerns processing of personal data primarily in the
United States. There might be slight differences to some parts due to national
legislation in other countries.

This Privacy Policy covers our treatment of personal information under applicable
data protection and privacy laws, including but not limited to (1) personally
identifiable information, as defined by numerous statutes in the United States,
including the California Online Privacy Protection Act (such statutes, the "PII
Laws") (2) personal information, as defined by the California Consumer Privacy
Act (the "CCPA") and for this purpose applies solely to visitors, users, and others
who reside in the State of California, and (3) personal data, as defined by the
European Union General Data Protection Regulation (the "GDPR").

Cardea Bio, Inc.
8969 Kenamar Drive, suite 104
San Diego
CA 92121

Contact Details in Data Protection Matters to
Data Protection Officer
Kelly Huang, COO
[email protected]

1. Scope of application

Thank you for your interest in our company. The protection of your privacy is very
important to us. Below we provide details about the handling of your data.
This privacy policy informs users about the nature, scope and purpose of the
collection and use of personal data by the responsible provider Cardea Bio, Inc. on
this website (hereinafter referred to as “Offer”). The legal basis for data
protection can be found in the California Consumer Privacy Act (CCPA) and the
EU’s General Data Protection Regulation (GDPR).

2. Access data

You can visit our website without providing any personal information. Each time
you access our website, the webserver automatically saves a so-called server log
file, which contains, for example, the name of the requested file, your IP address,
the date and time of access, the amount of data transferred and the requesting
provider (access data) and documents accessed.
This access data is evaluated exclusively for the purpose of ensuring trouble-free
operation of the site and improving our offer. In accordance with Art. 6 Para. 1 lit.
f) GDPR, this serves to protect our legitimate interests in the correct presentation
of our offer, which outweighs our interests in the context of a balancing of
interests. All access data is deleted no later than seven days after the end of your
visit to the site.

3. Deletion and blocking of personal data

We process and store personal subject data only for the period of time necessary
to achieve the purpose of storage or insofar as this is provided for by the
applicable laws to which the controller is subject.

If the storage purpose ceases to apply or if a legally prescribed storage period
expires, the personal data will be routinely blocked or deleted in accordance with
the statutory provisions.

4. Collection and storage of personal data as well as type and purpose of their use

a) When visiting the website
In principle, you can use our website without disclosing your identity. When you
visit our website, information is automatically sent to our website server by the
browser used on your terminal device. This information is temporarily stored in a
so-called log file. The following information is collected without your intervention
and stored until automated deletion:
-  IP address of the requesting computer,
-  date and time of access,
-  name and URL of the accessed file,
-  website from which the access was made (referrer URL),
-  browser used and, if applicable, the operating system of your computer as
well as the name of your access provider.

The aforementioned data is processed by us for the following purposes:

-  ensuring a smooth connection with the website,
-  ensuring a comfortable use of our website,
-  evaluation of system security and stability, and
-  for further administrative purposes.
The legal basis for data processing is Art. 6 para.1, lit. f) GDPR. Our legitimate
interest follows on from the purpose of data collection as listed above. In no case
do we use the collected data for the purpose of drawing conclusions about your
personal information.
In addition, we use cookies and analysis services when you visit our website. You
can find more detailed explanations of this under sections 8 and 10 of this privacy

b) When using our contact form
For questions of any kind, we offer you the opportunity to contact us via a form
provided on our website. In doing so, it is necessary to provide a valid e-mail
address so that we know from whom the inquiry originates and where to direct a
response. Further information can be provided voluntarily. It is your free decision
whether you want to enter this data in the contact form.
Data processing for the purpose of contacting us is carried out in accordance with
Art. 6 para.1, lit. a) GDPR on the basis of your voluntarily given consent.

5. E-mail advertising with newsletter

If you register for our newsletter, or separately provide your contact information,
we use the data to regularly send you our e-mail newsletter based on your
consent pursuant to Art. 6 para. 1 lit. a GDPR.

We would like to point out that our service provider, HubSpot, evaluates your
user behavior when sending the newsletter or other requested information on
our behalf. For this evaluation, the e-mails sent contain so-called web beacons,
also called tracking pixels. These are single-pixel image files that link to our web
portal and thus enable us to evaluate your user behavior on a session basis. In
doing so, we record when you read our newsletters, which links you click on in
them and infer your personal interests from this.

Tracking is not possible if you have deactivated the display of images by default in
your e-mail program. In this case, however, the newsletter will not be fully
displayed to you and you may not be able to use all the features. If you display
the images manually, the above-mentioned tracking will take place.
You can unsubscribe from the newsletter at any time using the link provided in
the newsletter for this purpose. After unsubscribing, we will delete your e-mail
address, unless you have expressly consented to further use of your data or we
reserve the right to use data beyond this, which is permitted by law and about
which we inform you in this statement.

6. Provision of documents/ download

When you download a document, we request your name, company and e-mail
address. We collect this data for information interest and also for personal
contact. The legal basis is the legitimate interest according to Art.6 para. 1 lit. f)

7. Registration for events

On our website, you can register for various events. In order to be able to process
your registration, we collect and process the following data based on your
declaration of consent given during registration:
Mandatory fields: Salutation, first name, last name, institution, e-mail address.
In order to register, you must accept our data protection notice. The data will be
forwarded by encrypted e-mail to the responsible person at Cardea Bio, Inc. and
exported to our local database for further processing.
We use your data for the organization of the event, in particular

-  we print some of the data (name, institution, e-mail address) in the printed
program booklet,
-  we print some of the data (name, institution) on your name badge,
-  we pass on some of the data (name, institution, function) to the
moderators of the forums/workshops,
-  we may use your contact data (name, e-mail address) to send materials
relevant to the event (e.g. program, evaluation, conference proceedings),
-  we pass on your data (name, institution, function) to the cooperating
institution as far as this is necessary for the provision of the service.

You have the option to object to the use of your data for these purposes in whole
or in part at any time by sending an e-mail with your objection to
[email protected]. We will then immediately stop sending you further
information and your data will be deleted. In this case, we may no longer be able
to respond to your request and ensure your participation in the event. After the
program booklet has been printed (approx. 10 days before the event), you can no
longer object to the use of your data according to 1.


8. Further explanations on the legal basis of the processing

Art. 6 (1), lit. a) GDPR serves Cardea Bio, Inc. as the legal basis for processing
operations for which consent must be obtained for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract
to which the data subject is a party, the processing is based on Article 6 (1) (b)
GDPR. The same applies to processing operations that are necessary for the
performance of pre-contractual measures, for example in cases of inquiries about
our services and products. If Cardea Bio, Inc. is subject to a legal obligation which
requires the processing of personal data, the processing is based on Art. 6 para. 1
lit. c) GDPR. In rare cases, the processing of personal data might become
necessary in order to protect the vital interests of the data subject or another
natural person. In this case, the processing is based on Article 6(1)(d) of the GDPR.
Furthermore, processing operations could be based on Art. 6 (1), lit. f) GDPR.
Processing operations which are not covered by any of the aforementioned legal
bases are based on this legal basis if the processing is necessary to protect a
legitimate interest of Cardea Bio, Inc. or a third party, unless such interest is
overridden by the interests, fundamental rights and freedoms of the data subject.
Such processing operations are permitted to us in particular because they have
been specifically mentioned by the European legislator (cf. recital 47 sentence 2

9. Consideration of legitimate interests

If the processing of personal data is based on Article 6 (1), lit. f) GDPR, the
legitimate interest of Cardea Bio, Inc. is the performance and fulfillment of our
business activities for the benefit of our employees and shareholders.

10. Passing on of data

Your personal data will only be passed on to third parties involved in the
processing of the contract, service partners such as the logistics company
commissioned with the delivery and the credit institution commissioned with
payment matters. In cases where your personal data is passed on to third parties,
however, the scope of the data transferred is limited to the minimum required.
We do not transfer your personal data to third parties for purposes other than
those mentioned above.

We only pass on your personal data to third parties if:
- you have given your express consent to this in accordance with Art. 6
para.1, lit. a) GDPR,
- the disclosure is required under Art.6 para.1, lit. f) GDPR for the assertion,
exercise or defense of legal claims and there is no reason to believe that
you have an overriding legitimate interest in not disclosing your data,
- in the event that there is a legal obligation for disclosure pursuant to Art. 6
(1), lit. c) GDPR,
- it is legally permissible and necessary according to Art. 6 para.1, lit. b)
GDPR for the processing of contractual relationships with you.
As part of the ordering process, consent is obtained from you for the transfer of
your data to third parties.

11. Recipients of personal data

Within our group of companies, only those persons have access to your personal
data who need it for the purposes stated in each case. Your personal data will
only be passed on to external recipients if this is permitted by law or if we have
your consent.

Processors: In the area of customer management, we use external service
providers who are carefully selected and checked. The processors may only use
the data in accordance with our instructions. The legal basis for this is Art. 6 para.
1 lit. f GDPR.

12. Data transfer to third countries

If data is transferred to entities whose registered office or place of data
processing is not located in a member state of the European Union, another state
party to the Agreement on the European Economic Area or a state for which an
adequate level of data protection has been established by a decision of the
European Commission, we will ensure prior to the transfer that the data is
transferred by a legal authorization (use of the EU standard contracts) and
whether an adequate level of data protection exists with the recipient (2-step

13. Use of cookies

We use cookies on our website. These are small files that are automatically
created by your browser and stored on your device (laptop, tablet, smartphone or
similar) when you visit our website. Cookies do not cause any damage to your
device, do not contain viruses, Trojans or other malware.
Details on our cookie policy, including a list of providers can be found here:


14. Data subject rights

You have the right:
-  According to Art.15 GDPR, to request information about your personal data
processed by us. In particular, you can request information about the
processing purposes, the category of personal data, the categories of
recipients to whom your data has been or will be disclosed, the planned
storage period, the existence of a right to rectification, erasure, restriction
of processing or objection, the existence of a right of complaint, the origin
of your data, if it was not collected from you, as well as the existence of
automated decision-making, including profiling and, if applicable,
meaningful information about its details;
-  in accordance with Art.16 GDPR, to demand the immediate correction of
incorrect or completion of your personal data stored by us;
-  pursuant to Art.17 GDPR, to request the erasure of your personal data
stored by us, unless the processing is necessary for the exercise of the right
to freedom of expression and information, for compliance with a legal
obligation, for reasons of public interest or for the establishment, exercise
or defense of legal claims;
-  in accordance with Art.18 GDPR, to request the restriction of the
processing of your personal data, insofar as the accuracy of the data is
disputed by you, the processing is unlawful, but you object to its erasure
and we no longer require the data, but you need it for the assertion,
exercise or defense of legal claims or you have objected to the processing
in accordance with Art. 21 GDPR;
-  pursuant to Art.20 GDPR, to receive your personal data that you have
provided to us in a structured, common and machine-readable format or to
request that it be transferred to another controller;
-  in accordance with Art.7 para.3 GDPR, to revoke your consent once given
to us at any time. This has the consequence that we may no longer
continue the data processing, which was based on this consent, for the
future; and
-  complain to a supervisory authority in accordance with Art. 77 GDPR. As a
rule, you can contact the supervisory authority of your usual place of
residence or workplace or our company headquarters for this purpose.

15. Right of objection

Insofar as your personal data is processed on the basis of legitimate interests
pursuant to Art. 6 para.1 lit. f) GDPR, you have the right to object to the
processing of your personal data pursuant to Art. 21 GDPR, insofar as there are
grounds for doing so that arise from your particular situation or the objection is
directed against direct advertising. In the latter case, you have a general right of
objection, which is implemented by us without specifying a particular situation.
If you wish to exercise your right of revocation or objection, please use the
contact details provided above.

16. Data security

During your visit to the website, we use the widespread SSL procedure (Secure Sockets
Layer) in connection with the highest encryption level supported by your browser.
As a rule, this is a 256-bit encryption. If your browser does not support 256-bit
encryption, we use 128-bit v3 technology instead. You can tell whether an
individual page of our website is encrypted by the closed key or lock symbol in the
lower status bar of your browser.
We also use appropriate technical and organizational security measures to
protect your data against accidental or intentional manipulation, partial or
complete loss, destruction or against unauthorized access by third parties. Our
security measures are continuously improved in line with technological

17. Up-to-dateness and changes of this privacy policy

This data protection declaration is currently valid and has the status 30.11.2022.

Due to the further development of our website and offers on it or due to changed legal or regulatory requirements, it may become necessary to change this Privacy Policy.