European Union / European Economic
Area (EU/EEA) Privacy Notice

Scope

If you are located in the European Union, European Economic Area, the United Kingdom, or Switzerland, and access our Sites or engage our Services from those locations, this supplemental Privacy Notice applies to you.

Who is the Data Controller?

The data controller is Avellino Lab USA, Inc., 4300 Bohannon Drive, Menlo Park, California 94025 USA.

 

What Are Our Legal Bases for Processing Personal Data?

We process your personal data on several different legal bases, as follows:

  • Contract Performance: Use of our Site and services is subject to our Terms and Conditions and other applicable terms and conditions. We process your personal data as necessary to perform our contractual obligations under such agreements or take steps at your request prior to entering into a contract, pursuant to Article 6(1)(b) of the EU GDPR.
  • Legitimate Interests: We process your personal data as necessary to pursue the following legitimate interests, pursuant to Article 6(1)(f) of the EU GDPR: To provide users with a good user experience, to maintain and secure our Site and services, to understand our users so that we can tailor our communications and services, including our marketing communications, to them, and to support and provide requested services and information to our users or customers. In these cases, we will ensure that your privacy and other fundamental interests do not override our legitimate interests.
  • Legal Obligations: If we are subject to a lawful access request, engaged in a legal proceeding or suspect a user of illegal conduct, we may need to process your personal data as necessary to comply with relevant laws, regulatory requirements and to respond to lawful requests, court orders, and legal process, pursuant to Article 6(1)(c) of the EU GDPR.
  • Consent: If we are required to obtain your consent to send you marketing communications, place certain cookies on your device, or engage in other processing activities associated with our Site, we may perform such processing on the basis of your consent if you have provided it, pursuant to Article 6(1)(a) of the EU GDPR. In such cases, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. In such cases, providing your consent is voluntary, but we will not be able to provide you with a service for which we require your consent until we obtain such consent.
  • Vital Interests: In extenuating circumstances, we may need to process your personal data to protect the vital interests of you or another natural person, pursuant to Article 6(1)(d) of the EU GDPR.

 

Where Do We Transfer Personal Data and How Do We Protect Such Transfers?

We may transfer your personal data to service providers and business partners outside of the countries within the scope of this Notice, including to the following countries [list of countries]. Whenever we transfer your personal data outside any of the countries within the scope of this Notice, we ensure a similar degree of protection is afforded to it as in the EEA by using specific contractual clauses approved by the European Commission which give personal data the same protection it has in Europe or other adequate means. 

How Long Do We Retain Personal Data?

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Details of retention periods for different aspects of your personal data are available in our retention policy, which you can request from us by sending an email to privacy@avellino.com.

 

Your Rights

Subject to applicable law, you have the right to:

  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information that override your rights and freedoms.
  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it
  • Request correction of personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your erasure request for specific legal reasons of which you will be notified, if applicable, at the time of your request
  • Request restriction of processing of personal data. This enables you to ask us to suspend the processing of personal data in the following scenarios:
    • If you want us to establish the data’s accuracy
    • Where our use of the data is unlawful, but you do not want us to erase it
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims
    • You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it
  • Request the transfer of personal data to you or to a third party. We will provide to you, or a third party you have chosen, personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you are located in any of the countries within the scope of this Notice, you have the right to make a complaint at any time to the data protection authority based in the country in which you are resident. You may find more information about your local data protection authority here. (https://edpb.europa.eu/about-edpb/about-edpb/members_en)

If you are located in the UK, the Information Commissioner’s Office (ICO) (www.ico.org.uk) is the relevant data protection authority.

If you are in the United States, you may contact the US Federal Trade Commission (residents of California may contact the California Department of Justice). Residents of Canada may contact the Privacy Commissioner of Canada or their provincial data protection commissioner. If you are located in another jurisdiction, you will need to research or contact your local government for further guidance.

We would, however, appreciate the chance to deal with your concerns before you approach any of these agencies or data protection authorities, so please contact us in the first instance.

You can exercise your rights by sending an email to privacy@avellino.com. You can otherwise mail your request to the following postal address: Avellino Lab USA, Inc., ATTN: Privacy Office, 4300 Bohannon Drive, Menlo Park, California 94025 USA.