This Date Privacy Policy covers personal data that is provided to, or received by, Innorna Co., Ltd. and/or its
subsidiary companies (“Innorna”, “we”, “us”, “our”).
1. Scope
This policy explains how we collect, use, disclose, and protect personal information when you visit or
interact with our websites, microsites, career portals, and online forms (collectively, the “Site”).
It covers visitors from all regions, including Mainland China, the EU/EEA, the UK, the US (including
California), and other jurisdictions.
This policy does not apply to clinical trials, medical inquiries, patient programs, or off-Site activities
governed by separate privacy notices.
2. What we collect
We collect personal information that you provide or that is generated during your use of the Site:
Marketing and Communication Data: your preferences, event participation, and newsletter subscriptions.
Any other information you voluntarily provide when contacting us or using our services (including name, email
address, phone number, company name, job title, address).
3. Purposes of use
We use personal information for:
Operating and improving the Site, ensuring security and fraud prevention.
Responding to inquiries and requests; sending requested materials or updates.
Managing events, webinars, and business meetings.
Email newsletters and marketing (with your consent and opt-out options).
Recruitment and talent management (evaluate applications, schedule interviews).
Compliance with legal obligations and enforcement of our terms; record-keeping.
Anonymization/aggregation for statistical and research purposes.
4. Legal bases (jurisdiction-specific)
Mainland China (PIPL): consent; performance of a contract or HR management; fulfilling statutory duties; responding to emergencies that protect health and safety; processing within a reasonable scope for news reporting/public interest; and other bases permitted by law. For sensitive PI, we obtain separate consent. Cross-border transfers follow CAC requirements (see Section 8).
EU/EEA and UK (GDPR/UK GDPR): consent; contract performance; legitimate interests (e.g., Site security, product information); legal obligations. You may object to processing based on legitimate interests.
California (CCPA/CPRA): notice at collection; the right to know/access, delete, correct, opt-out of sale/sharing, and limit use of sensitive personal information. We do not sell personal information and do not share personal information for cross-context behavioral advertising.
5. Cookies and tracking
We do not use cookies or any similar tracking technologies on our website.
Your visit to our website will not result in any automatic collection of personal data through cookies, pixels, or analytics tools.
If this changes in the future, we will update this Privacy Policy accordingly and provide clear notice before any tracking technologies are implemented
6. Disclosures and recipients
We may disclose personal information to:
Our affiliates and controlled subsidiaries (for internal administration and shared services).
Service providers and processors that support hosting/cloud, security, analytics, marketing, events, applicant tracking, and communications (bound by contractual privacy and security obligations).
Professional advisers (legal, compliance, accounting), insurers, banks.
Regulators, law enforcement, courts, or public authorities as required by law.
We do not sell personal information.
7. Retention
We retain personal information only for as long as necessary for the purposes described, and to meet legal, tax, and regulatory requirements. Typical periods:
Inquiry and event records: 12-24 months.
Marketing contact details: until you unsubscribe or withdraw consent.
Recruitment records: usually 24 months (unless local law requires shorter/longer).
Logs and security data: 12-24 months.
We may anonymize data for statistical use and retain anonymized data longer.
8. International transfers
Mainland China: if we transfer personal information outside of China, we will comply with the PIPL and CAC rules, which may require a government security assessment, execution of standard contracts (SCCs), or certification. We will inform you of the name of the overseas recipient, contact details, purposes, retention period, and how to exercise rights, and obtain separate consent where required.
EU/EEA and UK: transfers outside the EU/UK follow GDPR/UK GDPR requirements, including adequacy decisions or Standard Contractual Clauses (and, where necessary, transfer impact assessments and supplementary measures).
Other regions: we apply appropriate safeguards consistent with applicable laws.
9. Your rights
Mainland China (PIPL): you have rights to access/copy your personal information; correct or complete; delete; withdraw consent; request account cancellation; request an explanation of processing rules; restrict or refuse targeted marketing; and request how automated decision-making is applied. For minors under 14, guardians may exercise rights.
EU/EEA and UK: rights to access, rectify, erase, restrict, portability, object to processing (including marketing), and not be subject to solely automated decisions with legal or similarly significant effects.
California: rights to know/access specific pieces of personal information; delete; correct; opt-out of sale/sharing; limit use/disclosure of sensitive personal information; non-discrimination for exercising rights.
How to exercise rights: email it@innorna.com. We may verify your identity and respond within statutory timelines. For California, authorized agents may submit requests with proof of authorization.
10. Children’s privacy
The Site is not directed to children. In Mainland China, for minors under 14 we require guardian consent. In other regions, we comply with applicable age thresholds. If we learn we have collected personal information from a child contrary to law, we will delete it promptly.
11. Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit, access controls, least-privilege policies, network security, monitoring and logging, vendor due diligence, and employee training. No system is completely secure; please use caution when transmitting information online.
12. Third-party links and social media
The Site may contain links to third-party websites or social media platforms. We are not responsible for their privacy practices. Please review their privacy policies before providing personal information.
13. Changes to this policy
We may update this policy to reflect changes in laws, technologies, or our practices. We will post the revised policy with an updated effective date. For material changes, we will provide prominent notice and, where required, seek consent.
14. How to contact us or lodge complaints
Contact: pr@innorna.com
EU/EEA: you may lodge a complaint with your local data protection authority.
UK: you may lodge a complaint with the Information Commissioner’s Office (ICO).
Mainland China: you may lodge a complaint with local CAC or relevant regulator if you believe your rights have been infringed. We encourage you to contact us first, so we can address your concerns.
Note
If we collect additional categories of personal information via certain forms (e.g., medical inquiries, investigator-initiated studies, adverse event reporting), we will display a dedicated privacy notice at the point of collection describing specific purposes, legal bases, retention, and disclosures.