Basic data-protection information
- Controller: ANNION CONSULTING, S.L. (hereafter "ANNION CONSULTING")
- Purpose: Manage HYBRIDGE event registrations, run the newsletter, and respond to contact enquiries.
- Legal bases: Express consent, performance of a contract, and legitimate interest.
- Recipients: No data is transferred to third parties except by legal obligation or to processors acting on our instructions (hosting, database, email delivery, payment processing).
- Your rights: Access, rectification, erasure, restriction, portability, objection and withdrawal of consent — exercised by emailing admin@annionpharma.com.
At ANNION CONSULTING, S.L. (hereafter "ANNION CONSULTING") we work to offer the best possible experience to attendees and visitors of the HYBRIDGE conference. To do so we sometimes need to collect personal data. We care about your privacy and believe we should be transparent about it.
For the purposes of Regulation (EU) 2016/679 (hereafter "GDPR") on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (hereafter "LSSI"), ANNION CONSULTING informs the user that, as the party responsible for processing, it will incorporate the personal data provided by users into an automated file.
1. Who is the controller of your personal data?
- Legal name: ANNION CONSULTING, S.L.
- Trade name: ANNION CONSULTING / HYBRIDGE
- Registered office: C/ Muntaner, 400, entresol 1D — 08006 Barcelona, Spain
- Tax ID (CIF): B01874890
- Contact: admin@annionpharma.com
ANNION CONSULTING has designated an internal contact person as coordinator of the GDPR adaptation. Queries about how your personal data is processed can be sent to admin@annionpharma.com.
2. What personal data do we collect?
The personal data the user may provide includes:
- Identification: name, surname, title and date of birth (only if required for legal purposes).
- Contact: postal address, email and phone number.
- Professional: job title, company, commercial / trading name, company website and tax identification (VAT / NIF).
- Event-related: attendee names and positions, ticket tier selected, notes you choose to share, and the source through which you heard about the event.
- Billing and payment: invoice address, payment method and information related to payments and refunds.
- Technical: IP address, browser and operating system, access date and time. These are kept as proof of consent for newsletter subscriptions and for security auditing.
- Usage analytics (pseudonymous): the pages you visit on this site, referrer and viewport. We do not set any tracking cookie or use third-party analytics. Visits are grouped into a short-lived session hash derived from your IP, user-agent and a server-side secret, truncated to 16 characters and rotated daily — so we cannot identify you or link visits across days.
- Search activity: when you use the in-site search palette, the query text and which result you click are stored to help us understand what visitors are looking for. The same daily session hash applies — queries are not tied to your identity.
- Any other information you choose to share with us via the contact form or by email.
In some cases it is mandatory to fill in the registration form to access certain services on this website. Not providing the requested personal data, or not accepting this privacy policy, means you will be unable to register for the event or subscribe to communications.
3. Why do we process your data?
At ANNION CONSULTING we process the information provided by interested people for the following purposes:
- Manage your registration for the HYBRIDGE conference, including invoicing, payment tracking and event logistics.
- Deliver communications you have explicitly subscribed to, such as The VAMs Briefing newsletter.
- Respond to enquiries you send via the contact form or by email.
- Measure aggregate site traffic and search behaviour to improve the information architecture and content of the conference site, using only pseudonymous, cookie-free signals (see section 2).
- Protect public forms (newsletter, registration, contact) against automated abuse using Altcha, a self-hosted proof-of-work challenge that does not set cookies or share data with third parties.
- Develop commercial actions and carry out the maintenance and management of the relationship with the user, in line with the consent granted.
- Comply with legal, tax and accounting obligations arising from the provision of services.
Personal data obtained will form part of the Register of Activities and Treatment Operations (RAT), which is updated periodically in accordance with the GDPR.
4. What is the legitimacy for the processing of your data?
The processing of your data may be based on the following legal bases:
- Consent of the data subject (Art. 6(1)(a) GDPR) — for the contact form, the newsletter and any optional marketing communications.
- Performance of a contract (Art. 6(1)(b) GDPR) — for the registration and provision of services in connection with the event.
- Legitimate interest (Art. 6(1)(f) GDPR) — for the processing of customer data for direct marketing of our own related services and for the security of our information systems.
- Compliance with legal obligations (Art. 6(1)(c) GDPR) — for fraud prevention, communications with public authorities, accounting and tax record-keeping.
5. How long do we keep your data?
The processing of data for the purposes described will be maintained for as long as necessary to meet the purpose of collection (for example, for the duration of the business relationship), as well as for compliance with legal obligations arising from the processing of data — typically 6 to 10 years for accounting and tax records.
Specific retention periods:
- Newsletter subscribers: kept until you unsubscribe, at which point the record is deleted in full.
- Contact enquiries: kept for up to 24 months from the last interaction, unless a contractual relationship follows.
- Event registrations and invoices: kept for the period required by Spanish tax and accounting law (currently 6 years from the end of the fiscal year), then deleted or anonymised.
- Pseudonymous analytics and search logs: retained for up to 13 months in aggregate form. Because the session hash rotates every 24 hours, no record can be linked back to an individual.
6. To whom will your data be communicated?
Only when necessary will ANNION CONSULTING share user data with third parties — your data is never sold. External service providers that ANNION CONSULTING works with may use the data strictly to provide the corresponding services, and may not use this information for their own purposes or transfer it to third parties. The processors we currently rely on are:
- DigitalOcean — cloud hosting and MongoDB database (EU region).
- Our SMTP provider — delivery of transactional emails (magic-link sign-in, registration confirmations, newsletter double opt-in, contact replies). In development we use a local MailHog instance — no real email is sent.
- Revolut — payment processor for conference registration fees. Card data is entered directly on Revolut's secure environment and is never seen or stored by ANNION CONSULTING; we only receive the transaction reference and status.
- Pexels — CDN used to serve stock imagery shown on public pages. No personal data is shared with Pexels by us; your browser fetches the images directly.
- Altcha — self-hosted anti-spam challenge embedded on public forms. The challenge runs entirely on our servers; no data is sent to a third party.
ANNION CONSULTING takes care to ensure the security of personal data when it leaves the company and verifies that third-party service providers respect confidentiality and have adequate measures in place to protect personal data, in line with Art. 28 GDPR.
In some cases the law may require the disclosure of personal data to public bodies or other parties; only what is strictly necessary for the fulfilment of such legal obligations will be disclosed.
The personal data obtained may also be shared with other current or future companies of the ANNION CONSULTING group.
7. Where is your data stored?
In general, data is stored within the European Union. For data transferred to non-EU third parties, ANNION CONSULTING ensures that they offer an adequate level of protection — either because the country has an adequacy decision from the European Commission, because the parties have signed the Standard Contractual Clauses, or because the recipient is bound by Binding Corporate Rules (BCR).
8. What rights do you have and how can you exercise them?
You can address your communications and exercise your rights by writing to admin@annionpharma.com.
Under the GDPR you can request:
- Right of access: request information about the personal data we hold about you.
- Right of rectification: notify us of any change in your personal data.
- Right to erasure: request the deletion of your personal data.
- Right to restriction of processing: restrict the way in which we process your personal data.
- Right to data portability: ask for a copy of your personal data in a structured, commonly used and machine-readable format for transmission to another data controller.
- Right to object and to automated individual decision-making: request that decisions are not based solely on automated processing, including profiling, where they produce legal effects or significantly affect you.
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
In some cases the request may be refused if you ask for the deletion of data needed for compliance with legal obligations.
If you have a complaint about the processing of your data, you can lodge it with the Spanish Data Protection Authority (AEPD) or with the supervisory authority of your country of residence.
9. Who is responsible for the accuracy of the data provided?
The user is solely responsible for the accuracy and correctness of the data submitted, releasing ANNION CONSULTING from any responsibility in this regard. Users guarantee, in any case, the accuracy, validity and authenticity of the personal data provided, and undertake to keep them properly updated. The user agrees to provide complete and correct information in the registration or subscription form. ANNION CONSULTING reserves the right to terminate services contracted with users if the data provided is false, incomplete, inaccurate or out of date.
ANNION CONSULTING is not responsible for the veracity of information that is not of its own elaboration and for which another source is indicated, and does not assume any liability for hypothetical damages that may arise from the use of such information.
ANNION CONSULTING reserves the right to update, modify or remove the information contained on its websites and may limit or deny access to such information.
The user further certifies that they are over 14 years of age and that they have the legal capacity necessary to give consent to the processing of their personal data.
10. How do we handle the personal data of minors?
In principle, our services are not specifically aimed at minors. In the event that any service is addressed to minors under fourteen years, in accordance with Article 8 of the GDPR and Article 7 of LO 3/2018 of 5 December (LOPDGDD), ANNION CONSULTING will require the valid, free, unequivocal, specific and informed consent of their legal guardians. In such cases, an identity card or other form of identification of the person granting consent will be required.
For persons over fourteen years of age, data may be processed with the user's consent, except where the law requires the assistance of the holders of parental authority or guardianship.
11. Security measures
ANNION CONSULTING has adopted the legally required security levels for personal-data protection and applies additional technical and organisational measures within its reach to prevent the loss, misuse, alteration, unauthorised access and theft of personal data provided to ANNION CONSULTING.
ANNION CONSULTING is not responsible for hypothetical damages that may arise from interferences, omissions, interruptions, computer viruses, telephone breakdowns or disconnections in the operation of this electronic system, caused by reasons beyond its control. The user should remain aware that security measures on the Internet are not impregnable.
12. Links to other websites
This website may contain links to other websites. Clicking through to an external website means your visit becomes subject to the privacy policy of that website. ANNION CONSULTING disclaims any responsibility regarding the privacy policies of third-party sites.
13. Cookies and analytics
The HYBRIDGE website does not set cookies on visitors and does not use Google Analytics or any equivalent third-party tracker. Aggregate traffic and search analytics are recorded server-side using the pseudonymous, daily-rotating session hash described in section 2. Public forms are protected against automated abuse by Altcha, a self-hosted, cookie-free proof-of-work challenge. See the cookie policy for details.
14. Related documents
This notice should be read together with our terms of use, cookie policy and legal notice (avís legal).
15. Changes to this privacy policy
This privacy policy may be modified — we recommend that you review it periodically. Material changes will be notified to current newsletter subscribers by email before they take effect.
16. Language
This English version is published for convenience and to comply with the right to information set out in Article 13 of Regulation (EU) 2016/679 (GDPR) and Article 11 of Organic Law 3/2018, of 5 December (LOPDGDD). In the event of any divergence or inconsistency between the English and Spanish versions of this privacy policy, the Spanish version shall prevail.

