Privacy Policy

1. Scope

This Privacy Policy applies to the use of the website (hereinafter, the “Website”) and the services offered through the Website. This Website is provided by BioMed X GmbH, Im Neuenheimer Feld 515, 69120 Heidelberg, Germany, email (hereinafter, “BioMed X” or “we”) as the controller as defined in Article 4 of the EU General Data Protection Regulation (hereinafter, the “GDPR”). You can contact our data protection at

Protecting your personal data is important to us, in particular, protecting your personal rights when we process and use your personal data. Below, we inform you about the collection of personal data when you use our Website. The term personal data includes all data relating to you personally, for example, your name, postal address, email address, and user behavior.

2. Automated Data Collection and Processing

2.1 General Data

As with every other web service, our server collects information automatically and stores it temporarily in server log files unless you deactivate such collection. If you view content in our Website, we collect the following data which for technical reasons we need if we are to display the contents of our Website to you and to ensure the stability and security thereof (legal basis: Article 6 (1) f) of the GDPR):

  • the IP address of the computer from which the inquiry is sent;
  • the file inquired about by the client;
  • the http response code;
  • the Internet page from which you are visiting (referrer URL);
  • the date and time the server inquiry is sent;
  • the type and version of the browser used; and
  • the operating system on the computer sending the inquiry.

No server log files are evaluated in association with an individual person. The provider is not able to allocate the data to any specific person or persons at any time. The data is not merged with data from any other sources.

2.2 Matomo

This website uses the open source web analytics service Matomo. Matomo uses technologies that enable BioMed X Institute to recognize its website users across multiple pages in order to analyze user behavior (e.g. cookies or device fingerprinting). The information collected by Matomo about the use of this website is stored on our own servers. Before archiving, the IP address is first anonymized.

With the help of Matomo, BioMed X Institute can collect and analyze data about the use of its website by visitors. This allows the website operator to get an overview of page views and user activity in different countries. Matomo collects various log files (e.g. IP address, referrer, browser and operating system used) and can thus measure whether visitors to the website perform certain actions (e.g. clicks etc.).

The use of this analysis tool is based on Art. 6(1)(f) GDPR. BioMed X Institute has a legitimate interest in analyzing user behavior in order to optimize its web offering and advertising. Insofar as a corresponding consent has been obtained (e.g., consent to the storage of cookies), the processing is based exclusively on Art. 6(1)(a) GDPR; the consent can be revoked at any time.

IP anonymization
For the analysis with Matomo, the website operator uses IP anonymization. In this process, your IP address is shortened before analysis so that it can no longer be clearly assigned to you.

Matomo is hosted exclusively on our own servers, so that all analysis data is retained and not passed on.


Tracking is currently not active because you have rejected the use of statistical cookies. To reactivate tracking, you must agree to the use of statistics cookies.

Edit your cookie settings

3. Collection and Processing of Data Provided on a Voluntary Basis

3.1 General Contact Information

Generally, your provision of your personal data to us through our Website (e.g. your last name, first name, email address and/or postal address) is voluntary. This data is used to process your inquiries, as part of our contractual relationship, perform our own market research or opinion polls, and make decisions regarding the advertising materials we send out by mail. Unless necessary to process your inquiries, the personal data you provide will not be shared with third parties; in particular, for advertising purposes. We will erase the data collected from you when saving such data no longer is required or, depending on statutory retention obligations, we will restrict the processing of such data. The legal basis for this is Article 6 (1) b) of the GDPR or Article 6 (1) f) of the GDPR.

3.2 BioMed X Career Space

You may register at our BioMed X Career Space to apply for a research project or job offer provided by us as described in each individual call for application. During the registration at the BioMed X Career Space, you are required to provide the following data: name, gender, date of birth, email, nationality, country of residence, institution, address, English language skills, current and desired position, primary interest, and how you heard about BioMed X. After your registration, you may add additional information relating to your qualification, your CV, publications, patents, profile photo, and submit a research project proposal for the respective call for application. The legal basis for this is Article 6 (1) a) of the GDPR, your consent, or Art. 6 (1) b) of the GDPR.

This information will be used to process your application. Therefore, we will share your application with our research sponsors and partners for evaluation. Based on the evaluation, selected applicants will be invited to a job interview or an innovation boot camp. As necessary for the conduction of the job interview or innovation boot camp, the personal data of the applicant will be shared with relevant research sponsors and partners. The legal basis for this is Article 6 (1) a) of the GDPR, your consent.

With your registration, you agree that your data are stored in the BioMed X Career Space. General information provided during the registration or later as part of your applicant profile will be stored until you delete your account. Additional information you provide during your application for a specific job offer or research project will only be used as long as it is necessary for the application process. We will delete the data collected when you delete your account, or the storage of such data is no longer required, or, depending on statutory retention obligations, we will restrict the processing of such data.

4. Transmission to Third Parties

To the extent you provide us with personal data, we will not transmit any such personal data to any third party, except

  • to the extent you consented to such transmission (see 3.2 above): when data is collected, you will be informed of the recipient or categories of recipients;
  • as part of the processing of your inquiries and your use of our services: to subcontractors commissioned by us to whom we transmit only such data as is required to fulfill the respective assignment and such contractors shall use such data for specific purposes only;
  • as part of processing activities pursuant to Article 28 of the GDPR: to external service providers whom we have selected diligently and have commissioned and who are bound by our instructions and by the provisions of the GDPR and are controlled on a regular basis; and
  • in compliance with legal obligations: to parties authorized to obtain such personal data.

5. Cookies

Edit your cookie settings

Our Website uses cookies, small text files that are saved locally in your browser’s cache. The following types of cookies, the scope and functionality of which are explained below, are used:

  • transient cookies and
  • persistent cookies.

Transient cookies are erased automatically when you close your browser. Transient cookies include, but are not limited to, session cookies, which save session IDs that can be used to associate diverse requests from your browser with one joint session. In this way, your computer is recognized when you return to our Website. Session cookies are deleted when you log out or close your browser.

Persistent cookies are erased automatically after a predefined period of time, which period of time may vary depending on the cookie. You can delete persistent cookies in the security settings of your browser at any time.

You can configure your browser settings to meet your needs such that, for example, acceptance of third-party cookies or of all cookies is refused. Please note that in this case you may not be able to use all the functions of our Website.

We use cookies to identify you during your ensuing visits to our Website, provided you have set up an account with us. Otherwise, you will be required to log in every time you visit our Website.

Twitter plug-in

We have integrated functions of the social media platform Twitter into this website. These functions are provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. While you use Twitter and the “Re-Tweet” function, websites you visit are linked to your Twitter account and disclosed to other users. During this process, data are transferred to Twitter as well. We must point out, that we, the providers of the website and its pages do not know anything about the content of the data transferred and the use of this information by Twitter. For more details, please consult Twitter’s Data Privacy Declaration at:

The use of Twitter plug-ins is based on Art. 6 Sect. 1 lit. f GDPR. The operator of the website has a legitimate interest in being as visible as possible on social media.

You have the option to reset your data protection settings on Twitter under the account settings at

LinkedIn plug-in

This website uses functions of the LinkedIn network. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA.

Any time you access a page of this website that contains functions of LinkedIn, a connection to LinkedIn’s servers is established. LinkedIn is notified that you have visited this website with your IP address. If you click on LinkedIn’s “Recommend” button and are logged into your LinkedIn account at the time, LinkedIn will be in a position to allocate your visit to this website to your user account. We have to point out that we as the provider of the websites do not have any knowledge of the content of the transferred data and its use by LinkedIn.

The use of the LinkedIn plug-in is based on Art. 6 Sect. 1 lit. f GDPR. The operator of the website has a legitimate interest in being as visible as possible on social media.

For further information on this subject, please consult LinkedIn’s Data Privacy Declaration at:

7. Your Rights

You have the following rights vis-à-vis us regarding your personal data. You have the right to

  • access,
  • rectify or erase,
  • restrict processing,
  • object to processing, and
  • portability.

Please forward all inquiries in writing to our above-mentioned contact.

In addition, you have the right to lodge a complaint with a data protection supervisory authority if you are not satisfied with our processing of your personal data.

8. THALES Whistleblower System

We use the THALES Whistleblower System provided by the law firm THALES Lawyers. This Whistleblower System enables the submission and receipt, as well as the investigation, of reports to prevent, detect, and/or take action against violations of applicable law or company policies.

In cases where reports are not made anonymously, the following data may be collected:

  • Personal identification information of the whistleblower, such as first and last name, address, telephone number, and email address;
  • Employment characteristics;
  • Information about the person being reported in the complaint, such as first and last name, gender, address, telephone number, and email address;
  • Information about violations that may allow for conclusions to be drawn about a natural person.

The processing of personal identification data of the whistleblower is based on the legal obligation of the Whistleblower Protection Act (HinSchG) according to Art. 6 (1) lit. c) GDPR.

If further information regarding employment characteristics, information about the person concerned, and other information that allows conclusions to be drawn about natural persons are processed, this is done either to fulfill legal obligations under the Whistleblower Protection Act (HinSchG) according to Art. 6 (1) lit. c) GDPR or, in the case of the voluntary provision of a whistleblower system, based on a legitimate interest according to Art. 6 (1) lit. f) GDPR. Our legitimate interest lies in the processing of reports to be able to take subsequent measures.

For more information on the data protection provisions of the THALES Whistleblower System, please visit: