Privacy Policy

Last updated: 5 September 2025


Introduction

Hesperion (“we”, “our”, “us”) is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, and safeguard information when you use our website hesperion.no and related services. We comply with the General Data Protection Regulation (GDPR), Norwegian data protection law, and other applicable regulations.

1. Who we are

2. What data we collect

We collect only the minimum necessary data for research participation, website functionality, and communication.

Categories of data:

  • Contact information: name, email, organization (when submitted via forms).
  • Research participation data: any information voluntarily provided through the secure participation form.
  • Website usage data: cookies, analytics, browser type, IP address (anonymized where possible).
  • Communication data: messages you send to us via email or forms.

Important: We do not request or process directly identifiable patient medical records through the public website or chatbot. Any health-related research data we receive from partners is already de-identified before it reaches us.

3. Legal basis for processing

  • Consent (Art. 6(1)(a) GDPR) — e.g., when you submit a form or sign up for updates.
  • Legitimate interests (Art. 6(1)(f) GDPR) — e.g., to secure our website, analyze traffic, and improve services.
  • Legal obligations (Art. 6(1)(c) GDPR) — where we must comply with law.
  • Special category data: If sensitive health-related data is ever processed, it will be under Art. 9(2)(j) GDPR (scientific research purposes), with strict safeguards.

4. How we use your data

  • To respond to inquiries and communicate with you.
  • To manage participation in research initiatives (via the dedicated study portal).
  • To improve website performance and user experience.
  • To ensure compliance with laws and ethical requirements.
  • To maintain security and prevent misuse.

5. Data storage & security

  • Data is stored within the European Economic Area (EEA), preferably on Norwegian or EU servers.
  • All information is encrypted in transit (TLS/SSL) and at rest.
  • Access is restricted to authorized staff only, under confidentiality agreements.
  • Logs and audit trails are maintained to ensure accountability.

6. Data retention

  • Contact & communication data: until resolved or up to 24 months.
  • Research participation data: according to project-specific ethics approvals and agreements.
  • Analytics/cookies: see our Cookie Policy.

7. Sharing of data

We do not sell or trade personal data. We may share data only with:

  • Trusted service providers (e.g., secure hosting, analytics) under data processing agreements.
  • Research partners, but only in aggregated and de-identified form.
  • Authorities, if legally required.

8. Your rights (GDPR)

You have the right to:

  • Access your data.
  • Request correction or deletion.
  • Withdraw consent at any time.
  • Restrict or object to processing.
  • Request data portability.
  • Lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

To exercise your rights, contact us at privacy@hesperion.no.

9. Cookies & tracking

We use cookies for functionality, analytics, and security. Details are provided in our Cookie Policy. You can manage or withdraw your cookie consent at any time.

10. International transfers

We do not transfer personal data outside the EEA unless adequate safeguards are in place (e.g., Standard Contractual Clauses).

11. Updates to this policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website with the date of last update.

12. Contact


Thank you for your trust. We value your privacy and your contribution to advancing autoimmune research.