Privacy Policy

Orpheus Labs SA ("Orpheus Labs", "we", "us") is committed to protecting the personal data of all individuals who interact with our website, research programs, and administrative services. This Privacy Policy explains what data we collect, why we collect it, and how it is handled in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Swiss data protection law (nDSG).

1. Who We Are

The data controller is:

Our Data Protection Officer (DPO) can be reached at: dpo@orpheus-labs.com

2. Data We Collect

We collect data in the following contexts:

a) Contact & Inquiry Forms
When you submit a message via our contact form, we collect: first and last name, institutional email address, affiliated institution, inquiry type, subject, and message content.

b) Access Requests
Requests for access to restricted research data additionally require: curriculum vitae, institutional affiliation documentation, and intended use declaration.

c) Website Analytics
We collect anonymised usage data (pages visited, session duration, referral source) via self-hosted analytics. No personally identifiable information is retained in this process.

d) Research Participants
Data collected in the context of research programs is governed by separate participant information sheets and ethics committee-approved consent protocols, not by this policy.

3. How We Use Your Data

We process your data exclusively for the following purposes:

• Responding to inquiries and collaboration requests (legal basis: legitimate interest, Art. 6(1)(f) GDPR)
• Processing and evaluating access requests (legal basis: contractual necessity, Art. 6(1)(b))
• Improving our website and services (legal basis: legitimate interest)
• Compliance with legal obligations (legal basis: Art. 6(1)(c))

We do not sell, rent, or trade personal data to third parties. We do not use personal data for automated decision-making or profiling.

4. Retention Periods

Contact form submissions are retained for 24 months from the date of last correspondence. Access request documentation is retained for the duration of the access agreement plus 5 years. Analytics data is retained in aggregated, anonymised form indefinitely.

5. Your Rights

Under GDPR and nDSG, you have the right to: access your personal data (Art. 15), rectify inaccurate data (Art. 16), request erasure (Art. 17), restrict processing (Art. 18), data portability (Art. 20), and object to processing (Art. 21).

To exercise any of these rights, contact us at privacy@orpheus-labs.com. We will respond within 30 days. You also have the right to lodge a complaint with the Swiss Federal Data Protection Commissioner (FDPIC) or your local EU supervisory authority.

6. Cookies

Our website uses strictly necessary session cookies for navigation purposes only. We do not use advertising, tracking, or third-party analytics cookies. No cookie consent banner is displayed as no non-essential cookies are set.

7. Third-Party Services

Our website loads Bootstrap CSS and JS from a CDN (jsDelivr). This may result in your IP address being transmitted to jsDelivr's servers. We encourage you to review jsDelivr's privacy policy at jsdelivr.com. No other third-party services are embedded in our public-facing website.

8. Security Measures

All data is transmitted over TLS 1.3. Access to internal systems containing personal data is restricted by role, protected by multi-factor authentication, and subject to regular security audits. Orpheus Labs holds ISO 27001 certification for its information security management system.

9. Contact & Updates

For any privacy-related question, contact our DPO at dpo@orpheus-labs.com. This policy may be updated periodically. Material changes will be notified via a banner on our homepage. The current version is always accessible at this URL.