Data Rights

Scope and Controller

This Data Rights Notice describes how Studio AGD processes personal data in accordance with the EU/UK General Data Protection Regulation (GDPR) and applicable United States privacy laws. Studio AGD provides pharmaceuticals and health education content at studioagd.com.

The data controller for personal data processed in connection with this website is: Studio AGD, c/o Martha Elena, 15425 Detroit Ave, Lakewood, OH 44107, United States. Contact: [email protected].

Applicability

This notice applies to personal data we collect from visitors, subscribers, and individuals who contact us. It extends GDPR rights to individuals located in the EEA/UK where applicable, and outlines state-law rights for U.S. residents (e.g., CA, CO, CT, VA). Where GDPR and U.S. laws differ, we apply the protections required by the law that applies to you.

Categories of Personal Data We Process

• Identifiers and contact information: name, email address, postal address, and similar identifiers you provide.
• Technical and usage data: IP address, device and browser type, operating system, pages viewed, referring URLs, and timestamps collected via server logs and cookies.
• Communications and submissions: messages and content you send to us (e.g., contact forms, feedback).
• Professional information: if you identify yourself as a healthcare or life-sciences professional.
• Approximate location data: derived from IP address (country, region).
• Inferences: preferences or interests derived from usage, limited to improving content relevance.
• Special categories of data: we do not seek to collect health, genetic, biometric, or other sensitive data. If you voluntarily submit such information, we will process it only as necessary to respond and will minimize and delete it where feasible.

Purposes and Legal Bases for Processing

• Operate and secure the website: to deliver pages, maintain availability, prevent abuse, and diagnose errors. Legal bases: legitimate interests (GDPR Art. 6(1)(f)); compliance with legal obligations.
• Respond to inquiries: to answer questions or fulfill requests you initiate. Legal bases: consent (Art. 6(1)(a)) or steps prior to a contract/performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)).
• Analytics and performance: to understand aggregate usage and improve content quality and accessibility. Legal bases: consent where required for cookies (Art. 6(1)(a)); legitimate interests (Art. 6(1)(f)).
• Communications you opt into: if you subscribe to updates or alerts, to send you the requested communications. Legal bases: consent (Art. 6(1)(a)); legitimate interests (Art. 6(1)(f)).
• Compliance and protection: to comply with applicable laws, enforce terms, and protect rights, safety, and security. Legal bases: legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)).

Sources of Personal Data

• Directly from you when you submit forms or communicate with us.
• Automatically from your device via cookies, pixels, and server logs when you use our site.
• From service providers that support our operations (e.g., hosting, analytics, email delivery).

Cookies and Similar Technologies

We use necessary cookies to operate the site and, where permitted, analytics cookies to measure performance and improve content. You can manage cookies via your browser settings and device controls. Where required by law, we will obtain your consent for non-essential cookies through a consent banner.

Do We Sell or Share Personal Data

We do not sell personal data. We do not share personal data for cross-context behavioral advertising or targeted advertising as defined by U.S. state privacy laws.

Retention

We retain personal data only as long as necessary for the purposes described or as required by law. Typical retention periods are:

• Server logs and security records: up to 12 months.
• Contact inquiries and related correspondence: up to 24 months after resolution.
• Analytics data: 14–26 months, in aggregate where possible.
• Records of consent and rights requests: up to 24 months or as required by law.

We may retain anonymized or aggregated information that does not identify you.

Recipients and International Transfers

We share personal data with service providers acting under our instructions, including hosting providers, analytics platforms, security and performance tools, and customer communications services. These processors are bound by confidentiality and data protection obligations.

If personal data is transferred from the EEA/UK to the United States or other countries not deemed to provide an adequate level of protection, we rely on appropriate safeguards such as Standard Contractual Clauses and supplementary measures where required.

Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls, least-privilege practices, and regular monitoring for abuse or anomalies. No system can be guaranteed to be 100% secure; we maintain procedures to detect, respond to, and mitigate incidents.

Children's Privacy

Our content is intended for a general audience and is not directed to children under 13. We do not knowingly collect personal information from children under 13 (COPPA) or under the age applicable in the EEA/UK without appropriate consent. If you believe a child has provided personal data to us, please contact us at [email protected] and we will delete it.

Your Rights

GDPR Rights for EEA/UK Individuals

• Access: obtain confirmation and a copy of your personal data.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion where grounds apply.
• Restriction: limit processing under certain circumstances.
• Portability: receive data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Objection: object to processing based on legitimate interests and to direct marketing.
• Withdraw consent: where processing is based on consent, withdraw at any time without affecting prior processing.

U.S. State Privacy Rights

Depending on your state of residence, you may have rights to:

• Know and access the categories and specific pieces of personal information we have collected.
• Correct inaccuracies in your personal information.
• Delete personal information, subject to exceptions.
• Opt out of sales or sharing for cross-context behavioral advertising (we do not sell or share).
• Receive personal information in portable format.
• Non-discrimination for exercising your rights.
• Appeal a rights request decision (for certain states); instructions provided upon denial.

How to Exercise Your Rights

Submit a request by emailing [email protected] or by mail to: Studio AGD, Attn: Data Rights, 15425 Detroit Ave, Lakewood, OH 44107, USA. Please specify the right you wish to exercise and provide sufficient information to verify your identity (e.g., your email address and the context of your interactions with us). Authorized agents may submit requests where permitted by law with proof of authorization and identity.

We will respond within one month under GDPR and within 45 days under applicable U.S. laws (with permissible extensions). We may request additional information solely to verify your identity and protect your privacy.

Automated Decision-Making and Profiling

We do not engage in automated decision-making producing legal or similarly significant effects, nor do we conduct profiling in a way that triggers GDPR Article 22.

HIPAA and Health Information

Studio AGD provides educational information about pharmaceuticals. We are not a HIPAA covered entity or business associate, and we do not request protected health information (PHI). Please do not submit sensitive medical information to us. If you voluntarily provide health-related details, we will use them only to address your inquiry and will minimize, restrict, and delete such data where feasible.

Data Protection Impact Assessments and Records

Where our processing presents a high risk to individuals, we will conduct Data Protection Impact Assessments and maintain records of processing activities as required by applicable law.

Data Breach Notification

In the event of a personal data breach, we will notify competent authorities and affected individuals as required by law. For EEA/UK residents, we will notify supervisory authorities within 72 hours where required by GDPR and communicate with impacted individuals when the risk is high. For U.S. residents, we will comply with applicable state notification laws.

EU/UK Representative

Studio AGD is established in the United States and does not regularly offer goods or services to, or monitor, individuals in the EEA/UK at scale. If our processing activities change such that Article 27 GDPR applies, we will designate an EU/UK representative and update this notice. In the meantime, EU/UK individuals may contact us directly at [email protected].

Complaints

If you believe we have not handled your personal data in accordance with this notice or applicable law, you may contact us at [email protected]. You also have the right to lodge a complaint with your local supervisory authority (EEA/UK) or your state attorney general (U.S.).

Changes to This Notice

We may update this Data Rights Notice from time to time to reflect changes in our practices or legal requirements. Material changes will be indicated by updating the effective date below.

Effective date: 2025-08-25