Privacy Policy
This privacy policy explains how PEAK Medicals GmbH (“we”, “us”, “PEAK Medicals”) collects, uses, and protects your personal data when you use the Intl. Lung Cancer Summit website at lungsummit.org (the “Site”). We treat your personal data as confidential and process it in accordance with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), the UK Data Protection Act 2018, and this privacy policy.
Data transmitted through the internet (for example by email) may be subject to security breaches. Complete protection of your data from third-party access is not possible.
1. Controller and contact
The controller responsible for the processing of your personal data on this Site is:
PEAK Medicals GmbH
Schuetzenstrasse 1, 8800 Thalwil, ZH, Switzerland
UID: CHE-301.251.575
Phone: +41 (0)31 533 4223
Email: hello@peakmedicals.com
For any data-protection question, you may also write to us at the address above.
2. Scope and intended audience
The Site is intended for healthcare professionals, pharmaceutical and biotech industry professionals, medical researchers, and other stakeholders involved in lung cancer research, treatment, and care. Content is educational and informational and is not intended for patients or the general public. The Site is not directed at children, and we do not knowingly process personal data of persons under 18.
We process your personal data primarily in Switzerland. Where data is transferred to a processor in the European Economic Area or in a third country, we apply the safeguards described in Section 6.
PEAK Medicals GmbH also operates the OncoViews initiative. Where the same account grants access to both initiatives, personal data may be processed across both properties on the same legal bases described in this policy.
3. Personal data we collect
3.1 Server log data
When you visit the Site, your browser automatically transmits the following data, which we record in server logs:
- Date, time, and duration of your visit
- IP address assigned by your internet service provider
- Pages requested and the action performed
- Referring website
- Browser type, operating system, and device class
- Search terms entered in the site search
- Files downloaded
This data is stored separately from any data you submit. It is used for technical operation of the Site, security and anti-abuse, and aggregate statistical analysis. Legal basis: Article 6 (1) (f) GDPR (legitimate interest in providing a functional and secure website).
3.2 Registration and account data
To access the Site, you must register and complete the healthcare-professional verification process. We collect:
- Academic title and full name
- Email address
- Profession (HCP specialty, industry role, or other)
- Affiliation (institution, hospital, or company)
- City and country
- Phone number (optional)
- For paid tiers: address and payment information
Legal basis: Article 6 (1) (b) GDPR (contract performance, namely providing you with access to the Site under our Terms of Service).
3.3 Healthcare-professional verification evidence
To confirm you are a healthcare professional or industry stakeholder, our verification system checks your email domain against an internal whitelist of known institutional and corporate domains. Where a clear match is not found, the system performs an automated public web search to find publicly available evidence linking your name and stated affiliation to a medical or industry role. The query and returned public-result snippets, the resulting verdict score, and any administrative decision are stored against your user profile for audit and account-integrity purposes. No data is transmitted to the search provider beyond the public search query (your name and stated affiliation). We reserve the right to deny or revoke access where verification cannot be completed satisfactorily; we make no representation or warranty as to the verified identity, qualifications, or licensing status of any registered user. Legal basis: Article 6 (1) (b) GDPR (contract performance) and Article 6 (1) (f) GDPR (legitimate interest in restricting medical content to qualified professionals).
3.4 Membership, payment, and invoicing data
The Site offers four access tiers:
- Online Pass: free; remote ILCS access
- Conference Badge: free; on-site ILCS access for professionals from sponsoring pharma and biotech companies
- Industry Pass: paid; remote ILCS access for professionals from non-sponsoring pharma companies
- Industry Badge: paid; on-site ILCS access for professionals from non-sponsoring pharma companies
Paid-tier checkouts are handled by our PCI-DSS-compliant card-payment processor. The payment processor is an independent controller for card data; we receive only transaction status, amount, currency, the last four digits, card brand, and an invoice reference for receipt generation. Receipts and tax invoices are generated and stored on the Site in PDF form. Legal basis: Article 6 (1) (b) GDPR (contract performance) and Article 6 (1) (c) GDPR (compliance with accounting and tax-retention obligations).
3.5 Newsletter and engagement data
If you subscribe to our newsletter, we store your subscription status, opt-in date, and topic preferences in our customer-engagement platform. We also record which emails you open, which links you click, and which pages you visit on the Site while logged in. This data is used to send you content relevant to your stated interests and to measure the engagement of our editorial output. Legal basis: Article 6 (1) (a) GDPR (consent, granted at newsletter opt-in) and Article 6 (1) (f) GDPR (legitimate interest in measuring engagement). You may unsubscribe at any time using the link in any newsletter or by contacting us at the address in Section 1.
3.6 Contact-form submissions
If you contact us through the contact form, we store the data you submit (name, title, email, phone, profession, affiliation, address, and message) for the purpose of responding to your enquiry. Legal basis: Article 6 (1) (b) GDPR (steps prior to entering a contract, if relevant) or Article 6 (1) (f) GDPR (legitimate interest in handling correspondence).
3.7 Video watch data
Video content on the Site is delivered through our video player and content-delivery provider. When you watch a video, the player records watch time and completion percentage. This data is associated with your user account and is used to power continue-watching features, to surface relevant follow-on content, and to report aggregate viewership statistics to sponsoring pharma companies as described in Section 5.2. Legal basis: Article 6 (1) (b) GDPR (contract performance) and Article 6 (1) (f) GDPR (legitimate interest in operating the Site).
3.8 Sensitive (special-category) data
We do not request, and you should not submit, special categories of personal data within the meaning of Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation). Your professional role is not a health datum within the meaning of Article 9 GDPR. Please do not submit patient information of any kind through the Site; please use channels of your own institution for patient data.
4. Cookies and similar technologies
We use cookies and similar local-storage technologies to operate the Site, to remember your login state and consent preferences, and to measure engagement. Detailed information about each cookie set on the Site (including its purpose, duration, and the party that sets it) is available in our Cookie Policy, which is generated and maintained by our cookie-consent platform.
You can review and change your cookie consent settings at any time through the cookie banner or by clicking the cookie-settings link in the website footer. Strictly necessary cookies (login session, security, fraud prevention, CRM identification) are set without consent under Article 6 (1) (f) GDPR. Non-essential cookies (analytics, embedded third-party services) are set only after you give consent under Article 6 (1) (a) GDPR; you may withdraw that consent at any time without effect on the lawfulness of past processing.
5. Recipients and disclosure
5.1 Categories of recipients (processors)
We engage contractually bound processors to operate the Site. Each processor may only use your data for the specific purpose we instruct and is obliged to handle it in accordance with this privacy policy, our written instructions, and the requirements of Article 28 GDPR. The current categories of processors are:
- Hosting and infrastructure: a European hosting provider for server infrastructure, backups, and email-relay services
- Card-payment processing: a PCI-DSS-compliant card-payment processor established in the European Economic Area
- Transactional email delivery: a cloud email service for confirmation, password-reset, and receipt emails, routed through our hosting environment
- Newsletter and customer-engagement platform: a self-hosted CRM running on our own infrastructure for newsletter subscription, list segmentation, and engagement metrics
- Video player and content-delivery: a video player provider and a video content-delivery network for streaming, watch-time recording, and player analytics
- Healthcare-professional verification: a public web-search API used during sign-up to retrieve open-web evidence of your stated affiliation
- Cookie-consent platform: a consent-management plugin that records and stores your consent choices
- Anti-spam and bot protection: a third-party reCAPTCHA service used on contact and registration forms
- PDF receipt generation: a server-side library bundled with our membership plugin
- Map embed: a third-party maps embed service used where the Site shows location maps (only after cookie consent)
A current named list of sub-processors is available on request from hello@peakmedicals.com. We update this list when we change a processor.
5.2 Sponsoring pharma and biotech companies
The Site is multi-sponsored by pharmaceutical and biotech companies. Sponsors receive aggregated, de-identified reports of audience engagement with their sponsored content (for example, total impressions, total watch time, click counts, geographic distribution of viewers, and professional-role distribution of viewers). Sponsors do not receive personally identifiable information about you through these reports, and cannot identify you as an individual from them. Sponsors do not have access to the underlying user database. Sponsoring-pharma and biotech professionals who register on the Site under a recognised sponsor email domain receive a Sponsor or Sponsoring-Biotech tier account; their registration data is processed on the same basis as any other registered user, and their employer does not receive their individual usage data through this Site. Legal basis for the aggregate reporting: Article 6 (1) (f) GDPR (legitimate interest in commercial reporting to sponsors).
5.3 Faculty, contributors, and editorial partners
Where you correspond with a faculty member, contributor, or editorial partner about content on the Site (for example through a Q&A session), your message and the necessary contact data are shared with that person for the purpose of responding to you. We will tell you in advance when this happens and offer you the chance to opt out.
5.4 Legal and regulatory disclosures
We may transfer personal data to law-enforcement authorities, regulators, or competent courts where there are concrete indications of unlawful or abusive behaviour, where we are required to do so by a binding legal order, or where transfer is necessary to enforce our Terms of Service, defend a legal claim, or protect the rights of a third party. Legal basis: Article 6 (1) (c) GDPR (legal obligation) or Article 6 (1) (f) GDPR (legitimate interest).
5.5 Corporate transactions
If we restructure, merge, or sell part of our business, customer data may be transferred to the acquiring or successor entity as part of that transaction. Any such transfer will be carried out in conformity with this privacy policy and applicable data-protection law, and you will be notified by email in advance of any change of controller.
5.6 Adverse-event reporting forwarding
If you contact us about a suspected adverse drug reaction, side effect, product-quality complaint, or other pharmacovigilance event concerning a product manufactured or marketed by a sponsoring pharma or biotech company, we may be required to forward your report and the contact details necessary to follow up to the marketing-authorisation holder, so that the holder can fulfil its statutory pharmacovigilance obligations (for example under Regulation (EU) No 1235/2010, Swissmedic guidance, or equivalent local law). Where we do this, we transfer the minimum data necessary, and we tell you at the time of forwarding. Legal basis: Article 6 (1) (c) GDPR (compliance with a legal obligation). The Site is not itself a pharmacovigilance reporting channel; please follow the procedure of your national authority for routine adverse-event reporting.
5.7 What we do not do
- We do not sell or rent your personal data to any third party.
- We do not share your personal data with sponsoring pharma or biotech companies in identifiable form; sponsors receive aggregated, de-identified reporting only (see Section 5.2).
- We do not use cross-device tracking to identify common users behind multiple devices.
- We do not participate in hashed-email or identity-graph advertising networks (such as LiveRamp, ID5, or equivalent).
- We do not use your personal data to train any machine-learning, large-language-model, or generative-AI system.
5.8 Editorial use of AI tools
We may use machine-learning and generative-AI tools to support our editorial workflow (for example, to draft summaries of publicly available conference reports, to translate or transcribe video material, or to suggest tagging). All content published on the Site is reviewed and edited by qualified human editors before publication. Your personal data is not used as input to these tools (see Section 5.7).
6. International data transfers
Some of our processors are established in, or may transfer your data to, countries outside the European Economic Area, including the United States. Where this happens, the transfer is protected by EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or by an equivalent safeguard recognised by the European Commission. For transfers to the United States, we rely on the EU-US Data Privacy Framework where the processor is certified, and on Standard Contractual Clauses with supplementary measures otherwise. You can review the EU Standard Contractual Clauses at commission.europa.eu. A copy of the safeguard applicable to a specific transfer is available on request.
7. Retention
We retain your personal data only for as long as necessary for the purposes for which we collected it and thereafter for as long as Swiss or EU statutory retention obligations require. Indicative retention periods:
- Server access logs: rotated within 14 days
- Account profile data: retained while your account is active and for 24 months after the last login, then deleted on the next quarterly purge unless we are legally required to retain it longer
- Newsletter engagement data: retained while your subscription is active and for 24 months after the last interaction, then anonymised or deleted
- Financial records (invoices, transaction logs): retained for 10 years (Swiss Code of Obligations Art. 958f)
- Contact-form correspondence: retained for 3 years from the last reply
- HCP verification evidence: retained while your account is active; deleted on account deletion
On a written deletion request, we delete account-level data within 30 days, subject to the financial-records retention period above.
8. Your rights
Under the GDPR, the Swiss FADP, and the UK Data Protection Act 2018, you have the following rights, free of charge unless your request is manifestly unfounded or excessive:
- Right of access (Article 15 GDPR): obtain confirmation of whether we process your data and a copy of that data
- Right to rectification (Article 16 GDPR): have inaccurate or incomplete data corrected
- Right to erasure (Article 17 GDPR): have your data deleted, subject to lawful retention obligations
- Right to restriction of processing (Article 18 GDPR): have processing suspended in defined circumstances
- Right to data portability (Article 20 GDPR): receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
- Right to object (Article 21 GDPR): object at any time to processing based on legitimate interest, including direct marketing
- Right to withdraw consent (Article 7 (3) GDPR): withdraw consent to non-essential processing at any time, without affecting the lawfulness of processing before withdrawal
- Right not to be subject to automated decisions (Article 22 GDPR): we do not take legal or similarly significant decisions about you on a purely automated basis; HCP verification verdicts are reviewed by an administrator before a tier downgrade
- Right to lodge a complaint with a supervisory authority: in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch); in the EU, your national data-protection authority; in the UK, the Information Commissioner’s Office (ico.org.uk)
To exercise any of these rights, contact us at the address in Section 1. We respond within one month of receiving a valid request, in accordance with Article 12 (3) GDPR; that period may be extended by two further months for complex or numerous requests, in which case we will tell you within the first month.
9. Account deletion
You may request deletion of your account by emailing registration@lungsummit.org from the email address associated with your account, or through the account settings page when you are logged in. We delete your profile data, newsletter subscription, behavioural records, and HCP verification evidence within 30 days, subject to the statutory retention periods set out in Section 7.
After deletion, we may retain irreversibly de-identified data (with no realistic possibility of re-identification) for internal research, analytics, sponsor reporting, and product-development purposes. Such de-identified data is no longer personal data within the meaning of Article 4 (1) GDPR and is outside the scope of this privacy policy.
10. Security
We apply industry-standard measures to protect your data, including TLS encryption on all pages, secure password hashing, role-based access control on the back-end, restricted server access, daily off-site backups maintained by our hosting provider, and routine security review of our codebase. No system is fully secure; if you suspect unauthorised access to your account, please notify us at the address in Section 1 promptly so we can investigate and, where applicable, fulfil our breach-notification obligations under Article 33 GDPR.
11. Automated decision-making and profiling
HCP verification involves automated processing (domain whitelist match, web-search heuristic score) but does not produce a legal or similarly significant effect on you without administrator review. Newsletter content personalisation involves limited profiling based on stated topic preferences and click behaviour; the only effect is which articles we send you, and you can stop it by unsubscribing or by objecting under Article 21 GDPR.
12. Linked third-party services
The Site links to third-party websites, including peer-reviewed journals, conference websites, regulatory authority pages, and sponsor microsites. This privacy policy does not apply to those sites; please review their own privacy notices before submitting personal data to them.
13. Changes to this policy
We may update this privacy policy from time to time. Material changes are notified to registered users by email and posted prominently on the Site for at least 30 days before they take effect. The current version is always available at this URL, with the “last updated” date below.
14. Contact
For any privacy-related question, please contact us at hello@peakmedicals.com or write to PEAK Medicals GmbH, Schuetzenstrasse 1, 8800 Thalwil, ZH, Switzerland.
Last updated: 20 May 2026.