Privacy Policy
Last updated: 19 May 2026 · Version 2.0
1. Introduction
3DxCell AB (“3DxCell”, “we”, “us”, or “our”) is a Contract Research Organisation (CRO) headquartered in Lund, Sweden, providing organoid-based preclinical services to support drug discovery, translational research, and clinical decision-making.
We take the protection of personal data seriously. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you:
- visit our website at 3dxcell.com (the “Site”);
- contact us through any of our communication channels;
- request a quote or engage us for research services;
- subscribe to our scientific updates; or
- otherwise interact with 3DxCell in a professional capacity.
This Policy is issued in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Swedish Data Protection Act (Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning).
The Site and our services are directed exclusively at professional audiences (researchers, clinicians, pharmaceutical and biotech organisations). We do not knowingly collect personal data from anyone under the age of 16. If you believe a minor has provided personal data to us, please contact us so we can promptly delete it.
2. Data Controller
The data controller responsible for the processing of your personal data is:
3DxCell AB
Organisation number: 559562-9881
Scheelevägen 1, 223 63 Lund, Sweden
Email: info@3dxcell.com
Telephone: +46 76 930 36 34
For all privacy-related enquiries, requests to exercise your rights, or complaints, please contact us at the address above using the subject line “Privacy Enquiry”.
3. Categories of Personal Data We Collect
We collect and process personal data only to the extent necessary for the purposes described in this Policy. Depending on your interaction with us, the categories of personal data we may process include:
3.1 Information you provide directly
- Identification and contact data: full name, professional title, organisation or institution, work email address, telephone number, country of residence.
- Project enquiry data: scientific or commercial details you share when requesting a quote, including therapeutic area of interest, target indications, timelines, and any background information you choose to disclose.
- Correspondence data: the content of emails, messages, meeting notes, and other communications you exchange with us.
- Contractual data: information necessary to negotiate, conclude, and perform service agreements, including signatory details, billing contacts, purchase orders, and invoicing information.
3.2 Information collected automatically
- Technical data: non-identifying information about your visit to the Site, such as referring URL, country-level geolocation, device type, browser, and pages viewed. This is collected through our privacy-friendly analytics provider (see Section 7).
3.3 Information we receive from third parties
- Publicly available professional information (e.g. LinkedIn, conference websites, institutional pages) which we may consult during business development outreach in line with our legitimate interests.
3.4 Data we do not routinely collect
3DxCell does not process patient-identifying data through this Site. Biological samples and associated clinical metadata used in our research services are received from collaborating clinical sites under separate Material Transfer Agreements (MTAs) and Data Processing Agreements (DPAs), and are pseudonymised or anonymised at source before reaching 3DxCell. Such processing is governed by the specific agreement in place between 3DxCell and the originating institution and falls outside the scope of this website Privacy Policy.
4. Purposes and Legal Bases for Processing
Under the GDPR, we may only process your personal data where we have a valid legal basis. The table below summarises the purposes for which we process personal data and the corresponding legal bases.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Responding to your enquiry and assessing project feasibility | Art. 6(1)(b) — steps prior to entering into a contract / Art. 6(1)(f) — legitimate interest |
| Preparing and delivering project proposals, quotations, and service agreements | Art. 6(1)(b) — contract |
| Performing service agreements and managing client relationships | Art. 6(1)(b) — contract |
| Sending occasional scientific updates and newsletters | Art. 6(1)(a) — consent |
| Business development outreach to professional contacts | Art. 6(1)(f) — legitimate interest in promoting our services within the scientific community |
| Maintaining accounting records and complying with tax law | Art. 6(1)(c) — legal obligation (Bokföringslagen 1999:1078) |
| Defending or pursuing legal claims | Art. 6(1)(f) — legitimate interest |
| Site security and fraud prevention | Art. 6(1)(f) — legitimate interest |
| Privacy-friendly website analytics | Art. 6(1)(f) — legitimate interest in understanding aggregate Site usage |
Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request a summary of this assessment by contacting us.
Where we rely on your consent, you have the right to withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
5. How We Share Your Data
We do not sell, rent, or trade your personal data. We disclose personal data only in the following circumstances:
5.1 Service providers (data processors)
We engage carefully selected third-party providers to operate our business. Each processor is bound by a written Data Processing Agreement in accordance with GDPR Article 28. Our current categories of sub-processors include:
- Email and communications: Google Workspace (Google Ireland Limited)
- Customer relationship management (CRM): HubSpot / Pipedrive (or equivalent EU-hosted alternative)
- Cloud storage and document management: Microsoft 365 / Google Workspace
- Website hosting: Vercel Inc.
- Web analytics: Plausible Analytics (Plausible Insights OÜ, Estonia)
- Accounting and invoicing: [Fortnox / Visma or equivalent]
- Legal, tax, and audit advisors where strictly necessary
A current list of sub-processors is available on request.
5.2 Collaborators and contractual partners
In the course of delivering research services, we may share necessary information with scientific collaborators, contract laboratories, or sponsors, but only under appropriate confidentiality and data protection terms.
5.3 Public authorities and legal requirements
We may disclose personal data when required by law, court order, or a binding request from a competent authority, including the Swedish Tax Agency (Skatteverket) and the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
5.4 Corporate transactions
In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the acquiring entity, subject to the continued application of this Policy or an equivalent standard.
6. International Data Transfers
We strive to keep personal data within the European Economic Area (EEA). Where a sub-processor operates outside the EEA — for example, certain cloud infrastructure providers — we ensure that transfers are protected by one of the safeguards permitted under Chapter V of the GDPR:
- an adequacy decision by the European Commission (e.g. EU–U.S. Data Privacy Framework certification);
- Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented where appropriate by additional technical and organisational measures; or
- another lawful transfer mechanism under GDPR Articles 46–49.
You may request a copy of the safeguards in place for a specific transfer by contacting us.
7. Cookies and Website Analytics
The Site uses Plausible Analytics, a privacy-friendly, EU-hosted analytics service that:
- does not use cookies;
- does not collect any personally identifiable information;
- does not track visitors across websites or over time;
- is fully compliant with GDPR, ePrivacy Directive (PECR), and CCPA.
Because no personal data is collected and no cookies are stored, no cookie consent banner is required for this service. The Site does not currently use marketing, advertising, or third-party tracking cookies.
If we introduce cookies or tracking technologies that require consent in the future, we will update this Policy and present a cookie consent banner accordingly.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, or reporting requirements. Our standard retention periods are:
| Category | Retention period |
|---|---|
| Unconverted form submissions and enquiries | Up to 24 months from last contact |
| Newsletter subscribers | Until you unsubscribe, plus 30 days for suppression-list purposes |
| Active client and project records | Duration of the engagement, plus 10 years to comply with Swedish accounting law (Bokföringslagen 7 kap. 2 §) |
| Contractual and invoicing records | 7 years after end of the relevant fiscal year (Swedish statutory minimum) |
| Email correspondence | Up to 5 years unless part of an active project file |
| Website analytics (aggregate, non-personal) | Retained indefinitely in anonymised form |
After the applicable retention period expires, we securely delete or irreversibly anonymise the data.
9. Your Rights Under the GDPR
You have the following rights in relation to your personal data, exercisable free of charge in most cases:
- Right of access (Art. 15) — to obtain confirmation of whether we process your data and a copy of that data.
- Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected.
- Right to erasure / “right to be forgotten” (Art. 17) — to have your data deleted in certain circumstances.
- Right to restriction of processing (Art. 18) — to limit how we use your data in defined situations.
- Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — including objecting to processing based on legitimate interests and to direct marketing.
- Right to withdraw consent (Art. 7(3)) — at any time, without affecting prior lawful processing.
- Right not to be subject to automated decision-making (Art. 22) — 3DxCell does not carry out automated decision-making or profiling that produces legal effects on individuals.
To exercise any of these rights, please contact us at info@3dxcell.com. We will respond within one month of receiving a verifiable request, in accordance with Article 12(3) of the GDPR.
You also have the right to lodge a complaint with your competent supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
10. Data Security
We implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. These measures include:
- access control and least-privilege principles for all internal systems;
- encryption in transit (TLS 1.2+) for all data communications;
- encryption at rest for cloud-stored documents and CRM data;
- multi-factor authentication (MFA) for staff accounts;
- regular review of sub-processors and their security posture;
- written confidentiality undertakings from all staff and contractors;
- documented incident response procedures.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the IMY within 72 hours and, where required, inform affected individuals without undue delay, in accordance with GDPR Articles 33 and 34.
11. Research Use Only (RUO) Disclaimer
3DxCell provides preclinical organoid-based services for research use only (RUO). Our services are not intended for clinical diagnostic use or to guide individual patient treatment decisions. Biological materials processed in the course of our research services are governed by separate Material Transfer Agreements (MTAs) and ethical approvals between 3DxCell and the originating clinical or academic institution. We are actively working towards IVDR certification.
12. Changes to This Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, services, legal requirements, or industry standards. The “Last updated” date at the top of this page indicates when the Policy was most recently revised. Material changes will be communicated through a prominent notice on the Site and, where appropriate, by email to affected individuals.
We encourage you to review this Policy periodically.
13. Contact
For any questions, requests, or concerns regarding this Privacy Policy or our processing of your personal data, please contact:
3DxCell AB
Scheelevägen 1, 223 63 Lund, Sweden
Email: info@3dxcell.com
Telephone: +46 76 930 36 34
LinkedIn: linkedin.com/company/3dxcell
This Privacy Policy has been prepared to reflect 3DxCell AB's commitment to transparent and lawful data processing. It does not constitute legal advice. For binding interpretation of your rights and our obligations, the GDPR and applicable Swedish law shall prevail.