Privacy Policy and Cookie Notice

This policy applies from December 2025 and replaces previous versions.

1. Introduction
This privacy policy describes how SenzaGen AB (“SenzaGen”, “we”, “us”) processes personal data within our operations. We comply with the EU General Data Protection Regulation (GDPR), the Swedish Data Protection Act, and other applicable legislation, including regulations for public companies such as the Swedish Companies Act and the Market Abuse Regulation (MAR).

This policy applies to you as:

  • Subscriber or recipient of press releases/newsletters
  • Shareholder or investor
  • Customer or potential customer
  • Supplier, business partner, or consultant
  • Job applicant
  • Insider or reporting obligated person
  • Other contact person in connection with business relationships or events
  • Employees and former employees
  • Board members

Data protection contact:
SenzaGen AB (org. no. 556821–9207)
Medicon Village, 223 81 Lund, Sweden
Tel: +46 46 2756200
Email: privacy@senzagen.com
You can always contact us with questions or to exercise your rights.

2. Categories of Personal Data and Purposes
Below you will find which personal data we process per category, for what purposes, and with what legal basis.

2.1 Subscribers / Newsletters / Press Releases
Examples of data: Name, email address, phone, company, role, registrations for mailings or events.

Purposes:

  • Manage subscriptions
  • Send press releases and financial information
  • Invite to investment-related events
  • Fulfill requirements under regulations for public companies

Legal basis:
Legitimate interest (necessary to provide information with limited privacy impact).

Retention period:
As long as you subscribe. Deleted upon deregistration or if mailings are no longer justified. You can deregister at any time.

2.2 Shareholders and Investors
Examples of data:
Name, address, email, phone, ownership information, information from Euroclear, participation in general meetings, and personal identification number (where required for identification and the administration of general meetings).

Purposes:

  • Manage shareholder relations
  • Distribution of financial information
  • Administration of general meetings
  • Fulfill legal requirements applicable to public companies

Legal basis:
Legal requirements (Swedish Companies Act, MAR) and legitimate interest for communication.

Retention period:
According to applicable legislation (typically 7–10 years).

2.3 Customers and Potential Customers
Examples of data:
Name, email, phone, company, role, communication, order-related information, event registrations.

Purposes:

  • Manage and develop business relationships
  • Provide services and support
  • Administration of contracts and orders
  • Comply with applicable regulatory requirements (e.g. regulatory inspections or audits)

Legal basis:
Legitimate interest or contract.

Retention period:
As long as the relationship continues, and thereafter according to the Swedish Accounting Act requirements (7 years) or regulatory requirements.

2.4 Suppliers, Business Partners, and Consultants
Examples of data:
Contact details, contract information, bank details (for sole proprietorships), invoices, access to premises and systems.

Purposes:

  • Fulfill contractual obligations
  • Administer payments
  • Security and compliance
  • Manage access to systems and premises

Legal basis:
Contract or legitimate interest.

Retention period:
Contract duration + statutory time limits (typically 7 years according to the Swedish Accounting Act).
2.5 Job Applicants
Examples of data:
CV, cover letter, diplomas, references, interview materials, notes, test results.

Purposes:

  • Evaluate candidates
  • Conduct recruitments
  • Store candidates for future positions (only with consent)

Legal basis:
Legitimate interest; consent for continued storage after completed process.

Retention period:
24 months after completed recruitment following consent.

2.6 Insiders / PDMR / MAR Reporting
Examples of data:
Name, contact details, personal identification number, and family members and closely associated persons, transaction data according to MAR.

Purposes:

  • Fulfill reporting requirements under the Market Abuse Regulation (MAR)
  • Administer insider lists

Legal basis:
Legal requirements.

Retention period:
According to MAR (typically 5 years).
2.7 Website and Event Visitors
Examples of data:
IP addresses (anonymized when possible), technical logs, cookie banner choices, event registration.

Purposes:

  • Provide and enhance the website
  • Security and error handling
  • Manage event registration

Legal basis:
Legitimate interest (necessary logs) and consent (cookies when required).

Retention period:
See cookie policy below. Event data is saved for a maximum of 12 months.

2.8 Employees and Board Members
We process personal data necessary to fulfill employment contracts and our obligations as an employer (e.g., name, personal identification number, salary, bank account, sick leave, emergency contact information, and information from the recruitment process).

Legal basis:
Employment contract, legal requirements (e.g., tax and social insurance legislation), and in some cases consent or collective agreements.

Retention period:
Contract duration + statutory time limits (typically 7 years according to the Swedish Accounting Act).

3. Sharing of Personal Data
We only share personal data when necessary and proportionate.
Typical recipients of personal data may include:

  • IT and operational service providers, including services for operations, security, hosting, support, and business systems.
  • Financial services, such as providers of accounting, auditing, and financial administration.
  • Payroll administration service providers, for handling employment and payroll-related information.
  • HR and personnel management system providers, for processes related to employment, development, monitoring, and personnel administration.
  • Platforms for insider management, PDMR administration, and MAR reporting, to fulfill legal obligations under stock exchange rules and applicable legislation.
  • Euroclear Sweden AB and other authorities, when required by law, regulations, or government decisions.
  • Regulatory information distribution providers, for distribution of press releases, financial reports, and other mandatory stock exchange information.
  • Communication, mailing, and survey platform providers, for management of newsletters, customer communication, marketing mailings, and customer and stakeholder surveys.
  • Event and conference platform providers, for administration of events and webinars, including registrations, participant lists, and event-related communication.
  • Research and business development partners, to the extent contact information needs to be shared for projects, collaborations, or contract management.

For transfers outside the EU, standard contractual clauses (SCC) and other security mechanisms are used.

4. Your Rights
You have the right to:

  • Request a register extract
  • Request correction or deletion
  • Request restriction of processing
  • Object to processing based on legitimate interest
  • Withdraw consent

File a complaint with the Swedish Authority for Privacy Protection (IMY)

Contact: privacy@senzagen.com
We will respond to your request free of charge within one month (can be extended in case of complexity).

5. Automated Decision-Making
SenzaGen does not use automated decision-making or profiling.

6. Changes to This Policy
We may update the policy as needed. The latest version is always available on our website.

SENZAGEN – INFORMATION ABOUT COOKIES
Read more at https://senzagen.com/cookiepolicy/