Privacy Statement

CellTherEx Consulting AB Privacy Policy

Last updated 230402    

In this privacy policy:


  • Purpose of the Privacy Policy
  • What personal data is
  • When not sharing personal data
  • Changes



  • When you contact us
  • When you are a client or prospective client
  • When you use our website


  • When you contact us
  • When you are a client or prospective client
  • When you use our website


  • Protection
  • Sharing
  • Protection when sharing outside the EU/EEA



Purpose of the Privacy Policy

This privacy policy will explain how our organisation uses the personal data we collect from you when you use our website or interact with CellTherEx Consulting AB, organisation number 559250-2578, herein termed “the company” or “CellTherEx”.

With this Privacy Policy, the company wants to show how the company ensures that your personal data is processed in accordance with the EU’s data protection regulation 2016/679/EC (“GDPR”). The company protects your personal integrity and considers that personal integrity is of the utmost importance. The company therefore takes your privacy very seriously.

This Privacy Policy also describes your rights and how you can use your rights vis-à-vis the Company.

What personal data is

In this Privacy Policy, “personal data” means any information relating to an identified or identifiable natural person, where an identifiable natural person is a person who can be directly or indirectly identified specifically by reference to an identifier such as a name, an identification number, a location data or online identifiers or one or more factors specific to the natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity.

When not sharing personal data

You are not obliged to share your personal data with us. In cases where you do not choose to share personal data with the Company, certain services may be limited or not be available at all.


The company may change this Privacy Policy from time to time in response to the company’s changed legal, technical or business reasons and developments. If this happens, the company will publish the adjusted privacy policy on the Website with information about when the changes come into effect. If the company makes material changes, the company will notify You by changing the date at the top of this Privacy Policy and, depending on the specific changes, the company may provide You with additional notice thereof.

The company urges you to keep yourself updated on changes.


The Swedish-registered company CellTherEx Consulting AB, organisation number 559250-2578, is the personal data controller for the processing of your personal data and is thus responsible for your data being processed correctly and securely in accordance with applicable legislation.

If you have questions about how the company processes your personal data or if you want to use your rights, you can simply contact the company in one of the ways below.

If you have any questions about CellTherEx’s privacy policy, the data we hold about you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.


Tel.: +46 731 46 69 02

Postal address:

CellTherEx Consulting AB

Beckasinvägen 8, 12352

Farsta, Sweden


When you contact us

If you provide your personal data when you contact the company, the company processes this in order to be able to answer your question and, where appropriate, maintain a contact. This primarily concerns your name and contact details, but also other information you provide to us.

The legal basis is balance of interests where the company has a legitimate interest in being able to administer its relationships and assignment requests, answer questions and maintain business and customer contacts.

When you are a client or prospective client

When you are a client or prospective client, we may collect personal data from you including your name, address, e-mail address and phone number, financial information, personal description and details. This may also include any information disclosed, generated or collected through interactions with CellTherEx, including meetings etc. This will also include any work product shared or generated by or with CellTherEx.

The legal basis here is the agreement where we need certain personal data to be able to administer and fulfil our contractual obligations with you.

When you use our website

The CellTherEx website contains links to other social media websites. Our privacy policy applies only to our website where we are the data controller, so if you click on a link to another website are they responsible for your personal data and you should read their privacy policy.

The website ( uses Google Analytics, a web analytics service provided by Google Ireland Limited. If the data controller on this website is located outside the European Economic Area or Switzerland, then Google Analytics data processing is carried out by Google LLC. Google LLC and Google Ireland Limited are hereinafter referred to as “Google”.

When you use the company’s website, the company automatically, according to what is stated above about Google Analytics, collects certain information from you and/or your device (which can be considered personal data according to applicable data protection laws), such as technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); pages you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

Google Analytics is used exclusively with the extension “_anonymizeIp()” on the website. This extension ensures anonymisation of the IP address by shortening it and excludes any direct personal reference. The extension means that the IP address is shortened beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by the corresponding browser within the scope of Google Analytics will not be merged with other Google data.

The Company does this with the legal basis of legitimate interest where the Company has a weighty interest in the purpose of being able to troubleshoot and take technical measures and develop if needed or desired, which outweighs the user’s interest in protecting this data.

The interests of the users are sufficiently protected by the pseudonymisation.

For information on how the company handles cookies, please see our cookie policy.


The company stores personal data only as long as it is necessary to fulfil the purposes for which the data was collected or as long as the company is obliged to store personal data in accordance with law. In some cases, personal data may also be stored longer to protect the company’s legal interests. The personal data is then deleted.

When you contact us

Information that is processed in connection with you contacting the company is stored as long as you have an ongoing case with the Company and during the time it may require follow-up, however no longer than three (3) years. Emails will be automatically permanently deleted using GDPR compliant Third Party software.

When you are a client or prospective client

When you are a client, we normally process your personal data as long as you are a customer with us and for a period of up to 10 years afterwards in order to administer the relationship and follow up on any questions and complaints.

All work products will be returned to you or destroyed using GDPR compliant Third Party software, as agreed in your contract. Where no signed contract exists stipulating how data is to be handled, all electronic data will be destroyed.



Any data stored in paper format, for example shared business cards, are stored in a locked filing cabinet. At which point any non-sensitive data is recycled and potentially sensitive data will be destroyed using a security level P-4 shredder, meeting GDPR compliance.

Any devices which emails are accessed on are password or biometrically protected.

Google LLC. offers a guarantee based on the standard contractual clauses to maintain an adequate level of data protection.

Any data in electronic format is stored on devices protected with passwords or biometric protection. All data is backup to the Cloud using Third Parties who are GDPR compliant. This includes invoices, electronic meeting notes, presentations and documents.


The company may share personal information with third parties in cases where You have consented or if there is another legal basis for such handling, such as third parties performing services on behalf of the Company. However, the company admits that this should be done restrictively. In such cases, the company always takes the necessary measures to ensure that your data is processed securely.

If you agree, CellTherEx will share your contact details with our partner companies so that they may offer you their products and services for example, but not exclusively, if the company recommends you get help from another company such as in development or law. Storage time then takes place in accordance with consent.

Personal data may be shared with the Company’s third-party suppliers, mainly within IT, accounting and marketing.

Personal data may also be shared with authorities to fulfil legal requirements.

Protection when sharing outside the EU/EEA

In the event that your personal data needs to be transferred and stored outside the EU / EEA, the company selects these suppliers with the greatest care and with regard to your privacy. The company would like to draw your attention to the fact that this may mean less protection for your personal data than the GDPR requires. Nevertheless, the company ensures that the personal data is processed in the safest possible way.

The Company currently uses personal data assistants (regarding website) located in the UK. The UK is considered to have an adequate level of data protection.

The Company will also take all necessary security measures to ensure that your personal data is processed securely and with an adequate level of protection (for example, using approved standard clauses and additional appropriate safeguards).

You can read more about the standard contract clauses and obtain a copy at:


CellTherEx would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

Free register extract

Provided that the company is responsible for personal data, you have the right, at any time, to receive a register extract free of charge with information about what personal data is registered about you, the purposes for the processing of this personal data and information about where this personal data has been obtained, as well as to which recipients the data is has been disclosed or is to be disclosed.

You also have the right to receive information in the register extract about the anticipated period during which the data will be stored or the criteria used to determine this period. You also have the right to find out about the existence of automated decision-making (including profiling). The request for access to such information must be made by the company in writing and sent to the company at the address specified under the heading “Personal data controller”.

Data portability

You have the right to data portability, that is, a right to, under certain conditions, obtain and transfer your personal data in a structured, generally used and machine-readable format to another personal data controller.

Correct and delete

The company will, at your request or on its own initiative, correct, de-identify, supplement or delete information that is found to be incorrect, incomplete or misleading. In some cases, the company is obliged to process your personal data even though you have requested that it be removed, for example in the case of the right to freedom of expression and information, to fulfil a legal obligation or to perform a task of public interest.

Limit use

In some cases, you have the right to demand that the processing of personal data be limited. Restriction means that the data are marked so that they may only be processed for certain limited purposes in the future.

Withdraw consent

In cases where you have previously given consent to the processing of your personal data, you have the right to withdraw that consent both verbally and in writing.

Automatic decision making

You have the right to object to processing based solely on automated decision-making (which includes profiling), when that decision-making has a legal effect on you or otherwise significantly affects you.

The company does not engage in fully automated decision-making that has a legal or otherwise significant effect using personal data.

Exercise rights, ask questions or make complaints

If you make a request, we will respond as soon as possible, at no later than one month from receiving the request. If you would like to exercise any of these rights, please contact us as outlined in section 2.

You always have the right to submit a complaint to the relevant supervisory authority where you live, work or where an alleged violation of the GDPR has occurred. You can find the relevant authority in your country here:

In Sweden, you can contact the Swedish Data Protection Authority:


Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden

Tel. +46 8 657 6100