Legal

Privacy Policy

Last updated: January 15, 2026 · Effective date: February 1, 2026

Summary: We respect your privacy. This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have under the General Data Protection Regulation (GDPR / EU 2016/679) and applicable national data protection law, including Swedish data protection legislation.

1. Who We Are & Data Controller Identity

Cytely AB ("we", "us", or "our") is the data controller responsible for processing your personal data in connection with the services available at cytelyio.com (the "Service").

Registered address:
Cytely AB
Scheelevägen 2
223 81 Lund
Sweden

Email: [email protected]

For privacy inquiries: Email: [email protected]
Postal: Privacy Team, Cytely AB, Scheelevägen 2, 223 81 Lund, Sweden

1.1 Data Protection Officer (DPO)

We have designated a person responsible for data protection matters. You may contact them at [email protected] with the subject line "Data Protection Inquiry".

2. Scope of This Policy

This Privacy Policy applies to all personal data collected through:

Our website at cytelyio.com and any subdomains;
Our products, software, applications, and related services;
Communications between you and us (email, telephone);
Marketing activities including newsletters and event registrations.

It does not apply to third-party websites linked from our Service.

3. Personal Data We Collect

3.1 Data You Provide Directly

Category	Examples	When Collected
Identity data	First name, last name, title, institution	Demo request, contact forms
Contact data	Email address, telephone number, institutional address	Registration, contact forms
Account credentials	Username, hashed password	Account creation / login
Transaction data	License details, subscription status, invoice history	During purchase flows
Communications data	Support emails, chat logs	Customer support interactions
Marketing preferences	Newsletter opt-in/opt-out status	Email sign-up, account settings

3.2 Data Collected Automatically

Category	Examples	Source
Technical data	IP address, browser type, OS, device type	Server logs, analytics tools
Usage data	Pages visited, features used, session duration	Analytics cookies & scripts
Location data	Country/city derived from IP address	Server logs
Cookie & tracking data	Cookie IDs, referral sources	Cookies — see our Cookie Policy

3.3 Special Category Data

We do not intentionally collect or process special categories of personal data (Article 9 GDPR) such as health, racial/ethnic origin, religious beliefs, or biometric data.

4. Legal Bases & Purposes for Processing

Under Article 6 GDPR, we rely on the following legal bases:

Purpose	Legal Basis (Art. 6 GDPR)	Data Categories Used
Respond to demo requests and inquiries	Legitimate interests (6(1)(f))	Identity, contact
Provide and deliver software services	Contract performance (6(1)(b))	Identity, contact, credentials, transaction
Send transactional emails (license confirmations, alerts)	Contract performance (6(1)(b))	Identity, contact
Send marketing communications (newsletter)	Consent (6(1)(a))	Identity, contact, marketing preferences
Improve our Service via analytics	Legitimate interests (6(1)(f))	Technical, usage, location
Fraud prevention and security monitoring	Legitimate interests (6(1)(f))	Identity, technical, transaction
Comply with legal obligations	Legal obligation (6(1)(c))	Identity, financial, transaction

5. Data Sharing & Third-Party Processors

We do not sell your personal data. We share data only under appropriate contractual safeguards (Data Processing Agreements per Article 28 GDPR).

Recipient Category	Purpose	Transfer Safeguard
Cloud hosting & infrastructure	Service delivery, data storage	SCCs / Adequacy decision
Payment processors	Secure payment handling	SCCs / PCI-DSS certified
Email service provider	Transactional & marketing emails	SCCs / DPA
Analytics providers	Usage analytics, performance monitoring	SCCs / Consent
Professional advisors	Legal, audit, accounting services	Confidentiality obligations
Law enforcement / regulators	Legal obligation or court order	Statutory obligation

6. International Data Transfers

Cytely AB is established in Sweden (EU/EEA). Some of our processors are located or process data outside the European Economic Area. Wherever personal data is transferred outside the EEA, we ensure an adequate level of protection using one or more of: adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs).

7. Data Retention

Data Category	Retention Period	Basis
Account data (active users)	Duration of account + 2 years after closure	Contract / Legitimate interests
Transaction / financial records	7 years from transaction date	Legal obligation (Swedish accounting law)
Support communications	3 years from last interaction	Legitimate interests (claims defence)
Marketing consent records	Until consent withdrawn + 3 years	Consent + legal obligation
Analytics / log data	26 months	Legitimate interests
Deleted account data	Anonymised/purged within 90 days	Data minimisation (Art. 5(1)(e) GDPR)

8. Your Data Subject Rights

Under the GDPR, you have the following rights:

Right of Access (Art. 15)

Obtain a copy of the personal data we hold about you.

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

Right to Restriction (Art. 18)

Restrict processing while a dispute is being resolved.

Right to Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing.

Right to Withdraw Consent

Withdraw consent at any time where we rely on consent as the legal basis.

Right to Lodge a Complaint

File a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Cookies

We use cookies and similar tracking technologies. For full details, see our Cookie Policy. You can manage your cookie preferences at any time using the cookie banner on our website.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encryption in transit (TLS), access controls, and regular security reviews.

11. Children's Privacy

Our Service is directed at adults and is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected such data, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by posting a prominent notice on our website or by direct communication to registered users. The "Last updated" date at the top of this policy reflects the most recent revision.

13. Contact Us

For any privacy-related questions or to exercise your rights:

Cytely AB
Attn: Privacy Team
Scheelevägen 2
223 81 Lund, Sweden
Email: [email protected]