Alligators privacy policy

1 General information

1.1 Responsible parties for your data

Below, it is described how Alligator Bioscience AB, company reg. no. 5565978201, with the address Scheelevägen 2, 223 81 Lund, Sweden, and its subsidiaries, (“Alligator”, “the Alligator Group”, “us” or “we”), process personal data. Privacy matters are important to us, and your integrity is our priority. Therefore, it is important for us to protect your personal data and ensure that our processing of the data is conducted in a correct and lawful manner.
This privacy policy relates to processing of personal data for which Alligator is the controller. This means that we are responsible for the processing of your personal data. It also means that you should turn to us with questions or remarks, or if you wish to enforce any of your rights in relation to our processing of your personal data.
The Alligator entity that you enter into an agreement or have contact with is the responsible data controller of your personal data. However, personal data may be shared within the Alligator Group and, thus, other Alligator Group entities may also act as data controller with regards to your personal data. The data will still be processed for the purpose of which the data was received in accordance with this privacy policy.
This privacy policy is applicable when we process personal data that is collected from you as well as in cases where we collect data about you from authorities or other sources.

1.2 Data Protection Officer

To update, rectify or erase personal data that we have collected about you, or to enforce your rights as described above, you are welcome to contact our Data Protection Officer at dpo@alligatorbioscience.com.

1.3 Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with your supervisory data protection authority. In Sweden the supervisory authority for privacy is Integritetsskyddsmyndigheten (www.imy.se).

1.4 Data protection principles

Alligator displays its commitment to privacy and data protection by among other things embracing the following principles in accordance with article 5 GDPR:

  • Alligator only processes personal data lawfully, fairly, correctly and in a transparent manner.
  • Alligator only collects necessary personal data, and only to fulfill a legitimate purpose.
  • Alligator store personal data for as long as it is necessary and erases it when it’s no longer needed.
  • Alligator protects personal data with appropriate technical and organizational security measures.

1.5 Place of processing

Alligator processes your personal data within the EU/EEA. However, in exceptional cases, and when necessary, Alligator may transfer data to a country outside the EU/EEA. Any such third country transfer will be carried out in accordance with Articles 44-49 in the GDPR and applicable national data protection legislation. The transfer of your personal data to a third country will be based on Standard Contractual Clauses (SCCs) if the transfer cannot be based on an adequacy decision, together with supplementary measures such as pseudonymization of personal data.


If you have further questions concerning the transfer of your personal data outside the EU/EEA, you may contact us at dpo@alligatorbioscience.com.


You can also read more about the GDPR and how organizations may transfer personal data on the Swedish supervisory authority’s webpage.

1.6 Legal basis

Alligator only processes (collects, stores, transfers, uses etc.) your personal data with a legal basis in accordance with Article 6 GDPR. Legal basis may be based on your consent, for the performance of a task carried out in the public interest, by contract, statutory obligations or from our legitimate interest as a business. Alligator only processes sensitive personal data if one of the exceptions in Article 9 GDPR is fulfilled.

1.7 Third parties

Your personal data will be disclosed to a third party only if any of the following criteria applies:

  • you have given us your explicit consent to do so (pursuant to Article 6.1(a) GDPR),
  • necessary for the performance of a contract with you (Article 6.1(b) GDPR),
  • necessary for the compliance with a legal obligation (Article 6.1 (c) GDPR),
  • necessary for the performance of a task carried out in the public interest (Article 6.1 (e) GDPR), 2
  • required for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6.1 (f) GDPR).

Third parties may be:

  • Suppliers/vendors acting as processors/sub-processors which process personal data on behalf of Alligator
  • Legal authorities in accordance with law requiring us to disclose information.
  • Clinical Research Organizations (CRO) which process personal data on behalf of Alligator.
  • Cloud service providers which process personal data on behalf of Alligator. The data processors engaged may only process personal data in accordance with the purposes and instructions that Alligator issues for the processing. The processor and anyone acting on behalf of the processor may furthermore never see more data than is necessary to carry out the service covered by the agreement with Alligator. Where personal data is to be processed by a data processor, a so-called data processor agreement is drawn up. Alligator uses data processors for various kinds of IT services.

Processing activities

2.1 Corporate partners

We may process personal data attributable to you as a corporate partner (e.g., suppliers, distributors and research collaborators): The personal data Alligator may process is name, title, telephone number, e-mail address, business address, social security number and name of employer. 

The personal data listed above is processed for the purposes of, and based on our legitimate interest in, project management, administering agreements with corporate partners, project participators and suppliers/distributors, contacts regarding business and sales purposes and marketing. Furthermore, the personal data is processed for the purpose of, and based on our legitimate interest in, invoicing company partners.

We may process your social security number for the purpose of invoicing and other business administration conducted on the legal basis of being necessary for the performance of the contract with the sole trader and per requirements of the Swedish book-keeping legislation.

Personal data from corporate partners will be kept for as long as necessary for the performance of the project or agreement, or for the ongoing business relationship.

Personal data processed for the purpose of invoicing will be stored for seven years as this is a requirement under Swedish book-keeping legislation. 

Personal data processed for the purpose of contacting the contact person for business and sales purposes will be deleted within six months as of the date the business relation with the business contact ends. 

Personal data processed for the purpose of marketing will be stored until you choose to opt out of additional marketing. 

2.2 Job applicants

During a recruitment process we may process your personal data in order to carry out the recruitment. Your data will only be processed for the purpose of the application process and, if applicable, for the purpose of your subsequent recruitment. The personal data above is processed for the purpose of, and based on our legitimate interest in, assessing job applicants prior to potentially hiring you and to be able to carry out online personality tests of the applicant.

Only authorized personnel at Alligator will be accessing the personal data collected through the recruitment process.

Once we have notified you about our decision concerning the recruitment, we shall either completely erase your data or (in the event of your recruitment) store them in your personnel file.

2.3 Clinical trials

Patients participating in clinical trials

We process pseudonymized personal data attributable to you as a patient participating in clinical trials. This means that all your clinical research data is coded, and your identity is not revealed to Alligator Group at any time. Your personal data will be processed for the following purposes:

  • For the performance of the study and development.
  • As required to comply with applicable laws and regulations.
  • In aggregated and anonymized form in connection with scientific research.

Every time we process your personal data in a clinical trial, we will rely on a legal basis of processing under GDPR. We process personal data in clinical trials for the performance of a task carried out in the public interest. We also process personal data in clinical trials in the context of safety reporting or in the context of an inspection by national competent authority, or the retention of clinical trial data in accordance with archiving obligations set up by the Clinical Trial Regulation (CTR) or, as may be the case, relevant national laws, to comply with legal obligations to which we are subject to.

We will need to process data about health in clinical trials. Health data is a “special category” of personal data under the GDPR. Special rules apply to this type of data. We process special category of personal data (sensitive personal data) only if one of the exceptions in Article 9 of the GDPR becomes applicable to the processing such as the exception in Article 9 (2)(i) or 9 (2)(j) GDPR.

Personal data in clinical research is only processed by authorized personnel at the Alligator Group.
The storage of personal data in clinical trials depends on our responsibilities under relevant legislation such as EU clinical trials regulation.

You will receive additional information about data protection, and you will have the opportunity to raise any questions before consenting to participate in our clinical trials.

Health care professionals

For healthcare professionals, we will collect your CV including your personal information. The purpose and legal basis for this processing is our legal obligation as required by International Council of Harmonization Good Clinical Practice.

The storage of personal data in your CV depends on our responsibilities under relevant legislation.

2.4 Subscribers to newsletter

We may process the personal data such as name, e-mail address and company attributable to you as a subscriber to our newsletter. This personal data is processed for the purposes of providing marketing, press releases and newsletters. The processing is based on your consent.

Personal data related to newsletter subscribers is stored until you withdraw your consent.

2.5 Office visitors

We may process personal data attributable to you such as your name and company as a visitor at our premises. The personal data above is processed for the purposes of, and based on our legitimate interest in, maintaining security, facilitating the delivery of goods and appointing visitors to the correct host at Alligator.

Personal data related to office visitors is deleted within three months of your visit.

2.6 Investors and insiders

We may process personal data such as name, telephone number, e-mail address and organization/employer etc. attributable to you as an investor or insider.

The personal data relating to investors listed above is processed for the purposes of, and based on our legitimate interest in, logging investors meeting to facilitate future contacts and to keep track of such interactions.

Regarding insiders, the personal data listed above is processed for the purposes of complying with financial regulations and legislation, and for being able to register insiders with the Financial Supervisory Authority (Sw. Finansinspektionen) and keep insider lists. The processing is carried out based on our legal obligations to provide such information to the Financial Supervisory Authority and to comply with applicable laws and regulations.

Personal data related to investors and insiders will be continuously reviewed every second year and outdated personal data will then be deleted.

3 Cookies

3.1 Alligator’s use of cookies

Alligator uses cookies, i.e., small text files that are transmitted by a website server to your hard disc, to analyze the traffic on our websites. The information analyzed includes the number of visits, the pages visited and traffic sources, all with the aim of improving the user experience for our visitors. We also use cookies in connection with our marketing materials to make our advertising as relevant as possible for our customers.

We place non-essential cookies on your device only if you have given your explicit consent. You can withdraw your consent at any time if you change your mind. As a visitor, you can set your own browser to allow cookies to be stored on your computer or not. You can also choose to delete any cookie file that has been placed on your computer at any time.

3.2 How to use our website without cookies

You can also view our website without cookies. Internet browsers are usually pre-set in such a way that they accept cookies. In general, you can deactivate the use of cookies at any point in time via the settings in your browser. You may want to use the help functions of your Internet browser, in order to find out how to change these settings. Please note that some functions of our website may not work if you have deactivated the use of cookies.

Provided your browser settings allow the use of cookies, or you have given us any necessary consent, the cookies below can be used on our websites. You can delete individual cookies or the entire cookie inventory via your browser settings. Depending on the provider of your browser, you will find the relevant information on how to e.g., block cookies in advance by visiting the following links:

4 Your rights as a data subject

You have the right to, at any time, exercise the following rights by getting in touch with our Data Protection Officer dpo@alligatorbioscience.com

Right to withdraw consent (Article 7 GDPR)

If we process personal data about you with consent as a legal basis you may withdraw your consent at any time by contacting dpo@alligatorbioscience.com or your health care provider. Although in certain cases we may need to further process your personal data in accordance with law.

Right to be informed (Article 13-14 GDPR)

You have the right to be informed concerning our processing of your personal data. This is carried out by providing you with information in this Privacy Notice, specific information forms provided to you or by answering your questions sent to dpo@alligatorbioscience.com.

Right of access (Article 15 GDPR)

You have the right to obtain information on the processing of your personal data, and if so, receive a copy of it. Such a copy is commonly referred to as a Data Subjects Access Request (DSAR).

You can send your request for access to dpo@alligatorbioscience.com

Right to rectification (Article 16 GDPR)

If you deem your personal data inaccurate or incomplete, you have the right to have the data corrected (rectified).

You have the right to contact us and request that inaccurate information about you to be rectified. This also means that you have the right to add such personal data that is missing and that is relevant taking into account the purpose of the personal data processing. We must also ensure that the data is accurate and up to date.

If data is rectified at your request, we must also inform you that data has been rectified. This does not however apply if it should prove to be impossible or would involve excessive effort.

You can send your request for rectification to dpo@alligatorbioscience.com

Right to erasure (Article 17 GDPR)

You have the right to contact us when we process your personal data and request that the data relating to you to be erased. The data is to be erased in the following cases:

There are exceptions to the right to erasure and the obligation to inform others if it is necessary in order to satisfy other important rights such as the right to freedom of expression and freedom of information, fulfil a legal obligation, carry out a task in the public interest or as part of the exercise of official authority.

You can send your request for erasure to dpo@alligatorbioscience.com.

Right to restriction (Article 18 GDPR)

In certain cases, you have the right to demand that the processing of your personal data be limited. By “limited” is meant that the data is flagged so that it in future may only be processed for certain limited purposes.

The right to limitation applies among other things when you as a data subject considers that the data is inaccurate and have requested rectification. You can in such cases also request that the processing of your personal data be limited while the accuracy of the data is investigated.

You can send your request for restriction/limitation to dpo@alligatorbioscience.com.

Right to data portability (Article 20 GDPR)

In certain instances, you have the right to transfer your personal data from one controller to another, provided you have given us your permission to the data processing, or you have concluded a contract with us. This can either be carried out by the controller which data is being transferred from, or that you receive the personal data in a commonly used machine-readable format.

You can send a request for data portability to dpo@alligatorbioscience.com.

Right to object (Article 21 GDPR)

When the processing is based on public or legitimate interest (Article 6 subsection 1 e and f, including profiling) you have the right to object to the processing. If Alligator cannot prove that there is a justified public or legitimate interest, we must cease the processing of that personal data.  

You can send your request for objection to dpo@alligatorbioscience.com.

Right to file complaint to the supervisory authority

You can file a complaint to the Swedish supervisory authority or other supervisory authorities where you are located.

More information about your rights

You can read more about your rights as a data subject under the GDPR on the Swedish supervisory authority’s webpage here: https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/

5 Modifications to our data protection provisions

We reserve the right to adjust this data protection statement, so that it always conforms to the current legal requirements, or in order to implement changes in the data protection statement that concern our services, as may be the case when new services are introduced. Whenever you then visit our website, the new data protection statement will be applicable.

Updated 2022-08-17