Atley Solutions AB - Privacy Policy

Version 2025:2

1. Who this notice covers

This Privacy Policy explains how and why we use personal data about external individuals who interact with us or whom we may contact proactively.

Use the links below to see what we process, our lawful basis, how we keep data secure, and your rights.

Data about employees is handled in separate internal notices.

2. Your data

We process personal data only when it’s necessary for a clear purpose and we keep it to a minimum. Below, each activity lists:

  • Why we need the information,
  • What the information is,
  • The legal basis governing your rights and our specific obligations,
  • Retention, i.e. for how long we keep using it,
  • Sources and sharing (where it comes from and who may see it).

2.1 Job applicants (including selected candidates retained for future roles)

Why: To run the hiring process and stay in touch during it.
What: Information you provide (CV, cover letter) and any references you supply.
Legal basis: Legitimate interests (hiring). Where we move forward with an offer, steps needed for a contract may apply; if you agree to a talent pool, consent applies.
Hiring process (right to object): You may object to further processing. We will stop unless we can demonstrate compelling legitimate grounds or need to retain limited data to establish, exercise or defend legal claims (e.g., discrimination). We will minimize what we keep and restrict access.
Talent pool based on Consent: You can withdraw consent at any time; we’ll remove your profile from the talent pool.
Retention: For the duration of the recruitment process; selected candidates may be kept up to 2 years for future roles.
Sources and sharing: From you (and referees you name). Processed in our recruitment tool (processor: Teamtailor) with access limited to the hiring team/management. No external sharing beyond that.

2.2 Customers (B2B customer contact persons; may include records of completed training sessions)

Why: To manage the customer relationship, deliver services, and support long-term success (including training/maintenance where relevant).
What: Basic contact details (name, role, business email, phone) and, if applicable, a record of completed training sessions.
Legal basis: Legitimate interests (ongoing relationship/service improvement).
Retention: Kept while relevant to the relationship; removed when confirmed obsolete.
Sources and sharing: From you/your employer. Stored in our customer database with access for employees who need it; not shared outside that access group.

2.3 Customer prospects (B2B contacts)

Why: To reach out to relevant business contacts and track conversations to sell our products and services.
What: Only basic business contact details (name, email, telephone).
Legal basis: Legitimate interests (our legitimate interest is to market and grow B2B sales in a proportionate way).
Opt-out: You can opt out of outreach at any time. Just tell us or use any unsubscribe link, and we’ll stop and keep a minimal “do-not-contact” record.
Retention: Only removed when confirmed obsolete or when opted out (except the do-not-contact flag).
Sources and sharing: From you/your employer, or public sources/referrals. Contact details are available to employees with access to our prospecting database (processor: Airtable); not shared outside that access group.

2.4 Investors (private and institutional)

Why: To handle shareholder communications, governance and required filings.
What: Address, email, phone; personal identity number (for private owners); number of shares.
Legal basis: Legal obligation; Contract; Legitimate interests.
Retention: While shares are owned (Legal obligation; Contract), and for a period afterwards to keep in contact (Legitimate interests).
Sources and sharing: From you/your representative. Stored with very limited access (CFO, CEO, COO); not shared outside that access group.

2.5 Potential investors (B2B contacts)

Why: To communicate with relevant investment contacts about Atley (positioning for future rounds).
What: Basic business contact details (name, email, phone).
Legal basis: Legitimate interests (our legitimate interest is to inform qualified investors about Atley).
Retention: Only removed when confirmed obsolete.
Sources and sharing: From you/your firm, public sources or referrals. Access is limited to CEO, CFO and COO in our CRM; not shared outside that access group.

2.6 Newsletter recipients

Why: To send occasional updates about Atley and highlight key events.
What: Email address.
Legal basis: Legitimate interests for B2B, or Consent where required — unsubscribe anytime.
Opt-out: Use the unsubscribe link or tell us; we’ll stop and keep only a minimal “do-not-contact” record.
Retention: Removed when confirmed obsolete or upon opt-out.
Sources and sharing: From you (webpage form, email request or after you ask us in person) or our B2B lists. Managed by authorized admins in our email platform (processor: Mailchimp); not shared outside that access group.

2.7 Vendors

Why: For ordering, payments and follow-ups.
What: Basic business contact details (name, role, email, phone).
Legal basis: Legitimate interests.
Retention: Only removed when confirmed obsolete.
Sources and sharing: From you/your employer. Stored in our order-tracking database with access for employees who need it; not shared outside that access group.
Note: Former vendors may still appear in our records to maintain traceability (legal reasons) or if re-engagement becomes relevant.

2.8 Collaborators (B2B partner/collaborator contact persons)

Why: To manage partner/collaborator relationships.
What: Basic contact details (name, role, business email, phone).
Legal basis: Legitimate interests (ongoing relationship).
Retention: Kept while relevant to the relationship; removed when confirmed obsolete.
Sources and sharing: Stored in our database with access for employees who need it; not shared outside that access group.

3. Our service providers (“processors”) and international transfers

We focus on what we do best: radiopharmaceuticals – and team up with specialist service providers for the rest. These providers (“processors”) handle personal data only on our instructions, under a data processing agreement, and may not use it for their own purposes.

Categories of processors:

  • Recruitment platforms (applicant tracking).
  • Prospecting and CRM databases (customer/prospect contact management).
  • Email and newsletter delivery platforms.
  • Cloud storage and collaboration tools.
  • IT operations and security (e.g., access management, support/ticketing).
  • Finance and accounting (invoicing, payment processing).
  • E-signature and contract management.
  • Training delivery/learning tools (for customer training records, where applicable).
  • Website operations and analytics (logs/cookie tools, where applicable).

Control & security: We keep control of what is processed and by whom. Processors must apply appropriate security measures (e.g., access controls, encryption where supported, and deletion controls) to meet GDPR requirements.

Sub-processors: Where a processor uses sub-processors, they must have our authorization and equivalent safeguards.

Location / international transfers: Some processors (or their sub-processors) may be located outside the EU/EEA. When that happens, we use EU Commission Standard Contractual Clauses or equivalent transfer mechanisms, carry out transfer risk assessments, and apply technical and organizational measures to ensure a level of protection essentially equivalent to that under EU law.

Want details? You can ask us for more information about which processors handle your data, whether your data is transferred outside the EU/EEA, and the key safeguards we rely on (including a copy or summary of the contractual clauses).

4. Your rights

If you believe that we process data about you, or if you are unsure and would like to know, we are happy to help you check and confirm this, so that you can take control and gain insight into the data we have about you.

This service is entirely free, and we are happy to help. The easiest and fastest way to reach us and get help is by emailing us at privacy@atley.com. We will respond to your request as quickly as possible, and within one (1) month at the latest. You can find out more about your rights below.

General Information About Your Rights

We list the legal basis alongside each reason for processing your data (section 2, above) because, while the GDPR gives you significant control over the data we process about you, your rights are dependent on the legal basis. For example, we cannot completely erase your data if we have a legal obligation to retain it. In such cases, instead of erasing the information when you ask to be forgotten, we restrict further use to fulfilling that obligation specifically.

When you request deletion or access, or exercise any other right under the GDPR, we will always explain to you the actions we’ve taken and the reasoning for them, so that you can ask follow-up questions and exercise your right to complain to a supervisory authority should you suspect we are not in compliance.

Right of Access

You have the right to receive information about the personal data we process about you and to obtain a copy of this data. This includes a summary of:

  • The purpose of the processing
  • The source of the data
  • The lawful basis supporting the processing
  • Who may have accessed the data, such as partners or system providers
  • The period for which we plan to store the data

If we are unable to provide access to certain data, we will explain why. For example, we may need to restrict access if the data also concerns another individual and disclosing it would violate their rights or freedoms. Another example is if the data is subject to legal confidentiality or necessary to protect trade secrets. However, we always strive to provide as much information as possible without compromising these rights or confidentiality.

Right to Rectification

You have the right to request that we correct inaccurate or incomplete personal data about you. This means that if you notice any incorrect information in our records, you can contact us to have it updated or completed.

We will update your data as soon as possible after verifying that your request is valid. In some cases, we may need to ask for documentation or additional information to ensure the accuracy and relevance of the correction.

If, for any reason, we are unable to rectify the data (for example, if it would interfere with an ongoing investigation or legal process), we will inform you and explain why.

Right to Erasure

In certain circumstances, you have the right to request that we erase your personal data, which is sometimes referred to as “the right to be forgotten”. This may apply if:

  • The data is no longer necessary for the purposes for which it was collected.
  • You withdraw your consent, and we have no other lawful basis for continuing to process the data.
  • You object to the processing, and we have no overriding legitimate interest that outweighs your objection.
  • The processing is unlawful.
  • We are required to erase the data to comply with a legal obligation.

It is important to know that the right to erasure does not always apply. We may be required to retain certain data if there is a legal obligation for us to do so, for example according to the Bookkeeping Act, or if we need the data to establish, assert or defend legal claims.

Right to Restriction of Processing

In certain situations, you have the right to request that we temporarily restrict the processing of your personal data. This restriction means that, for a certain period, we are only allowed to store the data and may not use it for any other purpose than what is necessary to manage the current situation.

You can request that we restrict the processing of your personal data:
i. If you believe that the data about you that we are processing is incorrect and have requested rectification. The processing may then be restricted while we investigate and verify the accuracy of the data.
ii. If we process your personal data based on a legitimate interest, and you object to the processing. In such cases, the processing may be restricted while we examine whether our legitimate interest outweighs your fundamental rights and freedoms.
iii. If you require us to retain the data to be able to establish, assert or defend legal claims, even if we would otherwise erase the data.
iv. If the processing is unlawful, but you prefer us to restrict the use of your data rather than erase it.

We will always inform you of the outcome of a request to restrict processing. If we cannot comply with your request, we will explain why.

Even if we are required in certain cases to retain data for a specific purpose (such as fulfilling a legal obligation), we will cease all other processing activities that no longer have a lawful basis. If we cannot fully erase your data, we will inform you thereof and explain why.

Right to Object to Processing

You have the right to object at any time to processing of your personal data that is based on our legitimate interests or on a public interest, including profiling based on these lawful bases. We must stop processing your data if we cannot demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms.

You always have the right to object to processing of your personal data for direct marketing purposes. If you do, we will immediately stop processing your data for that purpose.

Objection to automated decision-making: If our processing involves automated decision-making, such as profiling, you also have the right to object to such decisions, especially if they produce legal effects for you or otherwise significantly affect you.

Right to Data Portability

In situations where our processing is based on your consent or a contract, and the processing is carried out by automated means, you have the right to receive the personal data you have provided us with in a structured, commonly used and machine-readable format, and to transmit that data to another data controller.

Where technically feasible, you also have the right to request that we transmit the data directly from us to another data controller.

It is important to note that the right to data portability does not automatically entitle you to have your data erased. Additionally, the right to data portability does not apply to processing activities with other lawful bases, such as legal obligations.

Contact Info for the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY)

We encourage you to contact us first if you have any questions or concerns about how we process your personal data. We take such matters very seriously and will do our best to resolve any misunderstandings or issues.

If you still believe that we are not meeting our obligations under the GDPR, you have the right to file a complaint with the supervisory authority. In Sweden, the Swedish Authority for Privacy Protection (IMY) is responsible for overseeing the processing of personal data. You can reach them via their website.

5. Contact Information

Atley Solutions AB

Registration number: 559225-1010
Email: privacy@atley.com
Phone: +46 (0) 10-750 08 11

6. Changes to this Privacy Policy

We may update our privacy policy as needed to ensure it accurately reflects how we process personal data. All updates will be published on our website. In the event of significant changes that affect how we handle your personal data, and where possible, we will inform you via email well in advance of the changes taking effect.

Version History

Ver. 2025:2 We’ve updated our Privacy Policy to include more detail about how we process data, who it applies to, and your rights under the GDPR.