BIOXELA

Privacy Policy

Last updated: May 2026

1. Preamble

BIOXELA (hereinafter "we" or "the Data Controller") is committed to protecting the privacy of individuals whose personal data it processes, in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of personal data (GDPR) and the French Data Protection Act (Loi Informatique et Libertés n° 78-17 of 6 January 1978, as amended).

This policy applies to data collected through the bioxela.com website and to data processed in the context of BIOXELA's clinical research consultancy and External Data Protection Officer (DPO) activities.

2. Data Controller

The data controller for personal data collected through bioxela.com is BIOXELA, a Société par actions simplifiée (SAS — Simplified Joint-Stock Company), with its registered office at 379 Route du Coin, 74160 Archamps, France (SIREN: 993 899 640), represented by Alexandra TIZON, President. For any questions regarding the processing of your personal data, you may contact her at alexandra.tizon@bioxela.com or by phone at +33 6 88 96 08 66.

3. Data Protection Officer (DPO)

BIOXELA is not legally required to appoint an internal DPO. Alexandra TIZON, in her capacity as a qualified External DPO, oversees BIOXELA's own GDPR compliance. For any questions regarding the protection of your personal data, you may contact her at: alexandra.tizon@bioxela.com .

4. Data collected, purposes and legal bases

4.1 Contact form

Data collected via the contact form (name, email, company, subject, message) is processed in order to respond to your enquiries and assess the possibility of a collaboration.

  • Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — responding to inbound professional enquiries.
  • Retention period: 3 years from the last contact, in line with the CNIL's recommendations on B2B prospecting.

4.2 Contractual and billing data

In the context of consultancy assignments (Clinical Project Management, External DPO), BIOXELA processes data necessary for contract performance: professional contact details, billing information, and assignment-related correspondence.

  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR — accounting records).
  • Retention period: duration of the contract + 10 years (French accounting and tax obligations, Art. L. 123-22 Commercial Code).

4.3 Browsing data and cookies

The website may collect browsing data (IP address, pages visited, session duration) for audience measurement and user experience improvement purposes.

  • Legal basis: consent (Art. 6(1)(a) GDPR) for non-essential cookies.
  • Retention period: maximum 13 months, in accordance with CNIL guidelines.

For more information, please refer to our cookie policy.

5. Health data and clinical research

In the course of Clinical Project Management assignments, BIOXELA may access pseudonymised or identifiable health data, acting as a data processor or service provider, in strict compliance with the applicable regulatory framework.

Health data constitutes a special category of personal data under Art. 9 GDPR. Processing is only lawful under the conditions set out in Art. 9(2), in particular:

  • for scientific and medical research purposes (Art. 9(2)(j) GDPR), subject to the safeguards of Art. 89 GDPR;
  • for preventive medicine, diagnosis or the provision of healthcare (Art. 9(2)(h) GDPR);
  • on the basis of the participant's explicit consent (Art. 9(2)(a) GDPR), obtained in accordance with EU Regulation No. 536/2014 on clinical trials and applicable national law.

Processing carried out in the context of clinical studies is governed by data processing agreements compliant with Art. 28 GDPR, signed with each sponsor. CNIL methodological frameworks (MR-001, MR-003, MR-004) are applied according to the nature of the study.

Retention periods for clinical trial data are defined by the sponsor, in accordance with ICH E6(R3), EMA and FDA requirements, and applicable national regulations (generally a minimum of 25 years after study closure).

6. Recipients of personal data

Data collected via the bioxela.com website is intended exclusively for Alexandra TIZON, President of BIOXELA. It is not sold, rented or transferred to any third party.

In the context of consultancy assignments, data may be shared with the client sponsor's teams in accordance with contractual arrangements in force (confidentiality agreement, GDPR data processing agreement).

7. International transfers

Data collected via the contact form is hosted in France by LWS (Ligne Web Services SAS, 10 rue Penthièvre, 75008 Paris) and is not transferred outside the European Union. In the context of international clinical trials involving third countries, any transfer is subject to appropriate safeguards (standard contractual clauses of the European Commission, Art. 46 GDPR, or adequacy decision, Art. 45 GDPR).

8. Data security

BIOXELA implements appropriate technical and organisational measures to protect your data against loss, unauthorised access, disclosure, alteration or destruction, in accordance with Art. 32 GDPR. These measures include encrypted communications (HTTPS/TLS), access restricted to authorised personnel only, and regular updates to the tools used.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, BIOXELA undertakes to notify the CNIL within 72 hours in accordance with Art. 33 GDPR, and to inform the individuals concerned if the risk is high (Art. 34 GDPR).

9. Your rights

Under the GDPR, you have the following rights in relation to your personal data:

  • Right of access (Art. 15 GDPR) — Obtain confirmation that data concerning you is being processed and receive a copy thereof.
  • Right to rectification (Art. 16 GDPR) — Request the correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR) — Request the deletion of your data, within the limits provided by law.
  • Right to restriction of processing (Art. 18 GDPR) — Request the temporary suspension of the processing of your data.
  • Right to object (Art. 21 GDPR) — Object to the processing of your data based on legitimate interest.
  • Right to data portability (Art. 20 GDPR) — Receive your data in a structured, machine-readable format, where processing is based on consent or a contract.
  • Right to withdraw consent (Art. 7(3) GDPR) — Withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

Note specific to clinical research: during an ongoing clinical trial, certain rights (erasure, objection, portability) may be restricted in order to safeguard the scientific integrity of the data, in accordance with Art. 89(2) GDPR and the provisions of EU Regulation No. 536/2014. These limitations are set out in the Informed Consent Form (ICF) provided to each trial participant.

How to exercise your rights

Submit your request by email to alexandra.tizon@bioxela.com including proof of identity. A response will be provided within a maximum of one month of receipt of your request (Art. 12(3) GDPR). This period may be extended by a further two months where requests are complex or numerous.

10. Right to lodge a complaint

If you believe that the processing of your personal data does not comply with the GDPR, you have the right to lodge a complaint with the competent supervisory authority:

Commission Nationale de l'Informatique et des Libertés (CNIL)

3, place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07 — France

www.cnil.fr — Tel.: +33 1 53 73 22 22

You may also contact the supervisory authority of your country of residence within the European Union.

11. Policy updates

This privacy policy may be updated at any time to reflect legislative or regulatory developments, or changes in our data processing practices. The last updated date shown at the top of this page is authoritative. We encourage you to review it periodically.