Privacy Policy

We respect your privacy and process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Estonian data protection law.

Last updated: 27 April 2026

In short

  • No tracking. We do not use advertising cookies, third-party tracking pixels, or behavioural profiling.
  • Minimal collection. We process only the information you choose to send us through the contact form or direct email, plus limited technical data needed for the security and operation of the website.
  • We're EU-based and GDPR-bound. Registered in Estonia, subject to EU law by default.
  • You have full rights over your data. Access, correction, deletion, portability, complaint to a supervisory authority.

01 Who we are (the data controller)

The data controller for personal data processed via this website is Nalam Biosciences OÜ, a private limited company registered in Estonia.

  • Legal name: Nalam Biosciences OÜ
  • Registry code: 17221828
  • Jurisdiction: Estonia, European Union
  • Headquarters: Tartu, Tartumaa, Estonia
  • Website: nalambiosciences.com

We do not have a Data Protection Officer (DPO) as we are not required to appoint one under GDPR Article 37. For all data protection enquiries, contact us at [email protected].

02 What personal data we collect

We only collect personal data that you actively provide to us:

2.1 Contact form submissions

When you submit our contact form, we collect:

  • Your name
  • Your email address
  • Your organisation or institution (optional)
  • The service of interest you selected
  • The message you wrote

We do not require you to create an account, log in, or provide any other information. We do not collect financial, health, or special-category personal data via the website.

2.2 Email correspondence

If you email us directly, we receive your email address, name (if provided), and the contents of your message. This is processed by our email provider on our behalf.

2.3 Technical data (anonymous)

Our hosting provider (Cloudflare) records standard server logs (IP address, user-agent, request path, timestamp) for security and abuse prevention. These logs are retained briefly and not used to profile individuals. Cloudflare Web Analytics provides aggregate page-view counts without setting cookies or tracking individuals across sites.

03 Why we process your data and our legal basis

Under GDPR Article 6, every act of processing personal data must have a lawful basis. The bases we rely on are:

| Purpose | Legal basis | Retention |
| Respond to your enquiry | Steps taken at your request prior to entering into a contract (Art. 6(1)(b)) | Until the matter is resolved + 24 months |
| Send you a proposal or contract | Pre-contractual measures and contract performance (Art. 6(1)(b)) | Duration of engagement + statutory retention |
| Maintain server logs and security | Legitimate interest in operating the website securely (Art. 6(1)(f)) | Up to 30 days |
| Comply with Estonian / EU legal obligations | Legal obligation (Art. 6(1)(c)) | As required by applicable law (e.g., 7 years for accounting records under Estonian Accounting Act) |

04 Who we share your data with

We do not sell, rent, or trade personal data. We share data only with the limited service providers that help us operate this website and respond to your enquiry. We use service providers that process data on our behalf under applicable contractual and data-protection terms.

Cloudflare, Inc.

Website hosting, content delivery, DDoS protection, cookieless analytics

United States, with EU data centres for EU-routed traffic. See Cloudflare's Data Processing Addendum and applicable transfer safeguards.

Web3Forms

Processes contact-form submissions and forwards them to our email

See provider privacy policy for processing locations and applicable transfer safeguards.

Email service provider

Hosts and delivers email sent to and from [email protected]

Where data is processed outside the EEA, transfer safeguards under GDPR Chapter V apply, as set out in the provider's terms.

We may also disclose personal data when required by law, court order, or to protect our legal rights.

05 International data transfers

Some of our service providers may process data outside the European Economic Area (EEA). Where this happens, we rely on the safeguards permitted by GDPR Chapter V — typically an adequacy decision, the European Commission's Standard Contractual Clauses (SCCs), or, where applicable, the EU-US Data Privacy Framework. The specific safeguard for each provider is set out in that provider's data processing terms, which we review before engaging them.

06 How we keep your data safe

We apply technical and organisational measures appropriate to the risk:

  • HTTPS-only delivery with TLS 1.2+ and HSTS for all visitors
  • Strict Content Security Policy and other browser-side hardening headers
  • No payment data, account passwords, or special-category data collected
  • Access to enquiries restricted to the founders and any operators they have explicitly authorised
  • Service providers contractually bound to GDPR-equivalent safeguards

07 Cookies and similar technologies

This website does not use tracking, advertising, or analytics cookies. You will not see a cookie consent banner because none is legally required.

Our hosting and security provider (Cloudflare) may set strictly-necessary cookies (e.g., __cf_bm) to protect the site against bots and abuse. These fall within the “strictly necessary” exemption of the EU ePrivacy Directive and Estonian Electronic Communications Act, and do not require consent.

We use Cloudflare Web Analytics, a privacy-preserving, cookieless analytics service that counts page views in aggregate. It does not identify individuals or share data with advertising networks.

08 How long we keep your data

We retain personal data only as long as necessary for the purpose it was collected, plus the minimum period required by law:

  • Unconverted enquiries: contact form submissions and email correspondence are kept for up to 24 months from last contact, after which they are deleted.
  • Active client records: retained for the duration of the engagement plus 7 years (Estonian Accounting Act § 12 retention requirement).
  • Server logs: automatically rotated by our hosting provider (typically within 30 days).

09 Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct data that is inaccurate or incomplete.
  • Right to erasure (“right to be forgotten”) — ask us to delete your data, subject to legal retention requirements.
  • Right to restrict processing — ask us to limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI) at aki.ee or with the supervisory authority in your EU member state.

To exercise any of these rights, email us at [email protected]. We will respond within one month.

10 Automated decision-making and profiling

We do not use automated decision-making or profiling that has a legal or similarly significant effect on you within the meaning of GDPR Article 22.

11 Direct marketing

We do not run a marketing newsletter. We only contact you directly in response to an enquiry you have initiated. If you ask us to follow up later or to keep you informed about a specific topic, we will record that consent and let you withdraw it at any time by replying with the word “unsubscribe.”

12 Whether providing your data is mandatory

You are not legally required to contact us. However, if you choose to send us an enquiry, providing your name, email, and a description of what you need is necessary for us to read and reply to your message. If you do not provide this information, we may be unable to respond.

13 Third-party links

Our website may contain links to third-party websites (for example, our LinkedIn page or external scientific resources). This Privacy Policy applies only to nalambiosciences.com. We are not responsible for the privacy practices, content, or security of external sites. We encourage you to review the privacy policies of any third-party site you visit.

14 Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be published on this page with an updated “Last updated” date. Where appropriate, we may provide additional notice of material changes.