Privacy Policy
CD Biosynsis is committed to protecting your personal information and project data. This policy describes how we collect, use, store, and safeguard your data in compliance with GDPR, CCPA, and international data protection standards.
All sections apply to personal information collected through our websites, services, and project engagements.
1. Information We Collect
CD Biosynsis collects personal information in several categories, depending on how you interact with our services. We are committed to data minimization—collecting only what is necessary for the specified purposes described in this policy.
1.1 Information You Provide Directly
When you request a quote, create an account, communicate with us, or engage our services, you may provide the following categories of information:
- Identity data: Full name, job title, organization/company name, professional affiliation
- Contact data: Email address, telephone number, mailing address, billing address
- Financial data: Payment information, invoicing details, purchase history (processed via secure third-party payment processors)
- Project data: Target enzyme/protein sequences, scientific goals, performance specifications, experimental protocols, and other information you voluntarily share about your project
- Communication data: Contents of emails, inquiry forms, consultation call notes, and support tickets
- Application data: Resume, CV, cover letter, and professional history when applying for career opportunities
1.2 Information Collected Automatically
When you visit our websites, we automatically collect certain technical and usage information:
- Device data: IP address, browser type and version, operating system, device identifiers
- Usage data: Pages visited, time spent on pages, links clicked, referring/exit URLs, search queries
- Analytics data: Aggregated and anonymized usage statistics generated through our web analytics platform
- Cookie data: Information stored by cookies and similar tracking technologies as described in Section 6
1.3 Information from Third Parties
We may receive information from business partners, public databases, and professional networks, including:
- Conference and event registration information where we sponsor or exhibit
- Referral information from business partners with your consent
- Publicly available professional information (e.g., organizational affiliations from LinkedIn)
- Credit reference agencies for payment verification purposes
Project Data & Trade Secrets: When you engage CD Biosynsis for synthetic biology services, you may share proprietary sequences, unpublished data, and trade secrets. All such project data is treated with the highest level of confidentiality and protected under NDA. We do not use your project data for any purpose other than delivering the contracted service.
2. How We Use Your Information
We use your personal information for the following purposes, under the legal bases described. We only process personal data where we have a lawful basis to do so.
2.1 Legal Bases for Processing
| Processing Activity | Legal Basis |
|---|---|
| Providing and delivering contracted services | Performance of contract (Art. 6(1)(b) GDPR) |
| Responding to inquiries and providing customer support | Legitimate interests (Art. 6(1)(f) GDPR) / Consent |
| Sending service-related communications and project updates | Performance of contract (Art. 6(1)(b) GDPR) |
| Marketing communications (where applicable) | Consent (Art. 6(1)(a) GDPR) |
| Improving website and service quality | Legitimate interests (Art. 6(1)(f) GDPR) |
| Complying with legal obligations (tax, audit, regulatory) | Legal obligation (Art. 6(1)(c) GDPR) |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f) GDPR) |
| Job application processing | Legitimate interests / Consent |
2.2 Specific Use Categories
Service Delivery: We use your identity, contact, and project data to deliver contracted synthetic biology services. This includes project scoping, design execution, experimental work, reporting, and delivery of results.
Communication: We use your contact information to send project updates, respond to inquiries, share relevant technical information, and provide customer support. You may opt out of non-essential communications at any time.
Marketing: With your explicit consent, we send newsletters, technical updates, and information about new services. All marketing emails include an unsubscribe link. We do not sell your personal data to third parties for marketing purposes.
Service Improvement: We analyze aggregated, anonymized usage data to understand how visitors use our websites and services, identify improvement opportunities, and develop new capabilities.
Legal Compliance: We retain and disclose information as required by applicable law, including tax regulations, financial reporting requirements, court orders, and regulatory obligations.
2.3 Automated Decision-Making
We do not use fully automated decision-making processes that produce significant effects on individuals. All project-related decisions involving human evaluation of personal data are made by qualified personnel. Where AI tools assist in service delivery, human oversight is maintained throughout.
3. Data Sharing & Disclosure
We do not sell your personal information. We share data only under the following circumstances, with appropriate contractual safeguards in place.
3.1 Service Providers
We share personal information with trusted service providers who process data on our behalf, including:
- Cloud infrastructure providers (data storage and processing)
- Payment processors (secure payment handling)
- Customer relationship management platforms (inquiry and project management)
- Email and communication service providers (transactional and marketing emails)
- Analytics providers (website usage analytics)
- IT security providers (vulnerability scanning, intrusion detection)
All service providers are contractually bound to process data only on our instructions, maintain appropriate security measures, and not use data for their own purposes.
3.2 Business Transfers
In the event of a merger, acquisition, sale of assets, or similar corporate transaction, personal information may be transferred as part of the transaction. We will notify you via email and through a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
3.3 Legal Requirements
We may disclose personal information if required by law, including:
- Compliance with valid legal process, court orders, or government requests
- Enforcement of our Terms of Service and other agreements
- Protection of the rights, property, or safety of CD Biosynsis, our clients, employees, or the public
- Regulatory reporting obligations (e.g., adverse event reporting for pharmaceutical clients)
3.4 International Data Transfers
CD Biosynsis operates globally. Your data may be transferred to and processed in countries outside your country of residence, including the United States, European Union member states, and other jurisdictions. Where data is transferred outside the EEA, UK, or Switzerland, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Data processing agreements with all receiving parties
- Adequacy decisions where available
- Additional security measures such as encryption in transit and at rest
4. Data Security
CD Biosynsis implements comprehensive technical and organizational measures to protect your personal information against unauthorized access, loss, misuse, or alteration.
4.1 Technical Security Measures
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Encryption at rest: Sensitive data stored on our systems is encrypted using AES-256 or equivalent
- Access controls: Role-based access control limits data access to authorized personnel only, on a least-privilege basis
- Multi-factor authentication: Required for all internal systems handling personal or project data
- Network security: Firewalls, intrusion detection/prevention systems, and network segmentation
- Vulnerability management: Regular security scanning, patch management, and penetration testing
- Backup and recovery: Encrypted, geographically distributed backups with tested restoration procedures
4.2 Organizational Security Measures
- Annual information security training for all employees handling personal data
- Data Protection Officer (DPO) oversight for GDPR compliance
- Incident response procedures and breach notification protocols
- Regular security audits and third-party compliance assessments
- Confidentiality agreements with all personnel with data access
- Vendor security assessment program for all third-party data processors
Project Data Security: Client project data (including proprietary sequences and experimental data) receives enhanced security protections, including isolated storage environments, additional access restrictions, and strict data handling protocols aligned with each client's security requirements.
4.3 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is high risk, we will also notify affected individuals directly, without undue delay, describing the nature of the breach, likely consequences, and mitigation measures taken.
5. Your Privacy Rights
Depending on your location, you may have specific rights regarding your personal information. We are committed to honoring all applicable rights.
5.1 GDPR Rights (European Economic Area)
If you are located in the EEA, you have the following rights under the General Data Protection Regulation:
- Right of Access: Obtain confirmation of whether we process your personal data and access a copy of that data, including purposes of processing, categories of data, and recipients.
- Right to Rectification: Request correction of inaccurate personal data and completion of incomplete data, without undue delay.
- Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purposes collected, where you withdraw consent, or where processing is unlawful.
- Right to Restriction: Request restriction of processing where you contest data accuracy, where processing is unlawful, or while verification of overriding interests is pending.
- Right to Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller, where processing is based on consent or contract.
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes at any time. We will cease processing unless compelling legitimate grounds apply.
5.2 CCPA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to Know: Request disclosure of personal information collected, used, disclosed, or sold about you, including categories, sources, purposes, and third-party recipients
- Right to Delete: Request deletion of personal information collected, subject to certain exceptions (e.g., legal obligations, completed transactions)
- Right to Opt-Out: Opt out of the sale of personal information (CD Biosynsis does not sell personal information)
- Right to Non-Discrimination: Not be discriminated against for exercising your CCPA rights
California residents may submit requests by emailing privacy@biosynsis.com or calling our toll-free number.
5.3 Other Jurisdictions
Residents of other jurisdictions (UK, Canada, Brazil under LGPD, Australia under the Privacy Act) may have additional rights. Please contact us at privacy@biosynsis.com to exercise your rights or inquire about protections specific to your jurisdiction.
5.4 Exercising Your Rights
To exercise any of these rights, please contact our Privacy Team at privacy@biosynsis.com. We will respond to all verified requests within 30 days. For complex requests, we may extend this period by up to an additional 30 days, with prior notification. We do not charge a fee for responding to requests unless they are manifestly unfounded or excessive.
6. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to operate our websites, analyze usage, and deliver personalized content. This section explains what cookies we use and how you can manage your preferences.
6.1 Types of Cookies We Use
| Category | Purpose | Duration |
|---|---|---|
| Necessary | Required for website functionality: authentication, security, session management, load balancing | Session / 1 year |
| Analytics | Understanding how visitors use our site: page views, navigation patterns, referral sources | Up to 2 years |
| Functional | Remembering preferences: language, region, form data, display settings | Up to 1 year |
| Marketing | Measuring campaign effectiveness, tracking conversions from external links | Up to 90 days |
6.2 Managing Your Cookie Preferences
You can manage your cookie preferences through our cookie consent banner when you first visit our website. You may also adjust browser settings to refuse cookies, though this may affect website functionality. Our cookie preference center allows you to opt out of non-essential cookies at any time.
6.3 Third-Party Cookies
Some cookies on our site are set by third-party services we use, including Google Analytics, LinkedIn Insight Tag, and HubSpot. These third parties may collect data about your visit across multiple websites. We recommend reviewing the privacy policies of these services for information about their data practices.
7. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.
| Data Category | Retention Period |
|---|---|
| Customer account data | Duration of relationship plus 3 years |
| Project data and results | Minimum 7 years (aligned with research record-keeping standards) |
| Communication records | Minimum 3 years from last interaction |
| Financial and invoicing records | Minimum 7 years (tax and audit compliance) |
| Marketing subscriber data | Until consent is withdrawn |
| Website analytics (anonymized) | Up to 26 months |
| Job application data | Up to 12 months after position is filled |
When data is no longer needed, we securely delete or anonymize it. Where anonymization is used for analytical purposes, the resulting data is not considered personal data and may be retained indefinitely.
8. Children's Privacy
CD Biosynsis services are directed at businesses, academic institutions, and professionals. Our websites and services are not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us at privacy@biosynsis.com and we will promptly delete the information.
9. International Data Transfers
CD Biosynsis is headquartered in the United States and operates globally. As such, your personal information may be transferred to, stored, and processed in countries other than your country of residence, including but not limited to the United States, European Union member states, the United Kingdom, and Singapore.
9.1 Safeguards for International Transfers
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as having adequate data protection, we implement the following safeguards:
- Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs for transfers from the EEA, providing contractual guarantees equivalent to those in the EU
- UK International Data Transfer Agreements (IDTAs): For transfers to the UK, we use the ICO-approved IDTA
- Data Processing Agreements: All international data transfers are governed by Data Processing Agreements that set out the obligations of each party
- Encryption: All international transfers use TLS 1.2+ encryption in transit, with data at rest encrypted using AES-256
9.2 Your Consent to International Transfers
By using our services and providing personal information, you acknowledge and agree that your data may be transferred internationally as described in this policy. If you have questions about international data transfers, please contact our Privacy Team.
10. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business circumstances. When we make material changes, we will:
- Post the updated policy on this page with a revised "Last Updated" date
- Notify you via email for significant changes affecting your rights or obligations
- Obtain fresh consent where required by applicable law
We encourage you to review this policy periodically. The current version is always available at https://www.biosynsis.com/privacy-policy.html.
11. Contact Information
If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about our data practices, please contact us:
- Privacy Team: privacy@biosynsis.com
- Data Protection Officer: dpo@biosynsis.com
- Telephone: +1-631-637-0420 (Mon-Fri, 9am-5pm EST)
- Mail: CD Biosynsis, Attn: Privacy Team, SUITE 206, 17 Ramsey Road, Shirley, NY 11967, USA
If you are located in the EEA and are unsatisfied with our response, you have the right to lodge a complaint with your national data protection supervisory authority.
Last Updated: January 2026
Have Questions About Your Data?
Our Privacy Team is ready to assist with data subject requests, compliance questions, or security concerns. We respond to all inquiries within 3 business days.