Privacy Policy
Surgical Science Privacy Policy
Last updated: October 2025.
Data Controller: Surgical Science Sweden AB, Drakegatan 7A, 412 50 Gothenburg, Sweden
Contact: GDPR@surgicalscience.com
___________________________________________________________________________
1. Introduction
Surgical Science Sweden AB and its subsidiary companies (“SuS”, “we,” “us”) are committed to protecting your privacy. This Privacy Policy (“Policy”) outlines how we collect, use, share, and safeguard your personal data when you visit our website, use our products or services, or interact with us in any way. As a global company, we comply with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws worldwide.
You can find more information about where we operate here.
Our commitment to Privacy
We recognise privacy as a fundamental right. Any data that identifies or can be linked to an individual is considered “personal data,” including direct identifiers (e.g., name) and indirect identifiers (e.g., device serial number). Aggregated data that cannot identify an individual is treated as non-personal under this Policy.
Transparency and Trust
Your trust is important to us, and we are committed to transparency in how we handle your data. By using our website or engaging with us, you acknowledge and agree to this Policy.
We process personal data in various contexts, including when you:
- Visit our website (surgicalscience.com)
- Visit our booth at a tradeshow or conference
- Fill out a form on our website to sign up for a newsletter, register for an event, download a brochure or piece of content, or for other similar purposes
- Use our products or services
- Work for or represent a company we do business with
- Enter into agreements with us
- Apply for a position at SuS or visit our offices
This Policy is based on current legal requirements and outlines your rights, including how to request access, correction, deletion, or transfer of your data.
2. Personal data we collect
The tables below set out the categories of personal data we collect from you.
Personal data collected when you visit our website
| Category | Description |
| Technical data | Personal data collected and processed when you access or use our website. This includes:
– Your IP address: When you visit our website, your browser generates a request that passes through our routers, enabling access to our website. – Cookies and similar technologies, as described in our Cookie Policy. |
Personal data collected during job applications
We collect and process personal data when you apply for a position at SuS. This includes:
| Category | Description |
| Identity data | Information necessary for processing job applications, including: first name, last name, previous names, title, date of birth, job title, languages, electronic signature, nationality, disability status (if voluntarily disclosed), martial or family status (if voluntarily disclosed), social security number, and other information provided in the application. |
| Contact data | Email address, telephone numbers and residential address (if disclosed). |
We collect this data to:
- Assess your application based on the position applied for;
- Process and manage your application, including reviewing CVs, cover letters, references, grades, and certificates;
- Communicate with you regarding the application process or future vacancies;
- Maintain records for potential future recruitment;
- Defend against claims related to the recruitment process (e.g., demonstrating compliance with non-discrimination laws).
The specific data collected may vary depending on the role and the country where the position is based.
Additional categories of personal data we collect
| Category | Description |
| Personal data collected during tradeshows, conferences and other business events | When you provide us with your information that may be deemed as personal data. |
| Personal data collected when you enter into an agreement | When you join our marketplace or use our Services/Products |
| Personal data of company representatives | When you act as a contact person for a company or other legal entity. |
| Marketing data | When you fill out a form on our website to sign up for a newsletter, register for an event, download a brochure or piece of content, or opt in to receive communications from us. |
| Survey and research data | When you participate in a survey or provide feedback through user research |
Personal data received from third parties
We may, in limited cases, receive personal data from third parties, such as acquired companies or trusted service providers, to ensure continuity of services and business operations.
The types of data typically include identity and contact details, and are processed in accordance with this Policy and applicable data protection laws.
Third-party service providers
We use trusted third-party providers to support our recruitment and HR processes. In particular, we use BambooHR as our HR management platform for processing job applications and related HR data. BambooHR acts as our data processor and only processes personal data on our instructions. For more information, please see BambooHR’s Privacy Policy: https://www.bamboohr.com/privacy-policy.
Purpose and legal basis for processing personal data
We only process your personal data where there is a lawful basis for doing so. The table below outlines the legal justifications for processing your data:
| Categories of Personal Data | Purpose | Legal Basis | Retention Time |
| IP address, Cookies | Website functionality | Legitimate interest (for essential cookies necessary to deliver the service) and consent (for non-essential cookies) | Session duration (for session cookies), other cookies stored until deleted by user. |
| Usage data | Website analytics (Google Analytics) | Consent | In accordance with Google Analytics’ privacy disclosures policy: Privacy Disclosures Policy – Analytics Help |
| Identity and contact data | Job application processes, including subscription, general application and candidate Account. | Consent | In accordance with local legislation; generally retained for 1 year based on consent. |
| Identity and contact data | Legal compliance in recruitment | Legal Obligation | 2 years from position closure (per Discrimination Act) |
Contact person at companies
| Personal data processed | Purpose | Legal basis | Retention time |
| Name, social security number (if sole proprietorship), address, e-mail address, telephone number. | We need to process this information in order to enter into a contractual relationship with you. We may use your personal data if you are the contact person for the company we enter into business with. | Legal obligation for the performance of a contract or our legitimate interest in managing business relationships. | We will process this personal data for a period of one (1) year from the date of termination of the service, or the time required by the nature of the service. |
When entering into an agreement or requesting an offer
| Personal data processed | Purpose | Legal basis | Retention time |
| Name, social security number (if sole proprietorship), address, e-mail address, telephone number. | We need to process this information to provide an offer or price estimation. | The legal basis for this processing is that it is necessary for the performance of a contract to which you are a party or to take steps prior to entering into a contract. | The offer is saved for up to thirty (30) days, after which it will be deleted if not accepted. |
| Name, social security number (if sole proprietorship), address, e-mail address, telephone number. | We need to process this information to enter into a contractual relationship with you. | The legal basis for this processing is that it is necessary for the performance of a contract to which you are a party. | We will process this personal data for one (1) year from the date of termination of our service, or the time required by the nature of the service. |
| Name, social security number (if sole proprietorship), address, e-mail address, telephone number, purchased services/products. | We need to process this information to perform our service and the work that you have ordered. We may use your personal information to provide our services, communicate with you, and store our communication. | The legal basis for this processing is that it is necessary for the performance of a contract to which you are a party. | We will process this personal data for three (3) years from the date of termination of our service, or the time required by the nature of the service. |
After entering into an agreement
| Personal data processed | Purpose | Legal basis | Retention time |
| Name, social security number (if sole proprietorship), address, e-mail address, telephone number. | We process this information for invoicing, financial reporting, and compliance with accounting and tax regulations | Legal obligations under applicable accounting and tax laws | We retain personal data for as long as required under applicable accounting and tax laws in each jurisdiction (typically up to 7 years in Sweden and the US). |
| Name, social security number (if sole proprietorship), address, e-mail address, telephone number. | We need to process this information to fulfil our legal and contractual obligations, including warranty conditions. | Legal obligation. | We will process this personal data for the duration of the legally mandated warranty period. |
Direct marketing
| Personal data processed | Purpose | Legal basis | Retention time |
| Name, address, e-mail address, telephone number. | To provide updates on our services, send newsletters, and share relevant marketing information. | Consent – individuals must accept the Privacy Policy before we add or process their information. | We will retain personal data for 1 year from the date of termination of our service relationship or the last interaction. Before this period expires, we will send a reminder asking whether the individual wishes to renew consent. If no response is received, the data will be securely deleted. |
| (Existing contacts collected before consent requirement) Name, address, e-mail address, telephone number. | To request renewed consent and maintain accurate marketing records. | Legitimate interest (temporary) – maintaining contact while seeking renewed consent. | Retained only for the period necessary to obtain consent. If no consent is received within a reasonable period, the data will be deleted. |
Due to legal obligation or to safeguard legal claims
| Personal data processed | Purpose | Legal basis | Retention time |
| Personal data processed as part of an agreement with us. | We need to process your personal data to comply with legal obligations, such as tax or accounting laws. | The processing is based on a legal obligation. | We retain personal data for as long as required under applicable accounting and tax laws in each jurisdiction (typically 7 years in Sweden and the US). |
| Personal data processed due to interactions with our services/products. | In the event of a dispute, we process personal data to establish, exercise, and monitor legal claims. | We have a legitimate interest in safeguarding our rights. | We will process this personal data for three (3) years from the date of termination of the service, or until the legal claim has been resolved and the decision has gained legal force. |
How we share your personal data
| Category of receipts | Categories of personal data shared | Reason for sharing |
| Our auditor | Identity Data, financial data | Compliance with auditing requirements. |
| Our IT supplier | Identity Data, contact data | Maintenance and support of IT systems. |
| Swedish Tax Agency | Identity Data, financial data | Compliance with tax and financial reporting obligations. |
| Service providers | Identity Data, contact data | Processing data necessary for service delivery. |
| Payment partners | Identity Data, financial data | Processing payments for services. |
| Advertising partners | Identity Data, marketing data | Marketing activities. |
| Marketing partners | Identity Data, marketing data | Communication of targeted offers. |
| Other SuS group companies, including acquisitions | Identity data, contact data, and any relevant business-related data. | To carry out business operations and provide/improve services. |
| Law enforcement and other authorities, or other litigation parties | Identity and contact data (as required).
|
Compliance with legal obligations or legal processes.
|
| Purchasers of our business | Relevant business and customer data. | As part of a sale or merger transaction. |
3. Personal data transfers outside the EU/EEA
We strive to process your personal data within the EU/EEA. However, in certain cases, your data may be transferred to countries outside the EU/EEA, including the United States. When such transfers occur, we implement appropriate safeguards in compliance with Article 46 GDPR, including Standard Contractual Clauses approved by the European Commission, and where relevant, supplementary technical and organisational measures.
As a global business, we may process or share personal data with entities in countries that do not offer the same level of data protection as the EU/EEA. To safeguard your data, we implement appropriate measures in compliance with applicable laws, including:
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy Decisions where the European Commission has deemed a country to provide adequate data protection
Additional Safeguards, such as encryption, pseudonymisation, and policies to challenge unlawful government access requests
If you are based in the EU/EEA or the UK, we generally process your personal data within these regions. In exceptional cases where processing outside the EU/EEA is necessary, we ensure full compliance with GDPR and other relevant regulations.
4. Data retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy and any applicable service-specific privacy notices, or as required to comply with legal, regulatory, and contractual obligations.
When determining the appropriate retention period, we carefully assess whether the continued retention of personal data is necessary to achieve the intended purposes. If retention is required, we ensure that personal data is retained for the minimum period permissible under applicable law. Personal data may be retained beyond this period only when necessary to comply with legal obligations, resolve disputes, enforce our agreements, or establish, exercise, or defend legal claims.
Once personal data is no longer required for these purposes, it will be securely deleted, anonymized, or otherwise rendered inaccessible in accordance with our data retention and disposal policies.
5. Your rights & choice
The rights available to you depend on the jurisdiction in which you reside. Depending on your location and applicable data protection laws, you may have specific rights regarding your personal data. Below, we outline the rights available to individuals in the EU/EEA, the UK, and the US, along with general opt-out options.
Your rights under the GDPR (EU/EEA & UK GDPR)
If you are based in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
- Right to be informed – You have the right to receive clear, transparent, and understandable information about how we collect, use, and share your personal data.
- Right of access – You have the right to request access to the personal data we hold about you and obtain a copy of it.
- Right to rectification – You have the right to request corrections to inaccurate or incomplete personal data.
- Right to erasure (Right to be forgotten) – You may request the deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.
- Right to restrict processing – You may request that we restrict the processing of your personal data under certain conditions (e.g., while verifying its accuracy or objecting to its use).
- Right to data portability – You have the right to receive your personal data in a structured, commonly used, and machine-readable format and transfer it to another controller.
- Right to object – You may object to the processing of your personal data when based on our legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making and profiling – You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant impacts.
- Right to withdraw consent – You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Your rights under US Privacy laws (CCPA/CPRA & other state laws)
If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or other applicable US states, you may have the following rights:
- Right to know – You can request details about the personal data we collect, use, disclose, and sell.
- Right to access – You have the right to request a copy of the specific pieces of personal data we hold about you.
- Right to deletion – You may request that we delete your personal data, subject to certain exceptions (e.g., to comply with legal obligations).
- Right to correct – You have the right to request corrections to inaccurate personal data we maintain about you.
- Right to Opt-Out of sale or sharing – You can opt out of the sale or sharing of your personal data for targeted advertising or other commercial purposes.
- Right to limit use of sensitive personal data – If we process sensitive personal data (e.g., financial, biometric, or health data), you may request that we limit its use.
- Right to non-discrimination – Exercising your privacy rights will not result in discriminatory treatment (e.g., denial of services or different pricing).
General Opt-Out options:
Marketing communications
You can opt out of receiving marketing emails by following the unsubscribe instructions in the email or by contacting us directly.
Cookies & tracking technologies
You can manage cookie preferences through your browser settings or opt-out tools provided in our Cookie Policy.
Targeted advertising & data sharing (US residents)
If you are a US resident, you can opt out of targeted advertising and the sharing of personal data by emailing us.
Exercising your rights
To exercise any of your rights, please contact us at GDPR@surgicalscience.com. We will respond in accordance with applicable data protection laws.
Your right to lodge a complaint with the supervisory authority
If you are located in the EEA, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, “IMY”) or with your local data protection authority. You can find IMY’s details here.
If you are located in the United Kingdom, you may lodge a complaint with the Information Commissioner’s Office (“ICO”). Contact details are available at https://ico.org.uk.
If you are located in Israel, you may contact the Israeli Privacy Protection Authority. Contact details are available at https://www.gov.il/en/departments/privacy-protection-authority.
If you are located in the United States, data protection and privacy rights may vary by state. You may have the right to lodge a complaint with your state attorney general or other applicable authority. For example, residents of California may contact the California Attorney General’s Office at https://oag.ca.gov/privacy.
Our use of cookies and similar technologies
Our website uses certain cookies and other technologies of which you should be aware. Please read our Cookie Policy to find out about the cookies we use and how to manage your cookie preferences.
Changes to this policy
We are constantly working to improve our business; therefore this policy may change from time to time. We may update the policy as a result of changes in legal, technical or business developments. We encourage you to review this policy periodically. When we make material updates, we will notify you through our website or by other appropriate means.