Privacy Policy

Last updated: 15 February 2026  ·  Version 1.0

1. Who We Are (Data Controller)

This Privacy Policy applies to the processing of personal data by:

If you have any questions about how we process your personal data, please contact us at the address above. We do not currently have a designated Data Protection Officer (DPO); however, we take our obligations under the GDPR seriously and will respond to all privacy-related requests within the timeframes set out in Article 12 GDPR.

2. What Personal Data We Collect

We collect and process the following categories of personal data, depending on how you interact with us:

2.1 Data you provide directly

• Contact form submissions: name, email address, company name, message content, and any other information you choose to include.
• Email correspondence: any personal data contained in emails you send to us.
• Business card / networking: name, job title, company, email address, telephone number.

2.2 Data collected automatically

• Website usage data: IP address (anonymised where possible), browser type, device type, pages visited, time spent on pages, referring URL.
• Cookies and similar technologies: see Section 7 (Cookies) below.

2.3 Data from third parties

• LinkedIn: If you interact with our LinkedIn Company Page, LinkedIn processes data subject to their own privacy policy. We may receive aggregated, anonymised analytics about page interactions.

We do not process special categories of personal data (sensitive data) as defined in Article 9 GDPR, such as health data, ethnic origin, or political opinions.

3. Legal Basis for Processing

We process your personal data only where we have a lawful basis under Article 6 GDPR:

• Legitimate interests (Art. 6(1)(f) GDPR): To respond to enquiries, manage business relationships, improve our website, and pursue our commercial activities as a regulatory consultancy. We have carried out a balancing test and concluded that our legitimate interests are not overridden by your interests or fundamental rights.
• Performance of a contract (Art. 6(1)(b) GDPR): Where processing is necessary to enter into or perform a contract with you or your organisation.
• Compliance with a legal obligation (Art. 6(1)(c) GDPR): Where processing is required by applicable Belgian or EU law (e.g., accounting, VAT, anti-money-laundering obligations).
• Consent (Art. 6(1)(a) GDPR): For non-essential cookies or marketing communications, where we have obtained your prior consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. Purposes of Processing

We use your personal data for the following purposes:

• Responding to contact form submissions and email enquiries
• Providing regulatory consultancy services and managing client relationships
• Sending service-related communications (e.g., project updates, invoices)
• Sending newsletters or sector updates, where you have opted in
• Improving and securing our website and digital services
• Complying with legal and regulatory obligations
• Defending or pursuing legal claims where necessary

5. How Long We Keep Your Data

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law:

• Contact enquiries (no contract concluded): up to 2 years from the date of last contact.
• Client data (contractual relationship): up to 10 years after the end of the contractual relationship, as required under Belgian accounting law.
• Marketing / newsletter data: until you unsubscribe or withdraw consent, whichever is sooner.
• Website analytics data: up to 26 months (anonymised after 13 months where possible).

When data is no longer needed, we securely delete or anonymise it.

6. Who We Share Your Data With

We do not sell your personal data. We may share data with the following categories of recipients:

• IT service providers: hosting providers, email platforms, CRM tools — acting as processors under data processing agreements in accordance with Art. 28 GDPR.
• Professional advisors: lawyers, accountants, and auditors, bound by professional confidentiality obligations.
• Public authorities: where required by law or court order (e.g., tax authorities, law enforcement).

We do not transfer personal data to third countries outside the EEA unless appropriate safeguards are in place (e.g., Standard Contractual Clauses, an adequacy decision). Where applicable, we will inform you of such transfers and the safeguards applied.

7. Cookies

Our website uses cookies and similar tracking technologies. Cookies are small text files placed on your device.

7.1 Types of cookies we use

• Strictly necessary cookies: Required for the website to function. These cannot be disabled.
• Analytics cookies: Help us understand how visitors interact with our site (e.g., Google Analytics with IP anonymisation enabled). Only set with your consent.
• Preference cookies: Remember your settings and choices. Only set with your consent.

7.2 Managing cookies

You can control and manage cookies through your browser settings or via our cookie consent banner. Withdrawing consent for non-essential cookies will not affect the functionality of strictly necessary cookies. For more information, see allaboutcookies.org.

8. Your Rights Under GDPR

Under the GDPR, you have the following rights in relation to your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
• Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format where processing is based on consent or contract.
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect prior lawful processing.
• Rights related to automated decision-making (Art. 22): We do not use automated decision-making or profiling that produces legal or similarly significant effects.

To exercise any of these rights, please contact us at info@3bio.eu. We will respond within one month of receipt of your request. This period may be extended by two further months where necessary, in which case we will inform you within the first month.

We may ask you to verify your identity before processing your request. We will not charge a fee for reasonable requests; however, we may charge a reasonable administrative fee for manifestly unfounded or excessive requests.

9. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the competent supervisory authority. As we are established in Belgium, the lead supervisory authority is:

We would, however, appreciate the opportunity to address your concerns directly before you contact the supervisory authority. Please reach out to us at info@3bio.eu in the first instance.

10. Security of Your Data

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are reviewed and updated as necessary in line with industry standards and our obligations under Art. 32 GDPR.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR). Where the breach is likely to result in a high risk to you, we will also notify you directly (Art. 34 GDPR).

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. The "Last updated" date at the top of this page indicates when the Policy was last revised. We encourage you to review this Policy periodically. Where changes are material, we will take appropriate steps to inform you (e.g., via a notice on our website or by email where we hold your contact details).

12. Contact Us

For any questions, requests, or concerns relating to this Privacy Policy or our data processing activities, please contact: