1. Introduction and Scope

This Privacy Policy describes how Cell Culture Automation Ltd, trading as CCA BIO ("Company", "we", "us", "our"), collects, uses, stores, discloses, and otherwise processes personal data in connection with the website located at cca.bio (the "Site") and related products and services (the "Services"), including CCA Labs.

This policy applies to visitors, prospective customers, customers, users, and other individuals whose personal data is processed through the Services.

2. Data Controller

For the purposes of UK data protection law, including the UK GDPR and Data Protection Act 2018, Cell Culture Automation Ltd is the data controller for most personal data processed under this policy.

3. Categories of Personal Data

Depending on your relationship with us and use of the Services, we may process the following categories of personal data:

• Identity and contact data (such as name, business email address, organisation, country, and contact details).
• Account and authentication data (such as login metadata, hashed credentials, and access role information).
• Commercial and transaction data (such as quote and invoice details, billing records, and payment references).
• Communications data (such as enquiries, support messages, and correspondence records).
• Technical and usage data (such as IP address, browser and device information, request logs, timestamps, and security events).
• Service content containing personal data submitted by users through the Services.

4. Sources of Personal Data

We obtain personal data from the following sources:

• Directly from you when you use forms, create accounts, request quotes, receive invoices, or communicate with us.
• Automatically through operation of the Site and Services, including security and system logs.
• From third-party providers, including authentication, payment, analytics, and infrastructure partners.

5. Purposes of Processing and Lawful Bases

We process personal data for the following purposes and lawful bases:

• Contractual necessity: to provide and administer Services, accounts, quotations, invoicing, and support.
• Legitimate interests: to secure and improve Services, manage operations, prevent abuse, and maintain business continuity.
• Legal obligation: to comply with applicable legal and regulatory obligations, including accounting, tax, anti-fraud, and HMRC-related recordkeeping and disclosure duties.
• Consent: where required by law, including certain marketing communications and non-essential tracking technologies.

Where personal data is required to enter into or perform a contract, or to comply with legal obligations, failure to provide such data may prevent provision of relevant Services.

6. Disclosure of Personal Data

We may disclose personal data to:

• Hosting, infrastructure, and software service providers acting on our documented instructions.
• Authentication, communications, payment, and analytics providers.
• Professional advisers, auditors, and insurers where reasonably required.
• Competent authorities, regulators, courts, or law-enforcement bodies where disclosure is required or permitted by law.
• Successors or counterparties in connection with merger, acquisition, financing, or asset transfer.

7. International Data Transfers

Personal data may be transferred to and processed in jurisdictions outside the United Kingdom. Where such transfers occur, we implement appropriate safeguards as required by law, including adequacy decisions or approved contractual transfer mechanisms.

8. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy and in accordance with legal, regulatory, tax, accounting, audit, and dispute-resolution requirements.

• Commercial and financial records (including quote, invoice, and payment records) are retained for statutory periods, typically at least 6 years where required by UK law and HMRC rules.
• Account and service records are retained for the service period and a limited period thereafter.
• Security logs and anti-abuse records are retained for operational security and fraud-prevention purposes.

9. Security Measures

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, and disclosure, including encryption in transit, access controls, authentication safeguards, monitoring, and backup practices.

No method of transmission or storage is entirely secure; however, we maintain and review safeguards on an ongoing basis.

10. Your Data Protection Rights

Subject to applicable law, you may have rights to:

• Request access to personal data we hold about you.
• Request correction of inaccurate or incomplete personal data.
• Request erasure of personal data in defined circumstances.
• Object to or request restriction of processing in defined circumstances.
• Request portability of personal data where applicable.
• Withdraw consent where processing is based on consent.

Rights requests may be submitted to hello@cca.bio.

11. Complaints

If you consider that our processing of your personal data infringes applicable law, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). We request that you contact us first so we may address your concern.

12. Cookies and Similar Technologies

The Site may use cookies and similar technologies for essential functionality, security, session management, and analytics. Where required by law, we obtain consent for non-essential cookies.

13. Children's Data

The Services are intended for professional and business use and are not directed to children under the age of 18. We do not knowingly collect personal data from children.

14. Changes to This Privacy Policy

We may amend this Privacy Policy from time to time. Updated versions will be published on the Site with a revised update date.

15. Contact

Questions about this Privacy Policy and personal data processing should be sent to hello@cca.bio.