GENERAL PRIVACY NOTICE

Xilis respects the relationships we have with participants in clinical studies, customers, business partners, website visitors and applicants. We respect the privacy of all individuals whose personal data may be processed by us in the performance of our services and our business operations. All personal data will be protected in accordance with the applicable data protection laws, which includes the General Data Protection Regulation (GDPR) for the European Economic Area (EEA).

This Privacy Notice explains how Xilis collects, holds, uses, and discloses personal data when you visit our website, participate in medical research, do business with us or apply for a job at Xilis. It sets out for what purpose we use your data and what rights you have with regard to our processing of your personal data.

1. WHO IS XILIS AND HOW CAN YOU CONTACT US? 

Xilis Inc. (31 Alexandria Way, Durham, NC, 27703, USA) and Xilis B.V. (Heidelberglaan 25, 3584 CS Utrecht, the Netherlands) (hereinafter jointly referred to as Xilis) in principle act as joint data controllers with regard to the processing of your personal data. Joint controllers decide the purposes and means of data processing together: they have the same or shared purposes. Xilis Inc. and Xilis B.V. have a transparent arrangement in place that sets out our responsibilities for complying with the GDPR. The essence of this arrangement is included in this document.

Your questions about the processing of personal data by Xilis can be addressed to or by ordinary mail to Gansstraat 133, 3582 EE Utrecht, the Netherlands.

2. TO WHOM DOES THIS PRIVACY NOTICE APPLY? 

This Privacy Notice applies to individuals who visit and use the Xilis website, contact us, subscribe to our newsletter, visit our office, or do business with us (suppliers, partners, investors). This Privacy Notice also explains how we use your personal data when you apply for a position or internship with Xilis. In addition, we may obtain your personal data as part of your participation in a research study or clinical trial.

3. HOW DOES XILIS PROCESS PERSONAL DATA? 

Below you will find an overview of the purposes for which Xilis processes personal data about you. It includes which personal data Xilis uses for that specific purpose, what the legal basis is and for how long your personal data is retained.

Clinical trials and scientific research studies 

What is Xilis’ privacy role?
Depending on the (clinical) research study, Xilis may act as data processor on behalf of the investigator (that will act as data controller) in relation to your personal data, for example as contract research organization. When acting in the capacity of data processor, Xilis will process your personal data in line with the instructions provided by the data controller.

This Privacy Notice does not apply where Xilis processes personal data as a processor on behalf of the investigator and our processing of such personal data is governed by our agreement with the investigator. If you have concerns about personal data that we process on behalf of an investigator or wish to exercise your privacy rights regarding such personal data, please contact the investigator directly.

We may provide additional privacy notices or information to you at the time we collect your data to describe our privacy practices in connection with conducting that research or clinical trial.

Clinical trials
Xilis processes (pseudonymized) medical and health information about individuals who take part in clinical trials or (scientific) research studies. This information is collected by medical professionals and shared with Xilis. Personal data processed in this context includes health and medical information (such as information about physical and mental health conditions, diagnoses or symptoms, treatments for medical conditions, family medical history, and medications).

For individuals participating in research studies managed by Xilis, personal data may be used to determine your eligibility for a clinical trial, to conduct the clinical trial, to carry out the applicable studies and other study-related activities, and to ensure that each trial drug is safe and reliable.

Xilis will not collect any information which directly identifies a research participant. In most instances, when Xilis receives your data, it will already be pseudonymized. Xilis will therefore not be able to link it directly to you. In other instances, we will pseudonymize your data ourselves to ensure that only those with a need to know can identify you. We apply this technique to provide you with an additional layer of privacy and security, but we will still treat your pseudonymized data as personal data and will process it in line with data protection legislation.

Xilis will only process personal data if we have a valid legal justification for doing so. Therefore, we will only process your personal data if: you have given your prior consent by signing an Informed Consent Form or if this is necessary for the purposes of our legitimate interests in conducting scientific research. We may also process personal data where such processing is necessary for the performance of a task carried out in the public interest, on the basis of an EU or national law. For example, the Clinical Trials Regulation defines by law certain processing activities, which are necessary for the performance of a task carried out in the public interest for purposes outlined in the approved clinical trial protocol, in this case safeguarding public health. Furthermore, the processing of personal data could also be necessary for the purposes of the legitimate interests pursued by Xilis or a third party, for example in the context of conducting scientific research.

Finally, Xilis is required to retain information that is part of the clinical trial master file in accordance with applicable laws. In accordance with European laws relating to clinical trials conducted in the EU, we retain clinical trial data for up to 25 years.

Reliability and safety purposes
In order for Xilis, as the sponsor of clinical trials, to assess all potentially relevant safety information, investigators are legally required to report all adverse events to Xilis. In addition, Xilis is also required to report safety information on serious adverse events to the European Medicines Agency. Xilis processes and shares your personal data for these safety and reliability purposes in order to comply with legal obligations under the Clinical Trials Regulation.

Scientific research and secondary use
Xilis is developing next generation MicroOrganoSphere (MOS) technologies to guide precision therapy for cancer patients and accelerate drug discovery. The clinical trials are necessary to contribute to the development and improvement of MOS and for performing valuable scientific and medical research. Xilis may therefore ask for your separate consent for the use of your personal data for conducting scientific research and/or the use of your personal data you provided during your participation in a clinical trial (secondary use).

Investors, suppliers, partners 

We process personal data that we obtain in the context of our interactions with you as (a staff member of) a (prospective) supplier, investor, or business partner because it is necessary to enter into a contract and for the performance of that contract. We may also need your personal data in order to comply with our legal obligations (for example, tax and accounting regulations) and in order to pursue our legitimate interests (for example, in case of a dispute). For these purposes, we may collect and process identification data (such as name, email address, phone number, postal address), employment data (such as employer, function), financial data (such as bank account), and other information provided (for instance in correspondence with us).
Xilis will retain your information for as long as we hold a business relationship. Data required for our bookkeeping is retained for seven years.

Careers at Xilis

When applicants provide us with personal data, we will process such personal data for recruitment and selection purposes. The personal data and documents provided by you may include your contact details, CV, and motivation letter. We process this personal data to determine your eligibility for the vacancy for which you have applied or, in case of an open application, to determine your eligibility for a position within Xilis.

Xilis has a legitimate interest in the aforementioned data processing activities, which includes the recruitment of suitable new staff who meet our high standards of service.

Xilis stores applicants’ personal data during the recruitment and selection procedure. In the event of rejection, your application data will be deleted by Xilis in accordance with the rules applicable in your jurisdiction. In the European Union, we will delete your application data no later than four weeks after the end or completion of the application procedure. Only with your consent will Xilis retain your application data for a period of one year in order to be able to inform you if a suitable position becomes available for you at a later date. In the United States, we will retain your application data as long as necessary to comply with applicable state and federal laws.

Contact 

You may contact us in various ways, including via the contact form on the website, by e-mail, and by telephone. The information we obtain from you for this contact will only be used to answer your question and to provide our services. The legal ground for this data processing can be found in the legitimate business interests of Xilis. We will not retain your data longer than necessary to answer your question.

Newsletters 

If you would like to be kept informed of our developments and studies, you may subscribe to our newsletter. We process your e-mail address in order to send the newsletters. Xilis has a legitimate interest in this processing for such direct marketing purposes. You may unsubscribe at any time via the unsubscribe button in our newsletter.

Website visitors 

We automatically collect generated data about your use of the website. This information consists of your IP address (a unique number, which makes it possible to recognize your device), data displayed or clicked on (including UI elements and links), and other log information (including browser type, IP address, date and time of access, cookie ID, and referrer URL). We need this information in order for the website to work as optimally as possible (for example, to display content correctly and to keep the website secure). The processing of these personal data is based on our legitimate interests. For more information on how we use your information when you visit our website, please refer to our Cookie Policy.

Visitors to our office 

We meet visitors at our office, including external training providers, job applicants, suppliers, investors, and stakeholders. If your visit is planned, we will send your name and visit information to reception before your visit. If you arrive without an appointment, your name will be noted by the reception upon arrival. The purpose for processing this information is for security and safety reasons and the processing is based on our legitimate interests and the legitimate interests of the building operator (from which we rent our office).

Complaints, disputes, and legal claims 

We may process personal data to exercise our rights by establishing, exercising, or defending a legal claim or in order to defend ourselves or our staff against a legal claim from third parties (including disputes, complaints, questions and/or investigations). It is in our legitimate interest to process personal data to be able to exercise our rights and to defend ourselves and our staff against legal claims. Your personal data will be retained for as long as necessary to achieve these purposes.

4. WITH WHOM DO WE SHARE YOUR PERSONAL DATA? 

We only share your personal data on a strictly need-to-know basis. This means that a party will only gain access to your personal data if and insofar as necessary for the activities of that party. We share your personal data with the parties below.

  • Authorized persons working for us, involved with the processing. We share personal data between Xilis Inc. and our wholly owned subsidiary Xilis B.V.
  • Authorized persons working for one of our suppliers or partners in the private sector (incl. subcontractors or service providers), involved with the processing, such as contract research organizations, laboratories, service providers involved in evaluating drug safety and efficacy, providers of medical software, hosting, data analytics, and other cloud-based software providers.
  • Authorized persons working for competent authorities in the public sector, where legally required, such as supervisory authorities, enforcement agencies, regulatory agencies who oversee the conduct of clinical trials and courts.
  • Authorized persons working for a buyer or a successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal data held by us is among the assets transferred.
  • Authorized persons working for us to help establish or exercise our right to defend against legal claims.

Transfers outside the European Economic Area (EEA)
Some of these third parties, including Xilis Inc., are established in a country outside the European Economic Area (“EEA”), including the United States. In order to comply with EU data protection legislation for international transfers, we carefully consider whether an adequate level of protection can be safeguarded. Where necessary, we lay down arrangements in a data transfer agreement based on standard contractual clauses adopted by the European Commission (Article 46(2)(c) GDPR).

In specific situations we can also rely on the derogations of Article 49 GDPR to legitimize the data transfer. This means that we may transfer personal data: (i) with your explicit consent, (ii) if this is necessary for the performance of a contract that has been concluded with you or has been concluded in your interest, or (iii) if this is necessary for the establishment, exercise, or defense of legal claims. Lastly, in exceptional cases we may also transfer personal data if the data transfer is necessary for our compelling legitimate interests and is not overridden by your interests or rights and freedoms.

For more information about the safeguards for international data transfers, please contact us using the contact details included in this Privacy Notice.

5. WHAT ARE YOUR RIGHTS? 

Based on the General Data Protection Regulation ("GDPR"; (EU) 2016/679) you have various privacy rights. To what extent these rights can be exercised, may depend on the circumstances of the processing, such as the manner in which Xilis processes the personal data and the legal basis for the processing. Below we included a summary of the relevant privacy rights under the GDPR.

  • Right to withdraw consent. If the processing of your personal data is based on your consent, you have the right to withdraw such consent at any time. After you have withdrawn your consent, Xilis will no longer process your personal data for the related purposes. Please note that the withdrawal of consent does not affect the lawfulness of the processing before it has been withdrawn.
  • Right of access. This concerns the right to request access to your personal data. This enables you to receive a copy of the data we hold about you (but not necessarily the files themselves). We will then also provide further specifics of our processing of the personal data. For example, the purposes for which we process the data, where we got it from, and with whom we share it.
  • Right of rectification. This concerns the right to request rectification of the data that we hold about you. This enables you or your legal representative to have any incomplete or inaccurate data corrected.
  • Right to erasure. This concerns the right to request erasure of the data. This enables you to ask us to delete or remove personal data where: (i) the data is no longer necessary, (ii) the processing activities have been objected to, (iii) the data has been unlawfully processed, (iv) the data has to be erased on the basis of a legal requirement, or (v) the data has been collected in relation to the offering of information society services. However, we do not have to honor such a request in all cases.
  • Right of restriction. The right to restriction of processing means that Xilis will continue to store personal data at your request but may in principle not do anything further with it. In short, this right can be exercised when Xilis does not have (or no longer has) any legal grounds for the processing of the data or if this is under discussion.
  • Right to data portability. You have the right to receive your personal data that you have provided to Xilis in a structured, commonly used, and machine-readable form and you have the right to transmit those data to another data controller, where the processing is based on your consent or on the performance of a contract.
  • Right to object. Under certain circumstances, you have the right to object to processing of your personal data where we are relying on legitimate interests as processing ground. Insofar as the processing of your personal data takes place for direct marketing purposes, we will always honor your request. If it concerns processing for other purposes, we will make a new balance of interests and determine whether Xilis has compelling legitimate grounds that override your interests.
  • Automated decision-making. This concerns the right not to be subject to a decision based solely on automated processing, which significantly impacts you. In this respect, please be informed that when processing your personal data as described in this Privacy Notice, we do not make use of automated decision-making.
  • Right to complain. Xilis is committed to resolving complaints about your privacy and our collection or use of your personal data. If you are not satisfied with the way Xilis handles your personal data, you may file a complaint with the appropriate supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or where an alleged infringement took place. Please refer to the website of the European Data Protection Board (EDPB) for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with any concerns before the supervisory authority is approached, so please contact us beforehand.

How we handle requests

You can submit your request to Xilis via . Xilis will respond to your request as soon as possible, and in any case within one month of receipt of the request. This period may be extended by two months if necessary, depending on the complexity and number of the requests. Xilis will inform you within one month of receipt of the request if such an extension is to be made, stating the reason for the delay. If Xilis does not act upon your request, Xilis will inform you of the reasons for not acting as soon as possible, and in any case no later than one month after receipt of the request.

Please note that if you are a participant in a clinical trial/scientific research study, the data Xilis processes may not contain information with which we can directly identify you, such as your name or address. Xilis may therefore not be able to respond to your request. In such case, we will inform you and request further information to confirm your identity or kindly refer you to the relevant health care provider for the exercise of your rights.

6. CHANGES TO THIS PRIVACY NOTICE 

Please know that we may make changes to this Privacy Notice from time to time. Where required, we will inform you of such updates. The current version is always available on our website www.xilis.com. This Privacy Notice was last amended in June 2023.