Privacy Policy
VigilaMed Ltd
Last Updated: January 2026
1. Introduction
VigilaMed Ltd ("VigilaMed," "we," "us," or "our") is committed to protecting the privacy and confidentiality of our clients' information. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you engage with our Quality & Regulatory Affairs (QARA) consultancy services.
We operate as a UK-based consultancy serving medical device manufacturers globally. This policy has been drafted to comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and applicable United States privacy laws, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
By engaging with our services, visiting our website, or providing information to us, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
2.1 Technical Data
When you visit our website, we automatically collect certain technical information for security, analytics, and operational purposes. This may include:
- IP address and approximate geographic location
- Browser type, version, and language settings
- Operating system and device information
- Pages visited, time spent on pages, and navigation patterns
- Referring website addresses
- Date and time of access
- Cookies and similar tracking technologies (see our Cookie Policy)
2.2 Client Contact Data (B2B)
In the course of our business-to-business (B2B) consultancy relationships, we collect and process the following categories of client contact information:
- Names: Full names of primary contacts, authorized representatives, and stakeholders within client organizations
- Corporate Email Addresses: Business email addresses used for communication, project delivery, and regulatory correspondence
- Job Titles and Professional Roles: Positions within client organizations (e.g., Quality Director, Regulatory Affairs Manager, R&D Lead)
- Corporate Phone Numbers: Business telephone numbers for project coordination and urgent communications
- Business Addresses: Corporate headquarters and manufacturing facility locations
- Company Information: Company name, registration number, industry sector, device classifications (Class I, II, III), and target markets
2.3 Consulting Data and Regulatory Documents
During the provision of our QARA consultancy services, clients may share regulatory documentation and technical files through secure portals, email communications, or direct file transfers. This category includes, but is not limited to:
- Design History Files (DHF): Technical documentation related to device design, development, and validation processes
- Device Master Records (DMR) and Technical Files: Manufacturing specifications, procedures, and regulatory submission documentation
- Quality Management System (QMS) Documentation: Standard Operating Procedures (SOPs), policies, procedures, and audit reports
- Risk Management Files: ISO 14971 risk assessments and hazard analyses
- Clinical Evaluation Reports (CER) and Post-Market Surveillance (PMS) Data: Clinical data and post-market monitoring documentation
- Regulatory Submission Materials: 510(k) submissions, PMA applications, CE marking technical files, MDSAP audit documentation
- Audit Findings and Remediation Plans: Internal audit reports, supplier audit results, FDA 483 observations, and corrective action plans
Confidential Commercial Information:
All regulatory documents, technical files, and consulting materials shared with VigilaMed are treated as confidential commercial information. We implement robust technical and organizational measures to ensure confidentiality, integrity, and availability of this data in accordance with ISO 27001 information security principles and our contractual obligations to clients.
2.4 Communication Records
We retain records of communications with clients, including:
- Email correspondence and attachments
- Meeting notes, call transcripts, and project minutes
- Service agreements, contracts, and Statements of Work (SOW)
- Invoicing and payment records
3. Legal Basis for Processing Personal Data
Under UK GDPR and EU GDPR, we process personal data based on the following legal grounds:
3.1 Legitimate Interests (Article 6(1)(f) UK/EU GDPR)
We process B2B contact information (names, corporate emails, job titles) based on our legitimate business interests to:
- Conduct business development and client relationship management
- Communicate about our services, regulatory updates, and industry insights
- Maintain security of our website and IT infrastructure
- Analyze website usage to improve user experience and service delivery
We have conducted a Legitimate Interest Assessment (LIA) and determined that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests (see Section 7, "Your Rights").
3.2 Contractual Necessity (Article 6(1)(b) UK/EU GDPR)
We process personal data and regulatory documents when necessary to:
- Perform our contractual obligations under service agreements and Statements of Work
- Deliver QARA consultancy services, including QMS implementation, audit preparation, and regulatory submissions
- Manage project delivery, timelines, and client communications
- Process invoices, payments, and financial records
3.3 Legal Obligation (Article 6(1)(c) UK/EU GDPR)
We may process personal data to comply with legal obligations, including:
- Tax and accounting requirements under UK Companies Act 2006
- Regulatory retention obligations under ISO 13485:2016 (see Section 8, "Data Retention")
- Compliance with court orders, regulatory investigations, or legal proceedings
3.4 Consent (Article 6(1)(a) UK/EU GDPR)
Where we rely on consent for specific processing activities (e.g., marketing communications, optional data collection), you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
4. International Data Transfers
VigilaMed operates as a UK-based consultancy with clients across the United Kingdom, European Union, United States, and other global markets. We may transfer personal data across international boundaries in the following circumstances:
4.1 UK to EU Transfers
Following the UK's departure from the EU, data transfers from the UK to EU Member States are generally permitted under UK GDPR adequacy decisions. We transfer personal data to EU-based clients and service providers in accordance with UK GDPR transfer mechanisms, including adequacy decisions and Standard Contractual Clauses (SCCs) where required.
4.2 EU to UK Transfers
Where EU-based clients transfer personal data to VigilaMed in the UK, we rely on the EU-UK Data Bridge (adequacy decision) or, where applicable, the EU Standard Contractual Clauses (Module 2: Controller to Processor, or Module 4: Processor to Processor) as approved by the European Commission.
4.3 Transfers to the United States
When transferring personal data to US-based clients, service providers, or cloud infrastructure, we implement appropriate safeguards, including:
- UK-US Data Bridge: Where applicable, we rely on the UK-US Data Bridge adequacy framework for transfers to certified US organizations
- EU-US Data Privacy Framework: For EU-originating data, we rely on the EU-US Data Privacy Framework adequacy decision for transfers to certified US entities
- Standard Contractual Clauses (SCCs): Where adequacy mechanisms are not available, we implement the International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, supplemented by Transfer Impact Assessments (TIAs)
4.4 Other International Transfers
For transfers to countries outside the UK, EU, and US, we implement appropriate safeguards as required by applicable data protection laws, including SCCs, binding corporate rules, or certification schemes.
5. How We Use Your Information
We use the personal data and regulatory documents we collect for the following purposes:
- Service Delivery: Providing QARA consultancy services, including QMS development, audit preparation, regulatory submissions, and post-market surveillance support
- Project Management: Coordinating project timelines, deliverables, and client communications
- Quality Assurance: Ensuring service quality, compliance with regulatory standards (ISO 13485, FDA 21 CFR Part 820), and internal audit requirements
- Legal and Regulatory Compliance: Complying with UK GDPR, EU GDPR, US privacy laws, tax obligations, and industry-specific retention requirements
- Business Development: Communicating with potential clients about our services, regulatory updates, and industry insights (B2B marketing)
- Security and Fraud Prevention: Protecting our website, IT systems, and client data from unauthorized access, cyber threats, and fraud
- Website Analytics: Analyzing website usage patterns to improve user experience, content relevance, and service delivery
- Client Relationship Management: Maintaining client records, contact information, and service history for relationship management purposes
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data to third parties. We may share your information in the following limited circumstances:
6.1 Service Providers and Processors
We engage trusted third-party service providers who process personal data on our behalf under strict contractual obligations, including:
- Cloud Infrastructure Providers: Secure cloud hosting and data storage services (Microsoft Azure, AWS) with encryption and access controls
- Email and Communication Platforms: Secure email services and project management tools with end-to-end encryption where available
- Accounting and Financial Services: Professional accounting firms for financial record-keeping and tax compliance
- IT Support and Security: Managed IT services for cybersecurity, data backup, and technical support
All service providers are bound by Data Processing Agreements (DPAs) that require compliance with UK GDPR, EU GDPR, and applicable privacy laws.
6.2 Legal and Regulatory Disclosures
We may disclose personal data when required by law or to comply with:
- Court orders, subpoenas, or legal proceedings
- Regulatory investigations by data protection authorities (ICO, EDPB, state privacy regulators)
- Law enforcement requests in connection with criminal investigations
- Regulatory compliance obligations under medical device regulations (FDA, MHRA, Notified Bodies)
6.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.
7. Your Rights Under Data Protection Laws
Under UK GDPR, EU GDPR, and applicable US privacy laws (including CCPA/CPRA), you have the following rights regarding your personal data:
7.1 Right of Access (Article 15 UK/EU GDPR)
You have the right to request a copy of the personal data we hold about you, including information about the purposes of processing, categories of data, recipients, and retention periods. We will respond to your request within one month (extendable to two months for complex requests).
7.2 Right to Rectification (Article 16 UK/EU GDPR)
You have the right to request correction of inaccurate or incomplete personal data. We will update your information promptly upon verification of the requested changes.
7.3 Right to Erasure ("Right to be Forgotten") (Article 17 UK/EU GDPR)
You have the right to request deletion of your personal data in the following circumstances:
- The data is no longer necessary for the original purpose
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate interests
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
Limitations: The right to erasure does not apply where we are required to retain data for legal, regulatory, or contractual obligations (e.g., ISO 13485 retention requirements, tax records, audit documentation). We will inform you if your request cannot be fully honored due to such obligations.
7.4 Right to Restrict Processing (Article 18 UK/EU GDPR)
You have the right to request restriction of processing where you contest the accuracy of data, object to processing, or where processing is unlawful but you prefer restriction over erasure.
7.5 Right to Data Portability (Article 20 UK/EU GDPR)
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
7.6 Right to Object (Article 21 UK/EU GDPR)
You have the right to object to processing based on legitimate interests or direct marketing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
7.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
7.8 US Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the CCPA and CPRA, including:
- Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties with whom we share data
- Right to Delete: Request deletion of personal information, subject to exceptions
- Right to Opt-Out: Opt-out of the sale or sharing of personal information (note: VigilaMed does not sell personal information)
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Correct: Request correction of inaccurate personal information
7.9 Exercising Your Rights
To exercise any of the above rights, please contact us at:
Email: Michelle.Hilling@VigilaMed.com
We will verify your identity before processing your request and respond within the statutory timeframes (typically 30 days for US requests, one month for UK/EU requests, extendable to two months for complex requests).
7.10 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, you may contact your local data protection authority. In the US, you may contact your state's privacy regulator or the Federal Trade Commission (FTC).
8. Data Retention
We retain personal data and regulatory documents only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
8.1 Regulatory Retention Requirements
Regulatory documents and technical files are retained for the duration of the client relationship plus 5 years, or as specified in the applicable service agreement or contract.
8.2 Business and Legal Retention
- Client Contact Information (B2B): Retained for the duration of the business relationship plus 6 years for legal and tax compliance (UK Companies Act 2006)
- Contractual and Financial Records: Retained for 6 years after contract termination or completion of services, in accordance with UK tax and accounting requirements
- Website Analytics and Technical Data: Retained for up to 26 months (Google Analytics default) or as required for security incident investigation
8.3 Secure Deletion
Upon expiration of retention periods, we securely delete or anonymize personal data using industry-standard secure deletion methods. Physical documents are shredded or destroyed in accordance with confidential waste disposal procedures.
9. Data Security Measures
We implement robust technical and organizational measures to protect personal data and regulatory documents against unauthorized access, loss, destruction, or alteration:
- Access Controls: Role-based access controls (RBAC), multi-factor authentication (MFA), and principle of least privilege
- Staff Training: Regular data protection and information security training for all personnel
- Incident Response: Documented procedures for data breach detection, notification, and remediation
- Confidentiality Agreements: All staff and contractors are bound by confidentiality agreements and data protection obligations
Despite our security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.
10. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to enhance user experience, analyze website traffic, and maintain security. For detailed information about our use of cookies, please refer to our Cookie Policy.
11. Children's Privacy
Our services are directed to businesses (B2B) and are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete such information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service offerings. Material changes will be notified to clients via email or through prominent notices on our website. The "Last Updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically to stay informed about how we protect your information.
13. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
VigilaMed Ltd
Managing Director - Michelle Hilling
Email: Michelle.Hilling@VigilaMed.com
Address: 110-112 Buchanan Street, Glasgow, G1 2JN, United Kingdom
Registration Number: SC845807
For general inquiries about our services, please contact us at Michelle.Hilling@VigilaMed.com or visit our Contact page.
14. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of England and Wales. Any disputes arising from or relating to this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales. For EU residents, this does not affect your rights under EU GDPR to lodge complaints with your local supervisory authority or seek remedies in your home jurisdiction.
This Privacy Policy was last reviewed and updated in January 2026 to ensure compliance with UK GDPR, EU GDPR, and US privacy laws (CCPA/CPRA) as applicable to medical device consultancy services.
