Introduction & Scope
This Privacy Policy explains how SMEDTEC Ltd ("SMEDTEC", "we", "us", or "our") collects, uses, discloses, and protects personal data in connection with the SMEDTEC OS platform and the associated marketing pages at os.smedtec.co.uk (together, the "Services").
We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and — where it applies to individuals in the European Economic Area — Regulation (EU) 2016/679 (EU GDPR) (together, the "Data Protection Laws").
1.1 Who this policy is for
This policy is written for the individuals whose personal data we handle as a controller, including:
- Visitors to our website at os.smedtec.co.uk
- People who register for, log in to, or administer a SMEDTEC OS account
- Prospective customers and other people who contact us or subscribe to our updates
1.2 What this policy does not cover
This policy does not cover personal data contained within the regulatory records, documents, and other content that customers upload into SMEDTEC OS ("Customer Data"). For that data, the customer is the controller and SMEDTEC acts as a processor. How we handle Customer Data is governed by our Data Processing Agreement (DPA), not by this policy. Section 4 explains this distinction in more detail.
Definitions
The following terms are used throughout this policy:
| Term | Meaning |
|---|---|
| "Controller" | The natural or legal person who determines the purposes and means of the processing of personal data. |
| "Customer Data" | Personal data and other content that a customer uploads into or generates within SMEDTEC OS in the course of their regulatory work — for which the customer is the controller and SMEDTEC is the processor. |
| "Data Subject" | An identified or identifiable living individual to whom personal data relates. |
| "Personal Data" | Any information relating to an identified or identifiable natural person, as defined in the Data Protection Laws. |
| "Processing" | Any operation performed on personal data, including collection, storage, use, disclosure, and deletion. |
| "Processor" | A person who processes personal data on behalf of, and on the documented instructions of, a controller. |
| "Services" | The SMEDTEC OS platform and the marketing pages at os.smedtec.co.uk. |
| "Sub-processor" | A third party engaged by SMEDTEC to process personal data in connection with the Services. |
| "Supervisory Authority" | The Information Commissioner's Office (ICO) in the UK, or the relevant national data protection authority in the EEA. |
Who We Are
SMEDTEC Ltd is a company registered in England and Wales and is the data controller responsible for the personal data described in this policy.
SMEDTEC Ltd
Registered in England and Wales · United Kingdom
General enquiries: [email protected]
Data protection enquiries: [email protected]
For any question about how your personal data is handled, or to exercise any of the rights described in Section 14, please contact us at [email protected] and mark your message Attention: Data Protection.
Controller & Processor Roles
SMEDTEC OS is a business-to-business platform, and our role under the Data Protection Laws depends on the type of personal data in question:
4.1 Where we are the controller
We act as controller — and this Privacy Policy applies — for the personal data we determine the purposes and means of processing. This includes account registration data, the details of people who contact us, marketing subscribers, and website usage data. In these cases we decide why and how the data is processed.
4.2 Where we are a processor
When a customer uploads Customer Data into their SMEDTEC OS organisation — for example the names and contact details of Responsible Persons, Notified Body contacts, colleagues, or other individuals referenced in regulatory documentation — the customer is the controller and SMEDTEC is the processor. We process that data only on the customer's documented instructions, as set out in our Data Processing Agreement. If you are an individual whose data appears in a customer's account and you wish to exercise your rights, please contact that customer (the controller) in the first instance; we will assist them in responding as required by Section 7 of the DPA.
4.3 Independent controller processing
Where we use anonymised and aggregated usage data to understand and improve the Services, we do so as an independent controller. This data does not identify any individual.
Personal Data We Collect
As controller, we collect and process the following categories of personal data:
| Category | What it includes |
|---|---|
| Account data | Full name, work email address, job title, role within the platform, profile avatar (if provided), and account preferences such as notification settings. |
| Authentication data | Hashed passwords and session tokens managed by our authentication provider, and the timestamp of your last sign-in. We do not have access to your password in plaintext. |
| Usage & log data | Records of how the Services are used — feature usage, AI feature usage logs linked to your user ID, and technical logs. These logs may include IP addresses, browser and device information, and timestamps. |
| Error & diagnostic data | Error reports and stack traces generated when the application encounters a fault, captured via our error-monitoring provider (Sentry). These may include limited personal data necessary to reproduce the error. |
| Billing data | Billing contact details and the subscription associated with your organisation. Payment card details are handled directly by our payment processor (Stripe) — we do not store card numbers. |
| Communications data | The content of enquiries, support requests, and other correspondence you send us, together with our replies. |
| Marketing data | Your email address and preferences where you have subscribed to product updates or our newsletter, and your engagement with those communications. |
5.1 How we obtain it
We collect this data directly from you when you register, use, or contact us about the Services; automatically through your use of the platform (for example log and usage data); and in some cases from the customer organisation that invites you to join their account.
How & Why We Use Your Personal Data
We use personal data for the following purposes:
- To provide the Services — creating and administering your account, authenticating you, and delivering platform functionality.
- To support you — responding to enquiries, providing technical support, and communicating about your account.
- To bill and manage subscriptions — processing payments through Stripe and managing your subscription.
- To secure and maintain the platform — monitoring for security threats, preventing fraud and abuse, diagnosing errors, and enforcing rate limits.
- To improve the Services — understanding how features are used, using anonymised and aggregated data for capacity planning and product development.
- To send service and marketing communications — see Section 15.
- To comply with our legal obligations — including accounting, tax, and responding to lawful requests from authorities.
We do not sell personal data, and we do not use it for advertising, remarketing, or profiling that produces legal or similarly significant effects.
Legal Bases for Processing
Under the Data Protection Laws we must have a lawful basis for each processing activity. The bases we rely on are:
| Processing activity | Legal basis |
|---|---|
| Providing the Services and administering accounts | Contract — processing necessary to perform our contract with you or your organisation, or to take steps at your request before entering into a contract. |
| Billing and payment processing | Contract, and legal obligation for retention of financial records. |
| Security, fraud prevention, error monitoring, and improving the Services | Legitimate interests — our interest in keeping the platform secure, reliable, and continually improving, balanced against your rights and freedoms. |
| Service-related communications | Contract and legitimate interests — keeping you informed about the Services you use. |
| Marketing communications to prospects | Consent, or legitimate interests where permitted for existing business contacts, with an opt-out in every message. |
| Complying with legal and regulatory obligations | Legal obligation. |
Where we rely on legitimate interests, you have the right to object — see Section 14. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
AI-Assisted Features
SMEDTEC OS includes AI-assisted features, including the Product and Portfolio Notebook, semantic search, and document embeddings. These features are powered by Claude, provided by Anthropic, PBC.
- All AI requests are made server-side through authenticated Edge Functions. Personal data is not sent directly from your browser to the AI provider.
- Personal data processed for AI features is handled in-session and is not retained by the AI provider beyond the processing session, subject to the provider's then-current API terms, and is not used to train the provider's models.
- AI-generated content is advisory and is presented for human review. We do not use AI to make autonomous decisions about you.
The AI Act roles, risk classification, and transparency measures that apply to AI features are described in Section 15 of our Data Processing Agreement.
International Transfers
SMEDTEC OS is hosted on infrastructure that offers EU-region data residency. By default, personal data for which we are the controller may be processed in the United Kingdom and/or the European Economic Area.
Some of our providers are located outside the UK and EEA (for example in the United States). Where personal data is transferred to a country not covered by a UK or EU adequacy decision, we ensure an appropriate safeguard is in place — typically the European Commission's Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA).
EU-based data residency (with all applicable data stored in the EU region) is available to customers with GDPR-specific requirements. To discuss data residency, please contact [email protected].
Data Retention
We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.
- Account data is retained for the duration of your account. Following closure or termination, the platform data deletion process in Section 15.3 of our Terms of Service and Section 12 of our Data Processing Agreement applies — a 30-day export window, deletion from active systems within 30 days of the end of that window, and destruction of encrypted backups within a further 60 days.
- Billing and financial records are retained for as long as required by applicable tax and accounting law (typically six years in the UK).
- Support and correspondence are retained for as long as needed to handle the matter and for a reasonable period afterwards.
- Marketing data is retained until you unsubscribe or object, after which we retain a minimal suppression record to honour your preference.
- Anonymised, aggregated data that does not identify any individual may be retained indefinitely.
Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:
- Row-Level Security enforced at the database layer, isolating each organisation's data independently of application code
- Role-based access control (Admin / Member / Viewer) enforced at both application and database levels
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
- All AI and third-party API calls proxied through authenticated server-side Edge Functions — no client-side API keys exposed
- An append-only audit log recording significant actions with user ID and timestamp
- Restriction of internal access to personal data to personnel with a legitimate operational need, subject to confidentiality obligations
- An incident response procedure, with confirmed personal data breaches affecting Customer Data notified to the relevant customer within 72 hours
The full set of measures is described in Schedule 3 of our Data Processing Agreement. Suspected vulnerabilities can be reported to [email protected] with the subject line "Security Disclosure".
Your Rights
Subject to the conditions in the Data Protection Laws, you have the following rights in respect of your personal data:
| Right | What it means |
|---|---|
| Access | To obtain confirmation that we process your data and a copy of it. |
| Rectification | To have inaccurate personal data corrected and incomplete data completed. |
| Erasure | To have your personal data deleted in certain circumstances ("right to be forgotten"). |
| Restriction | To restrict our processing of your data in certain circumstances. |
| Portability | To receive certain data in a structured, commonly used, machine-readable format and to have it transmitted to another controller. |
| Objection | To object to processing based on our legitimate interests, and to object to direct marketing at any time. |
| Withdraw consent | Where processing is based on consent, to withdraw it at any time. |
| Automated decisions | Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not carry out such processing. |
To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month, extendable by up to two further months for complex requests, and we will tell you if an extension applies. There is normally no charge, though we may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.
If your personal data appears within a customer's SMEDTEC OS account (Customer Data), the relevant customer is the controller and you should direct your request to them — see Section 4.2.
Marketing Communications
We may send you information about the Services, product updates, and our newsletter where you have subscribed, or where you are an existing business contact and the law permits us to do so on the basis of legitimate interests.
Every marketing message includes an unsubscribe link, and you can opt out at any time by using that link or by contacting [email protected]. Opting out of marketing does not stop essential service communications relating to your account.
Children's Data
SMEDTEC OS is a professional tool intended for use by organisations and their staff. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.
Third-Party Links
The Services may contain links to third-party websites and resources — for example, regulatory sources or the privacy policies of our providers. We are not responsible for the privacy practices of those third parties, and we encourage you to read their privacy notices before providing them with personal data.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or the law. When we do, we will update the "Version" and "Last Reviewed" dates at the top of this page. Where changes are material, we will notify you by email to your registered address or through a prominent notice within the platform before the changes take effect. Previous versions are archived rather than deleted, and are available on request.
Contact & Complaints
For any question about this policy or about how your personal data is handled, please contact us:
SMEDTEC Ltd
Data protection: [email protected]
General enquiries: [email protected]
Website: os.smedtec.co.uk
Please mark data protection correspondence: Attention: Data Protection.
We hope to resolve any concern you raise. If you are not satisfied, you have the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO), ico.org.uk. If you are in the EEA, you may complain to the data protection authority in your country of residence, place of work, or where the alleged infringement took place. We would, however, appreciate the chance to address your concerns before you approach the regulator.