Legal Document · UK GDPR / EU GDPR

Privacy Policy

Version 1.0
Effective Date 3 July 2026
Last Reviewed 3 July 2026
Data Controller SMEDTEC Ltd
In short: SMEDTEC Ltd is the data controller for the personal data described in this policy. We collect only what we need to operate SMEDTEC OS and support our users, we do not sell personal data, and we do not use advertising or cross-site tracking. For personal data that you upload into the platform as part of your regulatory work, you are the controller and we act as your processor under our Data Processing Agreement. This policy explains what we collect, why, the legal bases we rely on, and the rights you have under UK and EU data protection law.
Section 1

Introduction & Scope

This Privacy Policy explains how SMEDTEC Ltd ("SMEDTEC", "we", "us", or "our") collects, uses, discloses, and protects personal data in connection with the SMEDTEC OS platform and the associated marketing pages at os.smedtec.co.uk (together, the "Services").

We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and — where it applies to individuals in the European Economic Area — Regulation (EU) 2016/679 (EU GDPR) (together, the "Data Protection Laws").

1.1 Who this policy is for

This policy is written for the individuals whose personal data we handle as a controller, including:

  • Visitors to our website at os.smedtec.co.uk
  • People who register for, log in to, or administer a SMEDTEC OS account
  • Prospective customers and other people who contact us or subscribe to our updates

1.2 What this policy does not cover

This policy does not cover personal data contained within the regulatory records, documents, and other content that customers upload into SMEDTEC OS ("Customer Data"). For that data, the customer is the controller and SMEDTEC acts as a processor. How we handle Customer Data is governed by our Data Processing Agreement (DPA), not by this policy. Section 4 explains this distinction in more detail.

Section 2

Definitions

The following terms are used throughout this policy:

TermMeaning
"Controller"The natural or legal person who determines the purposes and means of the processing of personal data.
"Customer Data"Personal data and other content that a customer uploads into or generates within SMEDTEC OS in the course of their regulatory work — for which the customer is the controller and SMEDTEC is the processor.
"Data Subject"An identified or identifiable living individual to whom personal data relates.
"Personal Data"Any information relating to an identified or identifiable natural person, as defined in the Data Protection Laws.
"Processing"Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
"Processor"A person who processes personal data on behalf of, and on the documented instructions of, a controller.
"Services"The SMEDTEC OS platform and the marketing pages at os.smedtec.co.uk.
"Sub-processor"A third party engaged by SMEDTEC to process personal data in connection with the Services.
"Supervisory Authority"The Information Commissioner's Office (ICO) in the UK, or the relevant national data protection authority in the EEA.
Section 3

Who We Are

SMEDTEC Ltd is a company registered in England and Wales and is the data controller responsible for the personal data described in this policy.

SMEDTEC Ltd
Registered in England and Wales · United Kingdom
General enquiries: [email protected]
Data protection enquiries: [email protected]

For any question about how your personal data is handled, or to exercise any of the rights described in Section 14, please contact us at [email protected] and mark your message Attention: Data Protection.

Section 4

Controller & Processor Roles

SMEDTEC OS is a business-to-business platform, and our role under the Data Protection Laws depends on the type of personal data in question:

4.1 Where we are the controller

We act as controller — and this Privacy Policy applies — for the personal data we determine the purposes and means of processing. This includes account registration data, the details of people who contact us, marketing subscribers, and website usage data. In these cases we decide why and how the data is processed.

4.2 Where we are a processor

When a customer uploads Customer Data into their SMEDTEC OS organisation — for example the names and contact details of Responsible Persons, Notified Body contacts, colleagues, or other individuals referenced in regulatory documentation — the customer is the controller and SMEDTEC is the processor. We process that data only on the customer's documented instructions, as set out in our Data Processing Agreement. If you are an individual whose data appears in a customer's account and you wish to exercise your rights, please contact that customer (the controller) in the first instance; we will assist them in responding as required by Section 7 of the DPA.

4.3 Independent controller processing

Where we use anonymised and aggregated usage data to understand and improve the Services, we do so as an independent controller. This data does not identify any individual.

Section 5

Personal Data We Collect

As controller, we collect and process the following categories of personal data:

CategoryWhat it includes
Account data Full name, work email address, job title, role within the platform, profile avatar (if provided), and account preferences such as notification settings.
Authentication data Hashed passwords and session tokens managed by our authentication provider, and the timestamp of your last sign-in. We do not have access to your password in plaintext.
Usage & log data Records of how the Services are used — feature usage, AI feature usage logs linked to your user ID, and technical logs. These logs may include IP addresses, browser and device information, and timestamps.
Error & diagnostic data Error reports and stack traces generated when the application encounters a fault, captured via our error-monitoring provider (Sentry). These may include limited personal data necessary to reproduce the error.
Billing data Billing contact details and the subscription associated with your organisation. Payment card details are handled directly by our payment processor (Stripe) — we do not store card numbers.
Communications data The content of enquiries, support requests, and other correspondence you send us, together with our replies.
Marketing data Your email address and preferences where you have subscribed to product updates or our newsletter, and your engagement with those communications.

5.1 How we obtain it

We collect this data directly from you when you register, use, or contact us about the Services; automatically through your use of the platform (for example log and usage data); and in some cases from the customer organisation that invites you to join their account.

Special category data: SMEDTEC OS is not designed to process special category personal data (such as health data identifying individuals) or clinical patient data. Please do not upload such data into the platform without a prior written agreement with us. See Section 6.4 of our Terms of Service.
Section 6

How & Why We Use Your Personal Data

We use personal data for the following purposes:

  • To provide the Services — creating and administering your account, authenticating you, and delivering platform functionality.
  • To support you — responding to enquiries, providing technical support, and communicating about your account.
  • To bill and manage subscriptions — processing payments through Stripe and managing your subscription.
  • To secure and maintain the platform — monitoring for security threats, preventing fraud and abuse, diagnosing errors, and enforcing rate limits.
  • To improve the Services — understanding how features are used, using anonymised and aggregated data for capacity planning and product development.
  • To send service and marketing communications — see Section 15.
  • To comply with our legal obligations — including accounting, tax, and responding to lawful requests from authorities.

We do not sell personal data, and we do not use it for advertising, remarketing, or profiling that produces legal or similarly significant effects.

Section 8

Cookies

SMEDTEC OS uses only a small number of strictly necessary and functional cookies — principally authentication session cookies, together with limited cookies set by our payment processor (Stripe) and error-monitoring provider (Sentry). We do not use advertising, remarketing, or cross-site tracking cookies.

Full details of each cookie, its purpose, and how to manage cookies through your browser are set out in our Cookie Policy.

Section 9

AI-Assisted Features

SMEDTEC OS includes AI-assisted features, including the Product and Portfolio Notebook, semantic search, and document embeddings. These features are powered by Claude, provided by Anthropic, PBC.

  • All AI requests are made server-side through authenticated Edge Functions. Personal data is not sent directly from your browser to the AI provider.
  • Personal data processed for AI features is handled in-session and is not retained by the AI provider beyond the processing session, subject to the provider's then-current API terms, and is not used to train the provider's models.
  • AI-generated content is advisory and is presented for human review. We do not use AI to make autonomous decisions about you.

The AI Act roles, risk classification, and transparency measures that apply to AI features are described in Section 15 of our Data Processing Agreement.

Section 10

Sharing & Recipients

We do not sell personal data. We share it only with the following categories of recipient, and only to the extent necessary:

10.1 Service providers (sub-processors)

We rely on carefully selected providers to run the Services. Each is bound by a data processing agreement imposing obligations no less protective than our own. Our current providers are:

ProviderPurposeLocation
Supabase, Inc.Database hosting, authentication, file storage, and Edge Function runtime — the primary infrastructure layer.EU (Ireland) by default; US available. EU-only residency available on request.
Anthropic, PBCAI language model (Claude) for AI-assisted features. Processed in-session only; not used for model training.United States — safeguarded by SCCs and the UK IDTA.
Stripe, Inc.Payment processing and subscription management. Stripe is PCI-DSS Level 1 certified.United States / Ireland.
Vercel, Inc.Application hosting and content delivery for the frontend. Processes request logs that may include IP addresses.Global CDN; primary compute in the United States — safeguarded by SCCs.
Sentry, Inc.Application error monitoring and performance tracking.United States — safeguarded by SCCs and the UK IDTA.

The authoritative and most current sub-processor list is maintained in Schedule 2 of our Data Processing Agreement.

10.2 Professional advisers and authorities

We may disclose personal data to our professional advisers (such as lawyers, auditors, and accountants), and to regulators, law enforcement, or other authorities where we are required to do so by law or to protect our legal rights.

10.3 Business transfers

If SMEDTEC is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you and, where required, seek your consent before your personal data becomes subject to a materially different privacy policy.

Section 11

International Transfers

SMEDTEC OS is hosted on infrastructure that offers EU-region data residency. By default, personal data for which we are the controller may be processed in the United Kingdom and/or the European Economic Area.

Some of our providers are located outside the UK and EEA (for example in the United States). Where personal data is transferred to a country not covered by a UK or EU adequacy decision, we ensure an appropriate safeguard is in place — typically the European Commission's Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA).

EU-based data residency (with all applicable data stored in the EU region) is available to customers with GDPR-specific requirements. To discuss data residency, please contact [email protected].

Section 12

Data Retention

We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

  • Account data is retained for the duration of your account. Following closure or termination, the platform data deletion process in Section 15.3 of our Terms of Service and Section 12 of our Data Processing Agreement applies — a 30-day export window, deletion from active systems within 30 days of the end of that window, and destruction of encrypted backups within a further 60 days.
  • Billing and financial records are retained for as long as required by applicable tax and accounting law (typically six years in the UK).
  • Support and correspondence are retained for as long as needed to handle the matter and for a reasonable period afterwards.
  • Marketing data is retained until you unsubscribe or object, after which we retain a minimal suppression record to honour your preference.
  • Anonymised, aggregated data that does not identify any individual may be retained indefinitely.
Section 13

Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:

  • Row-Level Security enforced at the database layer, isolating each organisation's data independently of application code
  • Role-based access control (Admin / Member / Viewer) enforced at both application and database levels
  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
  • All AI and third-party API calls proxied through authenticated server-side Edge Functions — no client-side API keys exposed
  • An append-only audit log recording significant actions with user ID and timestamp
  • Restriction of internal access to personal data to personnel with a legitimate operational need, subject to confidentiality obligations
  • An incident response procedure, with confirmed personal data breaches affecting Customer Data notified to the relevant customer within 72 hours

The full set of measures is described in Schedule 3 of our Data Processing Agreement. Suspected vulnerabilities can be reported to [email protected] with the subject line "Security Disclosure".

Section 14

Your Rights

Subject to the conditions in the Data Protection Laws, you have the following rights in respect of your personal data:

RightWhat it means
AccessTo obtain confirmation that we process your data and a copy of it.
RectificationTo have inaccurate personal data corrected and incomplete data completed.
ErasureTo have your personal data deleted in certain circumstances ("right to be forgotten").
RestrictionTo restrict our processing of your data in certain circumstances.
PortabilityTo receive certain data in a structured, commonly used, machine-readable format and to have it transmitted to another controller.
ObjectionTo object to processing based on our legitimate interests, and to object to direct marketing at any time.
Withdraw consentWhere processing is based on consent, to withdraw it at any time.
Automated decisionsNot to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not carry out such processing.

To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month, extendable by up to two further months for complex requests, and we will tell you if an extension applies. There is normally no charge, though we may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.

If your personal data appears within a customer's SMEDTEC OS account (Customer Data), the relevant customer is the controller and you should direct your request to them — see Section 4.2.

Section 15

Marketing Communications

We may send you information about the Services, product updates, and our newsletter where you have subscribed, or where you are an existing business contact and the law permits us to do so on the basis of legitimate interests.

Every marketing message includes an unsubscribe link, and you can opt out at any time by using that link or by contacting [email protected]. Opting out of marketing does not stop essential service communications relating to your account.

Section 16

Children's Data

SMEDTEC OS is a professional tool intended for use by organisations and their staff. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

Section 18

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or the law. When we do, we will update the "Version" and "Last Reviewed" dates at the top of this page. Where changes are material, we will notify you by email to your registered address or through a prominent notice within the platform before the changes take effect. Previous versions are archived rather than deleted, and are available on request.

Section 19

Contact & Complaints

For any question about this policy or about how your personal data is handled, please contact us:

SMEDTEC Ltd
Data protection: [email protected]
General enquiries: [email protected]
Website: os.smedtec.co.uk

Please mark data protection correspondence: Attention: Data Protection.

We hope to resolve any concern you raise. If you are not satisfied, you have the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO), ico.org.uk. If you are in the EEA, you may complain to the data protection authority in your country of residence, place of work, or where the alleged infringement took place. We would, however, appreciate the chance to address your concerns before you approach the regulator.