Privacy Policy

Last updated: April 2026

1. Information We Collect

MedStrato collects information that you provide directly when you create an account, request a demonstration, or use our medical device procurement platform. This includes your name, business email address, company name, job title, and any tender documentation or procurement specifications you upload to the platform.

We also automatically collect certain technical information when you access our services, including IP addresses, browser type, device identifiers, and usage patterns. This data is processed in accordance with our SOC 2 Type II certified security controls and is used solely to maintain and improve service performance.

When you upload tender documents, product specifications, or compliance matrices, we process this data exclusively for the purpose of delivering our matching and compliance verification services. All uploaded documents are encrypted using AES-256 encryption both in transit and at rest.

2. How We Use Your Information

We use your information to provide, maintain, and improve our medical device procurement matching services. This includes processing tender documents against our device database, generating compliance reports, and delivering match recommendations based on your specified criteria and regulatory requirements.

Your information may also be used to communicate service updates, respond to support inquiries, and provide technical assistance. We do not use your procurement data, tender specifications, or compliance information for any purpose other than delivering the services you have requested.

Analytics data is aggregated and anonymised to improve platform performance and matching accuracy. Individual procurement data is never shared with other clients or used to inform competitive intelligence of any kind.

3. Data Sharing and Disclosure

MedStrato does not sell, rent, or trade your personal information or procurement data to third parties. We may share limited information with infrastructure providers who are contractually bound by data processing agreements that meet or exceed GDPR requirements.

All sub-processors are vetted against our ISO 13485 quality management system requirements and must demonstrate SOC 2 Type II compliance. A current list of sub-processors is available upon request from our Data Protection Officer.

We may disclose information where required by law, regulation, or valid legal process. In such cases, we will notify you to the extent permitted by applicable law and will limit disclosure to the minimum information required.

4. Data Retention

Account data is retained for the duration of your active subscription and for a period of ninety (90) days following account termination, after which it is permanently deleted from all production systems and backups.

Tender documents and procurement data uploaded during a demonstration session are deleted within twenty-four (24) hours of the session's conclusion, unless you explicitly request otherwise. This policy ensures that no sensitive procurement information is retained beyond its immediate purpose.

Aggregated, anonymised analytics data that cannot be used to identify any individual or organisation may be retained indefinitely for the purpose of improving service quality and matching accuracy.

5. Security Measures

MedStrato maintains comprehensive security controls validated through annual SOC 2 Type II audits conducted by independent third-party auditors. Our security programme encompasses access controls, encryption, network security, incident response, and business continuity.

All data is encrypted using AES-256 encryption at rest and TLS 1.3 in transit. Access to production systems is restricted to authorised personnel through multi-factor authentication and role-based access controls. All access is logged and monitored continuously.

Our infrastructure is hosted within SOC 2 certified data centres located in the European Union. Regular penetration testing and vulnerability assessments are conducted to ensure the ongoing integrity and security of our platform.

6. International Data Transfers

MedStrato primarily processes data within the European Economic Area (EEA). Where data transfers outside the EEA are necessary for service delivery, we rely on European Commission-approved Standard Contractual Clauses (SCCs) and conduct transfer impact assessments in accordance with GDPR Chapter V requirements.

We maintain supplementary technical measures including end-to-end encryption and pseudonymisation to ensure that transferred data receives a level of protection substantially equivalent to that guaranteed within the EEA.

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing and to withdraw consent where processing is based on consent.

To exercise any of these rights, please contact our Data Protection Officer at privacy@medstrato.com. We will respond to all legitimate requests within thirty (30) days. Where requests are complex or numerous, we may extend this period by an additional sixty (60) days, with prior notification.

You also have the right to lodge a complaint with your local supervisory authority if you believe your data has been processed in a manner inconsistent with applicable data protection legislation.

8. Cookies and Tracking

MedStrato uses strictly necessary cookies to maintain session state and ensure the security of your account. These cookies do not require consent as they are essential for the provision of the service you have requested.

We use a minimal set of analytics cookies to understand how our platform is used and to improve the user experience. These cookies are only set with your explicit consent and can be disabled at any time through your browser settings or our cookie preferences panel.

We do not use third-party advertising cookies, tracking pixels, or any form of cross-site tracking technology. We do not participate in advertising networks or sell data to advertising platforms.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to you via email or through a prominent notice within the platform at least thirty (30) days before they take effect.

Your continued use of the platform following the effective date of any changes constitutes your acceptance of the revised policy. We encourage you to review this policy periodically to stay informed about how we protect your information.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact our Data Protection Officer at privacy@medstrato.com. You may also write to us at MedStrato, Data Protection Office, Dublin, Ireland.

For general enquiries about our services or to request a demonstration, please visit our contact page or email hello@medstrato.com. We aim to respond to all privacy-related enquiries within five (5) business days.
