
GDPR Compliance

Our Commitment

ScaleMedTech is committed to full compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the Data Protection Act 2018. This page explains how we meet our obligations as a data controller and describes the rights available to data subjects whose personal data we process.

Data Controller

ScaleMedTech, operated by Navix Medical, acts as the data controller for personal data processed through the Platform. Our Data Protection contact is reachable at privacy@scalemedtech.com.

Categories of Personal Data Processed

We process the following categories of personal data:

Subscriber data — business contact information (name, email, company, role) for individuals with Platform accounts.

Professional intelligence data — publicly available professional information about healthcare professionals, regulatory contacts, distributor personnel, and industry executives, compiled into the Platform’s KOL graphs and distributor registries. This includes names, institutional affiliations, publication records, and conference participation sourced from public registries, regulatory databases, academic records, and conference proceedings.

Usage data — technical identifiers and behavioural data generated while using the Platform (session data, feature interactions, search queries).

Legal Bases

We rely on the following lawful bases under Article 6 UK/EU GDPR:

Article 6(1)(b) — Contract: processing subscriber data to perform the subscription agreement and deliver Platform services.

Article 6(1)(f) — Legitimate interests: processing professional intelligence data to build and maintain the Platform’s intelligence outputs, and processing usage data to improve the Platform. Our legitimate interests are balanced against data subjects’ rights given the professional and public-record nature of the data.

Article 6(1)(c) — Legal obligation: where applicable law requires us to process or retain data.

Data Subject Rights

Under UK GDPR and EU GDPR, individuals whose data we process have the following rights, exercisable by contacting privacy@scalemedtech.com:

Right of access (Art. 15) — obtain a copy of your personal data and information about how it is processed.

Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.

Right to erasure (Art. 17) — request deletion where we have no overriding legal basis to retain data.

Right to restriction (Art. 18) — request that we restrict processing in certain circumstances.

Right to data portability (Art. 20) — receive your data in a structured, machine-readable format where processing is based on consent or contract.

Right to object (Art. 21) — object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

We will respond to all requests within 30 days. Where requests are complex or numerous, we may extend this period by a further two months with notification.

International Data Transfers

Our primary infrastructure is hosted within the UK and EU. Where personal data is transferred outside these regions (for example, to cloud service providers operating globally), we rely on: adequacy decisions made by the UK Secretary of State or the European Commission; or Standard Contractual Clauses (SCCs) approved under Article 46 EU GDPR, supplemented where necessary by additional safeguards. Transfer impact assessments are conducted where required.

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Subscriber account data is retained for the duration of the subscription and for up to 24 months thereafter. Usage logs are retained for 12 months. Requests for early deletion are handled in accordance with Article 17 GDPR.

Security Measures

We implement technical and organisational measures to protect personal data against unauthorised access, disclosure, loss, or destruction. These include: TLS encryption for all data in transit; row-level security and access controls at the database layer; role-based access management for Platform users; regular security assessments; and staff training on data protection obligations.

Data Processors

We use a limited number of third-party processors to operate the Platform (cloud infrastructure, email delivery). All processors are subject to written data processing agreements under Article 28 GDPR that bind them to process data only on our instructions and to implement appropriate security measures.

Supervisory Authority

If you believe your data protection rights have been infringed, you have the right to lodge a complaint with the relevant supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO) at ico.org.uk. In the EU, you may contact the supervisory authority in your member state of residence.

Contact

For any data protection enquiries, to exercise your rights, or to report a potential breach, contact our Data Protection team at privacy@scalemedtech.com.

Last updated: April 2026