Ideal Med Limited is a data controller (Ideal Med Ltd ICO registration number: ZB859297) and we are committed to protecting the privacy and security of personal data of clients, healthcare providers, and users associated with the distribution of medical devices. This Privacy Policy explains how we collect, process, store, and share personal and health-related data in compliance with the UK GDPR, EU GDPR, and other applicable regulations relevant to medical device distribution.

1. Data we collect

1.1. We may collect the following types of personal data:

  • Name, title, and contact details (name of patient, phone, address).
  • Business and professional information (organization and role).
  • Health-related data when provided for device use, support, or regulatory compliance.
  • Payment or billing information.
  • Order and delivery history.

1.2. Automated information:

  • Device information (type, software version, serial number).
  • Hospital IP address(es) and network information.
  • Usage data relating to our services and communications.

2. Legal basis for processing

2.1. We process personal data only when legally permitted, including when:

  • It is necessary for contract performance with customers or healthcare providers.
  • We are fulfilling legal obligations under medical device regulations (e.g., MDR, UK MDR 2002).
  • We have obtained explicit consent for marketing communications or health data processing.
  • We have legitimate interests in maintaining service quality, safety reporting, and device traceability.

3. How we use the data

  • To provide, distribute, and support medical devices.
  • To comply with regulatory obligations, including post-market surveillance.
  • To manage complaints, incidents, and recalls in coordination with manufacturers.
  • For administrative, billing, and order management purposes.
  • To communicate updates or safety notices regarding medical devices.
  • For internal reporting, audits, and quality assurance.
  • For lawful marketing communications where consent has been obtained.

4. Data sharing and disclosure

4.1. We may share personal data with:

  • Manufacturers and authorized representatives for compliance and product support.
  • Regulatory authorities for reporting, inspection, or recall purposes.
  • Third-party service providers such as logistics, IT management, or payment processors.
  • Legal or professional advisors when required by law.

4.2. If sharing personal data which is classified as health data, then a data sharing agreement (DSA) shall be in place with those third parties if they are also data controllers.

4.3. If sharing personal data with a third party who is a data processor (rather than controller) then a data processing agreement (DPA) shall be in place with them.

4.4. We never sell personal data to third parties and ensure data sharing occurs strictly for operational, legal, or regulatory purposes under confidentiality agreements.

5. Data storage and security

We implement appropriate technical and organizational safeguards to protect personal and health data, including:

  • Encryption and network security measures.
  • Secure storage of physical and electronic records.
  • Access restrictions to authorized personnel only.
  • Periodic security assessments and audits including maintenance of cyber essentials certification.

We retain records to satisfy regulatory requirements, generally 10 years for standard devices and 15 years for implantable devices, following EU MDR Article 14 and UK guidance.

6. Your rights

6.1. Under GDPR and UK GDPR, you may exercise the following rights:

  • Access your personal data.
  • Request corrections or updates.
  • Request data deletion or restriction of processing.
  • Object to direct marketing or processing based on legitimate interests.
  • Request data portability when applicable.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with a supervisory authority such as the Information Commissioner's Office (ICO).

6.2. Requests can be submitted via the contact information in Section 10.

7. Data transfer

Personal data may be transferred outside the UK or EU/EEA only where adequate safeguards are in place, such as standard contractual clauses or approved binding corporate rules. All transfers comply with applicable data protection laws, for example:

  • For the USA, it is the EU-US Data Privacy Framework and the UK Data Bridge.
  • For countries outside the UK which do not have an adequacy agreement with the EU, transfers require an International Data Transfer Agreement (IDTA) and a Transfer Risk Assessment (TRA).

8. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in legal obligations or organisational practices. Updated versions will be available on request with the revision and date of issuance clearly indicated within the header of the document.

9. Contact Us

9.1. For questions, concerns, or to exercise your data subject rights, please contact us by phone or mail:

  • Phone: 0151 329 0427
  • Address: Unit A2, Beech House, Oaklands Office Park, Hooton Road, Hooton, CH66 7NZ

9.2. This Privacy Policy ensures compliance with GDPR, UK GDPR and post-market surveillance requirements under medical device regulations. It reflects our commitment to protecting the privacy and security of data associated with distributed medical devices.

9.3. The document is reviewed and amended as necessary; the latest version and release date of the policy are contained within the header of the document.

Contact information

IdealMed Ltd
Unit A2, Beech House
Oaklands Office Park, Hooton
Cheshire, CH66 7NZ

+44 (0)151 329 0427
[email protected]