We take your privacy seriously. This Privacy Notice explains how we handle personal data collected through our website and our related activities, in line with the UK General Data Protection Regulation (UK GDPR).

1. Who we are

We are Heartfelt Technologies Ltd, a medical device company based in Cambridge, UK.

You can contact us about privacy matters at: [email protected].

2. What personal data we collect

We collect personal data in the following ways:

• Website visits: We use Cloudflare as our content delivery network (CDN), DDoS protection and reverse-proxy service. This means Cloudflare processes website traffic data on our behalf, including IP addresses, traffic routing data, system configuration information and other security/performance metadata, to deliver our site securely and reliably. Cloudflare acts as our data processor for this purpose. We do not have access to IP addresses logs.
• Contact forms: If you complete a form (for enquiries, demo requests, recruitment interest, or job applications via Google Forms, LinkedIn, Indeed or Rippling), we collect the details you provide (such as your name, email, CV and other application information).
• HubSpot tracking: We use HubSpot for newsletters and analytics, which may track interactions with our emails and website.
• Newsletters and mailing lists: If you sign up, we collect your name, email, and communication preferences.
• Patient screening: If you express interest in joining one of our studies, we may collect information about your health as part of pre-screening. This is considered “special category data” under UK GDPR.
• Clinical trials: If you participate in one of our clinical trials, additional information will be collected and processed in line with the trial-specific Participant Information Sheet and Consent Form.

3. How we use your data

We use your personal data to:

• Respond to enquiries and manage demo or recruitment requests.
• Process job applications and manage recruitment.
• Manage newsletters, mailing lists and company updates.
• Analyse engagement with our website and communications through HubSpot.
• Screen potential participants for studies and manage clinical trial participation (under separate agreements and consents).
• Comply with legal and regulatory requirements (including submissions to MHRA, FDA, EMA and other regulators).
• Maintain IT, business operations and security.

4. Legal basis for processing

We process your data on the following bases:

• Consent: For newsletters, mailing lists, and clinical trial pre-screening.
• Contract: For recruitment and employment processes.
• Legitimate interest: For business communications, maintaining security, and improving our services.
• Legal obligation / public interest in research: For regulatory submissions and clinical trial activities.
• Special category data (health): Processed only with your explicit consent or under applicable research/legal exemptions.

5. Sharing your data

We do not sell your personal data. We may share it with:

• Service providers: HubSpot (marketing and newsletters), Google (forms, email, cloud storage), Rippling (HR and recruitment), and other IT/operational vendors.
• Professional advisers: Accountants, auditors, legal advisers.
• Regulators and authorities: MHRA, FDA, EMA, and others, using anonymised or pseudonymised data where possible.
• Cloud and collaboration tools: Google Drive, SharePoint, Dropbox, and similar platforms.

Some of these providers may process your data outside the UK/EU. Where transfers occur, we ensure safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or standard contractual clauses approved by the ICO. In particular, Cloudflare may process this data outside the UK/EU (including the United States). We rely on Cloudflare’s approved transfer safeguards, which include participation in the EU-U.S. Data Privacy Framework (with the UK Extension) and Swiss-U.S. DPF, and Standard Contractual Clauses, as applicable.

6. How long we keep your data

• Website visits: As per Cloudflare's privacy policy, it retains logs only for as long as necessary for performance, security and troubleshooting, and applies appropriate technical and organisational measures (including encryption and access controls).
• Newsletters/mailing list: Until you unsubscribe or withdraw consent.
• Enquiries and contact forms: Retained for up to 12 months.
• Job applications: Retained for up to 12 months after recruitment unless you become an employee, or if you have specifically asked us to keep those records.
• Clinical trial data: Retention is defined in the trial-specific documentation and regulatory requirements.
• Server logs: Typically retained for security and troubleshooting purposes for up to 12 months.

7. Data security

We take appropriate technical and organisational measures to protect your data, including encryption, access controls, secure cloud storage, and incident response procedures. Access to personal data is restricted to authorised personnel only.

8. Your rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you.
• Request correction or deletion of your data.
• Withdraw your consent at any time (for consent-based processing).
• Object to certain processing activities.
• Complain to the UK Information Commissioner's Office (ICO) if you are unhappy with how we handle your data: www.ico.org.uk.

9. Contact us

If you have any questions about this notice or wish to exercise your rights, please contact us at: [email protected].

Our Data protection Officer is Dr Oriane Chausiaux (PhD), you can email her at [email protected]. She works at Heartfelt Technologies Ltd, Platinum Building St John's Innovation Park, Cowley Road, Cambridge, CB4 0DS, United Kingdom.