Privacy Policy

Last updated: June 2026

Template — review before launch. This document is a starting point and not legal advice. It must be reviewed and adapted by qualified counsel for your jurisdiction, contracts and processing activities before it is published.

This Privacy Policy explains how MedRep (“MedRep”, “we”, “us”) handles personal data in connection with our white-label field operations platform (the “Platform”) and this marketing website (the “Site”). It is written to align with the UK GDPR and EU GDPR.

1. Controller and processor roles

For personal data we collect through the Site (for example sales enquiries and demo requests), MedRep acts as the data controller. For personal data processed inside a customer’s tenant on the Platform — such as records about their customers, contacts and field representatives — MedRep acts as a data processor on behalf of the customer, who is the controller. Our processing of customer data is governed by the data processing terms in the customer’s contract.

2. What data we collect

  • Enquiry data: name, work email, company, role and the contents of messages you send us through the Site or sales process.
  • Account data: authentication identifiers, role assignments and audit metadata for users of the Platform.
  • Customer-controlled data: the records a customer chooses to store in their tenant, processed under their instructions.
  • Technical data: IP address, device and browser information, and minimal cookie data needed to operate and secure our services (see our Cookie Policy).

3. Lawful basis for processing

Where MedRep is the controller, we rely on the following lawful bases under Article 6 of the GDPR:

  • Legitimate interests — to respond to enquiries, run our business and secure our services, balanced against your rights.
  • Contract — to provide the Platform and services you or your employer have engaged us to deliver.
  • Consent — for any optional analytics cookies or marketing communications, which you may withdraw at any time.
  • Legal obligation — where processing is required to comply with the law.

4. Data residency and hosting

The Platform is hosted on Microsoft Azure. Customer data is stored in the Azure region agreed with each customer, with backups held in a paired region within the same geography. Enterprise customers may select a specific data residency location as part of their contract. We do not transfer personal data outside the agreed region except where permitted by an appropriate transfer mechanism.

5. Sub-processors

We engage a limited set of vetted sub-processors to operate the Platform. These are bound by contract to comparable data protection obligations and are described generically below by function:

  • Cloud infrastructure, identity and AI services (our primary hosting provider).
  • Productivity and collaboration tooling for internal operations.
  • Payment processing for billing where applicable.
  • CRM and marketing automation for sales and customer communications.
  • Transactional email delivery for system and account notifications.
  • Commerce and inventory connectors where a customer enables them.

A current list of named sub-processors is available on request and is notified to customers in advance of any material change.

6. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict or object to the processing of your personal data, and to data portability. You can submit a data subject access request (DSAR) or erasure request using the contact details below. Where MedRep processes data on behalf of a customer, we will refer your request to the relevant controller and assist them in responding. You also have the right to lodge a complaint with a supervisory authority.

7. Data retention

We retain personal data only for as long as necessary for the purposes described in this policy or as required by law. Enquiry data is retained for the duration of our relationship and a reasonable period thereafter. Customer data is retained per the customer’s contract and deleted or returned on termination, subject to legal retention requirements and routine backup cycles.

8. Security

We apply technical and organisational measures appropriate to the risk, including per-tenant data isolation, encryption in transit and at rest, role-based access control, audit logging and least-privilege service identities. No system is perfectly secure, but we work continuously to protect the data entrusted to us.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified through the Site or to customers directly. The “last updated” date above reflects the most recent revision.

10. Contact us

For privacy questions or to exercise your rights, contact our privacy team at privacy@medrep.io.