Privacy Policy

Last Updated: January 2025

1. Introduction

PatientGroups.co, operated by Phormulate Ltd, is committed to protecting your privacy and personal data. This privacy policy explains how we collect, use, process, and protect your information when you use our patient advocacy intelligence platform.

We are committed to compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (GDPR), and applicable US state privacy laws including the California Consumer Privacy Act (CCPA) and other state-specific regulations.

Data Controller: Phormulate Ltd
Contact: privacy@patientgroups.co

2. Scope and Definitions

This policy applies to three categories of users:

  • Customers: Organizations and individuals with accounts who use our platform services
  • Website Visitors: Anyone accessing our public website and marketing materials
  • Research Subjects: Individuals whose organizations or activities are analyzed in our patient advocacy intelligence reports

Key Definitions

  • Personal Data: Any information relating to an identified or identifiable individual
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion
  • Pseudonymization: Processing data in a way that prevents identification without additional information
  • Data Subject: The individual to whom personal data relates

3. Information We Collect

3.1 Customer Data

When you register for an account and use our services, we collect:

  • Account Information: Organization name, contact person name, email address, job title
  • Authentication Data: Securely hashed passwords and authentication tokens
  • Billing Information: Payment details processed securely through our third-party payment provider
  • Usage Data: Platform activity, features accessed, reports generated, search queries, and interaction metrics
  • Communication Data: Support tickets, email correspondence, and feedback submissions

3.2 Research and Analytics Data

Our platform analyzes publicly available information about patient advocacy organizations:

  • Organizational Data: Names, websites, locations, and public activities of patient advocacy groups
  • Public Content: Information from websites, social media, publications, and other publicly accessible sources
  • Relationship Mapping: Connections between organizations, therapeutic areas, and geographic regions
  • AI-Enhanced Analysis: AI-powered insights generated from publicly available information

Important: When we use AI services to analyze data, we use API providers that do NOT use customer data to train their models. Data is NOT retained by AI providers after processing is complete.

3.3 Website and Technical Data

  • Device Information: IP address, browser type, device type, and operating system
  • Usage Information: Pages visited, time spent, navigation paths, and referral sources
  • Cookies and Tracking: Essential, functional, and analytics cookies (see Section 10)
  • Location Data: Approximate geographic location based on IP address

4. How We Use Your Information

We process personal data for the following purposes:

4.1 Service Delivery

  • Providing access to the PatientGroups.co platform and its features
  • Generating patient advocacy intelligence reports and analytics
  • Processing searches and delivering relevant results
  • Enabling data visualization and insights

4.2 Account Management

  • Creating and maintaining user accounts
  • Authenticating users and managing access permissions
  • Processing billing and subscription management
  • Providing customer support and responding to inquiries

4.3 Platform Improvement and Analytics

  • Analyzing usage patterns to improve platform features and user experience
  • Conducting research and development for new services
  • Generating aggregated, anonymized statistics and insights
  • Testing and optimizing platform performance

4.4 Security and Legal Compliance

  • Detecting and preventing fraud, abuse, and security threats
  • Complying with legal obligations and responding to lawful requests
  • Enforcing our terms of service and protecting our rights
  • Maintaining audit logs and compliance records

4.5 Communication

  • Sending service updates, technical notices, and security alerts
  • Providing customer support and responding to inquiries
  • Sharing product updates and new features (with consent)
  • Conducting user satisfaction surveys (with consent)

No Automated Decision-Making: We do not use personal data for automated decision-making with legal or similarly significant effects on individuals.

5. Legal Basis for Processing

Under GDPR and UK GDPR, we process personal data based on the following legal grounds:

  • Contractual Necessity: Processing required to provide our services under our terms of service
  • Legitimate Interests: Processing necessary for our business operations, fraud prevention, and service improvement
  • Consent: Where you have given specific consent for marketing communications or optional features
  • Legal Obligations: Where processing is required to comply with applicable laws

6. Data Sharing and Third Parties

We share personal data with trusted third-party service providers who assist us in operating our platform. All third parties are contractually obligated to protect your data and use it only for specified purposes.

6.1 Categories of Third Parties

  • Cloud Infrastructure Providers: Hosting and data storage services
  • AI and Analytics Providers: Natural language processing and data analysis services with strict no-training, no-retention policies
  • Payment Processors: Secure payment processing and billing management
  • Authentication Services: Identity verification and secure access management
  • Communication Tools: Email delivery and customer support platforms
  • Analytics Services: Website analytics and performance monitoring

6.2 Data Protection Measures

  • All third-party providers undergo security and privacy assessments
  • Data Processing Agreements (DPAs) are in place with all processors
  • AI services are configured to never use customer data for model training
  • Data is not retained by AI providers after processing is complete
  • Regular audits ensure ongoing compliance with our standards

6.3 We Never Sell Your Data

Phormulate Ltd does not sell, rent, or trade personal data to third parties for their marketing purposes.

6.4 Legal Disclosures

We may disclose personal data when required by law, court order, or legal process, or when necessary to:

  • Comply with legal obligations and respond to lawful requests from authorities
  • Protect our rights, property, or safety, or that of our users or the public
  • Detect, prevent, or address fraud, security, or technical issues
  • Enforce our terms of service and agreements

7. International Data Transfers

Phormulate Ltd is based in the United Kingdom. We may transfer personal data to countries outside the UK and European Economic Area (EEA) when necessary for service delivery. When we do so, we ensure appropriate safeguards are in place:

  • Adequacy Decisions: Transfers to countries recognized as providing adequate data protection
  • Standard Contractual Clauses: EU Commission-approved contractual protections
  • UK International Data Transfer Agreement (IDTA): UK-approved transfer mechanisms
  • Data Processing Agreements: Binding agreements with service providers ensuring GDPR/UK GDPR compliance

For US-based service providers, we ensure compliance with applicable frameworks and state-level privacy requirements.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.

8.1 Retention Periods

  • Active Account Data: Retained for the duration of your active subscription or account
  • Inactive Accounts: Deleted 12 months after account termination or inactivity, unless legal retention is required
  • Billing Records: Retained for 7 years to comply with tax and accounting regulations
  • Support Communications: Retained for 3 years for quality assurance and legal protection
  • Security Logs: Retained for 12 months for security monitoring and incident response
  • Analytics Data: Aggregated and anonymized data may be retained indefinitely for research purposes

8.2 Deletion Procedures

When data is no longer required, we securely delete or anonymize it using industry-standard methods. Backups containing deleted data are securely overwritten within 90 days.

9. Data Security

We implement comprehensive technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction.

9.1 Technical Security Measures

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) and the principle of least privilege
  • Authentication: Multi-factor authentication (MFA) available and encouraged
  • Password Security: Passwords hashed using industry-standard algorithms (bcrypt/Argon2)
  • Network Security: Firewalls, intrusion detection, and regular security monitoring
  • Secure Infrastructure: Hosting with certified cloud providers meeting ISO 27001, SOC 2, and other standards

9.2 Organizational Security Measures

  • Staff Training: Regular security and data protection training for all employees
  • Background Checks: Security screening for personnel with data access
  • Confidentiality Agreements: All staff bound by confidentiality obligations
  • Incident Response: Documented procedures for security incident management
  • Regular Audits: Internal and external security assessments and penetration testing
  • Vendor Management: Third-party security assessments and ongoing monitoring

9.3 Data Breach Response

In the unlikely event of a data breach that poses risks to your rights and freedoms, we will:

  • Notify affected individuals within 72 hours where feasible and required by law
  • Report the breach to relevant supervisory authorities as required
  • Provide clear information about the breach, potential impact, and mitigation steps
  • Take immediate action to contain and remediate the breach

10. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience, analyze usage, and provide personalized content.

10.1 Types of Cookies We Use

  • Essential Cookies: Required for authentication, security, and core platform functionality
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use the platform to improve performance
  • Marketing Cookies: Track effectiveness of marketing campaigns (only with consent)

10.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect platform functionality. Most browsers allow you to:

  • View and delete cookies
  • Block third-party cookies
  • Block cookies from specific websites
  • Block all cookies
  • Delete all cookies when you close your browser

11. Your Privacy Rights

You have important rights regarding your personal data. The specific rights available depend on your location.

11.1 GDPR and UK GDPR Rights (UK and EU Residents)

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of your personal data (subject to legal obligations)
  • Right to Restriction: Limit how we use your personal data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or direct marketing
  • Right to Withdraw Consent: Withdraw consent for processing at any time
  • Right to Lodge a Complaint: File a complaint with the Information Commissioner's Office (ICO) or your local supervisory authority

11.2 US Privacy Rights (US Residents)

Under various US state privacy laws (including CCPA, CPRA, VCDPA, CPA, and others), you may have the following rights:

  • Right to Know: Request information about personal data collected, used, and shared
  • Right to Delete: Request deletion of your personal data
  • Right to Correct: Request correction of inaccurate personal data
  • Right to Opt-Out: Opt out of the sale or sharing of personal data (we do not sell data)
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights
  • Right to Limit Sensitive Data Use: Limit use of sensitive personal information

11.3 Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@patientgroups.co
Subject Line: "Privacy Rights Request"
Response Time: We will respond within 30 days (GDPR) or 45 days (US state laws)

We may need to verify your identity before processing your request. We will never charge a fee for a valid rights request unless it is excessive, repetitive, or manifestly unfounded.

12. Children's Privacy

PatientGroups.co is a business-to-business platform designed for use by healthcare professionals and research organizations. Our services are not directed at children under the age of 16 (or the applicable age in your jurisdiction).

We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly.

If you believe we have collected data from a child, please contact us at privacy@patientgroups.co.

13. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify active users via email or prominent notice on the platform
  • Provide a summary of significant changes
  • Obtain consent where required by law

We encourage you to review this policy periodically to stay informed about how we protect your data.

14. Contact Information

If you have questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:

Phormulate Ltd

Privacy Contact: privacy@patientgroups.co

General Inquiries: info@patientgroups.co

Website: patientgroups.co

UK Supervisory Authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

15. Specific Information for Research Subjects

Our platform analyzes publicly available information about patient advocacy organizations. If your organization is included in our database:

  • Public Information: We collect only publicly available information from websites, social media, publications, and other public sources
  • Legitimate Interest: Processing is based on our legitimate interest in providing healthcare intelligence services
  • Your Rights: You have the right to access, correct, or request removal of information about your organization
  • Opt-Out: You may request to opt out of our database by contacting privacy@patientgroups.co

We balance our legitimate business interests with your rights and will consider all requests carefully. Please note that removal may affect the completeness of our platform for customers conducting patient advocacy research.

This privacy policy is effective as of January 2025 and applies to all users of PatientGroups.co, operated by Phormulate Ltd. By using our platform, you acknowledge that you have read and understood this privacy policy.