Privacy Policy

PGD Management System is committed to protecting your privacy and personal information.

Last Updated: January 11, 2026

1. Information We Collect

We collect and process the following types of information:

• Account Information: Email address, name, role (GP, Nurse, Pharmacist), and organization details
• Professional Data: Digital signatures, PGD signing records, and completion status
• Authentication Data: Login credentials (encrypted), password reset tokens, and session information
• Usage Data: Browser type, IP address, access times, and pages visited

2. How We Use Your Information

Your information is used exclusively for the following purposes:

• Providing access to the PGD Management System
• Maintaining records of PGD signatures and compliance
• Sending notifications about new or updated PGDs
• Managing organizational subscriptions and user access
• Ensuring system security and preventing unauthorized access
• Improving system functionality and user experience

3. Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract Performance: To provide you with access to our services
• Legal Obligation: To maintain regulatory compliance and audit trails
• Legitimate Interest: To ensure system security and improve services
• Consent: For email communications (where required)

4. Data Sharing and Disclosure

We do not sell your personal data. We may share information only in these circumstances:

• Within Your Organization: Authorized administrators can view user lists and signing records
• Service Providers: AWS (document storage), Stripe (payment processing), and email service providers
• Legal Requirements: When required by law or to protect our legal rights

5. Data Storage and Security

We implement industry-standard security measures:

• Passwords are encrypted using bcrypt hashing
• PDF documents are securely stored in AWS S3 with encryption
• All data transmission uses SSL/TLS encryption
• Access controls limit data visibility to authorized users only
• Regular security audits and monitoring

6. Data Retention

We retain your information for the following periods:

• Active Accounts: Data retained while your account is active
• PGD Signatures: Retained for 7 years for regulatory compliance
• Archived PGDs: Retained indefinitely for audit purposes
• Closed Accounts: Personal data deleted within 30 days unless legally required to retain

7. Your Rights (GDPR/UK GDPR)

You have the following rights regarding your personal data:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Update or correct inaccurate information
• Right to Erasure: Request deletion of your data (subject to legal obligations)
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Opt-out of non-essential communications

To exercise any of these rights, please contact us through the contact page.

8. Cookies and Tracking

We use essential cookies to:

• Maintain your login session
• Remember your preferences
• Ensure system security (CSRF protection)

We use cookie consent notifications to inform you about cookie usage. You can manage cookies through your browser settings.

9. Third-Party Services

We use the following third-party services:

• AWS S3: Secure document storage
• Stripe: Payment processing (subject to Stripe's privacy policy)
• Email Provider: For system notifications and alerts

10. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or system notification. Continued use of the system after changes constitutes acceptance of the updated policy.

12. Contact Information

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

• Email: Contact via our contact form
• Data Protection: For GDPR/data protection inquiries, please use the subject "Data Protection Request"