Privacy Policy
MediSights Holdings, Inc. ("MediSights", "we", "us", or "our") operates an AI-assisted qualitative research platform serving the global life sciences industry. Our work brings together Healthcare Professionals (HCPs) participating in research and the pharmaceutical and biotech sponsors of that research. By the nature of that work, we collect and process personal data, and in some circumstances special category data relating to health.
This Privacy Policy explains what data we collect, why and how we process it, the lawful bases on which we rely, with whom we share it, how long we retain it, and the rights available to data subjects. It is written to reflect our obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"), the UK GDPR and the UK Data Protection Act 2018, applicable U.S. state privacy laws including the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), and the standards expected of vendors operating in pharmaceutical and healthcare research environments, including the British Healthcare Business Intelligence Association ("BHBIA") Legal and Ethical Guidelines and the EphMRA Code of Conduct.
Scope
This Policy applies to personal data processed by MediSights in connection with the recruitment, onboarding, and ongoing engagement of HCPs and other research participants; the delivery of qualitative and quantitative research projects, whether commissioned by a Client or initiated by MediSights; the operation, maintenance, and improvement of the MediSights platform and associated AI components; the production and distribution of research outputs, including syndicated insights; and our website, marketing communications, and corporate operations.
This Policy does not govern personal data that our Clients independently process within their own systems, or data processed by third parties operating under their own privacy notices.
Definitions
Personal data means any information relating to an identified or identifiable natural person, as defined under the EU GDPR, UK GDPR, and equivalent regimes.
Special category data means personal data revealing health, racial or ethnic origin, biometric data, and other categories afforded enhanced protection under Article 9 GDPR.
HCP means a Healthcare Professional, including physicians, nurses, pharmacists, and allied clinical professionals participating in MediSights research.
Client means the pharmaceutical, biotech, or commercial intelligence organisation that engages MediSights to conduct or platform-enable market research.
Controller and Processor carry the meanings given to them under Article 4 GDPR. MediSights acts as a Controller, Processor, or Joint Controller depending on the context, as set out in the section "Our Role: Controller, Processor, and Joint Controller" below.
Research outputs means the aggregated, de-identified analyses, transcripts, and insight reports produced from HCP research engagements.
Our Role: Controller, Processor, and Joint Controller
Our role under data protection law depends on the activity. We do not adopt a single posture across all processing.
When we recruit HCPs into our own research panel and manage that panel relationship, we act as a Controller. When we design, commission, and run our own research — including syndicated studies, benchmarks, and thought-leadership programmes where MediSights determines the research question, methodology, and use of the output — we act as a Controller in respect of the participant data, and we remain accountable for that data throughout its lifecycle. The resulting research outputs are delivered to third parties only in aggregated, de-identified form and do not constitute personal data in the hands of the recipient.
When we conduct research projects on behalf of a Client under a written research agreement — where the Client determines the research question, target audience, and deliverable — we act as a Processor, and the Client is the Controller. When we operate and improve the MediSights platform, including model development on lawfully obtained data, we act as a Controller. When we engage vendors such as cloud hosting and transcription providers, those vendors act as our sub-processors.
Where we act as a Processor on behalf of a Client, the relevant Client's privacy notice and our Data Processing Agreement ("DPA") govern the specifics of that processing. Where joint control arises — for example, where MediSights and a Client jointly determine the purposes and means of a co-designed study — the parties will document the arrangement under Article 26 GDPR.
Data We Collect
In the ordinary course of operating our platform and delivering research, we apply the principle of data minimisation: we collect only what is necessary for the stated purpose.
HCP and research participant data includes identifiers and contact data (name, professional email, professional address, phone number, and where required for verification, professional registration or licence number such as NPI, GMC, RPPS, or ONK); professional and demographic data (specialty, sub-specialty, years in practice, institutional affiliation, country of practice, prescribing volume estimates where self-declared, and patient population descriptors); screening data used to confirm eligibility for a study; research interaction data (audio and, where consented, video recordings of interviews; transcripts; chat-based or asynchronous responses; survey responses; and free-text answers); and honoraria and tax data, including payment details and, where required by law, tax identifiers necessary for fair-market-value compensation and transparency reporting.
In the course of describing clinical experience, HCPs may refer to anonymised patient cases. We instruct participants not to share identifiable patient information, and we apply controls (described in the section "AI & Automated Processing") to detect and remove such information from transcripts and downstream outputs if it occurs.
Client user data includes account and authentication data (name, business email, role, organisation, and authentication credentials) and usage data (interactions with the platform, queries submitted, exports requested, and audit-log entries).
Website and operational data includes IP address, device and browser information, referring URLs, and pages visited (see the section "Cookies & Tracking Technologies"), as well as communications you send to us, including support requests and procurement correspondence.
What we do not collect. MediSights is not a clinical system. We do not knowingly collect identifiable patient records or U.S. Protected Health Information ("PHI") within the meaning of HIPAA; diagnostic, prescription, or treatment records linked to identifiable patients; or genetic or biometric data of patients. If identifiable patient information is inadvertently disclosed by an HCP during a research engagement, we treat it as in-scope sensitive content and apply the controls described in the section "AI & Automated Processing" to redact it from transcripts and downstream outputs.
How We Collect Data
We collect personal data directly from HCPs and research participants when they register for our panel, complete screening, participate in interviews, or respond to surveys. We also receive data from verified third-party recruitment partners and HCP panel providers, who are contractually required to obtain valid consent and provide a clear privacy notice before referring participants to us. Our Clients may provide lists of HCPs they wish to be invited to participate, where the Client has confirmed it has a lawful basis to share that data. We use publicly available professional directories and licensing databases solely to verify professional credentials. Finally, we collect certain information automatically through cookies and similar technologies on our website, as described in the section "Cookies & Tracking Technologies".
Purposes of Processing
We process personal data to recruit and verify HCPs for participation in research, including credential verification; conduct research interviews, surveys, and asynchronous engagements; generate transcripts, coded analyses, and de-identified research outputs; operate, secure, and improve the MediSights platform, including the AI components described in the section "AI & Automated Processing"; administer honoraria and comply with tax, anti-bribery, and pharmaceutical transparency obligations; communicate with Clients, panel members, and prospects about projects, opportunities, and platform updates; and meet our legal, regulatory, audit, and contractual obligations.
We do not process personal data for purposes incompatible with those for which it was collected. We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.
Legal Basis for Processing (GDPR / UK GDPR)
Where the EU GDPR or UK GDPR applies, we rely on the following legal bases.
We rely on consent under Article 6(1)(a) and Article 9(2)(a) for participation in research interviews, recording of interviews, and any processing of special category data disclosed during research. We rely on contract under Article 6(1)(b) for administering panel membership, paying honoraria, and delivering services to Clients. We rely on legal obligation under Article 6(1)(c) for tax records, transparency disclosures, and responses to lawful regulatory requests. We rely on legitimate interests under Article 6(1)(f) for HCP outreach using professional contact details, platform security, fraud prevention, credential verification against public registers, and improvement of our services. We have conducted a Legitimate Interests Assessment for each such use and balance our interests against the rights and freedoms of data subjects.
Consent is freely given, specific, informed, and unambiguous, and may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal. Where we rely on legitimate interests, data subjects may object as set out in the section "Data Subject Rights".
Data Sharing & Third Parties
We share personal data only where necessary and under appropriate contractual safeguards.
We deliver de-identified, aggregated research outputs to the commissioning Client. Raw transcripts and recordings are shared with a Client only where the participant has been informed and has consented, and where the engagement letter expressly contemplates it.
We engage vetted sub-processors for cloud hosting, transcription, translation, communications, and payment administration. Each sub-processor is bound by a written agreement compliant with Article 28 GDPR. A current list of sub-processors is available on request to procurement reviewers.
We may share data with professional advisors and auditors — legal, accounting, insurance, and compliance advisors — under duties of confidentiality. We disclose data to regulators and authorities where required by law, court order, or legitimate regulatory request. We may also share data in connection with a corporate transaction such as a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards and continuity of this Policy.
We do not sell personal data within the meaning of the CCPA/CPRA or any other privacy law, and we do not engage in cross-context behavioural advertising.
International Data Transfers
MediSights is incorporated in the United States and operates with Clients and research participants across the United States, the United Kingdom, the European Economic Area ("EEA"), and other jurisdictions. Personal data may therefore be transferred across borders.
Where we transfer personal data from the EEA, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we implement appropriate safeguards. These may include the European Commission's Standard Contractual Clauses ("SCCs") and the UK International Data Transfer Addendum or the UK International Data Transfer Agreement, as applicable; Transfer Impact Assessments, with supplementary technical, contractual, and organisational measures where required; and reliance on the EU–US Data Privacy Framework or the UK Extension thereto, where the receiving party is certified.
Details of the safeguards applicable to a specific transfer are available on request.
AI & Automated Processing
AI is integral to how the MediSights platform operates. We are transparent about this and apply controls proportionate to the sensitivity of the underlying data.
Where AI is used. AI assists with adaptive interview probing during HCP engagements, where the platform suggests follow-up questions based on participant responses; transcription and translation of audio recordings; de-identification, including detection and redaction of names, locations, and other direct identifiers from transcripts; thematic coding, sentiment analysis, and qualitative synthesis; and search, summarisation, and benchmarking across de-identified research outputs.
Human-in-the-loop and quality controls. AI outputs that materially inform research outputs are subject to human review by trained MediSights research staff before they are delivered to Clients. The platform does not produce decisions that have legal or similarly significant effects on data subjects within the meaning of Article 22 GDPR.
Model training. We do not use Client-confidential data, raw transcripts of an identified study, or any data subject to a confidentiality obligation, to train general-purpose third-party AI models. Where we improve our own internal models, we do so on de-identified data, on data lawfully obtained for that purpose, or on data for which the data subject has provided specific consent. Client agreements may further restrict our internal use of project data, and those restrictions take precedence over this Policy.
Third-party AI providers. Where we use third-party AI services to process personal data, we contract for enterprise-grade terms that prohibit the provider from using our inputs or outputs to train its models, require appropriate security and confidentiality, and align with the GDPR Article 28 requirements for processors.
Data Security
We implement technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, and destruction. These measures are proportionate to the sensitivity of the data and the risk presented by the processing.
Our controls include encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent); role-based access controls, least-privilege provisioning, and multi-factor authentication for administrative access; logical separation of Client data within our environment; cloud infrastructure operated within ISO/IEC 27001 and SOC 2 Type II certified hosting environments; vendor due diligence, including security and privacy review of all sub-processors; documented incident response procedures, with breach notification within statutory timelines (72 hours under GDPR); annual employee training on privacy, security, BHBIA standards, and pharmacovigilance reporting, together with mandatory confidentiality obligations for all personnel; Data Protection Impact Assessments ("DPIAs") for high-risk processing activities; and a formal record of processing activities maintained under Article 30 GDPR.
No information system can be guaranteed to be completely secure. We continuously review and improve our controls and respond promptly to identified risks.
Pharmacovigilance & Adverse Events Reporting
Where, in the course of a research engagement, a participant spontaneously reports information that meets the definition of an adverse event, product complaint, or suspected misuse relating to a Client product, MediSights will report that information to the relevant Client (or, where required, to the relevant regulator) in accordance with the BHBIA Adverse Event Reporting Guidelines and the terms of the applicable engagement. Such reporting is limited to information necessary for pharmacovigilance and is conducted on a non-promotional basis.
Data Subject Rights
Subject to applicable law, individuals have the right to access the personal data we hold about them; to rectification of inaccurate or incomplete data; to erasure of data, where the legal conditions are met; to restriction of processing in defined circumstances; to object to processing based on legitimate interests or for direct marketing; to data portability for data provided to us and processed by automated means; to withdraw consent at any time, where processing is based on consent; and to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO); in the EU, the relevant national Data Protection Authority; in California, the California Privacy Protection Agency.
Where MediSights acts as a Processor on behalf of a Client, we will refer requests to the Client and assist them in responding within statutory timelines. Where MediSights acts as Controller, we will respond directly. Requests can be submitted to the contact details in the section "Contact Information" and will be acknowledged without undue delay and, in any event, within the timeframes required by applicable law.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, audit, or contractual requirements. The retention periods set out below may be extended where a longer period is required by law, by a Client agreement, or to defend or pursue legal claims.
Raw audio and video recordings of HCP interviews are retained for up to 180 days following project completion, to support quality assurance, transcription verification, and dispute resolution; they are deleted thereafter unless a Client agreement specifies otherwise. De-identified transcripts are retained for up to 7 years to support research integrity, audit trail, and BHBIA- and MRS-aligned record-keeping. HCP panel records, including contact and credentialing data, are retained for the duration of panel membership plus 24 months, to support ongoing engagement and re-contact for follow-up research, subject to consent withdrawal at any time. Honoraria and fair-market-value payment records are retained for 7 years to meet tax, anti-bribery, and pharma transparency reporting obligations, including the U.S. Sunshine Act and the EFPIA Disclosure Code. Aggregated, de-identified research outputs are retained indefinitely; they no longer constitute personal data and are used for syndicated benchmarks and comparative analysis. Client account and contractual records are retained for the term of the agreement plus 7 years, to support contract performance, audit, and limitation periods. Website analytics and cookie data are retained for up to 13 months.
On expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Anonymised data may be retained indefinitely as it no longer constitutes personal data.
Cookies & Tracking Technologies
Our website uses a limited set of cookies and similar technologies. Strictly necessary cookies are used to operate the site. Analytics cookies, where deployed, are loaded only after the visitor has provided consent through our cookie banner, in line with the EU ePrivacy Directive and the UK Privacy and Electronic Communications Regulations. Visitors may withdraw consent at any time through the cookie preferences control on the website.
Children's Data
MediSights' services are directed at professional users in the life sciences industry. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.
Updates To This Policy
We may update this Policy from time to time to reflect changes in our practices, in applicable law, or in the expectations of our Clients and regulators. The "Effective date" at the top of this document indicates when it was last revised. Material changes will be communicated through our website and, where appropriate, directly to affected data subjects and Clients. Prior versions are available on request.
Contact Information
Questions, requests, and complaints relating to this Policy or to the processing of personal data should be directed to our Privacy Office:
MediSights Holdings, Inc.
Attn: Privacy Office
1111B S Governors Ave, STE 58872, Dover, DE 19904, United States
Email: ian@medisights.com