Sefam Medical Ltd Software Privacy Policy 08-09-25
1. About this Privacy Notice
We are Sefam Medical Ltd (“Sefam”, “we”, “us”). We take your privacy seriously and handle personal data with transparency and care in accordance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). This Privacy Policy explains what we collect, why we collect it, how we use and share it, how long we keep it, and the choices and rights you have.
2. Controller vs Processor Roles
When providing platforms or services to healthcare providers, we act as a processor and the provider is the controller. For direct-to-consumer services, websites, apps, or where we determine processing purposes, Sefam acts as the controller.
3. The types of Personal Data we collect and why
We collect and process the following categories of data:
- Identity & contact data: name, email, phone, postal address, organisation/clinic, role
- Account & order data: account identifiers, order history, delivery details, VAT relief declarations, payment references
- Device & therapy data: device identifiers, usage metrics, alerts, therapy settings and logs, health-related information
- Support & communications: enquiries, service tickets, call/email/web-chat records
- Technical & usage data: IP address, device type, browser, pages viewed, cookie/consent preferences, error logs
- Marketing preferences: subscriptions, opt-in/opt-out status, and related interaction data
4. What is the legal basis for processing your Personal Data?
We use personal data for the following purposes:
- To provide products/services and manage our relationship: Contract and Legitimate Interests
- To support clinicians/healthcare providers: Legitimate Interests and/or Legal Obligation
- To process special-category (health) data: see Section 5, which sets out the UK GDPR articles we rely on
- To improve websites, apps and services: Legitimate Interests
- To send service messages: Legal Obligation or Contract
- To send marketing: Legitimate Interests or Consent, in line with PECR
- To comply with law: Legal Obligation
5. Special-Category (Health) Data
Where we process health information, we rely on:
- Article 6(1)(b)/(f)/(c) UK GDPR
- Article 9(2)(h) for health or social care
- Article 9(2)(a) for explicit consent
We maintain records of the conditions relied upon for each processing purpose.
6. Automated Decision-Making and Profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects. If this changes, we will update this notice and explain your rights.
7. Who we share your Personal Data with
We share data with:
- Healthcare providers/clinics
- Service providers (hosting, IT, delivery, payment, communications)
- Public authorities/regulators
- In corporate transactions (sale/merger/restructure)
8. Cookies and Similar Technologies
We use cookies and similar technologies to operate our sites and services, measure performance, and personalise content or marketing. Non-essential cookies are used only with your consent. Our cookie banner allows you to Accept all, Reject all, or Manage preferences.
9. How we protect your privacy
We implement safeguards including access controls, encryption, secure configuration, and vendor due diligence.
In case of a data breach, we assess and notify the ICO and affected individuals as required.
10. Storage, retention and deletion of data
We retain data only as long as necessary:
- Enquiries/support: up to 24 months
- Orders/warranty/finance: 7 years
- Device/therapy data: 2–7 years
- Marketing data: until opt-out or after 24 months of inactivity
Where we act as processor, retention follows the controller’s instructions.
11. Technical and organisational measures
The safeguards described in Section 9 (access controls, encryption, secure configuration, and vendor due diligence) are the technical and organisational measures we apply to personal data.
12. Transfers of Personal Data outside the EU/EEA
Data is usually stored in the UK or EEA. If transferred outside the UK, we use:
- UK adequacy regulations
- Appropriate safeguards (UK IDTA or EU SCCs with UK Addendum)
You may request a copy or summary of these safeguards.
13. Minors
This policy complies with the General Data Protection Regulation (GDPR), which includes strict rules about processing children’s data. Under GDPR, parental consent is required for processing personal data of children under 16 (or lower depending on national law, such as 13 in the UK).
14. Your data protection rights
You have rights to:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
- Withdraw consent
To exercise your rights, contact customerserviceuk@sefam-medical.com. We respond within one month.
15. Updates to this Notice
We may update this notice to reflect changes in our processing or legal requirements. Updates will be posted here with a revised ‘Last updated’ date.
16. How to contact us
Controller: Sefam Medical Ltd (Company No. 13500192, VAT GB 385 8825 38)
Registered office / trading address:
Unit 6, Blackthorn Way, Five Mile Business Park, Lincoln, LN4 1BF, UK
Email: customerserviceuk@sefam-medical.com
Data Protection Lead (DPL): Contact at the above email address for privacy-related queries or to exercise your rights.
17. Complaints
You may contact us to resolve concerns. You also have the right to complain to the Information Commissioner’s Office (ICO) at https://ico.org.uk or call 0303 123 1113.
Appendix A – Data Protection Impact Assessment (DPIA) Statement
Sefam Medical Ltd conducts Data Protection Impact Assessments (DPIAs) for any processing activities that are likely to result in a high risk to the rights and freedoms of individuals, particularly where special-category health data is involved or where new technologies are deployed (e.g., connected therapy devices, remote monitoring platforms).
We assess:
- The nature, scope, context, and purposes of processing
- Risks to individuals’ rights and freedoms
- Measures to mitigate those risks (e.g., encryption, access controls, pseudonymisation)
DPIAs are reviewed regularly and updated when significant changes to processing occur. Where necessary, we consult the Information Commissioner’s Office (ICO) prior to implementation.
Appendix B – Legitimate Interests Assessment (LIA) Statement
Where Sefam Medical Ltd relies on Legitimate Interests as a lawful basis for processing, we conduct a Legitimate Interests Assessment (LIA) to ensure that our interests do not override the rights and freedoms of data subjects.
Each LIA includes:
1. Purpose Test – Identifying the legitimate interest (e.g., improving services, supporting clinicians, fraud prevention)
2. Necessity Test – Confirming that the processing is necessary and not achievable by less intrusive means
3. Balancing Test – Evaluating the impact on individuals and implementing safeguards (e.g., opt-outs, transparency)
We document all LIAs and make them available upon request. Individuals retain the right to object to processing based on legitimate interests.
