Client Privacy Policy

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to them and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told them about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told them about.
• Kept securely.

• Name
• Company
• Job title
• Business contact details such as addresses, telephone numbers and email addresses
• Records of communication (e.g. emails, testimonials)
• Records of consent or opt-in/out
• Meeting recordings
• Complaints information
• Data collected from using our software, FlexiPlatform™ (e.g. IP address, hardware specifications, operating system, software version, date and time of last use)

We do not intentionally collect “special categories” of more sensitive information about Data Subjects. However, in some instances, such as during recorded meetings, we may incidentally capture information, for example, about race or ethnicity, religious or philosophical beliefs, or information about physical health, such as disabilities.

In this section we would like to inform clients about where we collect personal information from.

Publicly available sources
As part of our business development strategy, it is important to identify clients who can benefit from our services that we can communicate with. We typically collect business contact information for Data Subjects from publicly available sources, such as LinkedIn and Google.

Data brokers
We may also collect business contact information from service providers, such as Cognism and hunter.io, that provide data brokering or data matching services using publicly available sources. Due diligence is carried out on these vendors to ensure compliance with data protection laws. We also check this data against local opt-out registers, such as the Telephone Preference Service, before using it.

Our website
Our most frequent website users are typically clients. Personal data is collected from or provided by Data Subjects through our website. For more information read our Website Privacy Notice.

Our software products (FlexiPlatform™)
We collect personal data from Data Subjects who use our software, usually during licence activation and user registration. We also collect data during its use.

Directly from the Data Subject
Most of the personal data we collect from client Data Subjects is provided directly. This will often be through calls, meetings, emails, or in the course of the provision of our services.

The applicable legal basis are:

• Processing is necessary to fulfil legal obligations
• Processing is necessary to fulfil a contract
• Processing is based on Data Subject’s valid consent
• Processing is based on our legitimate interests without conflicting with the Data Subject’s interests

Processing is necessary to fulfil a contract
We process information on the basis that there is a contract between us and a client for the following purposes:

• To communicate with the client about our products and services
• To provide clients with our products and services
• To provide clients with a software license
• To assess the performance of our software
• To develop and improve our products and services
• To prevent and investigate fraud and other misuse
• To protect our rights and/or our property
• To protect our clients’ rights and/or property

Processing is based on consent
When there is no contractual relationship between us and a client, we aim to obtain explicit consent from Data Subjects. Sometimes Data Subjects might give consent implicitly, such as by sending us a message by e-mail to which they would reasonably expect us to reply. Consent is obtained for the following purposes:

• To market our products and services to clients
• To develop and improve our products and services
• To monitor and assess the performance of our website
• To monitor and assess the performance of our business

Processing is necessary to fulfil legal obligations
Sometimes, we must process a Data Subject’s information in order to comply with a legal obligation, such as:

• To prevent and investigate fraud and other misuse
• To ensure IT security and protect the privacy of personal data
• To provide information to legal authorities if the request it or that have authorisation, such as a warrant or court order
• To defend legal claims against us, our clients or other third parties

Processing is based on our legitimate interests
Some of our processing is based on Inpharmation’s legitimate interests. Before processing data, we weigh the interests of the Data Subject against our own: is their interest in not having their data processed for a given purpose greater than our legitimate interest for processing.

Our legitimate interests are:

• To optimize the user experience of our website
• To ensure IT security and data protection
• To protecting our rights and our property
• To prevent and investigate fraud and other misuse
• To contact and market our products and services to clients
• To keep a record of Data Subject’s consent and opt in/out
• To manage and resolve complaints by the client or the Data Subject

Typically, we may disclose personal collected for the aforementioned purposes to:

• Inpharmation employees with signed NDAs and the appropriate level of access
• Other client employees where the Data Subject is also employed
• Service providers, such as:
  • customer relationship management platforms (Salesforce),
  • data storage platforms (SharePoint),
  • web hosting providers (SiteBites)
  • server/backup providers (TSOHost, Hyve, FastHosts, Barracuda)
• Public authorities, such as law enforcement, if we are legally required to do so or if we need to protect our rights or the rights of third parties

In most cases, personal data will be transferred to and processed in the United Kingdom. Where we use large “software-as-a-service” vendors, such as Microsoft and Salesforce, data may be transferred to or through other countries (e.g. Email servers) or accessed by Inpharmation employees in other countries. Standard Contractual Clauses form part of the data processing agreements Inpharmation has with these SaaS vendors.

Business contact information
For the most part, any business contact information provided by the Data Subject is transferred from the Data Subject’s country of origin to the United Kingdom. Our servers are all based in the United Kingdom. Vendors who process this data (such as Salesforce and Microsoft) have data centres located in the United Kingdom and European Economic Area.

However, this data may be transferred outside the UK and EEA if it is accessed by an Inpharmation employee when travelling to other countries during the course of normal business activity (e.g. client meetings). Generally, Inpharmation employees travel to the United States or countries within the EEA.

Records of communication
Emails, Microsoft Teams messages, meeting recordings and client communication of this nature are largely processed by our vendors (e.g. Salesforce and Microsoft) and stored on servers located in the United Kingdom and European Economic Area. However, it may be the case that communication data is routed through and therefore transferred to countries closer to the Data Subject’s country of origin.

This data may also be transferred outside the UK and EEA if it is accessed by an Inpharmation employee when travelling to other countries during the course of normal business activity (e.g. client meetings). Generally, Inpharmation employees travel to the United States or countries within the EEA.

FlexiPlatform™ user data
User data collected during registration and during use are collected, transferred from the Data Subject’s country of origin, and stored on our servers in the United Kingdom.

• Where processing is necessary to fulfil a contract: we will only delete data once it is no longer necessary to fulfil contractual obligations to our clients. For example, when a FlexiPlatform™ license expires and is not renewed, we will immediately delete user data.
• Where processing is based on consent: we will delete data immediately if consent is withdrawn or Data Subjects opt out of processing.
• Where processing is based on our legitimate interests: We will delete data as soon as it is no longer required for these purposes or if a Data Subject requests their data be erased. For example, the data is no longer necessary to market or provide our services to a client.

We are allowed to and may keep data for longer than listed above if it is necessary for:

• Exercising the right of freedom of expression and information
• Compliance with a legal obligation
• The establishment, exercise, or defence of legal claims

Data Subjects have several rights that they can exercise over their data, such as the right to access, correct, and request to delete their personal information, data portability, restricting the processing or objecting to it if it was done under legitimate interests.

Data Subjects also have the right to lodge a complaint with a supervisory authority, in particular in their country of residence (e.g. the Information Commissioner’s Office in the UK), if they consider the processing of their personal information infringes applicable law.

For questions or more information or guidance about Data Subject rights please contact dataprivacy@inpharmation.com. Read more information about Data Subject rights below.

Access to your data
You can request access to the information we hold about you, with some limited exceptions, and we will also tell you;

• why we are processing it;
• who are we sharing it with and if any information is transferred to a country not deemed to have adequate protections in place for personal data;
• how long will we be keeping your data;
• the source of the information if it was not collected directly from you;
• if we are using your data for automated decision making or profiling.

If you make a request for a copy of the personal information that we are processing, please be as specific as possible as this will both help us to identify the information more quickly and provide you with a copy without any undue delay.

Rectifying inaccuracies
If you feel the information we hold on you is inaccurate, you can ask us to correct or update it.

Right to be forgotten
You can also request that we erase your information, although that might not always be possible if doing so means we cannot perform our contract with you, or we have a legal obligation or legitimate interest to keep the information. We will explain the consequences of erasing your information.

Restrict the processing
If you feel we are processing your information unlawfully or with inaccurate information, you can ask us to restrict processing. Where Personal Information is subjected to restriction in this way, we will only process it with your consent or for the establishment, exercise or defence of legal claims unless we have your consent. If the processing is restricted, we will continue to store the information.

Object to the processing
If you disagree with any legitimate interest or public interest we have relied upon to process your information, you can object to the processing. We will then stop processing the information unless we can demonstrate a compelling legitimate ground that overrides your rights, or the processing is required to establish, exercise, or defend a legal claim.

Data Portability
Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal information is processed by automatic means, you have the right to receive all such personal information which you have provided to Inpharmation in a structured, commonly used and machine‑readable format, and also to require us to transmit it to another controller where this is technically feasible.

Make a complaint
We are committed to safeguarding your data and upholding your rights, but if you feel we have not done that, please contact dataprivacy@inpharmation.com. Additionally you have the right to complain to the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO) at https://ico.org.uk/.