1. Introduction
Velastria ("we", "our", or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you visit our website or use our services.
This policy applies to information we collect through:
- Our website (velastria.app and subdomains)
- Our software-as-a-service (SaaS) platform
- Email, text, and other electronic communications
- Beta testing applications and programmes
2. Information We Collect
2.1 Personal Information
We may collect the following types of personal information:
- Identity Data: Name, title, professional qualifications
- Contact Data: Email address, telephone number, postal address
- Professional Data: Clinic name, specialty, number of staff, professional registration numbers
- Technical Data: IP address, browser type, device information, operating system
- Usage Data: Information about how you use our website and services
- Communications Data: Your preferences in receiving marketing from us and your communication preferences
2.2 Special Categories of Data
When you use our platform to manage patient records, you will process special category data (patient health information). We act as a data processor in this context, and you (the clinic) are the data controller. Our obligations as a processor are detailed in our Data Processing Agreement.
2.3 How We Collect Information
We collect information through:
- Direct interactions: When you fill out forms, apply for beta access, or contact us
- Automated technologies: Cookies, server logs, and analytics tools
- Third parties: Analytics providers, advertising networks (if applicable)
3. How We Use Your Information
We use your information for the following purposes:
3.1 Provision of Services
- To provide access to our platform and services
- To process your beta application
- To provide customer support and technical assistance
- To send service-related notifications and updates
3.2 Business Operations
- To administer our business operations
- To improve our website and services
- To conduct analytics and research
- To detect and prevent fraud or security issues
3.3 Marketing (With Your Consent)
- To send you information about new features and updates
- To provide relevant marketing communications
- You may opt out of marketing communications at any time
3.4 Legal Obligations
- To comply with legal and regulatory requirements
- To respond to lawful requests from public authorities
- To protect our rights, property, and safety
4. Legal Basis for Processing (GDPR)
Under the UK General Data Protection Regulation (UK GDPR), we rely on the following legal bases:
- Consent: For marketing communications and optional data processing
- Contract: To provide our services and fulfil our obligations to you
- Legal Obligation: To comply with legal and regulatory requirements
- Legitimate Interests: To operate our business, improve our services, and prevent fraud
5. Data Sharing and Disclosure
5.1 Third-Party Service Providers
We may share your data with trusted third parties who provide services on our behalf:
- Cloud hosting providers: Amazon Web Services (AWS)
- Payment processors: Stripe
- Email services: For transactional and marketing emails
- Analytics providers: To understand website usage
All third parties are required to maintain appropriate security measures and process data only as instructed.
5.2 Legal Requirements
We may disclose your information if required by law, court order, or regulatory authority, or to protect our rights and safety.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
6. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Staff training on data protection and security
- Incident response procedures
While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your personal data only for as long as necessary:
- Active users: For the duration of your subscription plus 6 years (in line with UK medical record retention requirements)
- Beta applicants: For 2 years from application date
- Marketing data: Until you opt out or after 3 years of inactivity
- Legal obligations: As required by law (typically 6-7 years for tax and accounting records)
After the retention period, we securely delete or anonymise your data.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for marketing purposes
- Right to Withdraw Consent: Withdraw consent at any time (where consent is the legal basis)
- Right to Lodge a Complaint: Complain to the Information Commissioner's Office (ICO)
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to:
- Remember your preferences and settings
- Analyse website traffic and usage patterns
- Improve user experience
Types of Cookies We Use:
- Essential Cookies: Required for website functionality (e.g., session management)
- Analytics Cookies: Help us understand how visitors use our site (e.g., Google Analytics)
- Marketing Cookies: Track visitor behaviour for advertising purposes (with consent)
You can manage cookie preferences through your browser settings. Note that disabling cookies may affect website functionality.
10. International Data Transfers
Your data may be transferred to and stored in countries outside the UK and European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the UK ICO
- Adequacy decisions by the UK Government
- Binding corporate rules or certification schemes (where applicable)
Our primary data hosting is with Amazon Web Services (AWS) in the EU and UK regions.
11. Children's Privacy
Velastria is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at [email protected].
12. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.
13. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Posting a notice on our website
- Sending an email to registered users
- Updating the "Last updated" date at the top of this policy
Your continued use of our services after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
15. Supervisory Authority
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not handled your data appropriately: