Privacy Notice
Effective Date: 8th December 2025
1. Introduction
At Qureight Limited ("Qureight", "we", or "us"), we are committed to protecting your privacy whenever we process your personal information. We manage your personal information responsibly, using privacy by design to address the principles of data protection regulations globally, such as the UK Data Protection Act 2018 (UK GDPR), the EU Regulation 2016/679 ('EU GDPR') and US state laws (where applicable).
This privacy notice explains the types of personal information we collect about you, how this data is used, and why. We want you to feel confident when engaging with us and be assured that we manage your personal data lawfully, fairly and transparently. We are the controller of your personal data unless otherwise stated.
Please note that we use the terms 'personal information' and 'personal data' interchangeably throughout to represent personal data as defined by applicable privacy legislation.
2. The personal information you provide to Qureight
We process your personal information when you engage with us through our websites, products, and services. Some information is provided voluntarily by you, e.g., you enter your personal information into our website, and other information is collected automatically, e.g., our website logs your IP network address.
We also process your personal information when we receive it from a third party, such as a recruiter, customer or supplier.
In this section, we provide information on the personal information we process in different situations.
2.1 Contacting Qureight through Qureight's website
| Category | Details |
|---|---|
| Types of personal information collected | - Name and contact details including email address and phone number - Your job title and/or employer - Information related into your enquiry - Your interests in our products and services - Any additional information available via social medial profiles, e.g. LinkedIn - Technical information including your internet IP address and browser user agent We do not request special category data via our website communication channels. |
| Intended purpose of our processing | - To communicate with you and respond to your query - To ensure the security and availability of our web site, products and services - To de-identify data so that it can be used for research and statistical reporting purposes |
| Legal bases for our processing | - Article 6(f) Legitimate interests in responding to your enquiry, ensuring your and our digital security and in de-identifying data for reporting purposes - Article 6(b) Contractual obligations |
| Retention period | We will retain your data for as long as it is relevant to responding to your enquiry after which it will be de-identified or erased. |
2.2 Applying to work at Qureight
| Category | Details |
|---|---|
| Types of personal information collected | - Name, gender and contact details including address, email address and phone number - Information that you disclose in your application, curriculum vitae and any attachments - Information regarding your educational background, previous jobs, skills, competency, experience and performance - Information that may be available about you on social media, e.g. LinkedIn - Background checks including references from your current and/or previous employers - Information that you disclose during the interviews and assessments - Technical information including your internet IP address and browser user agent - Special category data including racial or ethnic origin, as volunteered or governed by applicable laws |
| Intended purpose of our processing | - To process your job application and assess your suitability for employment at Qureight - Take up your references - To ensure the security and availability of our web site and products and services - To de-identify data so that it can be used for research and statistical reporting purposes |
| Legal bases for our processing | - Article 6(b) Contractual obligations - Article 6(f) Legitimate interests in processing your application (including verifying its accuracy), ensuring your and our digital security and in de-identifying data for reporting purposes - Article 6(c) Legal obligations - Article 6(a) Consent Special category data is processed under the following provision(s): - 9(2)(a) Explicit consent - 9(2)(b) Employment, Social Security or Protection Law |
| Retention period | If you are hired by Qureight, we will retain your personal information as part of your personnel file in line with applicable employment and other relevant legislation and our retention policy. If you are not hired by Qureight, we will retain your personal information as required by law, or a period of one year, whichever is shorter, before de-identifying or erasing it. |
2.3 Working for Qureight as a consultant or contractor
| Category | Details |
|---|---|
| Types of personal information collected | - Name, gender and contact details including address, email address and phone number - Financial information including bank account and tax information - Information regarding your training and competence - Information regarding your next of kin - Information regarding your allocation and use of company assets, software applications and personal devices - Technical information including your internet IP address and browser user agent - Special category data including racial or ethnic origin, health data, and trade union membership as volunteered or governed by applicable laws |
| Intended purpose of our processing | - To administer your engagement by Qureight - To meet Qureight's legal obligations as a customer - To ensure you receive appropriate remuneration - To submit information to relevant tax authorities - To maintain the security, integrity and availability of Qureight's systems and assets - To ensure the security and availability of our web site and services - To deidentify data so that it can be used for research and statistical reporting purposes |
| Legal bases for our processing | - Article 6(b) Contractual obligations - Article 6(f) Legitimate interests in processing your application (including verifying its accuracy), managing our engagement of you, ensuring your and our digital security and in de-identifying data for reporting purposes - Article 6(c) Legal obligations - Article 6(a) Consent Special category data is processed under the following provision(s): - 9(2)(a) Explicit consent - 9(2)(g) Preventing etc. unlawful acts |
| Retention period | We will retain your personal information for as long as required by our need to maintain effective business records and/or as required by applicable laws. |
2.4 Engaging with Qureight on social media
| Category | Details |
|---|---|
| Types of personal information collected | - Name, gender, general location and contact details - Social handles - Information that you share on social media or others have shared about you including educational background, current and previous job roles, experience, competency, skills, interests, images and news articles - Information regarding your activity including engagement, e.g. likes and comments, with social media articles and posts |
| Intended purpose of our processing | - To communicate with you - For general marketing purposes - To improve our products, services, marketing communications and websites - To analyse stakeholder engagement with our social media activities - To de-identify data so that it can be used for research and statistical reporting purposes |
| Legal bases for our processing | - Article 6(f) Legitimate interests in engaging with our on-line stakeholders and to de-identify data for sentiment analysis - Article 9(2)(e) publicly available |
| Retention period | We will retain your personal information for as long as required by our need to maintain effective business records and/or as required by applicable laws. |
2.5 Working with Qureight as a customer, vendor, or business partner
| Category | Details |
|---|---|
| Types of personal information collected | - Name, job title and business contact information including passwords, mailing address, email address and telephone number - Information about you including your qualifications, experience, skills and preferred languages - Information regarding your roles and responsibilities for your employer and the nature of your employer's business - Information on the product(s) and service(s) related to your engagement with Qureight on behalf of your employer - Logs of your interactions with our product(s) and your use of our service(s) |
| Intended purpose of our processing | - General planning, fulfilment, and the management of the business relationship, including the negotiation, execution, and amendment of contracts or other agreements - General administration such as the processing of payments, rating evaluations, accounting, auditing, as well as providing support - Providing newsletters and other marketing communications - Responding to inquiries from you - General communication with you in connection with the business relationship - To maintain the security, integrity and availability of Qureight's systems and assets and our customers' data - To ensure the security and availability of our web site and services - To de-identify data so that it can be used for research and statistical reporting purposes |
| Legal bases for our processing | - Article 6(b) Contractual obligations - Article 6(c) Legal obligations - Article 6(f) Legitimate interests in ensuring compliance with terms of use, our policies and procedures and laws and regulations |
| Retention period | We retain your personal information for as long as is necessary to fulfil the business relationship and where applicable to a clinical study, as required by Good Clinical Practice and medicines' regulators worldwide. |
2.6 Using Qureight's services as part of a clinical study
| Category | Details |
|---|---|
| Categories of data subjects whose personal data is processed | - Partners, suppliers, healthcare professionals, monitors and other third parties with whom Qureight conducts business whilst performing its obligations to a sponsor in relation to their clinical study - Employees of and contractors for the sponsor, its affiliates or partners and suppliers - Patients and research subjects participating in clinical studies, research studies and other research work, as provided by a third party such as a healthcare professional |
| Types of personal information collected | - Contact information, including name, address, phone number, email etc. - Employment related information, including title, position, work tasks, department, performance, licences, skills and specialism - Bank account information Special category data: - Pseudonymised participant data originating from clinical trials, studies and other research work - Other pseudonymised data concerning clinical study participants' health - Race, ethnicity and trade union membership as may be required for compliance with employment regulations, monitoring and reporting |
| Intended purpose of our processing | Your personal data is processed to support the objectives of the clinical study, as described by the sponsor. This includes the collection, storage, processing and expert analysis (using Qureight's proprietary technology) to allow reporting of pseudonymised personal data associated with the management of and scientific analysis within clinical studies or other forms of medical research. For further details on the specific purposes, please see the sponsor's protocol. |
| Legal bases for our processing | - Article 6(b) Contractual obligations - Article 6(c) Legal obligations - Article 6(f) Legitimate interests in ensuring compliance with terms of use, our policies and procedures and laws and regulations |
| Data Controller | For the purposes of privacy laws, including the GDPR, the study sponsor acts as the data controller of your personal data. Qureight acts as the sponsor's processor (or sub processor, if Qureight supports the study through a contract research organisation) and processes your personal data strictly in accordance with the sponsor's instructions. |
| Retention period | The retention period for your personal data is determined by the study sponsor and is typically 25 years complying with ICH Good Clinical Practice (GCP) guidance and the requirements of global medicines regulators. |
3. Cookies and other tracking technologies
Please refer to our Cookie Policy for information regarding Qureight's use of Cookies and other Tracking Technologies.
4. Data security, integrity and retention
The security, integrity, and confidentiality of your information are extremely important to us. We have implemented technical, organisational, and physical security measures that are designed to protect personal information from unauthorised access, disclosure, use, and modification. We encrypt all personal information at rest and in transit, using industry-standard encryption to a minimum of AES-256 and TLS v1.2, respectively. We regularly review our security procedures to consider appropriate new technology and methods.
5. Sharing your Personal Data
We may share information with third-party organisations ('processors') that have a contractual relationship with Qureight, such as IT system suppliers and with other recipients such as accountancy or legal services firms. This is because they provide a service to Qureight that helps us achieve the intended purpose for the processing of your personal data. We always ensure that third-party organisations only process your personal data according to our instructions and are contractually bound to maintain the privacy and security of your data to an equivalent standard as Qureight.
In certain circumstances, we are legally obliged to share information. This includes but is not limited to:
- with national tax authorities
- when a court orders us to do so.
We may also share information if the public good outweighs your right to confidentiality. This could include:
- where a serious crime has been committed
- where there are serious risks to the public or our staff.
Further, we may disclose your personal data to third parties to whom we may sell (or buy), transfer or merge part(s) of our business or our assets
6. International Transfers of your Personal Data
Qureight operates globally, with customers, suppliers, business parties and processors based in many countries. At times, we may transfer your data to other jurisdictions that do not maintain the same legal protections as your country or state of residence. Personal data is primarily stored within our servers located within the United Kingdom, European Union, or other countries deemed adequate under the UK GDPR (Adequate Countries). However, subject to the provision of suitable safeguards, we have the right to move your personal data and our servers (including those provided by our processors) to outside the Adequate Countries. In the absence of a decision on adequacy by the UK's Secretary of State, the suitable safeguards include guarantees of a contractual or negotiated nature, including Binding Corporate Rules and standard contractual clauses for data protection. In the absence of a decision on adequacy or other suitable safeguards as described above, the transfer to and/or processing of your personal data by third parties outside the Adequate Countries will be carried out only with your consent.
Further information is available upon request from [email protected]
7. Your rights
There are certain rights under the UK GDPR that you may exercise by contacting us using the contact details at the end of this privacy notice. You are not usually required to pay for exercising your rights. If you make a request, we have one month to respond to you, unless the request is complex, in which case we may extend the period by up to another two months. Subject to legally permissible exemptions and restrictions (which will be explained to you if Qureight relies upon them) and the lawful basis which we are relying upon to justify the processing of your personal information you may have the following rights:
| Right | Description |
|---|---|
| Right to be informed | You have the right to be clearly and transparently informed about how your personal data is collected, used, stored, and shared. We provide this information to you via this Privacy Notice and any other supplemental notice with which we serve you. |
| Right to access | You can request a copy of your personal data from Qureight, along with details about how it is being processed. This is called a Subject Access Request (SAR). |
| Right to rectify | If your personal data is inaccurate or incomplete, you can ask for it to be corrected or updated. |
| Right to erasure (Right to be forgotten) | You can ask for your personal data to be deleted or removed if there's no valid reason for it to be kept. This applies if the data is no longer needed, you withdraw consent, or it was processed unlawfully. |
| Right to restrict processing | You may be able to limit how Qureight uses your data. This means your data can be stored but not processed further. You can request this if you contest the accuracy of your data, the processing is unlawful, or you oppose erasure. |
| Right to object to processing | You can object to the processing of your personal data where Qureight is relying on its legitimate interests to justify the processing or where we are sending you direct marketing. Qureight must stop unless they have compelling legitimate reasons to continue. Your right to object to the continued receipt of direct marketing is absolute. |
| Right to portability | You can obtain and reuse your personal data for your own purposes across different services. This applies to data you provided and that is processed automatically, based on your consent or a contract. |
| Rights related to automated decision processing and profiling | You have the right not to be subject to decisions based solely on automated processing (including profiling) of your special category data that significantly affect you, unless it's necessary for a contract, authorized by law, or based on your explicit consent. |
| Withdrawal of consent | If Qureight processes any of your data based on your consent, you can withdraw that consent at any time. We must stop processing your data for that purpose unless another legal basis applies. |
8. Data Protection Officer
Qureight's Data Protection Officer is Dr Steven Bishop. Our Data Protection Officer is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at [email protected].
9. Changes to this Privacy Notice
From time to time, we may change this privacy notice to accommodate new technologies, industry practices, regulatory requirements or for other purposes. We will provide notice to you if these changes are material and, where required by applicable law, we will seek your fresh consent. Notice may be by email to you at the last email address you provided us, by posting notice of such changes on our sites and applications, or by other means, consistent with applicable law.
10. Contacting Qureight
If you have any other questions about our Privacy Notice, please get in touch with us at:
Qureight Limited,
Legal Department,
50-60 Station Road,
Cambridge.
CB1 2JH.
United Kingdom.
Email: [email protected]
Telephone: +44 1223 625384
We also maintain a designated EU Representative for Data Protection. Our EU representative can be contacted at:
DataRep,
The Cube,
Monahan Road,
Cork,
T12 H1XY,
Republic of Ireland.
Please note: All postal communications should be addressed to 'DataRep', not 'Qureight Ltd'
Email: [email protected]
Website: www.datarep.com/data-request/
11. Making a Complaint
You can make a complaint by contacting us using the contact details above or by emailing [email protected].
If we are unable to satisfactorily resolve your complaint, or you otherwise wish, you can submit a complaint to the UK's Information Commissioner:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Telephone: 0845 630 6060
Website: www.ico.org.uk