Privacy & Healthcare Data Policy at Strasys

At Strasys, we are committed to maintaining high standards of data privacy, security, and governance. This Privacy & Healthcare Data Policy explains how we collect, use, store, share, and protect information relating to individuals and organisations that interact with us, including through our website and in connection with our work supporting health and care systems.

We understand the responsibility that comes with handling data in regulated environments, and we aim to be transparent about our practices and your rights.

1. Who this policy applies to

This policy applies to:

  • Visitors to our website.
  • Individuals who contact us (for example via forms, email, phone, or events).
  • Individuals whose business contact details are provided to us in the context of our work.
  • Where relevant, individuals whose information may be included in datasets used for analysis within partner organisations.

2. Definitions

Personal data means information that identifies, or can reasonably be used to identify, an individual.

Special category data (also known as sensitive personal data) is personal data that UK GDPR gives additional protection; it includes information about a person’s health.

Partners refers to organisations we work with (for example NHS Trusts, Integrated Care Systems, and other health and care bodies).

Depending on the engagement, Strasys may act as a data controller or a data processor. Where we act as a processor, we handle data on the documented instructions of our partner organisation.

3. What data we collect

3.1 Website and communications

We may collect:

  • Name, job title, organisation, email address, telephone number.
  • Information you include in messages to us.
  • Records of communications (for example emails or call notes).

3.2 Website technical data

We may collect:

  • IP address, browser type, device information, and pages visited.
  • Cookie and similar tracking data (see section 9).

3.3 Data used in analytics or decision-support work

In some engagements, we may handle data provided by partner organisations to support analysis. This may include:

  • Operational or governance information (including documents and text content).
  • Aggregated, pseudonymised, or de-identified data (pseudonymised data remains personal data under UK GDPR and is handled as such).
  • In some circumstances, special category data (such as health information), where permitted and with appropriate safeguards.

We do not use personal data provided by partners for unrelated purposes.

4. How we use data

We use information for purposes including:

  • Responding to enquiries and providing requested information.
  • Managing professional relationships and delivering services.
  • Improving our website and communications.
  • Maintaining security, preventing fraud, and protecting our systems.
  • Where agreed with partners, carrying out analytics and producing outputs that support decision-making.

Where our work involves AI-enabled analysis, we use AI to accelerate analysis and highlight patterns, with human oversight and governance. Our AI outputs are intended to support decision-making, not replace professional judgement.

5. Lawful bases for processing

Under UK GDPR, we rely on one or more lawful bases depending on the context:

  • Consent (for example, when you submit an enquiry form or opt in to communications).
  • Contract (where processing is necessary to deliver services to partners).
  • Legitimate interests (for example, to operate our business, improve our services, and keep our systems secure).
  • Legal obligation (where we must comply with legal or regulatory requirements).

Where we process special category data (such as health data), we will ensure an appropriate condition applies (for example, explicit consent where relevant, or processing necessary for substantial public interest, healthcare, or scientific/statistical purposes, alongside required safeguards).

6. Sharing data and third parties

We may share information with:

  • Service providers who support our operations (for example website hosting, email services, analytics, and IT support).
  • Professional advisers (for example legal, audit, and insurance), where necessary.
  • Authorities or regulators where required by law.

Where we use service providers, we require them to protect data and only process it for specified purposes.

7. International transfers

If personal data is transferred outside the UK, we will ensure appropriate safeguards are in place (for example UK International Data Transfer Agreement or other recognised transfer mechanisms).

8. Data retention

We keep personal data only for as long as necessary for the purposes described in this policy, including legal, regulatory, and contractual requirements.

Retention periods vary depending on the nature of the information and the engagement. Where possible, we will securely delete or anonymise data when it is no longer needed.

9. Cookies and similar technologies

Our website may use cookies and similar technologies to support functionality, understand usage, and improve performance.

Where required, we will request your consent before placing non-essential cookies. You can manage cookie preferences through your browser settings and any on-site cookie controls.

10. Automated decision-making

Our tools and analytics may use automated methods to identify patterns or produce summaries. However, Strasys’ work is designed to support human-led decision-making.

Where automated processing is used, we aim to apply appropriate safeguards, including transparency, oversight, and the ability for partners to review outputs.

11. Security

We take appropriate technical and organisational measures to protect personal data from unauthorised access, loss, misuse, alteration, or disclosure. Measures may include access controls, encryption, secure systems, and operational procedures.

No system is completely secure, but we work to reduce risk and respond appropriately to threats.

12. Your rights

Subject to applicable law, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of data (in certain circumstances).
  • Restrict or object to processing (in certain circumstances).
  • Request data portability (where applicable).
  • Withdraw consent (where we rely on consent).

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

13. Contact

To ask questions about this policy or exercise your rights, contact us.

14. Updates to this policy

We may update this policy from time to time to reflect changes in law, regulation, or our practices. We encourage you to review this page periodically for the latest version.