Privacy Policy

Last updated: 16 February 2026

MoniDose ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the MoniDoseQMS platform ("Service").

1. Data Controller

MoniDose is the data controller for Personal Data collected in connection with the operation of the Platform (e.g., account registration, platform administration). For Customer Data entered into the Platform by Users, the Customer organisation acts as the data controller and MoniDose acts as a data processor.

2. Personal Data We Collect

2.1 Information You Provide

  • Account information: name, email address, username, department, job title.
  • Company information: company name, contact email, industry.
  • Authentication data: password (stored as a cryptographic hash, never in plain text).
  • Support requests: information you provide when contacting us for assistance.

2.2 Information Collected Automatically

  • Access logs: IP address, browser type, pages visited, timestamps.
  • Audit trail data: actions performed within the Platform (who, what, when).
  • Security events: login attempts, password changes, 2FA events.

2.3 Cookies

We use strictly necessary cookies for:

  • Authentication: maintaining your login session.
  • Anti-forgery: protecting against cross-site request forgery (CSRF) attacks.
  • Preferences: remembering your display settings.

We do not use tracking cookies, analytics cookies, or advertising cookies. No third-party cookies are set by the Platform.

3. How We Use Your Data

We use Personal Data for the following purposes:

Purpose Legal Basis (GDPR Art. 6)
Providing and maintaining the Service Contract performance (Art. 6(1)(b))
User authentication and access control Contract performance (Art. 6(1)(b))
Audit trail and compliance record-keeping Legal obligation (Art. 6(1)(c))
Service-related notifications Contract performance (Art. 6(1)(b))
Security monitoring and fraud prevention Legitimate interests (Art. 6(1)(f))
Responding to support requests Contract performance (Art. 6(1)(b))

4. Data Sharing

We do not sell your Personal Data. We may share data with:

  • Hosting providers: for infrastructure and data storage (within the EEA).
  • Email service providers: for sending service-related notifications.
  • Law enforcement: only when required by law or valid legal process.

All third-party providers are bound by data processing agreements that ensure GDPR-compliant handling of data.

5. Data Storage and Retention

Customer Data is stored on servers located within the European Economic Area (EEA). We do not transfer data outside the EEA unless required and with appropriate safeguards in place.

We retain Personal Data as follows:

  • Active accounts: data is retained for the duration of the account.
  • Terminated accounts: data is available for export for 30 days, then securely deleted within 90 days.
  • Regulatory records: audit trails, electronic signatures, and quality records are retained as required by medical device regulations (typically 10-15 years).
  • Security logs: retained for 12 months for security analysis purposes.

6. Your Rights Under GDPR

You have the following rights regarding your Personal Data:

  • Right of access (Art. 15) — obtain a copy of your data.
  • Right to rectification (Art. 16) — correct inaccurate data.
  • Right to erasure (Art. 17) — request deletion (subject to regulatory retention requirements).
  • Right to restriction (Art. 18) — limit how we process your data.
  • Right to data portability (Art. 20) — receive your data in a machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent.

To exercise these rights, contact us at privacy@monidoseqms.com. We will respond within 30 days.

Note: In a regulated QMS environment, certain records (audit trails, electronic signatures, quality records) cannot be deleted due to legal retention requirements under FDA 21 CFR Part 11, EU MDR, and ISO 13485. We will explain the specific legal basis if we cannot fully honour a deletion request.

7. Data Security

We protect your data using:

  • Encryption in transit (TLS 1.2+) and at rest.
  • Cryptographic password hashing (PBKDF2).
  • Multi-factor authentication support.
  • Role-based access controls with tenant isolation.
  • Regular security assessments.
  • Automated encrypted backups.

8. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals without undue delay (GDPR Art. 34) where required.

9. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect Personal Data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Platform at least 30 days before taking effect.

11. Contact and Complaints

MoniDose — Data Protection

Email: privacy@monidoseqms.com

General enquiries: support@monidoseqms.com

If you are not satisfied with our response, you have the right to lodge a complaint with a data protection supervisory authority. In Finland, this is the Office of the Data Protection Ombudsman (tietosuoja.fi).