Legal
Privacy Policy – MedMatchAITM
This document can be printed for reference by using the print command in the settings of any browser.
Effective Date: 03 Jul 2026 | Last Updated: 6 Jul 2026
This Privacy Policy explains how Nord Pacific Medical Ltd (“NPM”, “we”, “us”, or “our”) collects, uses, discloses, and otherwise processes personal data in connection with the MedMatchAITMplatform (the “Service”).
1. Scope of this Policy
This Privacy Policy applies to:
- users of the MedMatchAI platform
- visitors to the MedMatchAI website
- individuals whose professional or business-related personal data may be included in datasets accessible through the Service
This Policy should be read together with our Terms of Use, which govern your use of the Service.
2. Who We Are
MedMatchAI™ is owned and operated by:
Nord Pacific Medical Ltd, Room 1905, 19/F, West Tower, Shun Tak Centre, 168-200 Connaught Road Central, Hong Kong.
Email: info@nordpacificmed.com
For the purposes of applicable data protection laws, NPM acts as the data controller in respect of personal data processed through the Service, except where otherwise stated.
3. Categories of Personal Data We Process
We may process the following categories of personal data:
(A) Information You Provide Directly
- full name
- business email address
- company name, job title, and business role
- account login credentials
- communications, feedback, or enquiries
(B) Usage and Technical Information
- IP address and device identifiers
- browser type and operating system
- login activity (timestamps, frequency, access logs)
- interaction with platform features
This information is used for system security, analytics, and service optimisation.
(C) Billing and Account Information
- billing contact details
- subscription and account history
- transaction-related information
Payment processing is handled by third-party payment providers. We do not store full payment card details.
(D) Third-Party Business and Professional Data (“Platform Data”)
The Service provides access to structured business intelligence, which may include:
- names of individuals in professional roles
- job titles and organisational roles
- company affiliations
- business contact details (e.g. professional emails)
- publicly available professional information
This data may be sourced from:
- government and regulatory registries
- publicly available websites and filings
- third-party data providers
- other lawful sources
4. Sources of Personal Data
We collect and obtain personal data from:
- users directly
- automated collection through platform usage
- publicly available sources
- third-party data providers and partners
5. How We Use Personal Data
We use personal data for the following purposes:
(A) Provision of the Service
- account creation, authentication and management
- enabling access to platform features and datasets
- responding to user enquiries and providing support
(B) Platform Operation and Improvement
- monitoring system performance and security
- analysing usage trends and user interactions
- enhancing functionality, features, and user experience
(C) Subscription and Account Management
- billing and payment processing
- managing subscriptions and service access
- issuing service-related communications and updates
(D) Outreach Communications Sent Through the Service
The Service includes a function that allows you to compose a message to a distributor through the Service. Where you use this function:
- the message is transmitted by NPM, as a processor acting on your instruction, to the email address associated with the relevant distributor’s listing
- you determine the purpose and content of the message; NPM does not author, select the recipient based on the message content, or determine why the message is being sent
- any reply is sent directly to your own email address; NPM does not receive, retain, or have visibility into any reply or any subsequent exchange between you and the distributor
As part of transmitting your message, NPM may have technical visibility into the content of outbound messages. NPM retains outbound message content for up to twelve (12) months following the closure of your Account, after which it is deleted (see Section 10). You are solely responsible for:
- the content of communications you send through this function
- compliance with applicable data protection, anti-spam, and electronic marketing laws
(E) Legal and Compliance Purposes
- enforcing our Terms of Use
- detecting fraud, misuse, or security incidents
- complying with applicable laws and regulatory obligations
6. Legal Basis for Processing
Where required under applicable law, we rely on:
- performance of a contract (e.g. providing the Service)
- legitimate interests (e.g. operating and improving the platform)
- compliance with legal obligations
Where consent is required (e.g. certain cookies or marketing), it will be obtained in accordance with applicable law.
7. Platform Data and Third-Party Personal Data
The Service includes personal data relating to third parties compiled from external sources (“Platform Data”). Platform Data is compiled and structured with the assistance of Kuration AI Limited, acting as our data processor, using publicly available sources, including government regulatory registries, professional networks, and other publicly accessible materials. NPM’s legal basis for compiling and making Platform Data available is legitimate interests, namely the legitimate interest of medical device manufacturers in identifying licensed and regulated distributors, balanced against the interests of the individuals concerned. NPM has conducted an assessment and is satisfied this processing is conducted on a legitimate basis.
Platform Data may also incorporate data obtained from third-party data providers, which is subject to those providers’ own data sourcing and licensing terms.
You acknowledge that:
- such data is collected from public or third-party sources
- it may not be complete, accurate, or current
- NPM does not independently verify all such data
- confidence scores or indicators are internal assessments only
The data is provided on an “as is” and “as available” basis.
Users must:
- independently verify information before relying on it
- use such data only for legitimate business purposes
- comply with all applicable laws, including data protection and anti-spam laws
Where you download Platform Data containing personal data, you become independently responsible for that data as a separate controller, including for its lawful use, retention, and deletion. Your responsibilities in this respect are set out in Section 12.
8. Disclosure of Personal Data
We may disclose personal data to the following categories of recipients:
(A) Service Providers
- hosting and cloud providers (Vercel, Supabase)
- analytics providers (Google Analytics)
- payment processors (Stripe), which process card transactions; we can view only the last four digits of a card and the card type, and do not store full card numbers
(B) Data Providers
- third-party data vendors supporting the Service, including Kuration AI Limited (platform data compilation and back-end infrastructure) and any other third-party data provider(s)
(C) Legal and Regulatory Authorities
- where required by law
- to protect our legal rights or prevent misuse
(D) Corporate Transactions
- in connection with mergers, acquisitions, or restructuring
9. Cross-Border Transfers
Personal data may be transferred to and processed in jurisdictions outside your country of residence. This includes transfers to our service providers and sub-processors, who may process data in their own jurisdictions of operation, including Singapore (where our database infrastructure is hosted), the United States (in connection with our cloud hosting and payment processing providers), and Hong Kong (our registered office and back-end data provider). Where required, we implement appropriate safeguards to protect such transfers in accordance with applicable data protection laws.
10. Data Retention
We retain personal data only for as long as necessary to:
- provide and operate the Service
- fulfil contractual obligations
- comply with legal requirements
We may retain data for longer periods where necessary for:
- dispute resolution
- audit and compliance purposes
- legal defence
As a general guide: account and subscription data is retained for the duration of your subscription and for a period of seven (7) years following account closure, for legal, accounting, and dispute-resolution purposes; Platform Data is retained on an ongoing basis, refreshed periodically, and corrected or removed on verified request; and the content of outbound messages sent through the Service is retained for up to twelve (12) months following the closure of your Account, after which it is deleted. This Policy’s retention practices apply only to data held on our own systems and do not extend to Content you have downloaded (see Section 12 of this Policy).
11. Data Security
We implement reasonable technical and organisational measures to safeguard personal data, including:
- access restrictions and controls
- system monitoring and logging
- encryption where appropriate
However, no system can guarantee absolute security.
12. User Responsibilities
Users of the Service are responsible for:
- ensuring lawful use of any personal data accessed through the platform
- complying with applicable privacy, data protection, and marketing laws
- ensuring that any communications or outreach activities you send through the Service are lawful, including under applicable anti-spam and electronic marketing laws
Users must not misuse personal data or attempt to extract or repurpose datasets in breach of the Terms of Use. Where you download Content containing personal data, including Platform Data, you become independently responsible for that data as its holder, including for its retention, security, and deletion in accordance with applicable data protection law. Our retention practices described in Section 10 apply only to data held on our own systems and do not extend to copies you have downloaded.
13. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- operate and maintain the Service
- enable essential functionality
- analyse usage and improve performance
Further details are set out in our Cookies Policy below.
14. Your Rights
Subject to applicable law, individuals may have rights to:
- access their personal data
- request correction or updates
- request deletion
- object to or restrict certain processing
Requests may be submitted using the contact details in Section 18. We will endeavour to respond within thirty (30) days, although this period may be extended where permitted by applicable law. For users in Hong Kong, these rights are governed by the Personal Data (Privacy) Ordinance (Cap. 486); for users in other jurisdictions, equivalent rights may apply under local data protection law.
15. Third-Party Websites
The Service may contain links to third-party websites or services.
We are not responsible for the privacy practices or content of such third parties.
16. Changes to this Policy
We may update this Privacy Policy from time to time. The version in effect is identified by its effective date. Your continued use of the Service after the effective date of any change constitutes your acceptance of the updated Policy.
17. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region, consistent with the governing law and dispute resolution clause in our Terms of Use. NPM is the data controller for personal data processed under this Policy. For users in other jurisdictions, your local data protection laws may also apply, as described in this Policy.
18. Contact Us
For questions regarding the Privacy Policy, you may send to info@nordpacificmed.com.