clinstead
Back to clinstead.com
Legal · Privacy

Privacy policy

How Clinstead Ltd handles personal data — what we collect, why, how long we keep it, and the rights you have under UK GDPR and EU GDPR.

Last updated: May 19, 2026Version: 1.0.0Questions? legal@clinstead.com
01

Who we are

Clinstead Ltd is a company incorporated in England and Wales. We operate clinstead.com and the Clinstead platform (SteadFlow, SteadOS, and SteadReach). For the purposes of UK GDPR and EU GDPR, Clinstead Ltd is the data controller for personal data we collect through the website and the data processor for personal data our customers process inside the platform.

Privacy queries can be sent to privacy@clinstead.com. For data-subject rights requests, see Your rights below.

02

Scope of this policy

This policy applies to the clinstead.com marketing site and our sales interactions (e.g. demo booking, email exchanges, documentation downloads). It does not describe how participant or study data is processed inside the platform — that is governed by the Data Processing Addendum agreed with each customer.

03

What we collect

We collect a deliberately small set of categories:

  • Information you give us. Name, work email, organisation, role, and any free-text context you provide when booking a demo, replying to an email, or contacting sales.
  • Booking metadata. When you book a demo we record the date, time, and timezone you selected, plus any study scope fields you optionally filled in (phase, cohort size, focus areas).
  • Technical data.IP address, user agent, referrer, and basic page-view information collected by our hosting provider's logs. We do not run third-party analytics or advertising trackers on clinstead.com.
  • Communications. The content of emails, support messages, and meeting notes you exchange with our team.

We do notcollect special-category data (Article 9 GDPR) through the marketing site. Patient and study data processed inside SteadOS / SteadReach is covered by the DPA.

04

Why we process it

We rely on the following lawful bases:

  • Legitimate interests — to respond to demo requests, support pre-sales conversations, and keep our website secure and operational.
  • Contract — to negotiate, enter into, and perform agreements with customers.
  • Consent — for any future marketing emails or newsletter signups (we do not run a newsletter at present; if we start one, opt-in will be explicit).
  • Legal obligation — to comply with tax, accounting, and regulatory requirements applicable to a UK company.
05

Who we share it with

We share personal data only with sub-processors that help us run the business and only to the extent necessary. Our current sub-processors for clinstead.com are:

Sub-processorPurposeRegion
Vercel Inc.Website hosting and edge deliveryEU / US
Cloudflare Inc.DNS, DDoS protectionGlobal edge
Google WorkspaceBusiness email, calendar, meetEU / US

A full list of sub-processors used to deliver the Clinstead platform itself is maintained in the Data Processing Addendum.

We do not sell, rent, or trade personal data, and we do not share it with advertisers.

06

How long we keep it

We keep personal data only as long as we need it for the purpose it was collected for.

  • Demo bookings and sales correspondence — up to 24 months from last contact, then deleted or anonymised.
  • Customer records — for the duration of the contract plus 7 years for tax and audit purposes.
  • Website logs — 30 days, after which they are aggregated and the originals deleted.
07

Cookies and similar technology

clinstead.com runs without analytics cookies, advertising cookies, or third-party trackers. The only state we may store in your browser is strictly-necessary technical data — for example, a session cookie if you sign into a future customer portal.

If we ever introduce analytics or marketing cookies, we will update this policy and ask for your consent through a banner that lets you decline without losing functionality.

08

International transfers

Some sub-processors are based outside the UK and EU. When personal data is transferred to such providers, we rely on:

  • The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs;
  • EU Standard Contractual Clauses (2021/914);
  • An adequacy decision where one applies.

For data processed inside the Clinstead platform, customers can select EU, US, UK, or ANZ residency at the study level — see the DPA for detail.

09

How we protect it

We follow defence-in-depth principles: TLS 1.3 in transit, AES-256 at rest, hardware-backed MFA on all administrative accounts, principle-of-least-privilege access, and regular third-party penetration testing. See the security overview for the full programme.

10

Your rights

Under UK GDPR and EU GDPR you have the right to ask us to:

  • Access the personal data we hold about you;
  • Correct inaccurate data;
  • Erase data we no longer have a basis to hold;
  • Restrict or object to processing;
  • Port your data to another provider in a structured machine-readable format;
  • Withdraw consent at any time where we rely on it.

Send rights requests to privacy@clinstead.com. We respond within one month and will not charge a fee unless the request is manifestly unfounded or excessive.

You also have the right to complain to a supervisory authority. In the UK, that is the Information Commissioner's Office (ICO).

11

Changes to this policy

We version this document. Material changes will be communicated to customers in advance and to website visitors via a banner on the landing page. The footer always shows the latest version and date.

12

Contact

Clinstead Ltd
Registered in England and Wales.
Email: privacy@clinstead.com
General enquiries: hello@clinstead.com

Need a signed copy or a redline? Write to legal@clinstead.com with your organisation, jurisdiction, and the document(s) you'd like reviewed. We typically turn requests around within two business days.