Privacy Policy

Data Controller

Medical Software Consulting is the data controller responsible for your personal information.

Information We Collect

We collect personal information lawfully and fairly, only to the extent necessary for our business activities. The categories of information we may collect include:

Information you provide directly

• Inquiry and contact forms: name, organization, email address, and the content of your message
• MSC Regulatory Watch feedback form: name, organization, email address, role, jurisdiction of interest, and feedback content
• Newsletter subscription: name and email address
• Seminar or service registrations: name, organization, email address, and other relevant contact details

Information collected automatically

• Website usage data via Google Analytics 4 (see Section 9)
• Server access logs, including IP address, browser type, and access timestamps

How We Use Your Information

We use personal information only for the following purposes. For users in the EEA and the UK, the corresponding legal basis under the GDPR / UK GDPR is indicated:

• Responding to inquiries and feedbackLegitimate interest / Consent
• Delivering newsletters and service updatesConsent (opt-in)
• Providing consulting servicesPerformance of contract
• Sending invitations to seminars and eventsConsent
• Complying with legal obligationsLegal obligation
• Improving our servicesLegitimate interest

We do not use your personal information for automated decision-making or profiling. We do not use personal information for any purposes other than those listed above.

Sharing & Third-Party Processors

We share personal information only in the following circumstances:

• With service providers who assist us in operating our services (listed below)
• Where required by law or legal process
• With your explicit consent

Main third-party processors

We engage the following processors to support our services. All processors are bound by appropriate data protection agreements and are subject to our oversight.

• Brevo (Sendinblue SA) — France
  Newsletter email delivery
• Google LLC — United States
  Analytics and document management
• XServer Inc. — Japan
  Website hosting

We may engage additional processors from time to time as necessary for our business operations, always under appropriate supervision.

International Data Transfers

Our services are operated from Japan, and personal information is stored and processed primarily in Japan.

For users in the European Economic Area (EEA) and the United Kingdom: Japan has been recognized by the European Commission as providing an adequate level of data protection (Adequacy Decision, January 2019). Transfers of personal information to Japan therefore do not require additional safeguards under the EU / UK GDPR.

Where personal information is transferred to processors outside the EEA, UK, or Japan (such as Google LLC in the United States), we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) or adequacy decisions where applicable.

Data Retention

We retain personal information only for as long as necessary for the purposes for which it was collected:

• MSC Regulatory Watch feedback responses3 years from receipt
• Newsletter subscriber informationUntil unsubscription + 30 days
• Consulting inquiries (no contract executed)3 years from last contact
• Consulting inquiries (contract executed)7 years from contract end
• Google Analytics data14 months (GA4 default)
• Server access logs3 months

After these periods, personal information is securely deleted or anonymized. Where longer retention is required by law, we retain the information for the applicable statutory period.

Security

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, loss, alteration, or disclosure. These measures include encrypted data transmission (HTTPS / TLS), access controls, regular security updates, and secure credential management. Where we engage processors to handle personal information on our behalf, we exercise appropriate oversight.

However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

Your Rights

Depending on your location, you have the following rights regarding your personal information. We will respond to verified requests within 30 days.

Rights available to all users

• Right to access your personal information
• Right to rectification of inaccurate or incomplete information
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to object to processing
• Right to withdraw consent (where processing is based on consent)

Additional rights for EU / UK users (GDPR / UK GDPR)

• Right to data portability
• Right not to be subject to automated decision-making
• Right to lodge a complaint with your national data protection authority

Additional rights for California residents (CCPA / CPRA)

• Right to know what personal information we collect and how it is used
• Right to delete personal information
• Right to opt out of the sale of personal information (note: we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, please contact us at info@medical-sc.com. We may need to verify your identity before fulfilling your request.

Google Analytics & Cookies

Google Analytics

We use Google Analytics 4 (Measurement ID: G-YSLBR8FSGW) to understand how visitors interact with our website. Google Analytics uses cookies to collect information such as pages visited, time spent, referring website, device type, and approximate geographic location.

We have enabled IP address anonymization, and the data is processed on an aggregated basis and is not used to identify individual visitors. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

For details on Google's data practices, see Google's Privacy Policy.

Cookies

Our website uses cookies to improve usability and analyze traffic. A cookie is a small data file that websites store on your device through your browser.

You can refuse cookies through your browser settings, although some website functions may not operate properly if cookies are disabled.

Children's Privacy

Our services are directed at professionals in the medical device regulatory field and are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at info@medical-sc.com.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable legal requirements. Material changes will be communicated through our website. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

We comply with applicable data protection laws and regulations, including Japanese law and other applicable international norms, and review this policy periodically to ensure ongoing compliance.

Contact Us

For questions, requests, or complaints regarding this Privacy Policy or our handling of your personal information, please contact: