Global Privacy Policy

Your privacy is important to us. This Global Privacy Policy explains how MediChain Global and its group entities (“MediChain Global,” “we,” “our,” or “us”) process personal data, and for what purposes.

MediChain Global is committed to ensuring that your privacy is protected. We comply with applicable data-protection laws and other laws governing tracking technologies (such as cookies), electronic communications, and the processing of personal data in each jurisdiction in which we operate (together, the “Data Protection Laws”).

This Policy explains what data we collect, how it is collected, why we use it, when and with whom we may share it, and the rights and choices you have in relation to it.

This Policy applies where MediChain Global receives personal data through our interactions with you when we conduct our business — including through our website, our B2B marketplace and contracting platform (the “Platform”), email and other communication channels, support requests, and where data is shared with us directly by you or, subject to appropriate permissions, by your organization.

This Policy does not apply to any third-party websites, services, or applications, even if accessible through the Platform or if the Platform is accessed through them.

For the purposes of this Policy, the personal data we process relates to the people we interact with — including representatives of Sponsors, Vendors, partners, and suppliers (or the individuals representing those organizations), and any other person we interact with. This Policy does not apply to information relating solely to corporations, organizations, or other legal entities, since Data Protection Laws apply only to information relating to natural persons. Information relating to organizations may nonetheless be protected by confidentiality obligations under the relevant Contract, which we take equally seriously.

Where you are located in a jurisdiction with additional local Data Protection Law requirements (e.g. the UK, EEA, Switzerland, or other regions), the relevant additional rights are set out in Section 11 (Your Rights) below.

In this Policy, “MediChain Global,” “we,” “our,” and “us” refer to MediChain Global and its group entities operating the Platform.

We determine the purposes and means of processing the personal data described in this Policy and act as the data controller (or equivalent term) for the purposes of applicable Data Protection Laws, except where we act as a processor on behalf of a Sponsor or Vendor in relation to project-specific data, as described in Section 7.

If you have any questions, concerns, or complaints about this Policy or how your personal data is handled, please contact us using the details in Section 16 (Questions or Complaints).

The personal data we receive about you depends on the context of your interactions with us — including your role, the features you use, your account settings, your location, and applicable law.

3.1 Information you give us

• Account & registration: when you register an organization, create a user account, or are added as an authorized user, we collect your name, work email, phone number, job title, role within your organization, and password (stored hashed).
• Organization & profile data: legal name, registration number, address, industries served, service categories, certifications, facility information, and authorized-signatory details, provided as part of onboarding or profile updates.
• RFPs, bids & contracts: the content of Requests for Proposal, bids, clarification messages, Contract terms, milestone submissions, and signature events, where these include your name or contact details.
• Payments & payouts: billing details and, for Vendors, payout instrument details (e.g. bank account or UPI identifiers) needed to process escrow releases.
• Support & correspondence: information you provide when you contact us for support, including your name, organization, email, and the content of your message.
• Documents you upload: certifications, facility proofs, NDAs, deliverables, and dispute evidence, where these contain personal data of your representatives.

3.2 Information we collect automatically

• Operational & security telemetry: IP address, device and browser type, operating system, login timestamps, session identifiers, and in-platform action logs — used for authentication, audit trails, fraud prevention, and security.
• Cookies: we use strictly necessary session and authentication cookies to keep you signed in and to maintain platform security. We do not use third-party advertising or cross-site tracking cookies. See Section 13 (Cookies) for details.

3.3 Information provided by others

• Your organization: where you are a representative of a Sponsor or Vendor, your organization (or its administrators) may provide us with your name, email, job title, role, and contact details when adding you as an authorized user.
• Other platform users: where another organization interacts with you through the Platform (e.g. as the counterparty to an RFP, bid, or Contract), information you exchange through that interaction is processed by us as described in this Policy.
• Publicly available sources: we may verify organization details (e.g. company registration status) against publicly available registries or government sources as part of onboarding verification.

3.4 Special category data

Please do not submit any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation (including, without limitation, any patient or research-subject data) (“Special Categories of Personal Data”), or any information relating to criminal convictions or offences, on the Platform, in any communication with us, or in any uploaded document — unless this is project data whose handling is governed entirely by the relevant Contract between Sponsor and Vendor and does not require MediChain Global to process it as a controller. By using the Platform, you instruct us to remove any such data that is submitted to us in our capacity as controller, although we are under no obligation to actively check for, or remove, such data.

We collect and process personal data about you to:

• communicate with you and respond to requests and enquiries;
• create and administer accounts and provide log-in access to the Platform;
• operate the marketplace, contracting, escrow, and execution-tracking features (RFPs, bids, Contracts, milestones, Agreement Documents, signature audit trails);
• verify business identity, review certifications, and compute trust/tier scores;
• process escrow funding, milestone-based releases, commission deductions, and vendor payouts;
• provide billing, invoicing, identification, and authentication;
• maintain immutable audit trails for compliance and dispute-resolution purposes;
• analyze, develop, and improve the function and performance of the Platform;
• manage the security and operation of our systems and networks;
• comply with applicable laws and regulations in the operation of our business; and
• send you platform notifications (RFP/bid/contract/escrow/dispute updates) and, where you have not opted out, optional product or marketing communications.

We may combine personal data we receive from different sources described above. We may also anonymize or aggregate information we collect and use it for any purpose, including research and product development — such information will not identify you individually.

We do not sell personal data to other organizations for commercial purposes, except to provide services you have requested, with your permission, or as otherwise set out in this Policy.

For personal data collected from individuals in the UK, EEA, Switzerland, or other jurisdictions with an equivalent “legal basis” requirement, our basis for processing is:

• Performance of a contract — to provide you and your organization access to the Platform, operate RFPs, bids, Contracts, escrow, and payouts, and otherwise administer our contractual relationship with your organization.
• Legitimate interests — to verify business identity and compute trust/tier scores; to analyze, develop, and improve the Platform; to maintain security and prevent fraud; and to manage our relationship with your organization, balanced against your rights and interests.
• Compliance with legal obligations — e.g. retaining audit trails, escrow, and tax records for the periods required by applicable law.
• Consent — for optional features and any marketing communications, which you may withdraw at any time as described in Section 9.

The Platform computes trust scores and Tier (A/B/C) classifications using automated rules based on verification outcomes, certifications, ratings, performance history, and dispute records. These scores influence visibility and eligibility for certain RFPs but do not result in any decision producing legal or similarly significant effects without the possibility of human review. If you believe a tier or score classification is incorrect, you may request a manual review using the contact details in Section 16.

Except as set out in this Policy, MediChain Global does not determine the purposes and means of processing personal data that Sponsors and Vendors place on or share via the Platform between themselves. When you initiate or respond to an RFP, bid, or Contract, the counterparty organization (and its authorized users) will receive the information you submit as part of that interaction, together with platform admins acting in their verification, escrow, and dispute-oversight role. Sponsors and Vendors are responsible for ensuring that any sharing of personal data between them complies with applicable Data Protection Laws.

We may also share your personal data:

• with other MediChain Global group entities, where necessary to provide the Platform or fulfil the purposes in this Policy;
• with sub-processors and infrastructure providers under data-processing agreements (see Section 8);
• with our payment-processing / payout provider, to the extent necessary to fund escrow and process Vendor payouts;
• when required by law, regulation, court order, or to establish, exercise, or defend legal claims, including in connection with a dispute raised under the Dispute Resolution Clause;
• to protect MediChain Global, our users, or others — e.g. to investigate or prevent fraud, security incidents, or violations of our Terms of Use; and
• in connection with a merger, acquisition, financing, restructuring, or sale of assets, in which your information is among the assets transferred, subject to the acquiring party honoring this Policy for previously collected data.

We do not sell your personal data to third parties for monetary or other valuable consideration.

We engage third-party service providers to help us operate the Platform and perform functions on our behalf, including providers of:

• cloud hosting, application infrastructure, and database services;
• private object storage for documents, certifications, deliverables, and Agreement Documents;
• transactional email delivery (account, RFP, contract, escrow, and dispute notifications);
• payment processing and vendor payouts for escrow funding and releases;
• analytics used to understand and improve Platform usage; and
• professional services such as auditors, legal, and other advisors.

These providers may access personal data only as necessary to perform services on our behalf and are contractually restricted from using it for any other purpose. Our services may also contain links to third-party websites; any information you provide to such sites is governed by their own privacy policies, not this Policy.

You can decline to submit certain information to MediChain Global, although this may prevent you from using the Platform, prevent us from providing certain services to you, or prevent your organization from transacting with other organizations via the Platform.

Your organization's administrators may change or limit the use and disclosure of personal data, update profile information, or close an account by contacting us using the details in Section 16.

We treat all personal data we collect as relating to individuals' business contact details, and our communications with you are therefore “business to business,” not “business to consumer.” If you believe this does not apply to you, or you are in a jurisdiction where opt-in consent is specifically required for us to send you marketing communications even in a B2B capacity, please contact privacy@medichainglobal.com. You may stop receiving direct marketing at any time by clicking the “unsubscribe” link in our marketing emails, or by following the instructions in the original message.

The Platform is intended for business use by adult representatives of registered organizations and is not directed at, and should not be used by, individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have done so, we will delete it.

11.1 United Kingdom, European Economic Area, or Switzerland

If you are located in the UK, Switzerland, or the EEA, you may exercise the following rights in relation to our processing of your personal data, to the extent they apply to you. In some cases we may be unable to fulfil a request — for example, where doing so would be unreasonably burdensome or would violate the rights of someone other than you — and we will explain why.

To exercise any of these rights, submit a request to the contact details in Section 16. We may request specific information from you to confirm your identity before responding.

11.2 India and other jurisdictions

If you are located in India or another jurisdiction with equivalent statutory rights (e.g. under the Digital Personal Data Protection Act, 2023, or the IT Act, 2000 and associated rules), you have corresponding rights to access, correct, update, and request erasure of your personal data, to the extent applicable, and to grievance redress. You may exercise these rights, or raise a grievance, using the contact details in Section 16. We aim to acknowledge grievances promptly and resolve them within the timeframe required by applicable law.

Ensuring the security of your information is an important part of our business. We take commercially reasonable and appropriate technical and organizational measures to protect against unauthorized access to, or unauthorized alteration, disclosure, or destruction of, personal data, including:

• passwords hashed using industry-standard algorithms (bcrypt) and never stored or transmitted in plain text;
• encryption in transit (TLS 1.2+) for all traffic between your browser and the Platform;
• encryption at rest for our database and document storage (managed by our cloud providers);
• role-based access controls restricting every protected route and document to authorized users (the relevant Sponsor, Vendor, and platform admins);
• document downloads (certifications, deliverables, Agreement Documents) served via short-lived, signed URLs rather than public links;
• immutable, append-only audit logs for sensitive actions (contract signatures, escrow releases, dispute decisions); and
• restricted internal access — personal data is accessible only to personnel and contractors who need it to operate, develop, or improve the Platform, and who are bound by confidentiality obligations.

It is important that you also protect your account: do not share your login credentials, and sign out of shared devices after use. The internet and email are inherently insecure — communications may pass through multiple jurisdictions and could be intercepted by third parties. We cannot accept responsibility for unauthorized access or loss of personal data that is beyond our reasonable control. In the event of a data breach affecting your personal data, we will notify you and, where required, the relevant supervisory authority, without undue delay and in accordance with applicable law.

We use strictly necessary session and authentication cookies to keep you signed in, maintain platform security, and remember basic preferences (such as theme). These cookies are essential to the operation of the Platform and cannot be disabled without affecting your ability to log in. We do not use third-party advertising or cross-site tracking cookies, and we do not permit third parties to place advertising cookies through the Platform.

To provide the Platform, it may be necessary for your personal data to be processed in, or transferred to, countries other than the one in which you are located — for example, where our cloud hosting, storage, email, or payment-processing providers operate infrastructure. Such transfers may be to countries whose data-protection laws differ from those in your jurisdiction. Where you are based in the UK, Switzerland, or the EEA, any such transfer is made subject to Standard Contractual Clauses or another transfer mechanism recognized as adequate under applicable law.

We retain personal data for as long as your organization has an active account, and typically for a further period afterwards to allow us to deal with any issues relating to the services or your account, and to bring or defend legal claims. Specific retention periods include:

We may retain personal data for longer where required or permitted by applicable law, for legal, contractual, tax, or regulatory reasons, or for our own internal audit and record-keeping purposes. We will only use personal data for the purposes for which it was collected, unless we reasonably consider another purpose to be compatible, or we obtain your consent to a materially different purpose before further processing.

You can direct any questions or complaints about the use or disclosure of your personal data to privacy@medichainglobal.com. We will investigate and aim to resolve any complaint within 45 days of receipt. Where you are exercising one of the rights set out in Section 11, we will respond within one month of receipt (extendable as permitted by applicable law for complex requests).

If you are in the UK, you may also contact the Information Commissioner's Office (ICO) at www.ico.org.uk. If you are in the EEA, you may contact your local data-protection authority. If you are in India, you may also raise a grievance with our Grievance Officer at privacy@medichainglobal.com, in accordance with the Information Technology Act, 2000 and rules made thereunder.

MediChain Global aligns with CDSCO / DCGI guidance to the extent that it does not engage in the practice of medicine, manufacturing, or clinical research. The Platform facilitates commercial transactions between regulated entities and processes personal and project data only as necessary to support that facilitation role. MediChain Global does not own clinical research data, raw study data, or any scientific output transacted through the Platform — ownership defaults are specified in each Contract (sponsor / vendor / joint).

This Policy may change from time to time, consistent with developments in our practices, the Platform, or applicable law. We expect most changes to be minor; where changes are material, we will provide more prominent notice (including, where appropriate, email notification) before they take effect. The “Version” date at the top of this page indicates when this Policy was last revised. Unless stated otherwise, the current version of this Policy applies to all information we hold about you and your account.

For privacy-related questions or to exercise your rights, email privacy@medichainglobal.com. For general legal queries, email legal@medichainglobal.com.