SaaS Privacy Policy

Last updated: January 27, 2026

This policy explains how we handle data in TrialTrack and VendorVigilance (the "Services").

Our role

Mayet acts as data controller for account information (email, organisation) and as data processor for operational data entered into Services (studies, tasks, sites, vendors, participants).

What we collect

  • Account data: Email address, role, organisation name
  • Operational data: Studies, tasks, sites, vendors, participants, and related records you create
  • Usage data: Audit logs, timestamps, IP addresses for security and compliance purposes

The Services are designed for operational task management, not for storing patient health records or personally identifiable patient data.

How we use your data

  • To provide and maintain the Services
  • To authenticate users and enforce permissions
  • To generate audit trails for compliance purposes
  • To send transactional notifications (e.g., task reminders, system alerts)
  • To respond to support requests

Legal basis (GDPR)

  • Contract: Processing necessary to provide the service you signed up for
  • Legitimate interest: Security, fraud prevention, service improvement
  • Legal obligation: Where required by law

Subprocessors

Provider | Purpose | Location
Heroku (Salesforce) | Hosting infrastructure | EU / US
Customer.io | Transactional email | US
HelpScout | Customer support | US

Mayet maintains contracts with each subprocessor requiring data protection and will notify customers of material changes.

Data location

Services are hosted in AWS data centres via Heroku. Data is stored in EU (Dublin) or US (Virginia) based on customer location. For EU customers with US-based subprocessors, Mayet relies on Standard Contractual Clauses and equivalent safeguards.

Data retention

  • User account data: Retained while the organisation's account is active
  • Organisation deletion: All data permanently deleted within 30 days with complete, uneditable audit trail export provided beforehand
  • Individual account deletion: Individual user accounts cannot be deleted while organisation remains active, as user identity is embedded in audit trails required for regulatory compliance. Users can be disabled by an organisation Admin, but historical actions remain part of audit records.

Your rights

Under GDPR, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent (where applicable)

Note: Individual user data cannot be deleted while your organisation's account is active, as it forms part of the regulatory audit trail. If your organisation closes its account, all data including audit records will be deleted. This retention is necessary for compliance with ICH E6(R3), 21 CFR Part 11, and EU Annex 11, and is exempt from individual erasure requests under GDPR Article 17(3)(b).

To exercise these rights, contact Mayet. If you believe your rights have been violated, you may lodge a complaint with the Information Commissioner's Office (UK) or your local EU data protection authority.

Security

Mayet implements technical and organisational measures including encryption in transit (TLS 1.2/1.3), encryption at rest (AES-256), role-based access controls, and continuous backups. The company is Cyber Essentials Plus certified.

Data Processing Agreement

Business customers requiring a Data Processing Agreement for vendor qualification can contact Mayet to request one.

Changes to this policy

Mayet may update this policy from time to time. Material changes will be communicated via email or in-app notification.