CergenX Privacy Policy

Introduction

CergenX (“we”, “us”, “our”) is committed to protecting and respecting your privacy.

This Privacy Policy explains how we collect, use, disclose, store, and otherwise process personal data (“personal data” or “personal information”) in the context of our business, including our software as a medical device product, our website, employment functions, clinical research, and customer and partner relationships.

We are the Data Controller for the personal data described in this policy, unless expressly stated otherwise.

If you have any questions about this Privacy Policy or our data protection practices, please contact our Data Protection Officer (see registered office address and contact details below).

Scope

This policy applies to personal data processed by CergenX in relation to:

  • Current and prospective customers (including website visitors)

  • Employees and prospective employees (including candidates)

  • Contract personnel (including screeners and graders)

  • Study and trial subjects (including those involved in prospective studies)

  • Clinicians (including those involved in studies, trials and research activities)

  • Patients (including individuals on whom a CergenX medical device is used during clinical care or research activities).

Data we collect and process

Depending on the category of data subject, we may collect:

  • Website visitors: Contact information and technical usage data (e.g. cookies, IP address).

  • Employees and applicants: Identification, contact, contract, and HR records.

  • Screeners/graders: Identification details, access credentials, audit logs.

  • Study subjects: Anonymised EEG data and associated metadata (see Section 5 on anonymisation).

  • Patients: Health-related data captured or processed in the use of a medical device, subject to de-identification, anonymisation and secure transfer controls. 

Special categories of data

As a medical device company, we process special categories of personal data, including health data derived from EEG recordings and related metadata.

Where such data remain identifiable, we process them under one or more of the following lawful bases (as defined in the GDPR):

  • Article 9(2)(a): explicit consent of the data subject (and/or of the data controller providing the data);

  • Article 9(2)(i): processing necessary for public interest in the area of public health, ensuring high standards of quality and safety of medical devices; and/or

  • Article 9(2)(j): processing necessary for scientific research purposes, subject to appropriate safeguards and technical measures.

We implement robust measures to pseudonymise, anonymise and minimise the data we handle where possible (see Section 5 below).

Anonymisation and pseudonymisation

  • Data from hospitals, universities, or research partners are supplied to CergenX in fully anonymised or pseudonymised form.

  • No direct identifiers (e.g. patient names, IDs, addresses) are shared with CergenX; linkage keys, if any, remain solely under the control of the originating hospital or partner.

  • When personal data must be processed (e.g. for audit or traceability), we apply strong technical and organisational controls including encryption, access restriction and de-identification.

  • We continuously review our data flows and storage to ensure compliance with ISO 13485 requirements on product data integrity and FDA 21 CFR Part 11 (electronic records and signatures).

Purposes of processing & legal basis

We process personal data for the following purposes and on the following legal bases:

  • Website visitors

    • To respond to enquiries submitted via the “Contact Us” form, we rely on the basis of consent (where applicable) and/or legitimate interest (to respond to potential customer or partner enquiries).

    • To analyse website usage and improve our website/service, we rely on legitimate interest (our interest in operating and improving our website).

    • To set website cookies and tracking technologies, we rely on the basis of consent (where required by local law for optional cookies) or legitimate interest (for strictly necessary cookies).

  • Employees and job applicants

    • To administer recruitment, contracts, payroll, benefits, performance and other HR management activities, we rely on the basis of contractual performance (or the steps prior to entering such a contract), compliance with legal obligation (employment law, tax/social security law), and legitimate interest (running our business).

    • To comply with regulatory, audit and quality obligations (including ISO 13485, FDA 21 CFR Part 11 and other device-regulatory obligations), we rely on the basis of compliance with legal obligation and/or legitimate interest.

  • Contract employees

    • To manage contractor relationships, ensure secure access to systems, track usage and audit for quality and regulatory compliance, we rely on the bases of performance of contract, legitimate interest (quality, audit) and legal obligation (device regulation).

  • Study subjects and clinicians

    • To process anonymised EEG data for the development, verification and validation of our AI algorithm and product, we rely on the bases of legitimate interest (research & product development) and/or the explicit consent of the data subject (and/or of the hospital/partner).

    • To manage clinical-trial/feasibility study logistics, reporting, auditing and regulatory compliance, we rely on the basis of compliance with a legal obligation and/or consent.

  • Patients

    • To deliver the contracted product/service to hospitals/clinicians and ultimately patient care, we rely on the basis of the performance of contract (with the hospital/clinician) and related legal obligations (medical safety, quality).

    • To monitor and improve product safety, and for post-market surveillance and machine-learning algorithm improvement, we rely on the basis of legitimate interest and our regulatory obligations.

Automated decision making and AI processing

The CergenX medical device product uses artificial intelligence (AI) and machine-learning models to analyse EEG data and identify risk patterns associated with potential brain injury.

  • The system produces decision-support outputs intended to assist clinicians — it does not make autonomous medical or legally impactful decisions about patients.

  • Human clinical judgement alongside other clinical assessment (e.g., APGAR score, neurologic exams, etc.) is always required to capture results and determine diagnosis or treatment.

  • We implement validation, traceability, and audit controls in accordance with ISO 13485 and applicable regulatory requirements on AI/ML-based medical devices.

Disclosure and sharing of personal data

We may share data:

  • With authorised processors (see Section 9).

  • With partner hospitals, universities, and research institutions under written Data Processing Agreements (DPAs), Data Transfer Agreements (DTAs) and/or Collaboration Agreements, which define roles, responsibilities, security measures, and permitted uses of data.

  • With regulators, auditors, or authorities as required by law.

  • With acquirers or affiliates in case of corporate restructuring, subject to appropriate safeguards.

We do not sell personal data.

Processors and international transfers

We use trusted third-party processors to provide infrastructure and support services. These include:

  • Framer.com (website hosting)

  • Amazon Web Services / AWS (cloud computing and storage)

  • Google (Workspace / Gmail)

  • BrightPay (payroll)

  • Xero (accounting)

  • Qualio (eQMS)

  • DocuSign (e-signature tool)

Transfers outside the EEA / UK are governed by approved mechanisms such as Standard Contractual Clauses or adequacy decisions.

Data retention

We retain personal data only for as long as necessary for the purposes outlined above and to meet legal and regulatory requirements, including compliance with the strictest interpretations of health and privacy regulatory standards on data retention, including HIPAA, ICH-GCP, 21 CFR Part 11 and GDPR.

Once the retention period expires, data will be securely deleted or anonymised for archival use.

Data security and quality

CergenX maintains technical and organisational measures aligned with ISO 13485, FDA 21 CFR 820, and industry best practice to protect the confidentiality, integrity and availability of personal data. Measures include:

  • Encryption (in transit and at rest);

  • Access control and least-privilege principles;

  • System audit trails and logging;

  • Regular security testing and supplier risk assessments; and

  • Employee training on data-protection and security practices.

Your rights

Under the GDPR (and UK GDPR) you have the following rights (subject to legal limitations):

  • The right to access your personal data (Article 15)

  • The right to correct inaccurate or incomplete personal data (Article 16)

  • The right to erasure (right to be forgotten) (Article 17)

  • The right to restrict processing (Article 18)

  • The right to data portability (Article 20)

  • The right to object to processing (Article 21), including where we rely on legitimate interests

  • The right not to be subject to decisions based solely on automated processing (Article 22) unless appropriate safeguards apply

  • The right to withdraw consent at any time (when processing is based on consent)

To exercise these rights or ask questions, please contact our Data Protection Officer (see contact details below).

You also have the right to complain to your local supervisory authority (e.g., in Ireland, where CergenX is based, the office of the Data Protection Commissioner).

Cookies and analytics

Our website uses cookies and similar technologies to collect limited usage data (e.g., IP address, device/browser type, page visits, time on site). You may control cookies through your browser settings. 

Changes to this privacy policy

We may update this policy from time to time (for example to reflect changes in our processing practices or legal/regulatory changes). When we do so, we will publish the updated version on our website and indicate the effective date. We encourage you to check this page regularly. 

Contact information

If you have questions about this Privacy Policy, or if you wish to exercise your rights as a data subject or lodge a complaint, please contact:

Data Protection Officer
CergenX Limited
23 Green Park, Orwell Road, Rathgar, Dublin, Ireland.
privacy@cergenx.com 

Last updated: 21 January 2026