Privacy Policy

v2.1 01 MAR 2024

ChilliBean Limited T/A ChilliPharm (hereafter referred to as ChilliPharm) has created this privacy policy to demonstrate our commitment to the privacy of the users of our website www.ChilliPharm.com. ChilliPharm is committed to protecting your privacy by ensuring that any personal data is collected and used lawfully and transparently. When delivering our online platform we are deemed as a Data Processor.

Please read the following to learn more about our privacy policy, and how we treat personally identifiable information collected from our visitors and users.


Who are we?

ChilliPharm is a software as a service (SaaS) company which develops and supports the clinical video management Web Application ChilliPharm.com along with the ChilliPharm Filming Kit and Facial Redaction as supporting services. Specialising in video archiving, ChilliPharm provides a secure and reliable platform for filming, uploading and sharing patient videos to selected authorised users for examination in a clinical trial setting.

When providing these services, we take our responsibilities regarding data protection very seriously and are bound by all applicable data protection laws in respect of the handling, processing and collection of data. All employees who handle personal and business data are fully trained to ensure that the data is processed in line with the General Data Protection Regulations 2018 (GDPR) as well as The Data Protection Act 2018 (DPA 2018).


Personal Data we collect or process

The type and frequency of any personal data collected will always depend on how our website and services are used. If you do not wish to provide us with certain categories of personal data, you may not be able to use our services in their entirety.


Personal Data provided to us

We use electronic contact forms across our websites. These forms will prompt users to input basic contact details so we can reply to your inquiries, to provide you with requested products and services, to set up your account, and to contact you regarding new products and services. You may also provide data to us when registering for a vacancy or when corresponding with us by phone, email, letter or social media. It is important that the personal data we hold about you is accurate and current. You should keep us informed if your personal data changes during your relationship with us.


Personal Data collected by us

Where you ask us to provide services, we may be required to process additional categories of personal data relating to you or other parties to ensure the full provision of services we have been contracted for. We may also collect additional data from you as part of our recruitment process, during your employment or when you visit our offices via CCTV.


Personal Data from other sources

We may receive information about you and/or your company from specific third parties such as our clients, business partners, sub-contractors, advertising networks, analytics providers, hosting providers and search information providers.


Special categories of Data

In provision of our services to our Clients we process Special Category Data captured during the course of a clinical trial. Special category data is a more sensitive type of data which reveals insights about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation. We also in certain circumstances process child data dependent on the patient requirements of the clinical trial. Sensitive data collection will only take place where it is applicable to the provision of the services that we are contracted to provide. The fundamental rights of the data subjects are always assessed to ensure that the processing is fair, transparent and lawful.


Online identifiers

ChilliPharm use FullStory in order to better understand our users’ needs and to optimise this service and experience. Fullstory is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Fullstory uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Fullstory stores this information on our behalf in a pseudonymised user profile. Fullstory is contractually forbidden to sell any of the data collected on our behalf.

For further details, please see the ‘Why Fullstory’ section of FullStory’s customer website. ChilliPharm automatically receives and records non-personal information on our server logs from your browser including your IP address, cookie information and the page you requested. ChilliPharm may use this information to customise the advertising and content you see and to fulfill your requests for certain products and services. However, ChilliPharm does not connect this non-personal data to any personal information collected from you.


By accessing the services of ChilliPharm and voluntarily providing us with the requested personal information, you consent to the collection and use of the information in accordance with this privacy policy.

Our legal basis for processing

Before processing any personal data, we ensure that at least one lawful basis under GDPR is met. We will not disclose personal data for any purpose other than what the data was originally collected for, unless there is an overriding legal basis that enables this processing.

We may collect, hold, use and disclose the information collected to compile statistical data and to maintain our database; to develop or improve our website; respond to any queries; notify you of any upcoming marketing, training or other events that we think may be of interest to you; manage quality control and compliance issues; manage systems administration; provide you or your organisation with advice; notify you about important changes or developments to our services; contact you for your views on our services or to determine the suitability for employment. We may also process your personal data in the following circumstances.


To Perform Our Service Under the Contract

We process information in order to support and maintain our existing or potential contractual relationships under the lawful basis ‘performance of a contract’. We may process personal data or special category data in order to provide various client services, take payments and to make improvements to our service offerings. The lawful basis which we often rely on to process data for the duration of servicing on your account and for the decision to enter an initial or any subsequent contract is under our ‘legitimate interests’. Ensuring our administrative and IT systems are secure and robust against unauthorised access also falls under this basis.


To defend Legal Issues

We have a ‘legitimate interest’ to process data which may assist us in connection with the establishment, exercise or defence of legal claims.


When you apply for a vacancy

You provide several pieces of data to us directly during the recruitment process. In some cases, and to facilitate our ‘Legitimate Interests’ we will collect data about you from third parties, such as employment agencies and former employers when gathering references. Should you be successful in your job application, we will gather further information from you, for example, your bank details and next of kin details, once your employment begins. We have a Legal Obligation to ensure you have a right to work in the UK and make reasonable adjustments for you if you have a disability. The ongoing lawful basis we rely on to process your data will be under our legal obligations or legitimate interests which may include assessments made on salary or bonuses.


ChilliPharm may only disclose your personal information on a confidential basis to external third parties who work on behalf of ChilliPharm to provide products and services requested by you. When we share data with an external third party, these operations are governed by a Data Processing Agreement (DPA) and we perform regular due diligence on any external companies we work with to ensure that high levels of data integrity are maintained.

Any transfers taking place outside the EEA are only permitted with the provision of an Adequacy decision, Standard Contractual Clauses (SCCs) or any other lawful transfer mechanism.

ChilliPharm may otherwise disclose your personal information when:

  • We have your express consent to share the information for a specified purpose;
  • We need to respond to subpoenas, court orders or such other legal process;
  • We need to protect the personal safety of the users of our websites or defend the rights or property of ChilliPharm;
  • We find that your actions on our websites violate the ChilliPharm Terms of Use document or any of our usage guidelines for specific products or services.

Before any data is shared, we ensure that all technical and organisational controls are firmly in place and a data protection impact assessment is undertaken, where applicable, if the sharing or transfer is considered high risk. We do not sell your data to any third parties.

We use technologies such as Cookies to provide, improve, protect and promote our Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with our Services, and improving them based on that information. You can set your browser to not accept cookies, but this may limit your ability to use the Services.

Unfortunately, no data transmission over the Internet can be considered 100% secure. However, your ChilliPharm Information is protected for your privacy and security. In certain areas of our websites, as identified on the site, ChilliPharm uses industry-standard SSL-encryption to protect data transmissions. We take all reasonable precautions to keep your personal information secure, including safeguards against unauthorised access, use, or data loss. This includes ensuring our staff, partners and any third parties who perform work on our behalf comply with security standards as part of their contractual obligations. We use a cloud provider with servers based within the EU jurisdiction, and as a company we promote a ‘paperless’ culture. Furthermore, ChilliPharm retains your personal information only as long as necessary to fulfil the purposes identified above or as required by law.

ChilliPharm will retain your personal information for as long as is necessary for the purposes described above, unless there is an overriding legal ground. We will not retain data if it is deemed unlawful to do so. Typically, we will retain your data to fulfil our business purposes, to comply with legal and regulatory requirements, or for any legal claims. We may keep your data for longer where this is necessary for statistical and historical research purposes. However, we will ensure all personally identifiable information is removed at the appropriate time.

All data subjects have individual rights. On a case by case basis, you have the following rights in relation to your personal data processed by ChilliPharm:

  • The right to be informed about how your personal data is collected and used
  • The right to request access to a copy of any personal data that we hold about you
  • The right to rectify personal data we may hold which is identified as incorrect or misleading
  • The right to erasure of any personal data; also known as ‘the right to be forgotten’
  • The right to restrict further processing of your personal data
  • The right to data portability where technology allows us to send personal data onto a new processor
  • The right to object to the processing or certain processing activities
  • Rights in relation to automated decision-making including profiling.

As a company we do not operate any automated decision-making systems. Please be aware that the rights listed in this section only apply to individuals and cannot be used to request data relating to business entities. Please be aware that your rights of access do not entitle you to physical or digital copies of any documentation we hold.

If you do not consent to the collection, use or disclosure of your personal information as outlined in this policy, please do not provide any personal information to ChilliPharm. If you have provided personal information to ChilliPharm and no longer consent to its use or disclosure as outlined herein, please notify ChilliPharm at [email protected].


The Policy (the “California Residents Notice”) provides additional information for California residents, as required under the California Consumer Privacy Act of 2018 (“CCPA”). This section is effective as of January 1, 2020. We may update this section, our relevant data practices, or our processes for handling CCPA requests, in response to the final CCPA regulations or other CCPA legal developments.

ChilliPharm (“we”, “us” and “our”) is the ‘data controller’ for the personal information you share with us. If you have any specific concerns around the privacy of your personal information or require further information about how we manage your personal information, please get in touch with us directly at [email protected].

This California Residents Notice applies to the personal information we collect, both online and offline, about California consumers, including personal information that we collect:

  • From users of our Websites, including the services available via our Websites
  • About clients and individuals that use or enquire about our related services that we make available
  • About individuals that reply to our emails or communications, visit our offices, or otherwise communicate or engage with us
  • About individuals from clients and others related to the Services we provide

We automatically collect and store only the following information about your visit: The Internet domain and IP address (a number that is automatically assigned to your computer whenever you are surfing the web) from which you access our website; the type of browser and operating system used to access our site; the date and time you access our site; the pages you visit, device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymised user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

As used in this California Residents Notice, “personal information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household; it does not include publicly available information made lawfully available by state or federal governments or anonymised information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked directly or indirectly to a particular individual.

A list of what is defined under the CCPA as personal information includes:

  • Direct identifiers such as real name, alias, postal address, social security numbers, driver’s license, passport information and signature
  • Indirect identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names
  • Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data
  • Geolocation data such as location history via devices
  • Internet activity such as browsing history, search history, data on interaction with a webpage, application or advertisement
  • Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information

Our collection, use and disclosure of personal information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident. Pursuant to the CCPA, we may collect and disclose for a business purpose the following categories of personal information (as defined by the CCPA):

A. Identifiers
Examples: Name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
We Collect: YES | We Disclose: NO | We Sell: NO

B. Categories of Personal Information in Cal. Civ. Code 1798.80(e)
Examples: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment.
We Collect: YES | We Disclose: NO | We Sell: NO

C. Characteristics of Protected Classifications under California or Federal Law
Examples: Race or color, ancestry or national origin, religion or creed, age (over 40), mental or physical disability, sex (including gender and pregnancy, childbirth, breastfeeding or related medical conditions), sexual orientation, gender identity or expression, medical condition, genetic information, marital status, military and veteran status.
We Collect: NO | We Disclose: N/A | We Sell: N/A

D. Commercial Information
Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
We Collect: NO | We Disclose: N/A | We Sell: N/A

E. Biometric Information
Examples: Physiological, biological, or behavioural characteristics, including DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, or exercise data that contain identifying information.
We Collect: NO | We Disclose: N/A | We Sell: N/A

F. Geolocation Data
Example: Precise physical location.
We Collect: NO | We Disclose: N/A | We Sell: N/A

G. Sensory Information
Examples: Audio, electronic, visual, thermal, olfactory, or similar information.
We Collect: NO | We Disclose: N/A | We Sell: N/A

H. Professional or employment-related information
Examples: Job application or resume information, past and current job history, and job performance information.
We Collect: NO | We Disclose: N/A | We Sell: N/A

I. Non-Public Education Information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99)
Examples: Records that are directly related to a student maintained by an educational agency or institution or by a party acting for the agency or institution.
We Collect: NO | We Disclose: N/A | We Sell: N/A

J. Inferences Drawn from Personal Information
Examples: Consumer profiles reflecting a consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
We Collect: NO | We Disclose: N/A | We Sell: N/A

We may collect the above categories of personal information directly from you, automatically about your use of our Websites, and from third parties such as clients of our legal services, government and public entities and public records.

We use these categories of personal information we collect to provide our services and improve our offerings.

If you are a California resident, you may exercise the following rights.

Right to Know and Access. You may submit a verifiable request for information regarding the: (1) categories of Personal Information collected or disclosed by us; (2) purposes for which categories of Personal Information are collected by us; (3) categories of sources from which we collect Personal Information; and (4) specific pieces of Personal Information we have collected about you during the past twelve months.

Right to Delete. Subject to certain exceptions, you have the option to have Personal Information about you that we have collected from you, deleted.

Verification. Requests for access to or deletion of Personal Information are subject to our ability to reasonably verify your identity.

Right to Equal Service and Price. You have the right not to receive discriminatory treatment for the exercise of your CCPA privacy rights, subject to certain limitations.

Shine the Light. We do not rent, sell, or share your Personal Information with nonaffiliated companies for their direct marketing purposes.

Submit Requests. To exercise your rights under the CCPA, you can request directly via our [email protected] email address.

This Site is not directed to children under 13. We do not knowingly collect, use or disclose personally identifiable information from anyone under 13 years of age. If we determine upon collection that a user is under this age, we will not use or maintain his/her Personal Information without the parent/guardian’s consent. If we become aware that we have unknowingly collected personally identifiable information from a child under the age of 13, we will make reasonable efforts to delete such information from our records.

ChilliPharm may at any time, without notice to you and in its sole discretion, amend this policy from time to time. Please review this policy periodically. Your continued use of ChilliPharm websites after any such amendments signifies your acceptance thereof. If a revision meaningfully reduces your rights, we will notify you.


How to complain

ChilliPharm has a compliance team who can be approached for any questions, comments and requests regarding this statement, our privacy policy or our Information Security and Privacy Management System. We welcome communication around our policies and practices which can be directly contacted here: [email protected].

If you have any concerns about our use of your personal information, you can make a complaint to us at [email protected].

If you’re not happy with our response, or believe we’re not processing your personal data in accordance with the law, you can also approach the UK regulator for further guidance at www.ico.org.uk/concerns or in writing to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

If you are an EU citizen you can contact our EU Representative:

Nathan Trust
1st Floor
6 Lapps Quay
CORK 12CO
Ireland

Speak to us
+44 (0)207 479 7030

or email us
[email protected]