Privacy Policy

Effective date: 29 April 2026 · Version 1.0.0

1. Who we are

EUDAPrep is a document-processing and XML-generation tool for EUDAMED medical-device registration submissions. The service is operated by Stalwart Consulting Ltd, a Hong Kong limited liability company (referred to in this policy as “EUDAPrep,” “we,” or “our”).

EUDAPrep is established outside the European Union and offers services to data subjects in the EU on a non-occasional basis. An EU representative under GDPR Article 27 is currently being arranged; until the appointment is finalised and published in this policy, please direct all GDPR enquiries to privacy@eudaprep.com or to your local supervisory authority.

Questions about this policy or about how we handle personal data may be sent to privacy@eudaprep.com.

2. What this policy covers

This policy describes how we process personal data through the EUDAPrep web application at app.eudaprep.com, the public marketing site at eudaprep.com, and any related email or notification services.

When EUDAPrep is used by a medical-device manufacturer or its representative to process documents on behalf of that manufacturer, EUDAPrep is a data processor under GDPR Article 28 and the manufacturer is the controller. Our Data Processing Agreement governs that relationship and prevails over this policy where they diverge. This policy describes the processing for which EUDAPrep is the controller — primarily the account, authentication, billing, and audit-trail data tied to the user’s individual EUDAPrep account.

3. Categories of personal data we process

Category                       Examples
Account identity               Email address, hashed password, account creation timestamp
Authentication metadata        Login timestamps, session tokens, IP address at sign-in
Disclaimer acknowledgements    User ID, email at time of click, IP address, browser identifier (user-agent), version of disclaimer accepted, timestamp
Submission audit trail         Document hashes, model and prompt versions, mapping decisions, final XML hash
Billing                        Stripe customer ID, subscription status, invoices (payment card data is held by Stripe, not by us)
Document content               Files you upload (IFUs, labels, certificates) may contain names, signatures, or contact details of regulatory staff. This processing is governed by the DPA between us and your organisation.

4. Lawful basis for processing

We rely on the following lawful bases under GDPR Article 6(1):

  • Performance of a contract (Art. 6(1)(b)) — for account, authentication, billing, and the core service of preparing your EUDAMED XML.
  • Compliance with a legal obligation (Art. 6(1)(c)) — for tax records, records required by Hong Kong companies legislation, and other statutory retention requirements.
  • Legitimate interests (Art. 6(1)(f)) — for service security (intrusion detection, abuse prevention) and for retention of disclaimer acknowledgements and audit-trail records as evidence to defend legal claims (see Section 6 below). Our legitimate interests are balanced against your fundamental rights and freedoms; you may object under Art. 21.

We do not rely on consent (Art. 6(1)(a)) for any of the processing described above. The disclaimer acknowledgement you provide on first sign-in is an evidentiary record of contract terms acceptance, not GDPR consent.

5. Sub-processors and recipients

We rely on the following sub-processors to operate the service. All are contractually bound to GDPR-equivalent data protection terms:

Provider               Purpose                                                    Region
Supabase               Database, authentication, file storage                     EU (Frankfurt)
Vercel                 Application hosting, edge networking                       EU (Frankfurt)
Cloudflare             Marketing site hosting (eudaprep.com)                      Global edge
Stripe                 Subscription billing, invoicing                            EU / global
Resend                 Transactional email (auth, notifications)                  EU / US
Google (Gemini API)    Document text extraction and code-mapping suggestions      US (transfer, see Section 7)

We notify customers at least 30 days before adding a new sub-processor where the change materially affects the processing of customer data, and the customer may object during that period under the terms of our DPA.

6. Retention periods

We retain personal data only for as long as necessary for the purposes described above:

  • Account identity and authentication metadata: for the lifetime of your account, plus 90 days after closure.
  • Disclaimer acknowledgements and submission audit trail: 10 years from the date of each acknowledgement or audit event, for the establishment, exercise, or defence of legal claims (GDPR Art. 17(3)(e)). This anchor is based on the long-stop period for civil claims against software vendors under the Revised Product Liability Directive (EU) 2024/2853 Art. 16(1) and German BGB §199(3); it is independent of the manufacturer’s own technical-documentation retention obligations under MDR Art. 10(8).
  • Billing records: as required by applicable tax and companies legislation (typically 7 years).
  • Document content uploaded for processing: per the DPA between us and the manufacturer; deleted on instruction of the controller, subject to any statutory retention obligations.

When you exercise your right to erasure (Section 8), we will delete or anonymise records that are not subject to a legal retention obligation. Records covered by Art. 17(3)(e) — disclaimer acknowledgements and audit-trail records — are retained for the period stated above, because their purpose is to establish, exercise, or defend legal claims.

7. International transfers

EUDAPrep is operated from Hong Kong, and our primary application infrastructure is hosted in the European Union. Where personal data is transferred outside the European Economic Area, we rely on:

  • The European Commission’s Standard Contractual Clauses (SCCs) with each non-EU sub-processor;
  • Where applicable, supplementary measures including encryption in transit and at rest, access controls, and data-minimisation review.

The LLM extraction pipeline transmits document content to Google’s Gemini API under Google’s Standard Contractual Clauses for international data transfers. A Transfer Impact Assessment is maintained for this transfer. The platform’s data-residency roadmap includes migration to an EU-hosted LLM provider (Vertex AI europe-west3, AWS Bedrock eu-central-1, or equivalent); this Privacy Policy will be updated on completion.

8. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15);
  • Rectify inaccurate or incomplete data (Art. 16);
  • Erase personal data, subject to the exemptions in Art. 17(3) — in particular, disclaimer acknowledgements and audit-trail records are retained under Art. 17(3)(e) (legal claims) for the period stated in Section 6;
  • Restrict processing in certain circumstances (Art. 18);
  • Data portability for data you provided to us (Art. 20);
  • Object to processing based on legitimate interests (Art. 21);
  • Lodge a complaint with the supervisory authority in your EU Member State of residence or place of work.

To exercise any of these rights, contact privacy@eudaprep.com. We will respond within one month and may extend by two further months for complex requests as permitted under Art. 12(3).

9. Cookies and similar technologies

Application (app.eudaprep.com): EUDAPrep uses strictly necessary cookies for authentication and session management only. We do not use advertising or analytics cookies.

Marketing site (eudaprep.com): we do not run advertising or analytics tracking on the public marketing site. The site embeds a YouTube product demonstration via youtube-nocookie.com, which sets tracking cookies only after the visitor actively plays the video. If you do not play the video, no third-party cookies are set.

If we introduce non-essential tracking in the future, we will surface a consent banner and update this policy.

10. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, access controls, audit logging, and segregated environments for production and development. In the event of a personal data breach affecting your data, we will notify you and the relevant supervisory authority in accordance with GDPR Articles 33 and 34.

11. Updates to this policy

We may update this policy as our service or our legal obligations change. The effective date at the top of this page reflects the most recent revision. Material changes will be communicated by email and through an in-app notice. Earlier versions are retained internally for our own records.

12. Contact

Controller: Stalwart Consulting Ltd, Hong Kong
Privacy contact: privacy@eudaprep.com
EU Article 27 representative: being arranged — see Section 1.