Effective date: 21 March 2026 · Last updated: 21 March 2026
1. Who We Are
This platform (“MDR/IVDR Training Programme”, operated at natpet.online) provides educational training content on EU Medical Devices Regulation 2017/745 (MDR) and In Vitro Diagnostic Regulation 2017/746 (IVDR). It is operated from Ireland and subject to Irish and EU data protection law, including the General Data Protection Regulation (GDPR) (EU) 2016/679.
2. Data We Collect
We collect only the minimum data necessary to operate this training platform:
Account data: Name, email address, and hashed password when you register an account.
Training progress: Module completion status, assessment scores, and certificate records linked to your account.
Usage analytics: Anonymous, aggregated page-view and interaction data via Google Analytics 4 (with IP anonymisation enabled).
Technical data: Server logs containing IP addresses, browser type, and timestamps, retained for security purposes.
We do not collect sensitive/special-category data (health data, biometric data, etc.).
3. Legal Basis for Processing
Contract performance (Art. 6(1)(b) GDPR) — to provide the training service you registered for.
Legitimate interest (Art. 6(1)(f) GDPR) — to maintain platform security and improve content quality.
Consent (Art. 6(1)(a) GDPR) — for optional analytics cookies. You can withdraw consent at any time.
4. Cookies
This site uses:
Strictly necessary cookies: Session authentication (next-auth.session-token). These cannot be disabled as the platform requires them to function.
Analytics cookies: Google Analytics 4 (_ga, _ga_*) — only placed with your consent via the cookie banner. Used to understand how users navigate the platform so we can improve the training content.
You can change your cookie preferences at any time by clearing your browser cookies. No advertising or third-party tracking cookies are used.
5. How We Use Your Data
To provide and personalise your training experience.
To issue educational completion certificates bearing your name and score.
To improve training content based on aggregated usage patterns.
To maintain platform security and prevent misuse.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
6. Data Sharing
Your data may be processed by the following categories of service providers, acting as data processors under GDPR-compliant agreements:
Hosting provider: Cloud infrastructure for application and database hosting.
Google Analytics: Anonymised usage analytics (if consent given).
Where data is transferred outside the EU/EEA, appropriate safeguards (Standard Contractual Clauses) are in place.
7. Data Retention
Account and progress data: retained while your account is active, deleted within 30 days of account deletion.
Server logs: retained for up to 90 days for security.
Analytics data: retained in anonymised form for up to 14 months (Google Analytics default).
8. Your Rights Under GDPR
As an EU/EEA data subject, you have the right to:
Access your personal data (Art. 15).
Rectify inaccurate data (Art. 16).
Erase your data (“right to be forgotten”) (Art. 17).
Restrict processing (Art. 18).
Data portability (Art. 20).
Object to processing based on legitimate interest (Art. 21).
Withdraw consent at any time without affecting prior lawful processing (Art. 7(3)).
To exercise any of these rights, contact us at the address listed below. We will respond within 30 days.
9. Data Protection Authority
If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Data Protection Commission (DPC), Ireland’s supervisory authority:
For privacy-related enquiries or to exercise your data protection rights, please use the contact page or email us at the address provided there.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on the platform. Continued use after changes constitutes acceptance of the revised policy.