Privacy Policy

Privacy Policy

Envision Pharma Group (“Envision Pharma Group”/”we”/”us”/”our”) respects an individual’s right to privacy. This notice explains our approach to any Personal Information that we collect through our business dealings or obtain via our websites, including:;;; and (“Websites”).

In particular, this notice describes:

Personal Information” means any information or a set of information that identifies or is used by or on behalf of Envision Pharma Group to identify an individual.

Who we are

Envision Pharma Group is a full-service global medical strategy and communications agency, and our services include the provision of market-leading hosted software applications.

Envision Pharma Group refers to Envision Pharma Group Limited (company no. 10117262) and its subsidiaries. Unless otherwise stated, Envision Pharma Limited (company no. 04486293) will be the data controller as regards Personal Information collected or obtained via our websites. Envision Pharma Limited is also the EU representative of our US subsidiaries.

Our Data Protection Officer can assist with any questions and can be contacted at either of the following:

Envision Pharma Group
FAO: The Data Protection Officer
Envision House
5 North Street
RH12 1XQ
United Kingdom

What Personal Information we collect

We may collect Personal Information from individuals in the course of our business, including through the use of our websites, when we are contacted or information is requested from us, when content is downloaded from our Websites, from business cards, when individuals apply for job vacancies, when our services are engaged, when we engage others for goods or services, when individuals register for an online community which we host, or when individuals voluntarily submit responses to surveys. Sometimes Personal Information is not sought by us but is delivered or sent to us without prior request.

The Personal Information that we process includes:

How we use Personal Information

We only use Personal Information when the law allows us to do so. Most commonly, we will use Personal Information in the following circumstances:

The types of personal data that we process depends on the relevant circumstances; however, some of the key types of Personal Information that we may process together with the relevant basis for processing and details of any third parties with whom such information is shared, are set out below. Please also see our Cookies notice.

Purpose for which we use Personal Information Legal basis for processing Third-party organisations with whom Personal Information may be shared

To send requested information about us and/or our services.

Legitimate interests.


To provide content requested or downloaded from our Websites and to obtain feedback regarding such content.

Legitimate interests.


To market our services including communicating about updates, news, newsletters and event invitations which are relevant to the individual’s activities and in line with stated preferences.

Legitimate interests.



For the purposes of recruitment.

Legitimate interest.


Third-party technology service providers such as applicant tracking systems.

Professional advisers.

To manage our relationship with our clients and potential clients (including helpdesk requests).

Legitimate interests.

Performance of a contract.

Third-party vendors (where required).

To manage our relationship with our vendors and potential vendors.

Legitimate interests.

Performance of a contract.


To provide and improve our website.

Legitimate interests.

Web service providers and cookie providers.

To compile anonymous statistics including for managing our business performance and assessing client satisfaction to improve our services.

Legitimate interests.


To enable us to provide webinars, meetings and events.

Legitimate interests.

Third-party travel and hospitality service providers.

To provide services to our clients, including the handling of Personal Information of others on behalf of our clients.

Legitimate interests.

Performance of a contract.

Third-party service providers.

“Third-party organisations” does not include any of our group companies. We are an international business and any information provided to us may be shared with and processed by any of our group entities around the world.

Where necessary, or for the reasons set out in this notice, Personal Information may also be shared with regulatory authorities, courts, tribunals, government agencies and law enforcement agencies. While it is unlikely, we may be required to disclose Personal Information to comply with legal or regulatory requirements. We will use reasonable endeavours to notify the individual before we do this, unless we are legally restricted from doing so.

As described above, our services include the provision of hosted software applications to our clients. If an individual provides Personal Information via a website portal of one of our hosted software applications licensed to a client of ours, that individual is providing Personal Information to that client and should ensure he/she understands how their Personal Information may be used. Reference should be made to the relevant client company’s privacy policy which may be published on such website portal, or available on such client company’s corporate website. In such circumstances, the relevant client company is the data controller. We do not access or use such Personal Information save as permitted or required under our contractual arrangements with our clients. Neither do we distribute such Personal Information to any third parties.

How long we keep Personal Information

Personal Information will be retained in accordance with our global data retention policy which categorises all of the information held by us and specifies the appropriate retention period for each category of Personal Information. Those periods are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used, taking into account legal and regulatory requirements to retain the information for a minimum period, limitation periods for taking legal action, good practice and our general business purposes.

Any Personal Information processed by us as part of providing hosted software applications to our clients will be retained for as long as that client’s account is active or as needed for us to provide the relevant services, and as required to comply with legal or contractual obligations.

How we protect Personal Information

A key principle of data protection legislation is that Personal Information must be dealt with securely by means of "appropriate technical and organisational measures". This involves considering matters such as risk analysis, organisational policies, and physical and technical measures, all of which contribute to ensuring the confidentiality, integrity and availability of systems and processes. Envision Pharma Group is certified under ISO/IEC 27001:2013, which is an auditable international best practice standard that formally outlines requirements for an Information Security Management System.

In addition, the data centres in which our servers are located in respect of our hosted software applications are also certified under ISO/IEC 27001:2013. Reports pursuant to SSAE 18/ISAE SOC 1 Type 2, SOC 2 Type 2 and SOC 3 Type 2 can also be provided in relation to such data centres upon request.

Which countries we transfer Personal Information to

We may need to transfer Personal Information to locations outside of the European Economic Area (the “EEA”).

The level of information protection in countries outside the EEA may be less than that offered within the EEA. Where this is the case, we will implement appropriate measures to ensure that Personal Information remains protected and secure in accordance with applicable data protection laws. EU standard contractual clauses are in place between all Envision Pharma Group companies that share and process Personal Information.

In addition, Envision Pharma Group complies with the principles of the EU-US and Swiss-US Privacy Shield Framework regarding the transfer of Personal Information from the EEA or Switzerland to the United States and has certified to the Department of Commerce that it adheres to the Privacy Shield principles. To view our certification, please visit Please also see our Privacy Shield Policy which should be read in conjunction with this notice.

An individual’s rights regarding their Personal Information

The European Union’s General Data Protection Regulation provides certain rights for individuals.

An individual is entitled to request details of the information we hold about them and how we process it. They may also have a right to have Personal Information rectified or deleted; to restrict, object or withdraw consent to our processing of that information, to stop unauthorised transfers of Personal Information to a third party and, in some circumstances, to have Personal Information relating to them transferred to another organisation. Such individual may also have the right to lodge a complaint in relation to our processing of Personal Information with a local supervisory authority.

If an individual objects to the processing of their Personal Information, or withdraws their consent to processing after having initially provided it, we will respect that choice in accordance with our legal obligations but it is likely this will make it impractical for us to deal with the relevant individual.

The California Consumer Protection Act ("CCPA") also provides certain rights to California consumers.

A California consumer is entitled to request details of the information we hold about him or her and how we process it and, under certain circumstances, has the right to request that his or her Personal Information be deleted. Such requests may be submitted through the following methods:

We will acknowledge receipt of your request within ten (10) days and begin the process of verifying your request. Depending upon the sensitivity of the data collected and the nature of your request, we are required to verify your identity to a reasonable degree of certainty or a reasonably high degree of certainty. A reasonable degree of certainty requires matching at least two pieces of personal information provided via the toll free number or Request Form with information already maintained by us. Whereas, a reasonably high degree of certainty requires matching at least three pieces of personal information. If you have an account on one of our software platforms, we may seek to verify your identity through the existing authentication practices for the applicable software platform. The verification process also requires us to consider whether it is likely the submitted request is fraudulent.

A California consumer may also designate an authorized agent to make a request under the CCPA on the California consumer’s behalf. When a request is submitted by an authorized agent, we will require written evidence of the authorization and, except when the authorized agent has a power of attorney pursuant to California Probate Code sections 4000 to 4465, we will also need to verify the agent’s identity as well as the consumer’s identity.

Please be aware, that the CCPA prohibits discriminatory treatment of a California consumer that exercises his or her right conferred by the CCPA.

Changes to this notice

Envision Pharma Group may revise or update this notice from time to time.

Last updated 22 June 2020

California Consumer Protection Act Contact Form

Please complete the form below and one of our team will be in contact with you shortly.
Fields marked with an * are mandatory.

Relationship to Envision