Privacy Policy

Last updated: 25 May 2026

1. Introduction

This Privacy Policy explains how GreenM ("GreenM," "we," "us," or "our") collects, uses, shares, and protects personal data in connection with our website greenm.io and our business communications (collectively, the "Site").

GreenM is operated by [INSERT LEGAL ENTITY NAME], a company registered in [JURISDICTION] under company number [REG NO], with its registered office at [REGISTERED ADDRESS].

For the purposes of UK GDPR and EU GDPR, GreenM is the controller of personal data collected through this Site.

If you have questions about this policy, contact us at privacy@greenm.io.

2. Scope of this policy

This policy covers personal data we collect when you:

  • Visit greenm.io or interact with our marketing communications
  • Submit a contact form, demo request, or other enquiry
  • Subscribe to GreenM Brief or other newsletters
  • Book a meeting with our team
  • Apply for a job or engage with our recruitment communications
  • Engage with us as a client, prospect, partner, or supplier representative

3. Important notice for healthcare clients (PHI / patient data)

GreenM provides AI, data, and engineering services to healthcare organisations. When we process protected health information (PHI), patient records, or other clinical data on behalf of a healthcare client, we do so as a data processor (under UK/EU GDPR) and/or as a Business Associate (under HIPAA, where applicable).

The processing of such data is governed by the separate Data Processing Agreement (DPA) and/or Business Associate Agreement (BAA) we sign with the relevant client — not by this Privacy Policy. This Privacy Policy applies only to personal data we collect as a controller through our Site and direct business interactions.

If you are a patient and have questions about how your data has been used in a system built or operated by GreenM, please contact the healthcare provider that holds the relationship with you. They are the controller of that data; we cannot identify you or respond to data subject requests without their involvement.

4. Information we collect

4.1 Information you provide

  • Contact details: name, work email, job title, company name, phone number, country.
  • Enquiry content: the information you include in messages, demo requests, or RFPs you send us.
  • Newsletter subscription: email address and any preferences you set.
  • Meeting bookings: information collected via our scheduling tool (calendar availability, time zone, optional notes).
  • Recruitment: CV, work history, references, and other information you submit when applying for a role.

4.2 Information collected automatically

  • Device and usage data: IP address, browser type and version, operating system, referring URL, pages viewed, time on page, click events.
  • Cookies and similar technologies: see section 10.
  • Approximate location: country and city, derived from IP address.

4.3 Information from third parties

  • Business contact data from professional networks (e.g. LinkedIn) and B2B data providers, used for prospecting and account research where permitted under our legitimate interests. See section 5 for details.
  • Marketing platform data: engagement signals (e.g. email opens, clicks) from our email and advertising tools.
  • Referrals and introductions from existing clients or partners, where the referrer has confirmed your interest.

5. How we use your information

We use personal data for the following purposes:

  • Respond to enquiries and demo requests — contact details and enquiry content. Legal basis: performance of pre-contractual steps; legitimate interests in running our business.
  • Send GreenM Brief and other marketing communications — email, name, engagement signals. Legal basis: consent (where required); legitimate interests for existing business contacts (soft opt-in).
  • Improve and secure the Site — usage data, device data, cookies. Legal basis: legitimate interests in analytics, security, and fraud prevention.
  • Recruitment — CV, application data, references. Legal basis: pre-contractual steps; legitimate interests in assessing candidates.
  • Comply with legal obligations — as required by law. Legal basis: legal obligation.
  • Establish, exercise, or defend legal claims — as needed. Legal basis: legitimate interests.

We do not use the personal data collected through this Site for automated decision-making that produces legal or similarly significant effects.

Account research and B2B prospecting

We process professional contact data — including names, work email addresses, job titles, and employer names — sourced from professional networks and third-party B2B data providers for the purpose of identifying and contacting professionals who may have a genuine interest in GreenM's services. We process this data only as it relates to those individuals in their professional capacity.

The legal basis for this processing is our legitimate interests under Article 6(1)(f) UK GDPR and EU GDPR. We have conducted a Legitimate Interest Assessment (LIA) that concludes: (i) we have a genuine and real commercial interest in reaching relevant B2B decision-makers; (ii) the processing is necessary and proportionate to that interest; and (iii) the rights and interests of the individuals concerned do not override our interest, given the professional context, the non-sensitive nature of the data, and the safeguards we apply. A copy of the LIA is available on request by emailing privacy@greenm.io.

You have the right to object to this processing at any time. We will honour objections within five business days and maintain a permanent suppression record to prevent re-contact.

6. Who we share your information with

We share personal data only when necessary, and only with parties who provide adequate safeguards. Categories of recipients:

  • Service providers (sub-processors) that help us run the Site and our business — including website hosting, analytics, email marketing, CRM, scheduling, and security tooling. A representative list is in section 10.
  • Professional advisors — lawyers, auditors, accountants, insurers, where required.
  • Regulators, law enforcement, and government bodies where we are legally required to disclose information.
  • Successors in connection with a merger, acquisition, or sale of all or part of our business.

We do not sell personal data, and we do not share it with third parties for their own marketing purposes.

7. International data transfers

GreenM operates internationally, and some of our service providers are located outside the UK and the European Economic Area (EEA), including in the United States.

When personal data is transferred outside the UK or EEA to a country not covered by an adequacy decision, we rely on appropriate safeguards, including:

  • The EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (or the UK IDTA, where applicable)
  • Supplementary technical and organisational measures (encryption in transit and at rest, access controls)
  • Adequacy decisions of the European Commission or the UK Government, where available

You can request a copy of the relevant safeguards by emailing privacy@greenm.io.

8. How long we keep your information

We retain personal data only for as long as we need it for the purposes described in this policy. Default retention periods:

  • Enquiries and demo requests (no engagement): [24 months] from last interaction.
  • Newsletter subscribers: until you unsubscribe, plus a short suppression record.
  • Active client and supplier contacts: duration of the engagement plus [7 years] for legal and tax purposes.
  • Job applicants (unsuccessful): [12 months], unless you consent to a longer talent-pool retention.
  • Website analytics: as configured in our analytics tools (typically [14–26 months]).
  • Server and security logs: [12 months].

After the retention period expires, we delete or irreversibly anonymise the data, unless we are legally required to keep it longer.

9. Your rights

Depending on where you live, you may have the following rights in relation to your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data, in certain circumstances.
  • Restriction — ask us to limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent — where we rely on your consent, you can withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.
  • Lodge a complaint — with the UK Information Commissioner's Office (ico.org.uk) or your local data protection authority.

To exercise any of these rights, email privacy@greenm.io. We may need to verify your identity before responding. We will respond to your request within one calendar month of receiving it. In complex or high-volume cases, we may extend this by a further two months; if so, we will notify you within the first month and explain the reason for the extension.

Where your request results in the deletion or anonymisation of your personal data, we will complete that action within 90 days of confirming your request. Data held in backup systems and security logs may be retained for the remainder of their standard retention period before being deleted in the ordinary course. A suppression record — containing only the minimum information necessary to prevent re-processing — may be retained after deletion to honour your request on a permanent basis.

For California residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. GreenM does not sell personal information. To exercise CCPA rights, email privacy@greenm.io.

10. Cookies and similar technologies

The Site uses cookies and similar technologies to make it work, to understand how it is used, and (with your consent) to support marketing.

Categories

  • Strictly necessary — required for core site functionality. Always active.
  • Analytics / performance — help us understand how visitors use the Site (e.g. Google Analytics).
  • Functional — remember choices you make (e.g. language).
  • Marketing — used for advertising and attribution (e.g. LinkedIn Insight Tag).

You can accept, reject, or manage non-essential cookies at any time via our cookie preferences. You can also manage cookies through your browser settings.

Representative third-party tools

  • Webflow — website hosting and CMS
  • Google Analytics — usage analytics
  • LinkedIn Insight Tag — advertising and attribution [if used]
  • HubSpot / [CRM] — marketing and contact management
  • Calendly / [scheduling] — meeting bookings
  • Cloudflare / [CDN] — performance and security

11. How we protect your information

GreenM maintains an information security programme designed to protect personal data against unauthorised access, disclosure, alteration, and destruction. Our controls include:

  • Encryption of data in transit (TLS) and at rest
  • Role-based access controls and the principle of least privilege
  • Multi-factor authentication for internal systems
  • Continuous security monitoring and vulnerability management
  • Employee training on privacy and security
  • Vendor due diligence before engaging sub-processors

Our information security management system is aligned with ISO 27001, and our healthcare engagements are designed to meet HIPAA, UK GDPR, EU GDPR, and NHS DSPT requirements as applicable to the engagement.

No system can be guaranteed 100% secure. If you believe you have discovered a vulnerability or that your account has been compromised, contact security@greenm.io.

Data Protection Impact Assessments

Where a processing activity is likely to result in a high risk to the rights and freedoms of individuals — including where we deploy new technologies, process data at scale, or engage in processing that could significantly affect individuals — we conduct a Data Protection Impact Assessment (DPIA) prior to commencing processing, in accordance with Article 35 UK GDPR and EU GDPR. DPIAs are reviewed when the nature, scope, or purpose of the relevant processing changes materially.

Client security audits

We recognise that our healthcare and enterprise clients have their own governance and security obligations. Where a client has a contractual right to conduct a security audit of GreenM's systems or processes under a signed agreement, we will co-operate with reasonable audit requests within agreed scope and timelines. Audit requests should be directed to security@greenm.io in the first instance.

12. Security incidents and personal data breaches

GreenM maintains documented procedures for detecting, reporting, and responding to personal data incidents. Where we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with our obligations under UK GDPR, EU GDPR, and HIPAA. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals directly without undue delay.

We do not publicly disclose specific details of our incident response procedures, security controls, or the technical and organisational measures under investigation during or after an incident, as doing so could compromise the security of our systems and the privacy of those whose data we protect. We will communicate with affected individuals and regulators as required by law and will co-operate fully with any regulatory inquiry.

If you believe your personal data has been compromised, please contact us immediately at security@greenm.io.

13. Children's privacy

The Site is intended for business users and is not directed at children. We do not knowingly collect personal data from children under [16]. If you believe a child has provided us with personal data, contact privacy@greenm.io and we will delete it.

14. Links to other sites

The Site may contain links to third-party websites (for example, client case studies, partner pages, social media). We are not responsible for the privacy practices of those sites. Review their privacy notices before providing them with personal data.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or a notice on the Site. We encourage you to review this policy periodically.

16. Contact us

For privacy questions or to exercise your rights:

  • Email: privacy@greenm.io
  • Postal address: [REGISTERED OFFICE ADDRESS]
  • Data Protection Officer / Privacy Lead: [NAME / EMAIL — if appointed]

If you are in the UK, you also have the right to complain to the Information Commissioner's Office (ico.org.uk). If you are in the EEA, you can complain to your local data protection authority.