Privacy Policy
Last updated: 7 December 2024
1. Introduction
Vigil ("we", "our", or "us") is operated by Curistica Ltd, a company registered in England and Wales. This Privacy Policy explains how we handle your information when you use our web application at vigil.curistica.ai.
Vigil is a privacy-first tool designed to help healthcare professionals and members of the public create Yellow Card reports for the UK's Medicines and Healthcare products Regulatory Agency (MHRA) concerning AI and software medical devices.
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
The data controller responsible for your personal information is:
Curistica Ltd
Email: hello@curistica.com
Website: curistica.com
3. What Information We Collect
When you use Vigil to create a Yellow Card report, you may provide the following information:
About You (Reporter Information)
- Your role (e.g., healthcare professional, patient, carer)
- Your profession (if applicable)
- Your full name
- Your email address
- Your organisation name
- Your consent preferences for MHRA contact
About the AI/Software Medical Device
- Software or application name
- Manufacturer or developer name
- Version number
- Type of AI/software
- Description of the software's purpose
- Where the software is used
- Regulatory marking information (UKCA/CE)
Incident Details
- Date and description of the incident
- Who was using the software
- Expected versus actual behaviour of the software
- Impact and outcomes (including any patient harm)
- Actions taken to address the issue
Patient Information (if applicable)
- Approximate age
- Biological sex
- Relevant medical history or conditions
Additional Information
- Any other comments or details you choose to provide
4. How We Store Your Information
Vigil is a privacy-first application. We do not store any of your information on our servers.
All data you enter into Vigil is stored exclusively in your web browser's local storage (localStorage) on your own device. This means:
- No server transmission: Your information never leaves your device unless you actively choose to submit it to the MHRA
- Local auto-save: Your progress is automatically saved on your device only
- You control submission: Nothing is sent to the MHRA or any other party until you manually copy, email, or download your report and submit it yourself
- Complete control: You can delete all stored data at any time using the "Clear all data" button
Important: Because data is stored only in your browser, if you:
- Clear your browser data or cookies
- Use private/incognito browsing mode
- Switch to a different device or browser
...your draft report will not be accessible. We recommend completing your report in one session or downloading a copy if you need to continue later.
5. How We Use Your Information
The information you provide is used solely to:
- Generate a properly formatted Yellow Card report for submission to the MHRA
- Auto-save your progress locally so you can complete the report over time
- Allow you to export your report in various formats (copy to clipboard, email template, PDF download)
We do not:
- Access, collect, or store your data on our servers
- Use your data for analytics, marketing, or any other purpose
- Share your data with any third parties (except as described below for PDF generation)
- Track your behaviour or usage
- Use cookies for tracking purposes
6. Third-Party Services
PDF Generation Library (jsPDF)
When you choose to download your report as a PDF, Vigil loads the jsPDF library from a Content Delivery Network (CDN). This library processes your data entirely within your browser to create the PDF file. No data is sent to the CDN or any external server during this process.
Hosting (Cloudflare Pages)
Vigil is hosted on Cloudflare Pages. Cloudflare may collect standard web server logs, including:
- IP addresses
- Browser type and version
- Operating system
- Date and time of access
- Pages visited
These logs are used solely for security, performance monitoring, and troubleshooting. For more information, see Cloudflare's Privacy Policy.
External Links
Vigil contains links to external websites, including:
- MHRA Yellow Card Scheme (yellowcard.mhra.gov.uk)
- Curistica Ltd (curistica.com)
- MHRA AI Guidance (gov.uk)
We are not responsible for the privacy practices of these websites. Please review their respective privacy policies.
7. Legal Basis for Processing (UK GDPR)
Because Vigil does not collect or store your data on our servers, we are not the data processor for the information you enter. However, to the extent that we provide the tool that facilitates data collection, our legal basis would be:
- Consent: By using Vigil, you consent to the local storage of your data in your browser
- Public interest: Facilitating safety reporting to the MHRA serves the public interest in medical device safety
When you submit your report to the MHRA, the MHRA becomes the data controller for that information. Please refer to the MHRA's Personal Information Charter for details on how they process Yellow Card reports.
8. Data Retention
Your data is retained in your browser's local storage until you do one of the following:
- Click the "Clear all data" button to delete it
- Clear your browser data manually
- Uninstall or reset your web browser
We are unable to delete or retrieve your locally stored data, as it resides entirely on your device.
9. Your Rights Under UK GDPR
Under the UK GDPR, you have the following rights:
- Right of access: You can access your data at any time by viewing it in the Vigil form
- Right to rectification: You can edit your data directly in the form before submission
- Right to erasure: You can delete all your data using the "Clear all data" button
- Right to restrict processing: You can choose not to submit your report
- Right to data portability: You can export your data as a PDF or copy it to your clipboard
- Right to object: You can stop using Vigil at any time
Because all data is stored locally on your device and we do not have access to it, you have complete control over your information.
10. Security
We take security seriously and have implemented the following measures:
- HTTPS encryption: All communication with Vigil is encrypted using SSL/TLS
- Content Security Policy (CSP): Strict CSP headers prevent unauthorized scripts from running
- Security headers: X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers protect against common web vulnerabilities
- No server-side storage: By design, your data never reaches our servers, eliminating server-side data breach risks
- Minimal permissions: Vigil requests no device permissions (no geolocation, camera, microphone, etc.)
However, please note that the security of data stored in your browser's local storage depends on the security of your device and browser. We recommend:
- Using an up-to-date browser with security patches
- Protecting your device with a password or biometric lock
- Not using shared or public computers for sensitive reports
- Clearing your data after submitting your report if using a shared device
11. Cookies and Tracking
Vigil does not use cookies or any tracking technologies.
We do not use:
- Analytics cookies (e.g., Google Analytics)
- Advertising cookies
- Social media tracking pixels
- Session cookies
- Any form of user tracking or profiling
Your browser's local storage is used solely to auto-save your draft report on your device.
12. Children's Privacy
Vigil is intended for use by adults, including healthcare professionals and individuals aged 16 and over. We do not knowingly collect information from children under 16. If you are under 16, please ask a parent, guardian, or healthcare professional to help you use Vigil.
13. International Data Transfers
Because your data is stored exclusively in your browser on your device, there are no international data transfers of your personal information.
The Vigil website is hosted on servers that may be located outside the UK, but since we do not store your data on those servers, this does not constitute a data transfer.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes, we will update the "Last updated" date at the top of this page.
We encourage you to review this Privacy Policy periodically. Continued use of Vigil after changes are posted constitutes your acceptance of the updated policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your information, please contact us:
Curistica Ltd
Email: hello@curistica.com
Website: curistica.com
16. Complaints
If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
Summary
Vigil is designed with privacy at its core:
- Your data never leaves your device unless you actively submit it to the MHRA
- We do not collect, access, or store any of your personal information on our servers
- No cookies, no tracking, no analytics
- You have complete control over your data and can delete it at any time
- All data is stored in your browser's local storage only
Your privacy and security are our top priorities.