Privacy Policy
Veridian Corp — Personal Data Protection Standards
Document ID: PP-001
Version: 4.1
Effective Date: January 15, 2026
Owner: Data Protection Officer
Approved By: Chief Legal Officer
Data Collection
Veridian Corp collects only the minimum personal data necessary for the stated business purpose in accordance with the data minimization principle.
Users must provide explicit, freely given, informed consent before any personal data is collected for marketing or non-essential purposes.
Personal data of individuals under the age of 16 must not be collected without verifiable parental or guardian consent.
All new data collection activities must be documented in the Data Processing Register within 5 business days of initiation.
Data Storage and Encryption
All personal data stored at rest must be encrypted using AES-256 encryption.
All personal data transmitted over networks must be encrypted using TLS 1.2 or higher.
Personal data must not be stored on personal devices, personal cloud accounts, or unmanaged endpoints.
Cloud storage systems used for personal data must receive prior written approval from the Information Security team before use.
Data Retention and Disposal
Personal data must not be retained beyond the defined retention period specified in the Veridian Data Retention Schedule.
Customer account data must be permanently deleted within 30 days of account closure or upon receipt of a verified deletion request.
Physical media containing personal data must be disposed of using certified destruction methods including shredding or degaussing, with a certificate of destruction retained.
All data disposal events must be logged and the log must be retained for a minimum of 3 years for audit purposes.
Data Subject Rights
Data subjects have the right to access a copy of their personal data within 30 calendar days of a verified subject access request.
Data subjects have the right to have inaccurate personal data corrected within 15 business days of a verified correction request.
Data subjects may withdraw consent at any time; the withdrawal must be processed and confirmed within 5 business days.
Veridian Corp must notify affected data subjects and the relevant supervisory authority within 72 hours of discovering a personal data breach that poses a risk to individual rights and freedoms.
Third-Party and Cross-Border Transfers
Personal data must not be shared with any third party without a signed Data Processing Agreement (DPA) in place prior to any data transfer.
Third-party vendors with access to Veridian personal data must undergo an annual information security assessment.
Cross-border transfer of personal data to countries outside the European Economic Area (EEA) requires Standard Contractual Clauses (SCCs) or equivalent approved safeguards.
A record of all third-party data transfers must be maintained and reviewed by the Data Protection Officer on a quarterly basis.
HIPAA & Protected Health Information (PHI)
As a healthcare technology company manufacturing FDA-regulated devices that collect and transmit patient health data, Veridian Corp is a HIPAA-covered entity and business associate where applicable. PHI collected through devices such as the Veridian Glucose Patch (K231156) and Veridian Pulse Monitor (K240847) is subject to the HIPAA Privacy and Security Rules.
Protected Health Information (PHI) must be accessed only by authorized workforce members on a minimum necessary basis.
All PHI must be encrypted at rest using AES-256 and in transit using TLS 1.2 or higher without exception.
Business Associate Agreements (BAAs) must be executed with all vendors that create, receive, maintain, or transmit PHI on Veridian's behalf before any PHI access is granted.
Patient authorization must be obtained before PHI is used for marketing purposes or disclosed to third parties not involved in treatment, payment, or healthcare operations.
HIPAA breach notification to affected individuals must occur within 60 days of discovery; HHS OCR must be notified for breaches affecting 500+ individuals within 60 days.
Device-generated health data (glucose readings, ECG waveforms, insulin delivery logs) is classified as PHI and must follow the same handling requirements as all other protected health information.
PHI Data Categories from Medical Devices
| Data Type | Source Device | Classification | Retention | Regulatory Basis |
|---|---|---|---|---|
| Continuous glucose readings | VGP-200 (K231156) | PHI / Confidential | 7 years | HIPAA · 21 CFR 820.180 |
| ECG waveforms & heart rate | VPM-4000 (K240847) | PHI / Confidential | 7 years | HIPAA · 21 CFR 820.180 |
| Insulin delivery logs | VID-100 (K220893) | PHI / Confidential | 7 years | HIPAA · 21 CFR 820.180 |
| Device telemetry metadata | All devices | Internal | 3 years | Internal retention schedule |
| De-identified aggregate analytics | Cloud platform | Internal | Indefinite | HIPAA Safe Harbor de-identification |
Related documents: HIPAA Security Rule Assessment 2026 (PDF) · FDA Compliance Program · Data Handling SOP
Related Documents & Downloads
-
Privacy Policy v4.1 — PDF Version
Official PDF export of this policy document for audit and archival purposes.
-
HIPAA Security Rule Assessment 2026
Annual assessment covering administrative, physical, and technical safeguards.