Privacy policy

Last updated: 05/01/2026

Data Controller

MyDefib.co.uk is operated by WEL Medical Ltd (referred to as ‘we’, ‘us’, ‘our’)

Company Number: 5714397 (England & Wales)

Registered Address: 1 Chancerygate Way, Farnborough, Hampshire, GU14 8FF

Email: hello@mydefib.co.uk

Phone: 01252 985717

Website: mydefib.co.uk

We take your privacy seriously. This Privacy Policy explains how we collect, use, store, share and protect your personal information when you:

Visit or use our website www.mydefib.co.uk
Purchase automated external defibrillators (AEDs) or related products from us
Register a device with us
Contact our customer service team
Subscribe to our marketing communications.

Please read this Privacy Policy carefully to understand how we handle your personal information. This policy should be read together with our Terms & Conditions and Cookie Policy.

1. Information we collect about you

You may provide us with information when you:

Create an account on our website
Place an order for products
Contact customer service
Subscribe to marketing emails
Leave a product review or complete a survey
Report a product issue or safety concern
Apply for a job with us (recruitment data is handled separately).

This information may include:

Identity data: Name, title, date of birth (for age verification)
Contact data: Email address, postal address (delivery and billing), phone number
Account data: Username, password, security questions
Purchase data: Products ordered, order history, delivery preferences
Device data: Device serial numbers, purchase date, warranty information
Payment data: Card type and last 4 digits (full payment details are processed securely by our payment provider and not stored by us)
Communication data: Records of customer service conversations, emails, feedback, reviews
Marketing preferences: Your preferences for receiving marketing communications.

1.2 Information We Collect Automatically

When you visit our website or use our services, we automatically collect:

Technical data: IP address, browser type and version, device type, operating system, time zone setting
Usage data: Pages visited, time spent on pages, links clicked, products viewed, search queries, page response times, download errors
Location data: Approximate location based on IP address (for delivery purposes and fraud prevention).

Much of this information is collected using cookies and similar technologies. For detailed information about cookies, please see our Cookie Policy at www.mydefib.co.uk/cookies.

1.3 Information We Receive from Third Parties

We may receive information about you from:

Fraud prevention services: Checks to prevent fraudulent transactions

Payment providers: Confirmation of successful payment, fraud prevention data

Delivery services: Delivery status updates, failed delivery information

Analytics providers: Website usage statistics (Google Analytics)

Advertising platforms: Information about ad engagement (if you consent to marketing cookies)

2. How and why we use your information

We only use your personal information where the law allows us to. Under UK GDPR, we must have a lawful basis for processing your information. The table below sets out the purposes for which we use your personal information and the legal basis we rely on.

We will never sell your personal information to third parties.

Purpose	Type of Information	Legal Basis
To create and manage your account	Identity, Contact, Account	Performance of contract with you
To process and deliver your order including managing payments and collecting debts	Identity, Contact, Purchase, Payment, Device	Performance of contract with you; Legitimate interests (to recover debts)
To verify your age (18+) for AED purchases	Identity (date of birth)	Legal obligation (Medical Devices Regulations 2002); Legitimate interests (age-restricted product compliance)
To provide customer support and handle inquiries	Identity, Contact, Purchase, Device, Communication	Performance of contract with you; Legitimate interests (providing customer service)
To notify you about product safety issues, recalls, or field safety corrective actions	Identity, Contact, Device, Purchase	Legal obligation (Medical Devices Regulations 2002; MHRA reporting); Vital interests (protecting health and safety)
To process and investigate product complaints and report serious incidents to MHRA	Identity, Contact, Device, Purchase, Communication	Legal obligation (Medical Devices Regulations 2002 post-market surveillance)
To manage our relationship with you, including notifying you about changes to our terms or policies	Identity, Contact, Marketing preferences	Performance of contract; Legal obligation; Legitimate interests (keeping records updated)
To send you product reviews requests or customer surveys	Identity, Contact, Purchase	Legitimate interests (understanding customer satisfaction and improving our products)
To administer and protect our business and website (including troubleshooting, security, fraud prevention)	Identity, Contact, Technical, Usage	Legitimate interests (running our business, network security, fraud prevention); Legal obligation
To analyze website usage and improve our website and products	Technical, Usage (anonymized where possible)	Legitimate interests (understanding how customers use our website and products to improve them)
To send you marketing communications about our products (where you have consented or we have legitimate interest)	Identity, Contact, Marketing preferences	Consent (for email/SMS marketing); Legitimate interests (for post-purchase marketing to existing customers)
To deliver targeted advertising (where you consent via cookies)	Identity, Contact, Technical, Usage	Consent (via cookie consent banner)

Medical Device Post-Market Surveillance:

As a medical device distributor, we have legal obligations under the Medical Devices Regulations 2002 and MHRA guidance to monitor the safety of devices sold and report serious incidents. We may need to contact you urgently about safety issues or recalls. This is a legal obligation that takes precedence over marketing preferences.

3. Marketing communications

3.1 When we send marketing

We may send you marketing communications if:

You have consented to receive marketing (e.g., by ticking a box during checkout or signing up to our newsletter)
You are an existing customer and we are marketing similar products to those you have purchased (soft opt-in), and you have not opted out

3.2 How to Opt Out

You can stop receiving marketing communications at any time by:

Clicking the ‘unsubscribe’ link in any marketing email
Logging into your account and updating your marketing preferences
Contacting us at hello@mydefib.co.uk

Important: Opting out of marketing does NOT opt you out of essential service communications such as order confirmations, delivery notifications, warranty information, or critical product safety alerts.

4. Who we share your information with

We may share your personal information with the following categories of recipients:

4.1 Service Providers

We use trusted third-party service providers who process personal information on our behalf:

Payment processors: To securely process credit/debit card payments (e.g., Stripe, PayPal)
Delivery services: To deliver your orders (e.g., Royal Mail, DPD, DHL)
Email service providers: To send transactional emails and marketing communications (e.g., Mailchimp)
Website hosting: To host our website and store data securely
Analytics providers: To analyze website usage (e.g., Google Analytics – only with your cookie consent)
Customer support software: To manage customer service inquiries
Fraud prevention services: To detect and prevent fraudulent transactions.

These service providers are contractually obliged to process your data only on our instructions and to maintain appropriate security measures. They cannot use your information for their own purposes.

4.2 Legal and Regulatory Authorities

We may share your information with:

MHRA (Medicines and Healthcare products Regulatory Agency): When legally required to report serious incidents involving medical devices
Law enforcement: When required by law or to protect our legal rights
Courts and regulators: When required by court order or regulatory request
Tax authorities: For tax compliance purposes (HMRC).

4.3 Business Transfers

If we sell or reorganize our business, we may transfer your personal information to the new owner. You will be notified of any such change.

4.4 Device Manufacturers

We may share device serial numbers and purchase information with the device manufacturer (e.g., HeartHero) for warranty administration, product safety monitoring, and post-market surveillance as required by medical device regulations.

5. International transfers

Some of our service providers and device manufacturers operate outside the United Kingdom and European Economic Area (EEA). This means your personal information may be transferred to, stored in, or accessed from countries with different data protection laws.

When we transfer your data internationally, we ensure appropriate safeguards are in place:

Adequacy decisions: Where the UK government has determined that the destination country provides adequate data protection
Standard Contractual Clauses: Approved by the UK government for transfers to countries without adequacy decisions
Binding Corporate Rules: For transfers within multinational organizations with approved internal policies

Countries where data may be transferred:

USA (for payment processing, analytics, cloud storage)
EEA countries (for various service providers)

If you would like more information about the specific safeguards we use for international transfers, please contact us at hello@mydefib.co.uk.

6. How long we keep your information

We only keep your personal information for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements.

Typical retention periods:

Order and purchase records: 7 years from date of purchase (for tax and accounting purposes)
Device serial numbers and warranty information: Life of device + 10 years (for product liability and recall purposes)
Customer service communications: 3 years from last contact
Marketing consent: Until you withdraw consent, or 2 years of inactivity (whichever is sooner)
Website analytics data: 26 months (Google Analytics default)
Account data: Until you request deletion, or 3 years of account inactivity
CCTV footage (if applicable): 30 days unless required for investigation.

In some circumstances, we may retain your information for longer periods, for example if required by law, or if there is a reasonable prospect of litigation.

7. Data security

We take the security of your personal information seriously and have implemented appropriate technical and organizational measures to protect it against unauthorized access, loss, destruction, or damage.

Our security measures include:

Encryption of data in transit and at rest
Secure data centers with restricted access
Regular security testing and vulnerability assessments
Staff training on data protection and security
Access controls limiting who can access personal information
Secure payment processing (PCI-DSS compliant payment providers).

However, no method of transmission over the internet or electronic storage is 100% secure. While we use reasonable measures to protect your information, we cannot guarantee absolute security. If you suspect unauthorised access to your account, please contact us immediately.

8. Your privacy rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal information:

Right of access: You can request a copy of the personal information we hold about you. This is commonly known as a ‘data subject access request’.
Right to rectification: You can ask us to correct personal information about you that is inaccurate or incomplete.
Right to erasure (‘right to be forgotten’): You can ask us to delete your personal information in certain circumstances, such as when it is no longer necessary for the purpose for which it was collected, or if you withdraw consent.
Right to restriction of processing: You can ask us to restrict how we use your personal information in certain circumstances, such as when you contest the accuracy of the data.
Right to data portability: You can request a copy of your personal information in a structured, commonly used, machine-readable format, and ask us to transfer it to another organization.
Right to object: You can object to processing of your personal information where we rely on legitimate interests, or where we use your information for direct marketing.
Rights related to automated decision-making: You have the right not to be subject to automated decision-making, including profiling, which produces legal effects or similarly significantly affects you. We do not currently use automated decision-making.

8.1 How to Exercise Your Rights

To exercise any of these rights, please contact us:

Email: hello@mydefib.co.uk

Phone: 01252 985717

Post: Data Protection Manager, WEL Medical Ltd, 1 Chancerygate Way, Farnborough, Hampshire, GU14 8FF

We may ask you to provide proof of identity before we can respond to your request. This is a security measure to ensure personal information is not disclosed to unauthorized persons.

We will respond to your request within one month. In complex cases, we may extend this by up to two months and will notify you if this is necessary.

8.2 Right to Complain

If you are unhappy with how we have handled your personal information, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk

Online complaint form: ico.org.uk/make-a-complaint

We would appreciate the opportunity to resolve your concern before you approach the ICO, so please contact us first.

9. Cookies and similar technologies

We use cookies and similar technologies on our website to improve your experience, analyze how the site is used, and deliver targeted advertising (with your consent).

Cookie categories:

Strictly necessary cookies: Essential for the website to function (no consent required)
Analytics cookies: Help us understand how visitors use the site (requires consent)
Marketing cookies: Used to deliver targeted advertising (requires consent)

When you first visit our website, you will see a cookie consent banner allowing you to accept or reject non-essential cookies. You can change your cookie preferences at any time by clicking ‘Cookie Settings’ in the website footer.

For detailed information about the cookies we use, please see our Cookie Policy at www.mydefib.co.uk/cookies

10. Links to other websites

Our website may contain links to third-party websites, including social media platforms, payment processors, and delivery tracking services. This Privacy Policy only applies to MyDefib.co.uk.

When you click on a link to another website, you will be subject to that website’s privacy policy. We are not responsible for the privacy practices or content of third-party websites. We recommend you read their privacy policies before providing any personal information.

11. Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations.

When we make changes, we will update the ‘Last updated’ date at the top of this policy. If we make significant changes that affect your rights or how we use your information, we will notify you by:

Displaying a prominent notice on our website
Sending you an email (if you have an account or have provided us with your email address)

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

12. Contact us

If you have any questions about this Privacy Policy, how we handle your personal information, or wish to exercise your privacy rights, please contact us:

Data Protection Manager

WEL Medical Ltd (trading as MyDefib.co.uk)

1 Chancerygate Way

Farnborough

Hampshire

GU14 8FF

Email: hello@mydefib.co.uk

Phone: 01252 985717

This Privacy Policy is effective as of 05/01/2026.