Privacy Policy

How Medicexum Ltd collects, uses and protects personal data across our website, mandate workflows, email communications and connected social channels.

Last updated 8 May 2026 · UK GDPR & Data Protection Act 2018 · contact@medicexum.co.uk

01

Who we are

Medicexum Ltd (“Medicexum”, “we”, “us”, “our”) is a company registered in England & Wales providing regulatory, compliance, quality and commercial advisory services to the UK medicinal cannabis sector. We are the data controller for personal data collected through this website, our email communications and connected social channels (including LinkedIn).

Contact for privacy matters: contact@medicexum.co.uk.

02

What data we collect

  • Contact details you submit via our contact form, mandate enquiry form, or email (name, work email, firm, role, phone, LinkedIn URL).
  • Mandate & commercial information you choose to share (jurisdiction, ticket size, sector focus, business summary, revenue/EBITDA bands, licences held, reason for sale, desired timeline, expected value).
  • NCNDA & CIM access records (recipient email, acceptance name, IP address, user agent and timestamp) where you accept a non-disclosure agreement or view a confidential information memorandum we have issued to you.
  • Counterparty & KYC information for parties we engage with on transactions (firm, signatory name, contact details, jurisdiction, KYC notes, source-of-funds confirmation).
  • Email engagement data (delivery status, bounces, unsubscribes, suppression).
  • Technical data when you visit the website (IP-derived approximate location, device, browser, referring URL, pages visited). We do not use advertising trackers or third-party analytics cookies that profile you.
  • LinkedIn data — when we share content to our LinkedIn company page via the LinkedIn Marketing API, we process only the content we ourselves publish and the resulting engagement metrics LinkedIn returns to us. We do not collect personal data about LinkedIn users beyond what LinkedIn itself makes available to a page admin.

03

How we use your data

Each processing activity is justified under a UK GDPR lawful basis:

  • Respond to enquiries and deliver services — contract / pre-contract steps and our legitimate interest in running our business.
  • Triage mandate enquiries (including automated scoring against published criteria) — legitimate interest in allocating senior time to credible counterparties. You can ask for a manual review at any time.
  • Send transactional emails (contact acknowledgements, NCNDA & CIM links, mandate updates, admin digests) — contract / legitimate interest.
  • Comply with legal, regulatory and KYC obligations — legal obligation and legitimate interest.
  • Publish industry insights (including auto-posting our own articles to our LinkedIn company page) — legitimate interest in marketing our services. No personal data of third-party individuals is published without their consent.
  • Maintain site security and audit trails — legitimate interest and legal obligation.

04

Cookies

We use only strictly necessary cookies and local storage to keep you signed into the staff admin area and to remember UI preferences. We do not use marketing or cross-site advertising cookies on this website. Where third-party platforms (e.g. LinkedIn) embed content they may set their own cookies under their own privacy policies.

05

Sharing your data

We do not sell personal data. We share it only with:

  • Service providers acting as our processors — our hosting and database provider, transactional email provider and infrastructure vendors — bound by written terms and data processing agreements.
  • LinkedIn when we publish content via the LinkedIn Marketing API to our company page — LinkedIn becomes the controller of any further processing of that content within its platform, under its own terms.
  • Counterparties to a transaction — only with your explicit instruction or pursuant to an executed NCNDA.
  • Regulators, professional advisers, courts where required by law.

06

International transfers

Some of our processors may store or process data outside the UK. Where they do, we rely on UK GDPR adequacy decisions or the UK International Data Transfer Agreement / Addendum to the EU SCCs.

07

How long we keep data

  • Contact form submissions: Up to 24 months from last contact
  • Mandate enquiries & triage: Up to 6 years (AML / KYC evidence)
  • NCNDA & CIM acceptance: Up to 6 years after the related transaction or expiry
  • Email send logs & suppression: Retained to honour unsubscribes and demonstrate compliance
  • Technical security logs: Typically 90 days; longer if needed for incident review

08

Your rights

Under the UK GDPR you have the right to access, rectify, erase, restrict, port and object to processing of your personal data, and to object to automated decision-making with significant effect. Exercise any of these rights by emailing contact@medicexum.co.uk. You can unsubscribe from marketing emails using the link in any email we send.

You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

09

Automated decisions

Our mandate triage uses automated scoring to prioritise enquiries that match our published mandate criteria. The score is advisory only — every enquiry that passes triage is reviewed by a human before any commercial response. Low-band enquiries may receive an automated decline; you can request a manual review at any time.

10

Security

We use row-level security, encrypted transport (TLS), least-privilege access controls, audit logs and short-lived signed tokens for any confidential document delivery (NCNDA / CIM links).

11

Children

Our services are directed exclusively at businesses, regulated operators and professional investors. The site is not intended for children and we do not knowingly collect data from anyone under 18.

12

Changes

We may update this policy to reflect changes in our practices or the law. The “Last updated” date at the top of this page shows when it was last revised.

13

Contact

Medicexum Ltd
London, United Kingdom