Privacy policy

Learn how and why we collect and process your data – and what we do to keep it safe.

Last update: 17 September 2020

About this privacy policy

Cyted (‘we’ or ‘us, ‘our’) is committed to respecting and protecting your privacy. This Privacy Policy tells you what we do with your personal data, why we use it, who we share it with and how long we keep it in the course of running our business.

This privacy policy is intended for:

Users of our website
Parties interested in Cyted
Organisations purchasing medical diagnosis reports products or services from us (“Customers”)
Organisations supplying goods or services to us (“Suppliers”)
Staff and other representatives of our Suppliers or Customers (“Representatives”)
Job applicants

Who is the data controller?

Cyted Ltd is the controller for the personal information we process, unless otherwise stated. We are a limited company registered in England and Wales (company number 11478299). Our registered address is Platinum Building St John’s Innovation Park, Cowley Road, Cambridge, England, CB4 0DS.

Under the Data Protection Act 2018, Cyted is registered with the Information Commissioner’s Office (Registration number: ZA513427).

Our contact details and how you can facilitate your rights

We have appointed a Data Privacy Lead who is responsible for handling questions concerning the operation of our privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact our Data Protection Lead. Our Data Protection Lead can be contacted at privacy@cyted.ai or by mail at Data Protection Lead, Cyted Ltd, WeWork, 50 / 60 Station Road, Cambridge, CB1 2JH.

Personal data that we collect

We may collect personal data from you in the course of running our business, including through your use of our website, the use of our products or services, when you contact or request information from us, as a result of you applying for a job with us, or as a result of your relationship with one or more of our staff or customers.

Personal data, or personal information, means any information about a living individual from which that person can be identified. It does not include data where the identity has been anonymised.

We also collect aggregated data such as statistical or demographic data for any purpose. For instance, if you visit our website, we will use your usage data to calculate the number of users accessing a particular web page.

The following is a non-exhaustive list of the categories of personal data that we collect which is grouped by data category:

Data category	Data description
Identity data includes	First name, last name, username or similar identifier, gender, marital status, title, date of birth, passport info, car registration, picture, biometric data, physical characteristics.
Contact data includes	Postal address, postcode, email address and telephone numbers.
Financial data includes	Bank account and payment card details used to purchase products or services from us or to make payments to us.
Biographical data includes	Information about a data subject such as held in CVs.
Transaction data includes	Details of products and services you have purchased from us or we have purchased from you, details about payments to and from you.
Technical data includes	Internet protocol (IP) address, browser type and version, your login data, time zone setting and location, operating system and platform, browser plug-in types and versions, error reporting, performance data and other technology on the devices you use to access the Website or in relation to communications we send to you electronically.
Employment data includes	Information relevant to any job application you make to us.
Profile data includes	Your username and password, purchases or orders made by you or any interests communicated to us to enable the personalisation of services, preferences, feedback and survey responses.
Usage data includes	Information about how you use the website and products and services we provide including the features you used, the setting selected, pages visited etc.
Health data includes	Information relating to your health status to enable us to provide our health services to you.
Marketing and Communications data includes	Your preferences in receiving marketing from us [and our third parties] and your communication preferences.
Authentication data includes	If you visit us we may collect information (Identity data) that we need in order to identify you and complete any security checks. We may collect your image on CCTV.
Special Category data includes	Any personal that is considered in law to be special category data such as health data, Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership Genetic data, Biometric data for the purpose of uniquely identifying a natural person, Data concerning health, or Data concerning a natural person’s sex life or sexual orientation.
Criminal conviction data includes	Criminal conviction data including processing related to offences, or related security matters.
Miscellaneous data includes	Any other information relating to you which you may provide to us.

Nature of provision of personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you.

How we obtain your personal information

We collect personal information from you and others as necessary in the course of running our business.

Most of the personal data we process is provided directly to us by you for one of the following reasons:

When you or your organisation makes an enquiry or uses any of our products or services
When you or your organisation provides products or services to us
When you communicate with us by phone, electronic messaging, in writing, or directly when you meet with our staff
When you or your organisation browse our website, complete a form or communicate via the website or our other electronic services
When you or your organisation participates in our marketing events, recruitment events or other promotional events
When you agree to receive marketing communications from us
When you or your organisation gives feedback (for example completing a survey)
When provided by a publicly available source such as public lists of registers e.g. electoral register, Companies House and others

We also receive personal data indirectly, in the following scenarios:

When provided by a third party organisation, such as an identity verification agency if you had applied for employment with us ; by an analytic provider such as Google if you use the internet; from payment providers if you bought something from us; by a delivery organisation if you took delivery a from us; from a regulatory authority such as HMRC if you are employed by us
When provided by our customer, such as a request for medical diagnosis or investigation where we provide a medical diagnosis report
When you interact with our website or use our systems, we may automatically collect data about your access device and browsing session, using cookies and other technologies. We may also receive technical data about you if you visit other websites using our cookies

As part of Cyted’s corporate function, we process special category and criminal conviction data. We have an appropriate policy document that explains our safeguarding policy for special category and criminal conviction data.

Why we use your personal information

We will only process your personal data when we have a lawful basis to do so.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these will apply whenever we process personal data:

Consent: we have your consent to process your personal data for a specific purpose
Contract: the processing is necessary for a contract we have
Legal obligation: the processing is necessary for us to comply with the law
Vital interests: the processing is necessary for us to protect someone’s life
Public task: the processing is necessary for us to perform a task in the public interest
Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests

In most cases, we do not rely on consent as a legal basis for processing your personal data with the exception in relation to sending direct marketing communications to you via email. You have the right to withdraw consent to marketing at any time by contacting us.

We will not use your personal data for making any automated decisions.

How we use your personal data

Cyted will only use your personal data fairly and where we have a lawful basis to do so. Most commonly, we will use your personal data in the following circumstances:

Purpose of data processing	Type of data	Legal basis for processing
Registering you or your organisation as a client	Identity data Contact data Financial data	Performance of a contract Legal or regulatory obligation Legitimate interest (to manage our customer relationships, to confirm credit worthiness)
To supply our products or services	Identity data Contact data Financial data	Performance of a contract Legal or regulatory obligation Legitimate interest (to recover outstanding debts to us)
To process employment applications	Identity data Contact data Financial data Biographical data Employment data Health data Special Category data	Performance of a contract Legal or regulatory obligation Legitimate interest (assessing your skills, suitability prior to employment offer)
To promote our products and services	Identity data Marketing and Communications data Contact data Profile data	Consent Legitimate interest (to promote our products and services)
To handle enquiries and requests	Identity data Contact data Transaction data	Performance of a contract Legitimate interest (to respond to enquiries from customers and others)
To process payments, invoicing, delivery and collections	Identity data Contact data Financial data Transaction data	Performance of a contract Legal or regulatory obligation Legitimate interest (to collect outstanding money owed)
To monitor and review the supply of our products, services and communications, including notification of changes in terms or policy; Completing feedback surveys; market research	Identity data Contact data Profile data Usage data Transaction data Marketing and Communications data	Performance of a contract Legal or regulatory obligation Legitimate interest (to obtain feedback to help improve the quality of products and services provided)
To track and audit compliance with our policies, processes and procedures	Identity data Profile data Usage data Transaction data	Performance of a contract Legal or regulatory obligation Legitimate interest (to ensure compliance for legal and operational purposes)
To visit our premises	Identity data	Legitimate interest (to maintain security)
To produce a medical diagnosis report	Identity data Contact data Financial data Health data Special Category data	Contract (we have a contract with a healthcare organisation or a private customer) Legal (we are regulated by the Care Quality Commission and must maintain proper records of care and treatment provided) Vital Interest - on urgent referrals we need to respond with a diagnosis asap and often within 4 hours referral Public interest (there is a public interest in providing good quality health diagnosis services Legitimate interest (to ensure we have records of diagnosis given to facilitate payment for our services, for clinical audit, resolution of queries, meeting insurance and regulatory compliance obligations

Processing special category data

When we process special category data, we need to identify both a lawful basis for processing and a special category condition to ensure compliance with Article 9 GDPR. We consider Criminal offence information within special category data.

Purpose of data processing	Type of data	Special Category condition for processing
To process job applications involving special category data e.g. processing a DBS request	Special category data such as health data. We also include criminal offence data in this category	Processing is necessary for employment purposes Art 9 2(b) and our obligations in employment and the safeguarding of staff fundamental rights and article 9(2)(h) for assessment of employee work capacity. Also Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018 which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.
To produce a patient diagnosis report	Health data	Processing is necessary for medical diagnosis Art 9 2(h) Also Schedule 2 paragraph 2 2018 Data Protection Act provides for processing that is necessary for health or social care purposes which we take to be (c) medical diagnosis and (d) the provision of healthcare or treatment

Recipients of personal data we process

Access to personal data is strictly controlled to maintain its privacy and security.

We may share personal data for the purposes mentioned in the above tables with the following recipients or categories of recipients:

Our Staff – we share personal data with our staff involved with the delivery of our medical diagnosis services
Our Healthcare professionals – we share personal data with our healthcare professionals involved with the delivery of our medical diagnosis services
Our Customers – we share personal data with representatives of the medical organisation that commissioned our services
Government and other regulatory bodies – we may be required to share personal data with regulators to comply with our legal, regulatory and statutory obligations such as the Care Quality Commission, Department of Work and Pensions, HMRC, Coroners Court
Service providers – we may share personal data with service providers acting as processors who provide IT and system services
Third parties – We may also be required to pass personal information to third parties acting as data processors of joint controllers such as law enforcement agencies, our insurers, our auditors, the courts and our professional adviser’s

These recipients or categories of recipients are only allowed to process personal data for specified purposes and where they are processing personal data on our behalf, they must do so in accordance with our instructions.

Also, we may share your personal data with other third parties in the context of a possible sale or restructuring of the business.

Transfer to third countries

Some of our recipients are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data outside the EEA, we will ensure that a similar degree of protection of personal data is given by ensuring at least one of these safeguards is in place:

Countries are deemed adequate by EU Commission- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Use model contracts – We may use model contracts approved by the European Commission which give the same protection to personal data as afforded within EEA. These model contracts terms are available on the EU Commissioner website.
Use of Privacy Shield – If the provider processes personal data in USA, we may transfer data to the provider if they have been accredited Privacy Shield status which required them to protect personal data to a similar level as afforded within EEA.

How long we keep your personal data

We will only retain your personal data for as long as it is necessary for the purposes we collected it for, which will include the purposes of meeting any legal, regulatory, accounting or reporting requirements. For further information about how long we hold personal data see our retention schedule that is available on request from our Data Protection Lead.

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access- You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. This right is commonly known as a “data subject access request” or “DSAR”.
Your right to rectification- You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure- You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing- You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing- You have the right to object to processing in certain circumstances.
Your right to data portability- This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

Making an information request to us

You can make a request to exercise your privacy rights by contacting us at the address above. To respond we will need information from you to deal with the request such as to locate the information you are looking for. We will set up an electronic case file containing the details of your request. This normally will include your contact details and any other information that you have given us. If you are making a request about your personal data , or are acting on behalf on someone making a request, then we will ask for information to satisfy us of your identity.

You are not required to pay any charge for exercising your rights however we may charge a reasonable fee if your request for access is repeated and/or unfounded or excessive. We have one month to respond to you.

Your right to complain to a supervisory authority

If you have concerns about the way we handle your personal data, you can contact the ICO or raise a complaint. We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner’s Office so please contact us in the first instance.

If you remain dissatisfied, you have the right to make a compliant about the way we process your personal information by contacting the ICO.

by phone on +44 303 123 1113
by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
via their website at http://www.ico.org.uk/concerns

Changes to this policy

We may change our privacy policy from time to time. If or when changes are made, we’ll include them here, so be sure to check back occasionally.

Security and safe storage of your personal information

The security of your personal information is very important to us and we take this matter very seriously. We’ll use appropriate procedures and security features to process and protect your information. We have in place a robust framework to ensure the security of your information.

We may monitor the use and content of emails, calls and secure messages sent from and received by us so that we can, for instance, identify and take legal action against unlawful or improper use of our systems. The main examples of unlawful or improper use are attempting to impersonate Cyted, the transmission of computer viruses and attempts to prevent this website or its services from working.

Further processing

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.

The NHS National Opt-Out

How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

improving the quality and standards of care provided
research into the development of new treatments
preventing illness and diseases
monitoring safety
planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit https://www.nhs.uk/your-nhs-data-matters. On this web page you will:

See what is meant by confidential patient information
Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
Find out more about the benefits of sharing data
Understand more about who uses the data
Find out how your data is protected
Be able to access the system to view, set or change your opt-out setting
Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/introducing-patient-data (which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Cyted Ltd is currently compliant with the national data opt-out policy.