
About this privacy policy

Cyted (‘we’, ‘us’ or ‘our’) is committed to respecting and protecting your privacy. This Privacy Policy tells you what we do with your personal data, why we use it, who we share it with and how long we keep it in the course of running our business.

This privacy policy is intended for:

  • Users of our website
  • Parties interested in Cyted
  • Organisations purchasing medical diagnosis reports products or services from us (“Customers”)
  • Organisations supplying goods or services to us (“Suppliers”)
  • Staff and other representatives of our Suppliers or Customers (“Representatives”)
  • Job applicants

 

WHO IS THE DATA CONTROLLER?

Cyted Ltd is the controller for the personal information we process, unless otherwise stated. We are a limited company registered in England and Wales (company number 11478299). Our registered address is Platinum Building St John’s Innovation Park, Cowley Road, Cambridge, England, CB4 0DS.

Under the Data Protection Act 2018, Cyted is registered with the Information Commissioner’s Office (Registration number: ZA513427).

 

OUR CONTACT DETAILS AND HOW YOU CAN FACILITATE YOUR RIGHTS

We have appointed a Data Privacy Lead who is responsible for handling questions concerning the operation of our privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact our Data Protection Lead. Our Data Protection Lead can be contacted at privacy@cyted.ai or by mail at Data Protection Lead, Cyted Ltd, WeWork, 50 / 60 Station Road, Cambridge, CB1 2JH.

 

PERSONAL DATA THAT WE COLLECT

We may collect personal data from you in the course of running our business, including through your use of our website, the use of our products or services, when you contact or request information from us, as a result of you applying for a job with us, or as a result of your relationship with one or more of our staff or customers.

Personal data, or personal information, means any information about a living individual from which that person can be identified. It does not include data where the identity has been anonymised.

We also collect aggregated data such as statistical or demographic data for any purpose. For instance, if you visit our website, we will use your usage data to calculate the number of users accessing a particular web page.

The following is a non-exhaustive list of the categories of personal data that we collect, grouped by data category:

 

Data Category: Data description

  • Identity Data includes: first name, last name, username or similar identifier, gender, marital status, title, date of birth, passport info, car registration, picture, biometric data, physical characteristics.
  • Contact Data includes: postal address, postcode, email address and telephone numbers.
  • Financial Data includes: bank account and payment card details used to purchase products or services from us or to make payments to us.
  • Biographical Data includes: information about a data subject such as held in CVs.
  • Transaction Data includes: details of products and services you have purchased from us or we have purchased from you, details about payments to and from you.
  • Technical Data includes: internet protocol (IP) address, browser type and version, your login data, time zone setting and location, operating system and platform, browser plug-in types and versions, error reporting, performance data and other technology on the devices you use to access the Website or in relation to communications we send to you electronically.
  • Employment Data includes: information relevant to any job application you make to us.
  • Profile Data includes: your username and password, purchases or orders made by you or any interests communicated to us to enable the personalisation of services, preferences, feedback and survey responses.
  • Usage Data includes: information about how you use the website and products and services we provide including the features you used, the setting selected, pages visited etc.
  • Health Data includes: information relating to your health status to enable us to provide our health services to you.
  • Marketing and Communications Data includes: your preferences in receiving marketing from us [and our third parties] and your communication preferences.
  • Authentication Data includes: if you visit us we may collect information (Identity data) that we need in order to identify you and complete any security checks. We may collect your image on CCTV.
  • Special Category Data includes: any personal data that is considered in law to be special category data, such as health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
  • Criminal conviction data: criminal conviction data including processing related to offences, or related security matters.
  • Miscellaneous Data includes: any other information relating to you which you may provide to us.

 

NATURE OF PROVISION OF PERSONAL DATA

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you.

 

HOW WE OBTAIN YOUR PERSONAL INFORMATION

We collect personal information from you and others as necessary in the course of running our business.

Most of the personal data we process is provided directly to us by you for one of the following reasons:

  • When you or your organisation makes an enquiry or uses any of our products or services
  • When you or your organisation provides products or services to us
  • When you communicate with us by phone, electronic messaging, in writing, or directly when you meet with our staff
  • When you or your organisation browse our website, complete a form or communicate via the website or our other electronic services
  • When you or your organisation participates in our marketing events, recruitment events or other promotional events
  • When you agree to receive marketing communications from us
  • When you or your organisation gives feedback (for example completing a survey).
  • When provided by a publicly available source such as public lists of registers e.g. electoral register, Companies House and others.

 

We also receive personal data indirectly, in the following scenarios:

  • When provided by a third party organisation, such as an identity verification agency if you had applied for employment with us; by an analytic provider such as Google if you use the internet; from payment providers if you bought something from us; by a delivery organisation if you took a delivery from us; from a regulatory authority such as HMRC if you are employed by us
  • When provided by our customer, such as a request for medical diagnosis or investigation where we provide a medical diagnosis report
  • When you interact with our website or use our systems, we may automatically collect data about your access device and browsing session, using cookies and other technologies. We may also receive technical data about you if you visit other websites using our cookies.

 

As part of Cyted’s corporate function, we process special category and criminal conviction data. We have an appropriate policy document that explains our safeguarding policy for special category and criminal conviction data.

 

WHY WE USE YOUR PERSONAL DATA

We will only process your personal data when we have a lawful basis to do so.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these will apply whenever we process personal data:

  1. Consent: we have your consent to process your personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract we have.
  3. Legal obligation: the processing is necessary for us to comply with the law.
  4. Vital interests: the processing is necessary for us to protect someone’s life.
  5. Public task: the processing is necessary for us to perform a task in the public interest.
  6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

In most cases, we do not rely on consent as a legal basis for processing your personal data, with the exception of sending direct marketing communications to you via email. You have the right to withdraw consent to marketing at any time by contacting us.

We will not use your personal data for making any automated decisions.

 

HOW WE USE YOUR PERSONAL DATA

Cyted will only use your personal data fairly and where we have a lawful basis to do so. Most commonly, we will use your personal data in the following circumstances:

Purpose of data processing: Registering you or your organisation as a client
Type of data: Identity Data; Contact Data; Financial Data
Legal basis for processing: Performance of a contract; Legal or regulatory obligation; Legitimate interest (to manage our customer relationships, to confirm credit worthiness)

Purpose of data processing: To supply our products or services
Type of data: Identity Data; Contact Data; Financial Data
Legal basis for processing: Performance of a contract; Legal or regulatory obligation; Legitimate interest (to recover outstanding debts to us)

Purpose of data processing: To process employment applications
Type of data: Identity Data; Contact Data; Financial Data; Biographical Data; Employment Data; Health Data; Special Category Data
Legal basis for processing: Performance of a contract; Legal or regulatory obligation; Legitimate interest (assessing your skills, suitability prior to employment offer)

Purpose of data processing: To promote our products and services
Type of data: Identity Data; Marketing and Communications Data; Contact Data; Profile Data
Legal basis for processing: Consent; Legitimate interest (to promote our products and services)

Purpose of data processing: To handle enquiries and requests
Type of data: Identity Data; Contact Data; Transaction Data
Legal basis for processing: Performance of a contract; Legitimate interest (to respond to enquiries from customers and others)

Purpose of data processing: To process payments, invoicing, delivery and collections
Type of data: Identity Data; Contact Data; Financial Data; Transaction Data
Legal basis for processing: Performance of a contract; Legal or regulatory obligation; Legitimate interest (to collect outstanding money owed)

Purpose of data processing: To monitor and review the supply of our products, services and communications, including notification of changes in terms or policy; completing feedback surveys; market research
Type of data: Identity Data; Contact Data; Profile Data; Usage Data; Transaction Data; Marketing & communication
Legal basis for processing: Performance of a contract; Legal or regulatory obligation; Legitimate interest (to obtain feedback to help improve the quality of products and services provided)

Purpose of data processing: To track and audit compliance with our policies, processes and procedures
Type of data: Identity Data; Profile Data; Usage Data; Transaction Data
Legal basis for processing: Performance of a contract; Legal or regulatory obligation; Legitimate interest (to ensure compliance for legal and operational purposes)

Purpose of data processing: To visit our premises
Type of data: Identity Data
Legal basis for processing: Legitimate interest (to maintain security)

Purpose of data processing: To produce a medical diagnosis report
Type of data: Identity Data; Contact Data; Financial Data; Health Data; Special Category Data
Legal basis for processing: Contract (we have a contract with a healthcare organisation or a private customer); Legal (we are regulated by the Care Quality Commission and must maintain proper records of care and treatment provided); Vital interest (on urgent referrals we need to respond with a diagnosis as soon as possible and often within 4 hours of referral); Public interest (there is a public interest in providing good quality health diagnosis services); Legitimate interest (to ensure we have records of diagnosis given to facilitate payment for our services, for clinical audit, resolution of queries, meeting insurance and regulatory compliance obligations)

 

PROCESSING SPECIAL CATEGORY DATA

When we process special category data, we need to identify both a lawful basis for processing and a special category condition to ensure compliance with Article 9 GDPR. We consider Criminal offence information within special category data.

Purpose of data processing: To process job applications involving special category data e.g. processing a DBS request
Type of data: Special category data such as health data. We also include criminal offence data in this category
Special Category condition for processing: Processing is necessary for employment purposes Art 9 2(b) and our obligations in employment and the safeguarding of staff fundamental rights and article 9(2)(h) for assessment of employee work capacity. Also Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018 which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.

Purpose of data processing: To produce a patient diagnosis report
Type of data: Health Data
Special Category condition for processing: Processing is necessary for medical diagnosis Art 9 2(h). Also Schedule 2 paragraph 2 2018 Data Protection Act provides for processing that is necessary for health or social care purposes which we take to be (c) medical diagnosis and (d) the provision of healthcare or treatment.

 

 

RECIPIENTS OF PERSONAL DATA WE PROCESS

Access to personal data is strictly controlled to maintain its privacy and security.

We may share personal data for the purposes mentioned in the above tables with the following recipients or categories of recipients:

  • Our Staff – we share personal data with our staff involved with the delivery of our medical diagnosis services
  • Our Healthcare professionals – we share personal data with our healthcare professionals involved with the delivery of our medical diagnosis services
  • Our Customers – we share personal data with representatives of the medical organisation that commissioned our services
  • Government and other regulatory bodies – we may be required to share personal data with regulators to comply with our legal, regulatory and statutory obligations such as the Care Quality Commission, Department of Work and Pensions, HMRC, Coroners Court.
  • Service providers – we may share personal data with service providers acting as processors who provide IT and system services
  • Third parties – we may also be required to pass personal information to third parties acting as data processors or joint controllers such as law enforcement agencies, our insurers, our auditors, the courts and our professional advisers.

These recipients or categories of recipients are only allowed to process personal data for specified purposes and where they are processing personal data on our behalf, they must do so in accordance with our instructions.

Also, we may share your personal data with other third parties in the context of a possible sale or restructuring of the business.

 

TRANSFER TO THIRD COUNTRIES

Some of our recipients are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data outside the EEA, we will ensure that a similar degree of protection of personal data is given by ensuring at least one of these safeguards is in place:

  • Countries are deemed adequate by EU Commission – We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Use model contracts – We may use model contracts approved by the European Commission which give the same protection to personal data as afforded within the EEA. These model contract terms are available on the EU Commissioner website.
  • Use of Privacy Shield – If the provider processes personal data in the USA, we may transfer data to the provider if they have been accredited Privacy Shield status which required them to protect personal data to a similar level as afforded within the EEA.

 

HOW LONG WE KEEP YOUR PERSONAL DATA

We will only retain your personal data for as long as it is necessary for the purposes we collected it for, which will include the purposes of meeting any legal, regulatory, accounting or reporting requirements. For further information about how long we hold personal data see our retention schedule that is available on request from our Data Protection Lead.

 

YOUR DATA PROTECTION RIGHTS

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

  • Your right of access – You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. This right is commonly known as a “data subject access request” or “DSAR”.
  • Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
  • Your right to object to processing – You have the right to object to processing in certain circumstances.
  • Your right to data portability – This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

 

MAKING AN INFORMATION REQUEST TO US

You can make a request to exercise your privacy rights by contacting us at the address above. To respond, we will need information from you to deal with the request, such as to locate the information you are looking for. We will set up an electronic case file containing the details of your request. This normally will include your contact details and any other information that you have given us. If you are making a request about your personal data, or are acting on behalf of someone making a request, then we will ask for information to satisfy us of your identity.

You are not required to pay any charge for exercising your rights; however, we may charge a reasonable fee if your request for access is repeated and/or unfounded or excessive. We have one month to respond to you.

 

YOUR RIGHT TO COMPLAIN TO A SUPERVISORY AUTHORITY

If you have concerns about the way we handle your personal data, you can contact the ICO or raise a complaint. We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner’s Office so please contact us in the first instance.

If you remain dissatisfied, you have the right to make a complaint about the way we process your personal information by contacting the ICO:

  • by phone on +44 303 123 1113
  • by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • via their website at http://www.ico.org.uk/concerns

 

CHANGES TO THIS POLICY

We may change our privacy policy from time to time. If or when changes are made, we’ll include them here, so be sure to check back occasionally.

 

OTHER THIRD PARTY LINKS

Our website may, from time to time, contain links to and from third-party websites, including those of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites may have their own privacy policies. We don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

 

SECURITY AND SAFE STORAGE OF YOUR PERSONAL INFORMATION

The security of your personal information is very important to us and we take this matter very seriously. We’ll use appropriate procedures and security features to process and protect your information. We have in place a robust framework to ensure the security of your information.

We may monitor the use and content of emails, calls and secure messages sent from and received by us so that we can, for instance, identify and take legal action against unlawful or improper use of our systems. The main examples of unlawful or improper use are attempting to impersonate Cyted, the transmission of computer viruses and attempts to prevent this website or its services from working.

 

FURTHER PROCESSING

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.