1. Introduction
OMED Health® (“OMED”) is committed to protecting the privacy and security of your personal information. We take care to protect the privacy of all end users of the OMED Health App (hereinafter referred to as the “App”).
We have therefore developed this privacy policy (which should be read alongside our end-user licence agreement: (a) for Apple device users; (b) for Android device users) to inform you of the data we collect, what we do with your information, what we do to keep it secure as well as the rights and choices you have over your personal information when using the App.
This policy applies to OMED Health App version 1, as updated periodically, and will be presented to you once you have downloaded a copy of the App onto supported iOS and Android device models (“Mobile Device”). This policy applies to any services provided through the App.
This App is not intended for children and we do not knowingly collect data relating to children.
For information regarding OMED’s processing of your personal data outside of this App, please see our general privacy notice.
Throughout this document we refer to Data Protection Legislation, which means the Data Protection Act 2018 (DPA 2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any legislation implemented in connection with the aforementioned legislation. Where data is processed by a controller or processor established in the European Union or comprises the data of people in the European Union, it also includes the EU General Data Protection Regulation (EU GDPR). This includes any replacement legislation coming into effect from time to time.
Where data is processed on individuals based in the United States (US), OMED will process your Personal Data in accordance with Data Protection Legislation as defined above and in line with this privacy notice. Should there be any additional requirements from any US legislation that applies to our processing of your data, we will process your data in accordance with the relevant piece of legislation.
This policy is provided in a layered format so you can click through to the specific areas set out below.
2. About Us
Owlstone Medical® Limited (“OML”) (Company Number 04955647) has launched OMED Health (“OMED”) as a brand name for its digestive health related tests and activities.
OML remains the legal and beneficial owner of OMED and therefore is ultimately responsible for this App. OML is registered with the Information Commissioner’s Office (the ICO) with registration number ZB023504.
In this Privacy Notice, the terms “we”, “us”, and “our” (and other similar terms) refer to OML’s activities as OMED and specifically the App. View the wider OML privacy notice.
2.1 Data Controller
We are the controller for the personal information we process as identified in 5.2 of this privacy policy. Should you share data produced by our App with a third party, such as your clinician or hospital, they will be the controller of the information that you share. Please see section 6.3.
In some instances, you may be using our App as part of your participation in a clinical trial with a third party. The third party will be the controller of any data collected by our App as part of the trial, with OMED fulfilling the role of a processor (service provider). Such processing is not in scope of this notice and so we would direct you to the privacy policies of the relevant third party in such instances. OMED may use study data for its own research purposes should this have been permitted/you have consented (where applicable) to this as part of the third-party trial, in which case OMED will be a controller for the data used as part of its own research.
We have appointed a Data Protection Officer to help us monitor internal compliance, inform, and advise on data protection obligations, and act as a point of contact for data subjects and the ICO.
Our Data Protection Officer is:
The DPO Centre Ltd.
50 Liverpool Street
London
EC2M 7PY
We have also appointed an EU Representative to act on our behalf for EU GDPR matters.
Our EU Representative is The DPO Centre Europe Ltd.
For further details on how you can contact us or our EU Representative, please see the contact us section below.
3. The information we collect
We only collect personal information that we know we will genuinely use and in accordance with Data Protection Legislation. The type of personal information that we will collect on you depends on the nature of the relationship that we have with you. Additionally, third party service providers (Apple and Google) can collect certain information when you download the App from the iOS App and Google Play stores to track App installations, usage patterns and to improve their services. For further information or to opt out of this data collection refer to Google and Apple privacy policies. The following data may be collected:
Data Type | Examples |
Identity Data | First name, last name, date of birth, country of residence. |
Contact Data | Email address (acts as a username). |
Mobile Device Data | A unique device identifier (for example, your Mobile Device’s IMEI number, Android ID, Advertising ID or IDFA), model number, operating system version, device free memory and IP address. |
Usage Data | Details of your use of our App including, but not limited to, traffic data and other communication data, whether this is required for specified purposes or otherwise and the resources that you access. This further includes app logs (such as page loads and requests responses from API calls). |
Marketing and Communications Data | Your preferences in receiving marketing from us and our third parties and your communication preferences. |
Special Category Data | Information relating to your health, particularly data relating to: symptoms, food and drink consumption, sleep, stress, exercise and hydrogen/methane gas concentrations measured on your breath. |
Insights Data | Data relating to insights, trends and reports based on your use of the App and the data that you input. Please note, Insights Data may also constitute Special Category Data. |
Other information that we may collect that is not specifically listed here but that we will use in accordance with this privacy policy or as otherwise disclosed at the time of collection.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific App feature.
However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
In most instances, you are under no statutory or contractual requirement or obligation to provide us with your personal information; however, we will often require elements of the information above in order to provide our services to you in an efficient and effective manner.
4. How we collect your information
4.1 Information you give us
This is information (including Identity, Contact, Marketing and Communications Data) you give us about you by filling in fields on the App. It includes information you provide when you register to use the App and if you report a problem with our App or our services. If you contact us, we will keep a record of that correspondence.
We may further collect your Special Category Data when you submit data by completing fields in the App.
4.2 Information we collect about you and your Mobile Device
Each time you use our App we will automatically collect personal data which may include Mobile Device and Usage Data.
4.3 Information we receive from other sources including third parties and publicly available sources
We will receive personal data about you from third party sources:
- Device Data from analytics providers such as Apple and Google based outside the UK.
4.4 Unique Application numbers
When you want to install or uninstall the App containing a unique application number or when automatic updates are searched for, that number and information about your installation, for example, the type of operating system, may be sent to us.
4.5 Will the App track my location?
The App does not require location access under normal circumstances. The App will only ask you to enable location permissions if your Mobile Device is running Android 11. This will allow the App to connect over Bluetooth Low Energy (BLE) and support Android 11 features and requirements. Please be assured that our App does not collect or use your location information. To enable location services, go to Settings >> Apps >> OMED Health and enable location.
5. How we use your information
5.1 Lawful basis
We only process, store or transfer your personal information when we have a legal basis for doing so. The lawful bases we may rely on to process the information identified in this policy are as follows:
- Where you have consented before the processing for one or more specific purposes. You may withdraw this consent at any time, either through the channel in which you provided your consent, or by getting in touch via the contact us section below.
- Where we need to perform a contract we are about to enter or have entered with you.
- Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
- Where data needs to be processed to protect your vital interests.
5.2 Purpose
We may use your data in the following ways:
Processing activity | Type of data | Lawful basis |
To install the App and register you as a new App user | Identity, Contact | Consent |
To manage our relationship with you including notifying you of changes to the App or any Services | Identity, Contact, Marketing and Communications | Consent; Performance of a contract; Legitimate interests (to keep records updated and to analyse how customers use our products/services); Legal obligations (to inform you of any changes to our terms and conditions) |
To administer and protect our business and this App including troubleshooting, data analysis and system testing | Identity, Contact, Usage, Mobile Device, Special Category Data | Legitimate interests (for running our business, provision of administration and IT services, network security); Consent |
To monitor trends in App usage so we can improve the App | Identity, Contact, Mobile Device, Usage, Marketing and Communications | Consent; Necessary for our legitimate interests (to develop our products/services and grow our business) |
To further our scientific research and therefore help us achieve our mission to detect illness earlier, increasing chances of finding cures and saving lives. This data will not be directly linkable to you. | Special Category, Insights | Consent; Necessary for our legitimate interests (to develop our products/services and grow our business) |
To comply with applicable laws, lawful requests, and legal process, where appropriate/necessary | Dependent on legislation. | Legal obligations |
To provide services such as home data collection and data sharing with clinicians and allied healthcare professionals to monitor symptoms related to gut health issues | Identity, Profile, Special Category | Consent; Performance of a contract; Necessary for our legitimate interests (to develop our products/services) |
To produce reports and insights on your health and wellbeing | Identity, Insights, Special Category | Consent; Performance of a contract |
To monitor and collect occurrences of software bugs (errors) and app crashes | Mobile Device, Usage | Consent; Necessary for our legitimate interests (to develop our products/services and ensure the app is secure/functional) |
5.3 Sensitive data
Where Special Category Data is processed, as well as relying on a lawful basis in accordance with 5.1/5.2 above, OMED will rely on the following exceptions for processing:
- Where you have provided your explicit consent to the processing. This can be withdrawn as above.
- Scientific research purposes or statistical purposes.
- To establish, exercise or defend our legal claims.
6. Who we might share your information with
6.1 Our data sharing
We may share your personal data with trusted third-party organisations. Where relevant, we will ask for your consent to sharing data with these third parties:
- With third party companies or individuals (data processors) to perform services on our behalf. This could include: data storage and analytics companies; technology support and communication services (email, web hosting, marketing, etc.). This includes:
  - Blue Frontier
  - Amazon Web Services
  - Salesforce Marketing Cloud
  - Sentry
- With professional advisors, such as lawyers, where necessary in the course of the professional services that they render to us.
- With government or law enforcement officials or private parties as required by law, disclosing and using such information as we believe necessary or appropriate.
We only share your data with third parties that can provide sufficient guarantees that they will process your data securely and in accordance with Data Protection Legislation. Where these third parties are our data processors, they are not legally permitted to do anything with your personal information unless we have instructed them to do it.
In some situations, we may have a separate agreement or relationship with you with respect to a specific type of processing of your data. These situations will be governed by specific terms, privacy policies, or consent forms that provide additional information about how we will use your information. We will honour these additional terms with respect to your information and thus, strongly recommend you review the additional terms prior to participating.
6.2 Additional App data sharing
When you submit personal data to download an App, that data might not only be disclosed to OMED as App owner, but also to:
- The App store provider (possibly automatically through its operating software); and
- Your mobile network operator.
Some of these providers may also be able to access some or all of the Usage Data or Mobile Device Data.
6.3 Your data sharing
In some instances, you will have been directed to or asked to download and use our App by a third party, such as your clinician or hospital. Should you share any information with such third parties, e.g. a report produced by the App or any other Insights Data, the third party will become an independent controller for that information. You should review their privacy notices and policies regarding how they manage such data.
7. International transfers of information
We have a dedicated database in each geography served by the App. For example, should you download the App in the UK, your data will be hosted in the UK, and should you download the App in the US, your data will be hosted in the US.
As such, we do not routinely transfer or access your data outside of your jurisdiction. Should we ever have a need to do so, any such transfers will be conducted securely and based on safeguards that allow us to transfer the data in accordance with Data Protection Legislation, such as specific contracts approved by the ICO providing adequate protection of personal information. We will also update this privacy notice accordingly. Currently, the following international transfer may take place:
- Sentry is based in the US and provides us with real-time error tracking, crash reporting and application monitoring. To provide these services, Sentry may gain access to the Mobile Device and Usage Data of UK App users. To safeguard this transfer we have entered into a comprehensive Data Processing Agreement, which includes standard contractual clauses and the UK Addendum, a transfer mechanism approved by the ICO.
8. How we keep you updated on our services
We may send you service messages that provide you with information that we legitimately have cause to send you as a user of our App or in order to help us improve our App (feedback requests, market research, etc.). Such messages will not contain promotional material.
We may separately send you information regarding our App where we believe such messages are relevant and will be of interest to you. In such instances, we will contact you if you have provided your consent for the processing or where you are an existing customer that has bought or negotiated to buy products or services from us in the past and have not opted out of receiving such communications. Each email communication will have an option to object to the processing. If you wish to amend your marketing preferences, you can do so by following the link in any email you receive from us, by updating your preferences or by calling us on the number displayed on our website.
8.1 OMED Waitlist
You can sign up to the OMED Waitlist to receive information relating to our products prior to release in your location. As a subscriber to the Waitlist, we will send you release information, blog articles and other product information relevant to you.
Once products are live in your location, you may be contacted for up to a further 12 months, at which point your data will be deleted and you will not be contacted further unless you demonstrate renewed interest in our products. If we do not launch a product in your location within 24 months of you signing up to our Waitlist, your information will be deleted, and you will not be contacted further. You may withdraw your consent at any time.
9. Your rights over your information
You have a number of rights regarding our processing of your data. To exercise these rights, please contact our Data Privacy Team, using the contact details below.
9.1 The right to be informed about our collection and use of personal data
You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal data protection policies and through this and other privacy policies. These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
9.2 Right to access your personal information
You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is referred to as a ‘Data Subject Access Request’. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will typically provide it to you or them free of charge and aim to do so within one month from when your identity has been confirmed.
9.3 Right to rectify your personal information
If any of the personal information we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it.
9.4 Right to object or restrict our processing of your data
You have the right to object to us processing your personal information for particular purposes or have its processing restricted in certain circumstances.
9.5 Right to erasure
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
9.6 Right to portability
The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives you the right to request that a controller transmits this data directly to another controller.
9.7 Automated processing
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal or similarly significant impact on you. This type of processing is not currently carried out by OMED, however, we will update this section of the policy should this change in the future.
9.8 Withdraw consent
Where you have provided consent for the processing of your personal data for any reason, you are able to withdraw your consent at any time. If you have provided consent through the App, you can withdraw consent through the App. Alternatively, you can contact us using the details in this notice and we will action accordingly.
9.9 For more information about your privacy rights
The Information Commissioner’s Office (ICO) regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access them here.
You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.
10. How long we keep your information for
We will retain your personal information in order to provide you with a high-quality service, in accordance with Data Protection Legislation and for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means.
In some circumstances we may anonymise your personal information (so that it can no longer be associated with you).
Details of retention periods for different aspects of your personal data are available in our retention schedule which you can request by contacting us.
By default, in the event that you do not use the App for a period of 3 years then we will treat the account as expired and your personal data may be deleted.
11. Security
Data security is of great importance to us and to protect your data we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure your collected data.
All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our App, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way. We do this by:
- Limiting access to our buildings to those that we have determined are entitled to be there (by use of passes, key card access and other related technologies).
- Implementing access controls to our information technology.
- Using appropriate procedures and technical security measures (including pseudonymisation, strict encryption and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile Apps, offices, and stores.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
12. Changes to Our Privacy Notice or Your Personal Data
We keep our privacy notice under regular review.
This version was last updated on 4th April 2024.
Any changes to our notice will be posted on this page and, where appropriate, notified to you when you next start the App. The new policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of the App.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.
13. How to contact us
If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this notice or the way your personal information is processed, please contact us by one of the following means:
By email: Privacy@Owlstone.co.uk
By post: Owlstone Medical Limited, 183, Cambridge Science Park, Milton Road, Milton, Cambridge, CB4 0GJ
By phone: 01223 428200
If you are based in Europe, you can contact our EU Representative, The DPO Centre Europe Ltd:
By email: EuRep@Owlstone.co.uk
By post: The DPO Centre Ltd, Rue des Poissonniers 13, 1000 Brussels, Belgium
By phone: +32 2 786 19 61
Please note, if you are exercising one of your data subject rights, we may need to ask for proof of identity and sufficient information about your interactions with us, as permitted by Data Protection Legislation.
Thank you for taking the time to read our privacy notice.
Our FAQ section might not have the answer you’re looking for right now but our team certainly will. If you need answers, contact us