1. Introduction
Everyone at OMED Health® is committed to protecting the privacy and security of your personal information. We take care to protect the privacy of actual and prospective customers and patients, as well as all other users or parties that interact with us, visit our website or whose data we collect indirectly (such as family members of patients for medical history purposes).
We have therefore developed this privacy notice to inform you of the data we collect, what we do with your information, what we do to keep it secure as well as the rights and choices you have over your personal information.
If you are a user of our OMED Health Mobile App (the “App”), you will be presented with an additional privacy notice upon logging into the App, which will provide you with information regarding App-specific processing. You can then access the App notice at any time via the App.
If you wish to book an appointment for our Inside Insights test (using the ReCIVA® Breath Sampler), you will be presented with an Information Booklet, which will provide you with additional information about the test.
Throughout this document we refer to Data Protection Legislation, which means the Data Protection Act 2018 (DPA 2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any legislation implemented in connection with the aforementioned legislation. Where data is processed by a controller or processor established in the European Union or comprises the data of people in the European Union, it also includes the EU General Data Protection Regulation (EU GDPR). This includes any replacement legislation coming into effect from time to time.
Where data is processed on individuals based in the United States (US), OMED will process your Personal Data in accordance with Data Protection Legislation as defined above and in line with this privacy notice. Should there be any additional requirements from any US legislation that applies to our processing of your data, we will process your data in accordance with the relevant piece of legislation.
2. About us
Owlstone Medical® Limited (“OML”) (Company Number 04955647) has launched OMED Health (“OMED”) and this website as a brand name for its consumer and patient related products and activities.
OML remains the legal and beneficial owner of OMED. OML is registered with the Information Commissioner’s Office (“ICO”) with registration number ZB023504. OML is also registered with the Care Quality Commission.
In this Privacy Notice, the terms “we”, “us”, and “our” (and other similar terms) refer to OML’s activities as Omed Health and no other part of its processing activities. The OML privacy notice can be found here: https://www.owlstonemedical.com/privacy-policy/.
2.1 Data Controller
We are the controller for the personal information we process as identified in this privacy notice and for the purposes detailed in section 4 below.
In some circumstances, OMED may facilitate referrals on behalf of other organisations. Should you have been referred to OMED by another organisation or be using our App as part of your participation in a clinical trial or research study with another organisation, these other organisations will be independent controllers for some of your information themselves and you may need to consult their own privacy notices for details on what they do with your data.
We have appointed a Data Protection Officer to help us monitor internal compliance, inform, and advise on data protection obligations, and act as a point of contact for data subjects and the ICO.
Our Data Protection Officer is:
The DPO Centre Ltd.
50 Liverpool Street
London
EC2M 7PY
www.dpocentre.com
We have also appointed an EU Representative to act on our behalf for EU GDPR matters.
Our EU Representative is The DPO Centre Europe Ltd.
For further details on how you can contact us or our EU Representative, please see the contact us section below.
3. The information we collect and when.
We only collect personal information that we know we will genuinely use and in accordance with Data Protection Legislation. The type of personal information that we will collect on you depends on the nature of the relationship that we have with you and the type of service we provide. We may collect the following:
- Contact Data: Personal and business contact information (such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information).
- Online Data: Cookies and IP addresses. For more information, please see our cookie banner and Cookie Policy.
- Communications Data: Your communication preferences, subscriptions, feedback and any records of interactions with you.
- Market Research Data: Any data that you provide to us in response to market research or as part of a user group. This could include your opinion on our products and services, or answers to questions we have asked you, such as your age. The data processed for market research will be made clear to you when you participate in the research and could include Health Data.
- Health Data: Information that reveals or infers details about your health, which may include medical background, health symptoms, details relating to digestive health. This may also include medical diagnosis, treatments and responses to medical questionnaires; or your exhaled breath samples, weight, height, diet, smoking status, alcohol intake, information relating to your breathing and collected breath samples, risk of exposure to or the presence of any infectious diseases, medications you might be taking.
- Biographical Data: Biographical and demographic information (such as age, gender, and in some circumstances information regarding any parents or legal guardians).
- Transaction Data: Information about payments to and from you and other details of products and services you have purchased from us.
- Analytical Data: Volatile organic compounds (i.e. molecules found on breath), derived data and metadata concerning, relating to, associated with or derived from the Health Data and Biographical Data.
- Financial Data: Information such as bank account and payment card details.
- Other Data: Information that we may collect that is not specifically listed here but that we will use in accordance with this privacy notice or as otherwise disclosed at the time of collection.
In most instances, you are under no statutory or contractual requirement or obligation to provide us with your personal information; however, we will often require elements of the information above in order to provide our services to you in an efficient and effective manner.
4. How we use your information
4.1 Collection
In most instances we collect personal information directly from you, for example where you have either purchased an Inside Insights test or sought advice from one of our healthcare professionals in relation to our clinical services, or from online forms, medical questionnaires, where you have provided your information to us at an event, by email, from clicking on one of our ads or as part of a market research survey. If you are related to, or an emergency contact of, a patient, then the patient may provide us with personal data relating to you.
In some instances, one of our partner organisations may refer you to us. In these instances, should you confirm your interest our partner organisation will be independent controllers of your information and you should refer to their privacy policy for information about how they may process your data. Any processing of your information through OMED will be covered in this notice, or as part of other information provided to you.
There may be instances where we refer you to a partner organisation, in which case, the other organisation will be the data controller for any data submitted to them.
4.2 Lawful basis
Consent: You have given consent to the processing of your personal data for one or more specific purposes. You may withdraw this consent at any time, either through the channel in which you provided your consent, or by getting in touch via the contact us section below.
- Legitimate Interest: processing is necessary for the purposes of our legitimate interests (i.e., our business interests), except where such interests are overridden by your interests or fundamental rights and freedoms.
- Consent: You have given consent to the processing of your personal data for one or more specific purposes. You may withdraw this consent at any time, either through the channel in which you provided your consent, or by getting in touch via the contact us section below.
- Legal obligation: processing is necessary for compliance with our legal obligations.
- Contractual Obligation: processing is necessary to deliver a contractual service to you or for us to do something at your request before entering into a contract with you.
4.3 Sensitive data
Whether you engage with us as a patient to receive our healthcare services or as a customer attending our Inside Insights breath test, you will be asked to provide certain medical information. This may be in relation to (a) carrying out a medical assessment, helping with any diagnosis and treatment plan(s) from one of our healthcare professionals for your digestive health symptoms; or as part of submitting your “fitness declaration” to confirm suitability for certain product; or (b) your Inside Insights breath test where the relevant medical information directly contributes to the report summarising your test outcomes. Information about your medical history may include medical history of your biological mother or father, siblings and first grandparents. All such information is sometimes called ‘special category data’.
We may also collect special category data where you agree to take part in one of our user groups or market research activities.
We will process special category data to provide our healthcare services or otherwise under limited circumstances (e.g. as part of user group research) and where you provide your explicit consent for us to do so. Less commonly, we may use such data for scientific research purposes, for health or social care purposes, or to establish, exercise or defend legal claims. You may withdraw this consent at any time by contacting us via the contact us section below. Sensitive data will be managed in accordance with our usual high standards of security.
4.4 Purpose
We may use your data to:
| Processing activity | Type of Data | Lawful basis |
| Contact you, following your enquiry, reply to any questions, suggestions, issues, or complaints you have contacted us about, or to otherwise send you service messages. | Contact Data; Communications Data | Legitimate Interest (to communicate with you regarding the App and our services/your queries)
|
| Meet our high security standards in managing your personal data, our systems and our website. | Contact Data; Online Data; Communications Data; Health Data; Market Research Data; Financial Data; Transaction Data | Legitimate Interest (to maintain the security of all services, networks, systems and data) |
| Assess your digestive health concerns and outputs generated by the App, and advise on appropriate treatment plan(s). | Contact Data; Communications Data; Health Data/ special category data | Consent/ Explicit Consent
Contractual Obligation Legitimate Interest (to process and share your data where needed to provide the described services and where consent/contract are not appropriate) |
| Ask you for a fitness declaration in relation to buying certain products. | Contact Data; Health Data | Consent/Explicit Consent
|
| Process your purchase order for our product(s), services, medications or to issue refunds. This may include managing payments, fees and charges; collecting and recovering money owed to us; and sending you service message relating to your order. | Contact Data; Communications Data; Financial Data; Transaction Data | Legitimate Interest (to fulfil orders made via an organisation for which you work)
|
| To carry out a test and prepare a report of our findings. | Contact Data; Health Data; Biographical Data; Analytical Data | Contractual Obligation |
| Exchange data with our clinical or pharmacy partners to assist with their diagnosis and treatment plans, or to dispense a medical prescription. | Contact Data;
Health Data |
Legitimate Interest
Health and Social Care |
| Further our scientific research to improve accessibility and accuracy of early-stage detection of disease, therefore help us achieve our mission , increasing chances of finding cures and saving lives. This data will not be directly linkable to you, and where possible, will be anonymised. | Health Data | Legitimate Interests (to meet our core objectives in improving healthcare and to develop our products/services)
Scientific Research |
| Provide you with our customer support when required in relation to any technical, medical or other issues or queries. | Contact Data; Communications Data Health Data | Health and Social Care
Contractual Obligation Legitimate Interest (to communicate with you regarding the App and our services/your queries) |
| Send marketing communications where you are an existing customer and have bought or negotiated to buy products and services from us in the past and have not opted out of receiving such communications. You will be given the opportunity to opt-out in every communication. | Contact Data; Communications Data | Legitimate Interest (to identify whether you are interested in additional products and services that we believe could be of interest to you) |
| Send marketing communications, including where you have attended events or webinars. You will be given the opportunity to opt-out in every communication. | Contact Data; Communications Data | Consent |
| Add you to the OMED Waitlist to provide you with information relating to our products prior to release in your location and for an indefinite period post-release. | Contact Data; Communications Data | Consent |
| Generate marketing/analytics from our website using cookies. | Online Data | Consent |
| Facilitate your participation in webinars or online user groups. | Contact Data; Communications Data | Legitimate Interest (to obtain valuable feedback to help improve our products and services) |
| (*Inside Insights breath test customers only) Further our scientific research using our Breath Biopsy VOC Atlas® database | Health Data; Analytical Data |
Consent |
| Conduct market research on your use of our products and services and your background and health. | Contact Data; Market Research Data; Communications Data; Health Data | Consent/Explicit Consent |
| Comply with applicable laws, lawful requests, and legal process, where appropriate/necessary.
|
Typically Contact Data and Communications Data (although could include other data items depending on legal need) | Legal Obligation |
| Comply with regulatory monitoring and reporting obligations, where appropriate/necessary.
|
Typically Contact Data and Communications Data (although could include other data items depending on legal need) | |
| Protect the legitimate interests of Owlstone Medical by retaining a copy of medical records and communications generated in relation to you for legal and regulatory filings or to defend the company in any private or public/court proceedings. | Contact Data; Communications Data; Health Data | Legal Obligation |
4.5 De-identified data
In addition, we may create anonymous or aggregated data from your personal information and other individuals whose personal information we collect. We do this by excluding information that makes the data personally identifiable to you.
5. Who we might share your information with
We may share your personal data with trusted third-party organisations, subject to written agreements, as follows:
- With third party companies or individuals (data processors) to perform services on our behalf. This could include data storage and analytics companies; medical software suppliers (e.g. for prescriptions or video appointments); technology support; and communication services (email, web hosting, marketing, and advertising providers, etc.).
We only share your data with data processors that can provide sufficient guarantees that they will process your data securely and in accordance with Data Protection Legislation. Our data processors are not legally permitted to do anything with your personal information unless we have instructed them to do it. They have provided us with written agreements that they will not share your personal information with any organisation apart from us or further sub-processors (supporting an aspect of the same service, study, trial or otherwise) which must process your personal to the same high standards.
- With partners with whom we jointly process your data or otherwise process data as independent controllers. This may include clinical partners, or third-party contractors providing services on our behalf under the OMED Health brand.
- With professional advisors, such as lawyers, where necessary in the course of the professional services that they render to us.
- With government or law enforcement officials or private parties as required by law and disclose and use such information as we believe necessary or appropriate.
In some situations, we may have a separate agreement or relationship with you with respect to a specific type of processing of your data. These situations will be governed by specific terms, privacy notices, or consent forms that provide additional information about how we will use your information. We will honour these additional terms with respect to your information and thus, strongly recommend you review the additional terms prior to participating.
Further scientific research – Data in VOC Atlas
(Inside Insights customers only)
We have developed and are continuing to grow and improve our methods, libraries and databases which are intended to help us achieve our mission to save lives and healthcare costs. These serve as scientific research resources for OML and (in some cases) authorised third-party researchers.
We see our Breath Biopsy VOC Atlas® database (referred to as “Atlas”) as a natural extension of our overall research objectives, and would like to thank all volunteers who allow us to include their data in Atlas and are thus directly supporting us in our mission. Our Atlas work is endorsed and financially supported by the Gates Foundation (Foundation FAQ), promoting (secure) sharing of research data across the science community, which therefore allows us to directly contribute to global research and the drive to early detection of disease.
This section is intended to explain how we collect data, what form we collect it in and how we use it as part of Atlas.
5.1 The Breath Biopsy VOC Atlas
When you purchase our OMED Health Inside Insights breath test, you will have an option to indicate whether or not you are happy for us to use certain limited data obtained from you for the purposes of the test and its results in Atlas for scientific research purposes. Such data may include your age, disease history, chemical molecules on your breath together with other analytical and contextual information (“Atlas Data”), but will exclude any personally identifiable information such as your name, contact details or date of birth. Whenever you provide your consent to such use of data, you will always have the option and opportunity to withdraw your consent if you change your mind in the future.
5.2 Data in Atlas
Atlas will not be collecting any additional personal information to what has already been collected as part of your Inside Insights test. We have therefore broken down the data types as follows, which we believe will be of more use to you.
- Pseudonymised Data. The data we hold in Atlas is pseudonymised, which means you cannot be identified directly through Atlas alone. The pseudonymised data set will contain a subject ID (allocated at random) and metadata from your test. This could include age, cohort, disease history and treatment history.
- Identifiable Data. While identifiable data will not be held in Atlas directly, OML may hold some identifiable data for other purposes and in other databases (for example, if you purchase or have purchased other services from OML, or if you participate or have previously participated in one of our clinical trials or research studies as a volunteer). This means that a very limited number of employees may be able to access some of your identifiable data (such as name and contact details) and your pseudonymised data. These individuals are prohibited from matching the data sets, unless there is genuine cause to (e.g. you make an erasure request). They are subject to strict confidentiality provisions and are required to undertake regular data security training.
- Anonymised Data. Where any Atlas Data is shared with clinical partners, researchers or corporate affiliates, including via the Atlas website (see below), it is strictly anonymised or aggregated, so that the data cannot be linked back to you by any third parties. Any such recipients will be subject to acceptable use agreements regarding the data, where appropriate.
- Generated Data. We may generate further data to enhance our database based on the data that we already hold on you in Atlas. This includes, by way of example, biomarkers – which include common biomarkers, such as cholesterol, infectious disease markers, proteomic and metabolomic markers – and genetic data (ranging from genotype to exome sequence to whole genome sequence). For such activities, participants will always remain pseudonymised or anonymised, as relevant.
5.3 Data use in Atlas and Atlas website
Certain limited (anonymised or aggregated) data within Atlas may be viewed by approved registered users via the Atlas website: https://www.vocatlas.com/. Atlas is not designed or intended for use by the general public or anyone without a genuine interest in science and research. We take reasonable steps to check the credentials of anyone who seeks to register an account for access to Atlas, and will take steps to deny or revoke registration if the user’s credentials cannot be verified.
We only transfer your data to Atlas under this policy, if we have obtained your consent to do so. This consent is sought and collected as part of the Inside Insights test purchase and booking. We may rely on other legal basis for the use of your data in Atlas where we initially obtain such data through a clinical trial or a research study for one of our customers in which you have participated as a volunteer. You should refer to our OML privacy policy where this is the case: https://www.owlstonemedical.com/privacy-policy/.
Data in Atlas under this policy will be used as follows:
| Processing activity | Data processed | Lawful basis |
| To assess data from multiple clinical studies in order to better interpret the results and provide greater understanding of VOC capability, ranges and variabilities. | Pseudonymised and Generated Data as described in 5.2. | Consent
|
| To share Atlas Data with academic researchers, clinicians, students and post-doctoral researchers, charities and government departments that carry out significant research, who have registered with Owlstone to access Atlas Data using an online platform, in order to aid the global research community in making discoveries for the benefit of the public health at large. | Anonymised Data | Consent |
| To compare findings from one study with the general Atlas population to better evaluate findings, identify trends, etc. | Pseudonymised Data internally, Anonymised data for any sharing. | Consent |
| To facilitate your rights and withdrawals regarding Atlas, or otherwise communicate with you. | Identifiable Data | Consent |
All Atlas Data is stored in secure third-party, UK-based, cloud data centres or servers.
Data held in Atlas is stored for archiving, research and statistical purposes. OML therefore retains data in Atlas for as long as it has a legitimate interest in doing so – but has set an initial retention period of 10 years from the date of transfer to Atlas. Retention will be under periodic review and consideration as to its value and need to extended retention. OML has appropriate safeguards in place to protect your data held in Atlas.
Should you object to the processing (or withdraw your consent where valid), we will cease processing your data as part of Atlas.
There is no expectation for data in Atlas to be transferred outside of the UK or the EEA to countries not deemed by the ICO (and/or European Commission as relevant) to provide an adequate level of personal information protection. Should this be required in the future, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the data protection legislation, as detailed in section 6 of this notice.
The other sections of this privacy notice (excluding section 4) apply to this section 5, however, where there are conflicts between section 5 and other sections, the provisions in section 5 apply.
6. International transfers of information
Whenever we transfer your personal information to countries not deemed by the ICO (and/or European Commission as relevant) to provide an adequate level of personal information protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the data protection legislation, such as the specific contracts approved by the ICO (or European Commission as relevant) providing adequate protection of personal information.
7. How we keep you updated on our services
As identified in 4.4 above, we may contact you for several purposes.
We may send you service messages that provide you with information that we legitimately have cause to send you as a user of our products and services or in order to help us improve our products and services (feedback requests, market research, etc.). Such messages will not contain promotional material.
We may separately send you information regarding our products and services where we believe such messages are relevant and will be of interest to you. In such instances, we will contact you if you have provided your consent for the processing or where you are an existing customer that has bought or negotiated to buy products and services from us in the past and have not opted out of receiving such communications. Each email communication will have an option to object to the processing, if you wish to amend your marketing preferences, you can do so by following the link in the email and updating your preferences or by calling us on the number displayed on our website. If you are a business contact, we may send you relevant news about our services or products if we have a legitimate interest to do so.
7.1 OMED Waitlist
You can sign up to the OMED Waitlist (including to express an interest in our Inside Insights breath test) to receive information relating to our products prior to release in your location. As a subscriber to the Waitlist, we will send you release information, blog articles and other product information relevant to you.
You may also be offered the opportunity to participate in sales promotions, which may be in partnership with clinical partners and may require you to submit additional information.
Once products are live in your location, you may be contacted for up to a further 12 months, at which point your data will be deleted and you will not be contacted further unless you demonstrate renewed interest in our products. If we do not launch a product in your location within 24 months of you signing up to our Waitlist, your information will be deleted, and you will not be contacted further. You may withdraw your consent at any time.
8. Your rights over your information
8.1 The right to be informed about our collection and use of personal data
You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal data protection policies and through this and other privacy notices. These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
8.2 Right to access your personal information
You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is referred to as a ‘Data Subject Access Request’. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will typically provide it to you or them free of charge and aim to do so within one month from when your identity has been confirmed.
If you would like to exercise this right, please contact us as set out below.
8.3 Right to rectify your personal information
If any of the personal information we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it.
If you would like to exercise this right, please contact us as set out below.
8.4 Right to object or restrict our processing of your data
You have the right to object to us processing your personal information for particular purposes or have its processing restricted in certain circumstances.
If you would like to exercise this right, please contact us as set out below.
8.5 Right to erasure
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
If you would like to exercise this right, please contact us as set out below.
8.6 Right to portability
The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them you the right to request that a controller transmits this data directly to another controller.
This right is unlikely to apply to OMED’s use of your data, but if you would like to discuss this right, please contact us as set out below.
8.7 For more information about your privacy rights
The Information Commissioner’s Office (ICO) regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access them here https://ico.org.uk/for-the-public.
You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.
9. How long we keep your information for
We will retain your personal information in order to provide you with a high-quality service, in accordance with Data Protection Legislation and for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means.
In some circumstances we may anonymise your personal information (so that it can no longer be associated with you).
10. Giving your reviews and sharing your thoughts
When using our websites, you may be able to share information through social networks like Facebook and Instagram. For example, when you ‘like’, ‘share’ or review our Services. When doing this, your personal information may be visible to the providers of those social networks and/or their other users. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts, so you are comfortable with how your information is used and shared on them.
11. Security
Data security is of great importance to us and to protect your data we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure your collected data.
We take security measures to protect your information including:
- Limiting access to our buildings to those that we have determined are entitled to be there (by use of passes, key card access and other related technologies).
- Implementing access controls to our information technology.
- We use appropriate procedures and technical security measures (including pseudonymisation, strict encryption and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.
12. Changes to Our Privacy Notice
We may change this privacy notice from time to time (for example, if the law changes or we expand our processing). We recommend that you check this notice regularly to keep up to date.
13. How to contact us
If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this notice, the way your personal information is processed, please contact us by one of the following means:
By email: Privacy@Owlstone.co.uk
By post: Owlstone Medical Limited, 183, Cambridge Science Park, Milton Road, Milton, Cambridge, CB4 0GJ
By phone: 01223 428200
If you are based in Europe, you can contact our EU Representative, The DPO Centre Europe Ltd: By email: EuRep@Owlstone.co.uk
By post: The DPO Centre Ltd, Rue des Poissonniers 13, 1000 Brussels, Belgium
By phone: +32 2 786 19 61
Please note, if you are exercising one of your data subject rights, we may need to ask for proof of identity and sufficient information about your interactions with us, as permitted by Data Protection Legislation.
Thank you for taking the time to read our privacy notice.
This notice was last updated on 3 July 2025.
Take control of your health through a simple at-home tests.
