Privacy Notice
Last modified on 2 October 2024
1. Introduction
This is the Ultromics privacy notice. The Ultromics Group has a parent company, Ultromics Ltd, which is based in the UK and a subsidiary, Ultromics Inc, which is based in the US. Ultromics Ltd and Ultromics Inc are two separate legal entities. This privacy notice is issued on behalf of the Ultromics Group so when we mention Ultromics, "we", "us" or "our" in this privacy notice, we are referring to the relevant company in the Ultromics Group responsible for processing your data. Ultromics is registered with the Information Commissioner’s Office (ICO) with registration number ZA756042. We will let you know which entity will be the Controller for the personal data we hold about you.
We are committed to being transparent about how we collect, store and manage your personal data, where we decide the purpose and means of the information processing (as a Controller) or we otherwise process it (as a Processor) under the authorisation of another organisation. This privacy notice will also tell you about your rights when it comes to your data.
It is in your interests that you read this privacy notice together with any other privacy information we have provided, or which may have been given to you by a third party which is using our services and providing your data to us. It is important that you do this so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and is not intended to override them.
Ultromics Ltd
Office address: 4630 Kingsgate, Cascade Way, Oxford Business Park South, Oxford, OX4 2SU. Telephone number: 0808 196 8558
Ultromics Inc
Office address: Atlanta Financial Center, 3343 Peachtree Rd NE Ste 145-1626, Atlanta, GA, 30326. Telephone number: 877-577-3420
Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO), HelloDPO, who can be contacted at the following address: hello@hellodpo.com.
2. What we do
Ultromics is a global health technology firm. We have developed and manufactured a suite of software products and services, called EchoGo®. Our products are each classed as a medical device. EchoGo® uses artificial intelligence to assist with automating analysis and calculations. EchoGo® reports are delivered to and are under the control of the treating physician, who ultimately decides the treatment pathway for the patient.
This profiling analysis is mostly carried out by Ultromics as a Processor, acting on behalf of our healthcare sector customers. Ultromics acts as a Controller when we carry out our own research and development work to test hypotheses and improve our products and services. Where we are a Controller, personal data is shared only between us and our research collaborators for the purpose of the research study with full ethical approval and compliant data sharing procedures in place. Reports generated for research or validation purposes are not used clinically within a patient’s treatment pathway.
3. What data we have
As a Data Controller, Ultromics collects your personal data for the purposes of software development, research and for general business administration. The information we collect depends on your interaction with our company and on the choices you might be asked to make at time of data collection. You are not obliged to provide any personal data to us. If you choose not to provide information, we may not be able to respond to your queries or provide our services to you or your organisation.
As a Data Processor, Ultromics acts on the lawful instructions of our business customers (hospitals or healthcare organisations, for instance) who control what personal information we are sent, store and use. EchoGo® product and services are intended for use by our business customers. This means that Ultromics is the Processor and not the data Controller for most of the personal data (patient personal information) we collect and process through EchoGo®. In this context, if you are a patient of one of our business customers and have privacy-related questions or concerns about our access to your personal information, please contact them directly or review their organisation's privacy notice.
Please note that Ultromics is not responsible for the privacy or security practices of its business customers, which may differ from those we have set out in this notice.
Ultromics collects data from you:
- When you use and engage with our brand website(s);
- When you enquire about, take up use of, or need support on use of our products and services (personal identifiers and contact details);
- When you visit our offices or engage with us at conferences and events (personal identifiers, CCTV images and contact details);
- When you supply our business with products or services (personal identifiers and contact details);
- When you engage with us for career development and recruiting activities (personal identifiers, contact details, resume, screening results, references);
- When you sign up to our marketing newsletters and promotions (personal identifiers and contact details);
- When you contact us through any means for example social media, website forms, website chat function, survey responses, other enquiry routes;
- When you participate in research or clinical studies and trials led by us; and
- When your data is used to support product development.
Our use of data for research purposes
When you agree to take part in a research study under our control or joint control, we will process your personal data, comprising your echocardiogram images and limited health data, for the purposes of:
- Carrying out independent or joint academic research in the public interest;
- Further developing and refining our technology to improve its capabilities and our related services – for example training our algorithms and data models to better interpret and consistently measure the images provided, towards improving and extending our product and service functionality; and
- Assisting us in commercially delivering our product and service to market with the overall aim being to help improve patient care and bring diagnostic quality and resource savings (time and cost) to the healthcare sector – for example simplified operation of our software device with more consistent results.
Where we are processing data for our internal commercial research and development purposes to develop and improve our product and services, we only use health data in a de-identified / pseudonymised format; in a way that it does not specifically identify any individual by reference to name or other identifying data.
The personal information we use is provided to us under an agreement with healthcare providers, who supply the data.
Marketing and advertising
Where you have subscribed to our newsletter, we may contact you from time to time with information about our products and services. Most messages we send will be by email.
You can change your preferences at a later date by clicking on the “unsubscribe” or “manage preferences” link at the bottom of our marketing messages. You can also let us know that you do not wish to receive further marketing communications at any time by sending an email to unsubscribe@ultromics.com.
Cookies and online tracking
Our website uses cookies to enable, optimise and analyse website operations, provide personalised content and allow you to connect to social media.
Please see Cookie Notice for more information.
What types of personal data do we collect
We collect and use the following types of data:
- Identifying information
- Device information
- Behavioural information
- Social information
- Health information
4. Why we have your data
Under the UK data protection laws, where we are a Processor or Controller (independent or joint), we have your data for the following reasons:
| Purpose/activity | Data Type | Lawful Basis |
| --- | --- | --- |
| Managing our business or carrying out research in our own business interests to assess, further develop, or maintain, or support our EchoGo® product and/ or services. When your data is used to support product development | Medical images, physical characteristics, health history, health record details when you agree to take part in our research studies, or your healthcare provider engages with our services and provides your data to us or shares it with us under agreement as a Controller or a Joint Controller. | Product Development: The lawfulness of the processing for product development is Article 9(2)(h); processing is necessary for the purposes of preventive or occupational medicine…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services (with a basis in law). Product Maintenance: The lawfulness of the processing for product maintenance is: Article 9(2)(i) Processing is necessary for reasons of public interest in the area of public health, such as…ensuring high standards of quality and safety of…medical devices (with a basis in law). For each of product development and maintenance, the associated conditions in the UK Data Protection Act 2018 are: Schedule 1, part 1, 3 – Public health. The processing is necessary for reasons of public interest in the area of public health for fighting and treating cardiovascular diseases. |
| When you need support on use of our products and services | Personal identifiers and contact details | Performance of a contract |
| Receipt of public funding for research and/ or we are a joint or independent Controller partner for research with respect to the Department of Health, an NHS hospital, or a UK university. When you participate in research or clinical studies and trials led by us | Medical images, physical characteristics, health history, health record details when you agree to take part in our research studies, or your healthcare provider engages with our services and provides your data to us or shares it with us under agreement as a Controller or a Joint Controller. | Ultromics processes special category personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical research purposes. (Article 9(2)(j)) The associated condition in UK law, set out in Part 1 of Schedule 1 of the DPA 2018, is (4) Research etc. The processing is necessary for scientific research and statistical purposes. It is carried out in accordance with UK GDPR Article 89 (1). The processing is in the public interest. |
| When you enquire about, take up use of our products and services | Personal identifiers and contact details | Legitimate business purpose |
| We collect your details for sending you our marketing newsletters on request, or for our use of cookies. Where this is the case, you can withdraw this consent. When you sign up to our marketing newsletters and promotions | Personal identifiers and contact details | Legitimate business purpose and Time-bound consent |
| When you contact us through any means, for example social media, website forms, website chat function, survey responses, other enquiry routes | Personal identifiers and contact details | Legitimate business interest |
| We collect your details for recruitment with a view to your joining us as an employee. When you engage with us for career development and recruiting activities | Your professional qualifications, educational background and your public life when you communicate with us through our website or email, for careers purposes, or have otherwise made publicly available. (personal identifiers, contact details, resume, screening results, references) | Legitimate business interest and performance of a contract |
| We have a duty to keep a register and associated records, or where laws and authorities may require us to do so. | Names, roles and contact details (telephone, email, address), photographs and video or call recordings such as may be provided by you when filling out our forms, visiting our offices, or provided by you or your organisation for engagement with us for the purposes of supplying our services or collaborating with us on projects. | Compliance with a legal obligation |
| You might visit our office and have an accident or need medical attention whilst on our site | Names, roles and contact details (telephone, email, address), photographs and video or call recordings such as may be provided by you when filling out our forms, visiting our offices | To protect your vital interests |
| We process health data in our own interests as a Controller; we will process this information under the additional lawful basis of one of the following: Where local personal data protection laws require patient explicit consent to process the data, this will be organised by and through our data source partners e.g. hospital or healthcare provider. Health data is provided to us under legal agreement with the Controller organisation. This may be for example, an NHS hospital in the UK or a Covered Entity (CE) in the US. | Medical images and associated patient information are referred to as special category data under UK and EU laws and protected health information (PHI) or identifiable/de-identified health information under US law. It is also sometimes referred to as sensitive data. Medical images, physical characteristics, health history, health record details when you agree to take part in our research studies, or your healthcare provider engages with our services and provides your data to us or shares it with us under agreement as a Controller or a Joint Controller. | Public interest in the area of public health, medical device safety; OR health and social care; OR it is necessary for archiving, scientific research or statistical purposes. |
| When you visit our offices or engage with us at conferences and events (personal identifiers, CCTV images and contact details) | Access tracking if you visit our offices in person and are provided with a temporary access fob for entry to our office building. | Legitimate business interest |
| When you supply our business with products or services (personal identifiers and contact details) | Names, roles and contact details (telephone, email, address), photographs and video or call recordings such as may be provided by you or your organisation for engagement with us for the purposes of supplying our services or collaborating with us on projects. | Performance of a contract |
| When you use and engage with our brand website(s) | IP address, browser information, device type such as may be provided by you when you connect to our website, fill in our online forms. Browsing behaviour if you have agreed to our use of non-essential cookies when you interact with our website | Consent |
| Device usage | IP address, browser information, device type such as may be provided by you in the context of your organisation’s use of our medical device. | Performance of a contract |
Processing for recruitment and employment
For more information about our processing personal data with respect to recruitment, please refer to our Applicant Privacy Notice on this website. Similarly, if you are employed by us please refer to our Employee (Staff) Privacy Notice, which you can find in our Company Handbooks or which is available from our People team.
Health Data Processing
Where local personal data protection laws require patient explicit consent to process the data, this will be organised by and through our data source partners e.g. hospital or healthcare provider.
Health data is provided to us under legal agreement with the Controller organisation. This may be for example, an NHS hospital in the UK or a Covered Entity (CE) in the US.
5. What sub-processors we use
We may share your personal information with the following third parties:
- Service providers and advisors. We may share your personal information with third party vendors and other service providers that perform services for us or on our behalf. This may include providing storage and hosting services, de-identification services, network services, marketing, email or call handling, chat services, fraud prevention, web hosting, professional business services (such as legal, accounting, auditing and insurance), consulting services, or providing analytic services.
- Purchasers and third parties in connection with a business transaction. Your personal information may be disclosed to third parties in connection with a transaction, such as a merger, sale of assets or shares, reorganisation, financing, change of control or acquisition of all or a portion of our business. This is under the provision that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.
- Law enforcement, regulators and other parties for legal reasons. We may share your personal information with third parties as required by law or if we reasonably believe that such action is necessary to (i) comply with the law and the reasonable requests of law enforcement; (ii) detect and investigate illegal activities and breaches of agreements; and/or (iii) exercise or protect the rights, property, or personal safety of Ultromics, its users, or others.
A list of our current sub-processors is available on request by contacting privacy@ultromics.com.
- Third-party links on this website. There are social media links on our website, such as LinkedIn, Twitter and Facebook. From time to time we may also publish links to other third-party sites such as links to academic publications, or medical associations and organisations. Clicking on these links or enabling those connections may enable the third-party to collect or share data about you. For example, when you click on the social media links you land on our social media page relevant to the link. If you are logged into your social media account and you click through to these from our website, the social media service provider may collect information indicating that you have visited our website and link the site visit to your social media profile.
We do not control these third-party websites and are not responsible for their privacy notices or practices. When you leave our website, we recommend that you read the privacy notice of the sites you choose to visit.
Some of the sub-processors with whom we share personal data are based outside the UK, so their processing of your personal data will involve a transfer of personal data outside the UK.
Whenever we transfer your personal data out of the UK we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is in place:
- We may transfer your personal data to countries that have been granted an adequacy decision by the UK Secretary of State confirming that the country in question provides an adequate level of protection for personal data; or
- We may use specific contracts approved by the UK Government (as applicable) which ensure that personal data is adequately protected. When we rely on this measure, we will conduct risk assessments and take appropriate measures to ensure that the third-party can comply with the provisions of such contracts and we have confirmed that the country to which the personal data is transferred provides enforceable data subject rights and effective legal remedies for data subjects are available there; or
- A specific exception applies under data protection law.
6. How we keep your personal information secure
We are ISO/IEC 27001:2013 and Cyber Essentials certified; representative of our focus on ensuring that we have implemented reasonable and appropriate technical and organisational measures to securely protect the personal information we process against accidental or unlawful destruction, loss, change or damage.
Despite these safeguards, no internet-based transmission or information storage technology can be guaranteed 100% secure so we cannot promise that our security measures won’t be overcome. We will follow our incident response procedures should this occur.
If you are a user of our product and service and we have provided you with login credentials for that purpose, then you are responsible for maintaining the security of them, including any password details and all activities that take place under your account.
Should you receive a communication which purports to be from Ultromics, and which asks you to provide sensitive data or account information via email, or which otherwise seems strange, please treat this as unauthorised and suspicious and report it to our support team, or contact us at security@ultromics.com.
7. Where we process your personal data
We have set up and use infrastructure in the UK and US. Your data may be processed in any of these areas; the processing location is dependent on the nature of the relationship we have with you or the agreement between us and the Controller organisation providing the data and their geographic location.
We currently use the following data centres to process your data with respect to our product and services:
- UK: Microsoft Azure
- North America: Microsoft Azure
These regions only dictate the geographic location where EchoGo related data is stored and where our SaaS computer server resources are run from. Note that whilst your data will be stored in the above regions, it may also be accessed by Ultromics group company staff located in the UK (overseen by US staff), but only to the extent necessary to be able to support, secure and maintain our services in accordance with our customer contracts.
Our business administration activities depend on the nature of that administration activity. We use service providers and other third parties which can support our business administration by processing in the UK, US, Canada, New Zealand, EEA and EU.
We have appropriate legal agreements in place, based on adequacy decision, appropriate safeguards or standard contractual clauses with those supporting organisations, for the transfer of your data outside the UK or EEA where this is restricted.
8. How long we keep your personal data
We will store the personal information we collect for our own purposes for no longer than necessary for the purposes set out and in accordance with our legal obligations and legitimate business interests.
Research and development
For research participants, long-term use (and, where applicable, re-use) and retention of your personal information in connection with the specific research study or project you are participating in is explained in the patient information sheet provided to you by our trial partner(s). This retention time period can vary; information will generally be kept for the duration of the specific research project and then additionally for an agreed time afterwards which could be up to 10 years from the end of the research project.
Should we decide to keep the research data indefinitely, we will then no longer use it for any other activities. Once we no longer have a use for the data we will either delete it or anonymise it in such a way that it can no longer be attributed to an identifiable individual.
Business administration
Unless stated otherwise, we keep your personal data for as long as we have a continued legitimate business need, legal obligation or agreement allows. This can be anything from 30 days to 15 years depending upon the associated business record type after the end date trigger, or indefinitely where this is required for legal reasons. Ultromics maintains record retention details in our Record Retention Schedule.
EchoGo Product and service
Data will be kept for as long as agreed in contractual documents with our business customers. Data will be destroyed or returned in accordance with agreements unless we have negotiated with our business customer the permission to retain some of the information for our own research and development reasons as a Controller. Processed data through the EchoGo service is retained for 30 days for support purposes.
9. Your personal data rights
Where we are acting as a data Controller and depending on your location and subject to applicable law, you may have information rights. This is particularly the case if you are resident in the UK or European Union. If you wish to exercise one of these rights, please contact us. If you are the patient of an organisation which is using our EchoGo® services, please contact that Controller organisation in the first instance with your request. Research participants should get in touch with their primary organisation contact. Under UK and EU data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal information.
- Your right of rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances, such as it is no longer necessary for the purposes we originally collected it for. This is also known as the right to be forgotten.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances. However we may not need to stop if we can give strong and legitimate reasons to continue using it. You also have the right to withdraw consent, where our processing of your data is on the basis of consent previously given by you.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
- Your right not to be subject to automated processing – Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. You have the right not to be subject to automated decisions that will create legal effects or have a similar significant impact on you, unless you have given us your consent, it is necessary for a contract between you and us or is otherwise permitted by law. You also have certain rights to challenge decisions made about you. We do not make any automated decisions about you. Ultromics does not currently carry out any automated processing.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Before we can process your request, we may need information from you to help us confirm your identity.
10. Children's Privacy
Our business, services and our website are not directed at, or intended for, persons under 13 years old, and we do not knowingly collect personal information from or relating to children. If you believe, or become aware, that a child under 13 years may have provided us with personal information, then please contact us so that we can take steps to remove such information.
11. How to raise questions, complaints or exercise rights
Please contact us at any time should you have any questions, complaints regarding this privacy notice or our associated practices, or wish to exercise your personal data protection rights. All communication will be investigated thoroughly. Please use the contact us form on our website or send an email to privacy@ultromics.com.
You also have the right to lodge a complaint to the Information Commissioner’s Office (ICO), or your national data protection authority. If you would like to complain to the ICO about how we have dealt with your request, please contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
If you are outside of the UK, please check with your local data protection authority for advice.
The European Data Protection Board member authorities list can be found here.
Change history
October 2024
- We have updated our ICO registration details.
- We have updated our process on how we transfer personal data to third parties.
- We have updated our process of how we respond to Data Subject Requests.
October 2023
- We updated the contact details for Ultromics Inc, our DPO and the ICO.
- We simplified Cookies and online tracking, and created a link to the new Cookies Notice.
- We updated record retention information in How long we keep your personal data.
- We enhanced Your personal data rights.
- We enhanced How to raise questions, complaints or exercise rights.