Privacy Notice

Ultromics General Privacy Notice

Welcome to the Ultromics privacy notice.

Ultromics respects your privacy and is committed to protecting your personal data. This privacy notice will tell you about how we collect, store, manage and look after your personal data where we decide the purpose and means of the information processing (as a Controller) or we otherwise process it (as a Processor) under the authorisation of another organisation. It will tell you about your privacy rights and how the law protects you.

It is in your interests that you read this privacy notice together with any other privacy information we have provided, or which may have been given to you by a third party which is using our services and providing your data to us. It is important that you do this so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.

Our privacy notice is provided in a layered format so that you can click through to the specific areas set out below.

This notice was last modified on: [03/03/2022]

Alternatively, you can download a pdf version of the policy here: [https://www.ultromics.com/privacy-notice].

1.      Who We Are

The Ultromics Group has a parent company, Ultromics Ltd, which is based in the UK and a subsidiary, Ultromics Inc, which is based in the US. Ultromics Ltd and Ultromics Inc are two separate legal entities. This privacy notice is issued on behalf of the Ultromics Group so when we mention Ultromics, "we", "us" or "our" in this privacy notice, we are referring to the relevant company in the Ultromics Group responsible for processing your data. We will let you know which entity will be the Controller for the personal data we hold about you.

  • Contact Information

Please use the ‘contact us’ form on our website. Existing customers, clients and business partners should either contact us through their designated Customer Experience Manager (CEM) or raise a support ticket through our Customer Service Desk support.

Ultromics Ltd

The registered office address for Ultromics Ltd is 4630 Kingsgate, Cascade Way, Oxford Business Park South, Oxford, OX4 2SU

Ultromics Ltd is a company registered in England and Wales under Company Registration No. 10684811.

Ultromics Inc

The registered office address for Ultromics Inc is 539 W. Commerce St #1679, Dallas, Texas, 75208.

  • We are registered with the UK Information Commissioner’s Office (ICO) under registration number ZA756042

 

  • Data Protection Officer (DPO)

We have appointed a Data Protection Officer (DPO) who can be contacted at the following address: privacy@ultromics.com

Our DPO is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this notice, including any requests to exercise your information rights, please contact the DPO using any of the postal address, contact us form or email address details set out above (1.1 and 1.2).

 

2.      Changes to Our Privacy Notice and Duties for Keeping Informed

  • We keep our privacy policy under regular review. We may change it from time to time, so we encourage you to review this notice periodically. When we change this privacy notice in a material way, we will update the last modified date which can be found at the beginning of this notice in our “Welcome to the Ultromics Privacy Notice” section. Historic versions of this notice are held by our DPO.
  • It is important that the personal data we hold about you is accurate and current, particularly your contact information. Please keep us informed, through our support channels and contact us forms, where your personal data needs updating during your relationship with us.

  • If we need to provide you with information about something, whether for legal, marketing or other business-related purposes, we will select what we believe is the best way to get in contact with you. We will usually do this through email or, for general public purposes, by placing a notice on our website.

 

3.      What We Do

  • Ultromics are a global health technology firm. We have developed and manufactured a suite of software products and services, called EchoGo®. Our products are each classed as a medical device. They serve as an aid to medical staff for assessing individuals’ heart health. As a diagnostic support tool, EchoGo® can help medical staff make fast, accurate decisions when diagnosing cardiovascular disease (CVD) in patients.

  • The EchoGo® suite is offered by Ultromics to the healthcare sector. It is cloud-based and supplied as software as a service (SaaS). Ultromics is a business-to-business company and does not currently supply its product or service direct to individuals for personal use.
  • Automated profiling and analysis

EchoGo® uses artificial intelligence to assist with automating analysis and calculations. EchoGo® reports are delivered to and are under the control of the treating physician, who ultimately decides the treatment pathway for the patient.

EchoGo® Core looks at medical image data and automatically makes measurements from what it sees based on the training (supervised machine learning) its algorithms have received prior to their deployment. Expert accredited echocardiographers and board-certified cardiologists have been involved with and assisted in its training.

EchoGo® Pro can also provide an indication of the likelihood of heart disease (coronary artery disease – CAD) risk in a patient, based on the profiling training it has had. From its specialised image-based machine learning of cardiac profile characteristics, it can make an assessment of the health of the human heart when images are submitted to it. This helps treating physicians to provide appropriate care and improve health outcomes for patients. Patients at risk can be identified quickly for treatment and those determined not at risk are spared from unnecessary tests, surgery and treatment.

This profiling analysis is mostly carried out by Ultromics as a Processor, acting on behalf of our healthcare sector customers. Ultromics acts as a Controller when we carry out our own research and development work to test hypotheses and improve our products and services. Where we are a Controller, personal data is shared only between us and our research collaborators for the purpose of the research study with full ethical approval and compliant data sharing procedures in place. Reports generated for research or validation purposes are not used clinically within a patient’s treatment pathway.

 

4.      Our Collection and Use of Personal Data

As a healthcare technology company, Ultromics collects your personal data for the purposes of software development and research, together with our general business administration. The information we collect depends on your interaction with our company and on the choices you might be asked to make at time of data collection. You are not obliged to provide any personal data to us. If you choose not to provide information, we may not be able to respond to your queries or provide our services to you or your organisation.

Our EchoGo® product and services are intended for use by our business customers. This means that for most of the personal data (patient personal information) we collect and process through EchoGo®, we act as a data Processor and not a Controller. In this context, our business customers (hospitals for instance) control what personal information we collect and how we use it. If you are a patient of one of our business customers and have privacy related questions or concerns about our access to your personal information, you should contact them directly or review their organisations' privacy notice.

Please note that Ultromics is not responsible for the privacy or security practices of its business customers, which may differ from those we have set out in this notice.

  • When do we collect your personal data
  • When you use and engage with our brand website(s);

  • When you enquire about, take up use of, or need support on use of our products and services;

  • When you visit our offices or engage with us at conferences and events;

  • When you supply our business with products or services;

  • When you engage with us for career development and recruiting activities;

  • When you sign up to our marketing newsletters and promotions;

  • When you contact us through any means for example social media, website forms, website chat function, survey responses, other enquiry routes;

  • When you participate in research or clinical studies and trials led by us.

You may provide such personal data to us directly, but sometimes we may be given the data by a third party, for example a healthcare provider. This is particularly the case for our research and development activities, and also when we are acting as a Processor providing our services to another organisation, our business customer (e.g. a hospital), which is the Controller.

  • Our use of data for research purposes

When you agree to take part in a research study under our control or joint control, we will process your personal data, comprising your echocardiogram images and limited health data, for the purposes of:

  • carrying out independent or joint academic research in the public interest;

  • further developing and refining our technology to improve its capabilities and our related services – for example training our algorithms and data models to better interpret and consistently measure the images provided, towards improving and extending our product and service functionality;

  • assisting us in commercially delivering our product and service to market with the overall aim being to help improve patient care and bring diagnostic quality and resource savings (time and cost) to the healthcare sector – for example simplified operation of our software device with more consistent results.

Where we are processing data for our internal commercial research and development purposes to develop and improve our product and services, we only use health data in a de-identified format, that is, in a way that does not specifically identify any individual by reference to name or other identifying data.

The personal information we use is provided to us under an agreement with healthcare providers, who supply the data.

  • Marketing and advertising

Where you have subscribed to our newsletter, we may contact you from time to time with information about our products and services. Most messages we send will be by email.

You can change your preferences at a later date by clicking on the “unsubscribe” or “manage preferences” link at the bottom of our marketing messages. You can also let us know that you do not wish to receive further marketing communications at any time by sending an email to unsubscribe@ultromics.com

  • Cookies and Online Tracking

Our website uses cookies to enable, optimise and analyse site operations, as well as to provide personalised content and allow you to connect to social media. Cookies are small files of letters and numbers which are stored on your browser or device. We have cookies for both essential (strictly necessary cookies) and non-essential functions. There are first party cookies, which we set directly, and third party cookies which are set indirectly. Some of these cookies can track your activity online when enabled.

You can control what cookies are used and find out more details about the specific cookies themselves, including how long they are stored, through our cookie settings manager. This tool should be visible as a small tab at the bottom left hand corner of your screen when on our website. You can adjust your cookie and associated data processing preferences there at any time.

If you do not enable these non-essential function cookies, they will not be downloaded to your device and you will not be tracked. Your website visitor experience however, in terms of functionality and performance, may be affected. Once you leave our website, to follow a link for example, we are not responsible for the privacy practices of that website provider and you should check the cookies and online tracking situation when you first visit should this be a concern to you. (See also section 6, covering third party links.)

  • What types of personal data do we collect

We collect and use the following types of data:

  • Identifying information – for example, names, roles and contact details (telephone, email, address), photographs and video or call recordings such as may be provided by you when filling out our forms, visiting our offices, or provided by you or your organisation for engagement with us for the purposes of supplying our services or collaborating with us on projects.

  • Device information – for example, IP address, browser information, device type such as may be provided by you when you connect to our website, fill in our online forms, or in the context of your organisation’s use of our medical device.

  • Behavioural information – for example, browsing behaviour if you have agreed to our use of non-essential cookies when you interact with our website, or access tracking if you visit our offices in person and are provided with a temporary access fob for entry to our office building.

  • Social information – for example, your professional qualifications, educational background and your public life when you communicate with us through our website or email, for careers purposes, or that you have otherwise made publicly available.

  • Health information – for example, medical images, physical characteristics, health history, health record details when you agree to take part in our research studies, or your healthcare provider engages with our services and provides your data to us or shares it with us under agreement as a Controller or a Joint Controller.

 

5.      Our Lawful Basis for the Processing

Under the UK data protection laws, where we are a Controller, independent or joint, our lawful basis for processing your data will be one of the following:

  • legitimate interest – for example where we are managing our business or carrying out research in our own business interests to assess, further develop, maintain or support our EchoGo® product and/or services.

  • public task – for example where we are in receipt of public funding for research and/ or we are a joint or independent Controller partner for research with respect to the Department of Health, an NHS hospital, or a UK university.

  • consent – for example where we collect your details for sending you our marketing newsletters, or for our use of cookies. Where this is the case, you can withdraw this consent at any time.

  • performance of a contract – for example where we collect your details for recruitment with a view to your joining us as an employee.

  • compliance with a legal obligation – for example where you are a shareholder and we have a duty to keep a register and associated records, or where laws and authorities may require us to do so.

  • to protect your vital interests – for example where you might visit our office and have an accident or need medical attention whilst on our site.

  • Processing for recruitment and employment

For more information about our processing personal data with respect to recruitment, please refer to our Applicant Privacy Notice on this website. Similarly, if you are employed by us please refer to our Employee Privacy Notice, which you can find in our Company Handbook or which is available from our HR team.

  • Processing of health data

Personal information concerning health, such as medical images and associated patient information, is referred to as special category data under UK and EU laws and protected health information (PHI) or identifiable/ de-identified health information under US law. It is also sometimes referred to as sensitive data. Processing of this data is subject to higher protection and compliance requirements.

Where we process health data in our own interests as a Controller, we will process this information under the additional lawful basis of one of the following:

  • public interest in the area of public health (e.g. medical device safety); OR
  • health and social care; OR
  • it is necessary for archiving, scientific research or statistical purposes.

Where local personal data protection laws require patient explicit consent to process the data, this will be organised by and through our data source partners e.g. hospital or healthcare provider.

Health data is provided to us under legal agreement with the Controller organisation. This may be for example, an NHS hospital in the UK or a Covered Entity (CE) in the US.

 

6.      Recipients or Categories of Recipients – sub-processors

As required, and in accordance with how we use your personal information, we may share your personal information with the following categories of recipients:

  • Service providers and advisors. We may share your personal information with third party vendors and other service providers that perform services for us or on our behalf. This may include providing storage and hosting services, de-identification services, network services, marketing, email or call handling, chat services, fraud prevention, web hosting, professional business services (such as legal, accounting, auditing and insurance), consulting services, or providing analytic services.

  • Purchasers and third parties in connection with a business transaction. Your personal information may be disclosed to third parties in connection with a transaction, such as a merger, sale of assets or shares, reorganisation, financing, change of control or acquisition of all or a portion of our business. This is under the provision that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.

  • Law enforcement, regulators and other parties for legal reasons. We may share your personal information with third parties as required by law or if we reasonably believe that such action is necessary to (i) comply with the law and the reasonable requests of law enforcement; (ii) detect and investigate illegal activities and breaches of agreements; and/or (iii) exercise or protect the rights, property, or personal safety of Ultromics, its users, or others.

  • A list of our current sub-processors is available on request by contacting privacy@ultromics.com.

  • Third-party links on this website

There are social media links on our website, such as LinkedIn, Twitter and Facebook. From time to time we may also publish links to other third-party sites such as links to academic publications, or medical associations and organisations. Clicking on these links or enabling those connections may enable the third-party to collect or share data about you. For example, when you click on the social media links you land on our social media page relevant to the link. If you are logged into your social media account and you click through to these from our website, the social media service provider may collect information indicating that you have visited our website and link the site visit to your social media profile.

We do not control these third-party websites and are not responsible for their privacy notices or practices. When you leave our website, we recommend that you read the privacy notice of the sites you choose to visit.

 

7.      Information Security

  • We have ISO 27001 certification and have implemented reasonable and appropriate technical and organisational measures to protect the personal information we process against accidental or unlawful destruction, loss, change or damage. We limit access to personal data to those employees, agents, contractors and other third parties who have a business need to know. They are under agreement with us to only process your personal data under our instructions and are subject to a duty of confidentiality. We will work carefully to ensure that your personal information is treated securely and in accordance with applicable law and this privacy policy.

Despite these safeguards, no internet-based transmission or information storage technology can be guaranteed 100% secure so we cannot promise that our security measures won’t be overcome. We will follow our incident response procedures should this occur.

  • If you are a user of our product and service and we have provided you with login credentials for that purpose, then you are responsible for maintaining the security of them, including any password details and all activities that take place under your account.

Should you receive a communication which purports to be from Ultromics, and which asks you to provide sensitive data or account information via email, or which otherwise seems strange, please treat this as unauthorised and suspicious and report it to our support team, or contact us at security@ultromics.com

  • If you wish to inquire further about the security safeguards we use, please contact us using the details set out at the start of this privacy notice.

 

8.      Details of International Transfer of Data

We have set up and use infrastructure in the UK and US. Your data may be processed in any of these areas; the processing location is dependent on the nature of the relationship we have with you or the agreement between us and the Controller organisation providing the data and their geographic location.

  • We currently use the following data centres to process your data with respect to our product and services:
  • UK: Microsoft Azure and Aimes
  • North America: Microsoft Azure

These regions only dictate the geographic location where data is stored and where our SaaS computer server resources are run from. Note that whilst your data will be stored in the above regions, it may also be accessed by Ultromics group company personnel located in the UK, but only to the extent necessary to be able to support, secure and maintain our services in accordance with our customer contracts.

Our business administration activities take place in either the UK or the US depending on the nature of that administration activity. We use service providers and other third parties which can support our business administration by processing only in UK, US or the EEA.

We have appropriate legal agreements in place with those supporting organisations for the transfer of your data outside the UK or EEA where this is restricted.

 

9.      How long do we keep your personal data

We will store the personal information we collect for our own purposes for no longer than necessary for the purposes set out and in accordance with our legal obligations and legitimate business interests.

  • Research and development

For research participants, long-term use (and, where applicable, re-use) and retention of your personal information in connection with the specific research study or project you are participating in is explained in the patient information sheet provided to you by our trial partner(s). This retention time period can vary; information will generally be kept for the duration of the specific research project and then additionally for an agreed time afterwards which could be up to 10 years from the end of the research project.

Should we decide to keep the research data indefinitely, we will then no longer use it for any other activities. Once we no longer have a use for the data we will either delete it or anonymise it in such a way that it can no longer be attributed to an identifiable individual.

  • Business administration

Unless stated otherwise, we keep your personal data for as long as we have a continued legitimate business need or legal obligation, or for as long as an agreement allows. This can be anything from 6 months (or less) to 15 years after the end date trigger, or indefinitely where this is required for legal reasons.

  • Product and service use

Data will be kept in line with each agreement we have with our business customers. Data will be destroyed or returned in accordance with the agreement unless we have negotiated with our business customer the permission to retain some of the information for our own research and development reasons as a Controller.

 

10. Your rights in respect of your personal information

Where we are acting as a data Controller and depending on your location and subject to applicable law, you may have information rights. This is particularly the case if you are resident in the UK or European Union. If you wish to exercise one of these rights, please contact us using the contact details at the beginning of this privacy notice. If you are the patient of an organisation which is using our EchoGo® services, please contact that Controller organisation in the first instance with your request. Research participants should get in touch with their primary organisation contact.

  • Right of access. You have the right to obtain:
  • confirmation of whether, and where, we are processing your personal information;

  • information about the categories of personal information we are processing, the purposes for which we process your personal information and information as to how we determine applicable retention periods;

  • information about the categories of recipients with whom we may share your personal information; and
  • a copy of the personal information we hold about you.

    • Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another organisation or person.

    • Right to get data corrected. You have the right to obtain correction, or deletion, of any inaccurate or incomplete personal information we hold about you without undue delay. This is known as the right to rectification.

    • Right to get data deleted. You have the right to erasure, in some circumstances. You can require us to delete your personal information without undue delay if the continued processing of that personal information is not justified. This is also known as the right to be forgotten.

    • Right to limit how we use your data. In some circumstances you can limit the way we use your personal data if you are concerned about the accuracy of the data or how we are using it. If necessary, you can also stop us deleting your data. Together, these opportunities are known as your right to restriction. This right is closely linked to your rights to challenge the accuracy of your data and to object to its use.

    • Right to object. In some circumstances, you have the right to object to our using your personal data. This effectively means that you can stop or prevent us from using your data. However, we may not need to stop where we can give strong and legitimate reasons to continue using it. You also have the right to withdraw consent, where our processing of your data is on the basis of consent previously given by you.

    • Right to lodge a complaint. If you have a complaint about our processing of your personal data, please contact our DPO in the first instance so that we can address your concerns. We will be happy to help.

You also have the right to lodge a complaint to the Information Commissioner’s Office (ICO), or your national data protection authority. The ICO has some helpful guidance on how to raise a concern to an organisation, and how to raise a concern directly to them. If you are outside of the UK, please check with your local data protection authority for advice. (The European Data Protection Board member authorities list is here.)

 

11. Our policy towards children

Our business, services and website are not directed at, or intended for, persons under 13 years old, and we do not knowingly collect personal information from or relating to children. If you believe, or become aware, that a child under 13 may have provided us with personal information, then please contact us so that we can take steps to remove such information and terminate any account that child has created with us.

 

12. Questions, concerns or complaints

Please contact us at any time should you have any comments, questions, concerns or complaints regarding this privacy notice or our associated practices. We will be happy to look into it for you. Please contact us at privacy@ultromics.com