Privacy policy

Kheiron Medical Technologies

We are Kheiron Medical Technologies (‘Kheiron’), with companies and offices in London and Budapest. Our services help radiologists identify potential cancers.

This privacy notice tells you what Kheiron may use your personal data for, how we process it, what your rights are and how you can exercise them.

We process personal data about various classes of people: clients, suppliers, staff, other people we work with and people who contact us as a part of a service we provide. We also process limited health-related data on behalf of the healthcare professionals and organisations we work with.

People have rights which they may freely exercise where data that identifies them is processed. We explain what these are, and how and when you can exercise them.

We use various third-party data processors to provide cloud-based technologies on which we securely process personal data.

We may place some cookies on your device when you visit our website, but only with your consent.

You can contact us for more information about how, what and when we process personal data about you and to request access.

You can contact your data protection supervisory authority if you do not think we have handled your data correctly.

Kheiron Medical

Kheiron Medical Technologies Ltd., Kheiron Medical Technologies Inc., Kheiron Medical Technologies BV. and Korlátolt Felelősségű Társaság (Kheiron Medical Technologies in Hungary) are a group of companies which specialise in applying Artificial Intelligence and Machine Learning science to improve the detection and diagnosis of cancers.

Introduction

The General Data Protection Regulation (GDPR) is a data privacy law that applies to organisations (and sometimes people) that are established in the European Economic Area (the ‘EEA’ comprises the countries of the European Union plus a number of other countries). Kheiron is committed to protecting personal data in compliance with GDPR and the UK legislation based on GDPR.

For people outside of the EEA and UK, Kheiron is committed to complying with local national and state data protection laws, supplementary to the principles and requirements of GDPR as advised by legal counsel.

The General Data Protection Regulation and relevant Member State laws require us to provide people with information about what personal data we process, what their rights are, how they can exercise those rights, and how to make complaints. This Privacy Notice provides that information in a way we have tried to make clear and transparent.

If you would like more information about what data we process, for what purpose or how long we keep it for, please use the contact options provided to ask us. 

Personal data processed

We process the following personal data for the purposes listed (we are also the Controller of the data listed within the Data processors section below):

Classes of Data Subject | Purposes of processing | Categories of Data | Retention period | Lawful basis
EU citizens | To communicate with the EU citizen and respond to questions, requests and concerns. | Names, email addresses, telephone numbers | To the end of our mandate with each client or each service contract with a healthcare provider. | Legal obligation (Article 27 GDPR)
UK citizens | To communicate with the UK citizen and respond to questions, requests and concerns. | Name, email address, telephone number | To the end of our mandate with each client or each service contract with a healthcare provider. | Legal obligation (GDPR and Data Protection Act 2018 as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019)
Individuals in the care of a Partner or Client healthcare provider | Mia service provision – pseudonymisation (a step to remove personal identifiable data before radiological images are analysed) | Minimised health record data directly related to radiological images | To the end of our mandate with each client or each service contract with a healthcare provider. | Contract
Individuals in the care of a Partner or Client healthcare provider | Mia service provision supporting Client and Partner radiologists – image processing (analysis) | Pseudonymised (unidentifiable) minimised data related to radiological images | To the end of our mandate with each client or each service contract with a healthcare provider. | Contract
Individuals in the care of a Partner or Client healthcare provider | Training Mia machine learning models improving cancer detection – image processing (analysis) | Pseudonymised (unidentifiable) minimised data related to radiological images | To the end of our mandate with each client or each service contract with a healthcare provider. | Contract
Clients, Partners and related staff of organisations associated with projects. | Project management; financial records | Personal data: names, work email address, work telephone numbers | 8 years after the last payment | Contract
Suppliers, Staff of suppliers associated with projects or other normal business operations. | Financial records; account management | Personal data: names, work email address, work telephone numbers | 8 years after the last supply | Contract
Current staff | Benefits; employment contract; sickness; holiday; pension; payroll; emergency contact in case of injury or illness | Personal data: name, email address, telephone number, address, date of birth, NI no, emergency contact details | 8 years after leaving | Legal obligation; contract with the employee or PAYE worker
Past UK staff | Pension; basic staff record to allow for factual employment verification. | Personal data: name, email address, telephone number, address, birthday, NI no | We will follow the pension regulator retention schedule | Legal obligation
Recruitment | Recruitment and appointment, prospective employment. | Personal contact details (Name, Address, Email address, Telephone number); CV or resume and other information voluntarily provided to us in support of the application including any voluntary disclosure of gender, citizenship or nationality, medical information, racial or ethnic origin; reference summaries and results of background checks that we may undertake. | 12 months after successful appointment | Contract with the employee
Associates | Provision of professional services through Kheiron to end clients | Personal contact details (Name, Address, Email address, Telephone number); CV or resume and other information requested by us in support of the engagement including citizenship or nationality; reference summaries and results of background checks that we may undertake. | 5 years after last engagement | Professional services contract
Potential clients | Marketing of services; invitations to events | Personal data: name, email address, telephone number, organisation, job title | 2 years from last contact | Consent
Supervisory authorities and other regulators | Requests by the Supervisory Authorities across the EU and UK in relation to data subjects who have contacted the Supervisory Authority or where we have escalated on behalf of a client (EEA Representative, UK Representative and DPO service) | Personal data: name, email address, telephone number, other related personal data for that case/enquiry | To the end of our mandate with client or for those participating in clinical trial 10 years after last contact (EEA/UK Representative). To the end of our mandate with client or for 7 years after last contact – medical technology (EEA/UK Representative). To the end of our contract or in accordance to client’s retention schedules (DPO) | Legal obligation (Article 27, Article 38(4) GDPR and UK GDPR and Data Protection Act 2018, as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019)

Data protection rights

The General Data Protection Regulation secures various rights for people whose data is being processed. The rights are not absolute and so sometimes do not apply. Listed below are the rights and an indication of when they apply related to the table above:

Right | Meaning | Engagement by lawful basis (see above)
Access (GDPR Article 15) | You may request a copy of the data held by a controller about you. | This is a fairly universal right with minor exemptions for staff disciplinary records and legal opinions.
Rectification (GDPR Article 16) | If you think data held by a controller about you is wrong, you may request that it is corrected. | This is a fairly universal right with minor exemptions.
Erasure (GDPR Article 17) | You can request that your data is deleted by a controller. | This is a fairly universal right with minor exemptions.
Restriction (GDPR Article 18) | There are circumstances in which a data subject may ask a controller to stop processing their data but in which the controller must otherwise retain the data, for example where required by law. | This right is more complex to apply, but that doesn’t mean it would be respected.
Portability (GDPR Article 19) | You can ask for a copy of your data in a format that can be readily transferred to an alternative controller. | This right is only engaged where your data is processed on the basis of consent.
Objection (GDPR Article 21) | You can object to the processing of your personal data when the controller is relying on a legal obligation or public duty for their legal basis, or they are claiming that it is in their legitimate interest, especially direct marketing. | Engaged where the lawful basis for processing is GDPR article 6(1)(e) or 6(1)(f).
Automated decisions (GDPR Article 22) | Where a computer makes a decision about you without a human intervention, for example in an online loan application, you have the right to know how the decision was arrived at. | Where automated decision-making takes place without a human intervention.

Cookies

Our website is at www.www.kheironmed.com. 

Our website has a tool to allow people to choose whether or not to allow cookies to be stored on their computer. A cookie is a small file that websites read when you browse them, and which sometimes tells those websites about you and your preferences.

Our website uses the following cookies:

Cookie name | Purpose | Persistence
OptanonConsent | Stores the visitor’s cookie consent preferences | 1 year
LinkedIn tracking cookies | This stores the technical characteristics of a visitor’s browser as an identity to help understand how they use the site. Visitors may opt-out of this cookie using the consent form when first visiting our website. LinkedIn cookie policy can be found here | Up to 2 years
gstatic.com | Links to Google content delivery service providing static web site content to reduce page load times. | Session only
HubSpot | Used to store filled form information to avoid the visitor needing to re-type the same information. | Session only

Data processors

Below is a list of companies whose services and products we have contracted and who process personal data on our behalf:

Supplier and service(s) provided | Classes of Data Subject | Personal Data processed | Purposes for the processing
Web host sub-processor: WP Engine. Privacy policy can be found here. | Customers (including subscribers to our mailing lists), and Staff. | Personal data: Get in touch form. Name and other contact information. Team page – providing details of our staff – name, photograph and biography. | We collect and use your personal data because it is necessary to obtain certain details including personal data from you in providing you with the service you have requested and it is in our legitimate interests in the course of our business, including: Providing the requested service and/or information to you. Responding to your queries. User registration to access our products and services. Transmitting Personal Information between our functions for internal administrative purposes. For further information about cookies we use, see the relevant section in this document.
Sub-processor: HubSpot. Privacy policy can be found here. | Customers (including subscribers to our mailing lists). | Personal data: Get in touch form. Name and other contact information. | We collect and use your personal data because it is necessary to obtain certain details including personal data from you in providing you with the service you have requested and it is in our legitimate interests in the course of our business, including: Providing the requested service and/or information to you. Responding to your queries. User registration to access our products and services. Transmitting Personal Information between our functions for internal administrative purposes.
Sub-processor: LinkedIn. Privacy policy can be found here. | All public site visitors including customers, partners and staff. | Visitor’s browser matching and site movement tracking. | Used to understand how visitors move around the site and to support contact via LinkedIn. It is in our legitimate interests in the course of our business to understand which information pages are useful so that we can improve the usability of the website and improve visitor experience. Visitors may opt-out of this using the cookie consent form when they first visit our website.
Google Meet: Meeting communications, presentation and recording system. The privacy notice for Google Meet is here. | Meeting attendees | Personal data: Name, email address and other basic contact details. | Delegates wanting to attend meetings we manage agree to their name and basic contact details (email, phone number) to be used for that purpose. A delegate can opt out of a meeting at any time through declining their email invitation.
Survey Monkey: Online survey tool which is used for evaluation of events, training, services and products provided by us. Their privacy notice can be found here. | Customers and delegates who have attended our events, including training. | Personal data: Name, email address and other basic contact details. | Delegates wanting to attend events we manage register and agree to their name and basic contact details (email, phone number) to be used solely for the management of that event. This includes evaluation. A delegate can opt out of an event at any time through cancelling their registration and any evaluation.
Microsoft Office 365 and Google Workspace: Provided to store and process and record staff and customers details. These are controlled through access control levels and can be reviewed through audit logs. Policies and procedures exist for all staff prior to access. This includes an Acceptable Use Policy as well as other related IG policies and procedures. Microsoft privacy notice can be found here. Google privacy notice can be found here. | Customers (including subscribers to our mailing lists), and Staff. | Customers and subscribers – name, email address and other basic contact details. Staff – basic contact details and sensitive information such as employment contract details. | Customer and subscribers: We collect and use your personal data because it is necessary to obtain certain details including personal data from you in providing you with the service you have requested and it is in our legitimate interests in the course of our business, including; providing the requested service and/or information to you; responding to your queries; user registration to access our products and services. Staff: We process personal data to provide HR services including payroll and pensions where third parties are used.

Contact details

If you have any queries regarding data protection matters, please contact our London office.

Phone: +44 (0) 207 039 3500

Email: [email protected]

Write: Kheiron Medical Technologies Ltd. 2nd floor, Stylus Building, 116 Old Street, London EC1V 9BG

Complaints

If you are unhappy with how we process your personal data, and after you have first made a complaint to us, you can complain to your national or state data privacy supervisory authority.