We are Kheiron Medical Technologies (‘Kheiron’), with companies and offices in London and Budapest. Our services help radiologists identify potential cancers.
This privacy notice tells you what Kheiron may use your personal data for, how we process it, what your rights are and how you can exercise them.
We process personal data about various classes of people: clients, suppliers, staff, other people we work with and people who contact us as a part of a service we provide. We also process limited health-related data on behalf of the healthcare professionals and organisations we work with.
People have rights which they may freely exercise where data that identifies them is processed. We explain what these are, and how and when you can exercise them.
We use various third-party data processors to provide cloud-based technologies on which we securely process personal data.
We may place some cookies on your device when you visit our website, but only with your consent.
You can contact us for more information about how, what and when we process personal data about you and to request access.
You can contact your data protection supervisory authority if you do not think we have handled your data correctly.
Kheiron Medical Technologies Ltd., Kheiron Medical Technologies Inc., Kheiron Medical Technologies BV. and Korlátolt Felelősségű Társaság (Kheiron Medical Technologies in Hungary) are a group of companies which specialise in applying Artificial Intelligence and Machine Learning science to improve the detection and diagnosis of cancers.
The General Data Protection Regulation (GDPR) is a data privacy law that applies to organisations (and sometimes people) that are established in the European Economic Area (the ‘EEA’, which comprises the countries of the European Union plus a number of other countries). Kheiron is committed to protecting personal data in compliance with GDPR and the UK legislation based on GDPR.
For people outside of the EEA and UK, Kheiron is committed to complying with local national and state data protection laws, supplementary to the principles and requirements of GDPR as advised by legal counsel.
The General Data Protection Regulation and relevant Member State laws require us to provide people with information about what personal data we process, what their rights are, how they can exercise those rights, and how to make complaints. This Privacy Notice provides that information in a way we have tried to make clear and transparent.
If you would like more information about what data we process, for what purpose or how long we keep it for, please use the contact options provided to ask us.
Personal data processed
We process the following personal data for the purposes listed (we are also the Controller of the data processed listed within the Data Processor section below):
|Classes of Data Subject||Purposes of processing||Categories of Data||Retention period||Lawful basis|
|EU citizens||To communicate with the EU citizen and respond to questions, requests and concerns.||Names Email addresses Telephone numbers||To the end of our mandate with each client or each service contract with a healthcare provider.||Legal obligation (Article 27 GDPR)|
|UK citizens||To communicate with the UK citizen and respond to questions, requests and concerns.||Name, Email address Telephone number||To the end of our mandate with each client or each service contract with a healthcare provider.||Legal Obligation GDPR and Data Protection Act 2018 as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019|
|Individuals in the care of a Partner or Client healthcare provider||Mia service provision – pseudonymisation (a step to remove personal identifiable data before radiological images are analysed)||Minimised health record data directly related to radiological images||To the end of our mandate with each client or each service contract with a healthcare provider.||Contract|
|Individuals in the care of a Partner or Client healthcare provider||Mia service provision supporting Client and Partner radiologists – image processing (analysis)||Pseudonymised (unidentifiable) minimised data related to radiological images||To the end of our mandate with each client or each service contract with a healthcare provider.||Contract|
|Individuals in the care of a Partner or Client healthcare provider||Training Mia machine learning models improving cancer detection – image processing (analysis)||Pseudonymised (unidentifiable) minimised data related to radiological images||To the end of our mandate with each client or each service contract with a healthcare provider.||Contract|
|Clients, Partners and related staff of organisations associated with projects.||Project management Financial records||Personal data Names Work email address Work telephone numbers||8 years after the last payment||Contract|
|Suppliers, Staff of suppliers associated with projects or other normal business operations.||Financial records Account management||Personal data Names Work email address Work telephone numbers||8 years after the last supply||Contract|
|Current staff||Benefits Employment contract Sickness Holiday Pension Payroll Emergency contact in case of injury or illness||Personal data Name Email address Telephone number Address Date of birth NI no Emergency contact details||8 years after leaving||Legal obligation Contract with the employee or PAYE worker|
|Past UK staff||Pension Basic staff record to allow for factual employment verification.||Personal data Name Email address Telephone number Address Birthday NI no||We will follow the pension regulator retention schedule||Legal obligation|
|Recruitment||Recruitment and appointment, Prospective employment.||Personal contact details (Name, Address, Email address, Telephone number); CV or resume and other information voluntarily provided to us in support of the application including any voluntary disclosure of gender, citizenship or nationality, medical information, racial or ethnic origin; reference summaries and results of background checks that we may undertake.||12 months after successful appointment||Contract with the employee|
|Associates||Provision of professional services through Kheiron to end clients||Personal contact details (Name, Address, Email address, Telephone number); CV or resume and other information requested by us in support of the engagement including citizenship or nationality; reference summaries and results of background checks that we may undertake.||5 years after last engagement||Professional services contract|
|Potential clients||Marketing of services Invitations to events||Personal data Name Email address Telephone number Organisation Job title||2 years from last contact||Consent|
|Supervisory authorities and other regulators||Requests by the Supervisory Authorities across the EU and UK in relation to data subjects who have contacted the Supervisory Authority or where we have escalated on behalf of a client (EEA Representative, UK Representative and DPO service)||Personal data Name Email address Telephone number Other related personal data for that case/enquiry||To the end of our mandate with client or for those participating in clinical trial 10 years after last contact (EEA/UK Representative). To the end of our mandate with client or for 7 years after last contact – medical technology (EEA/UK Representative). To the end of our contract or in accordance with client’s retention schedules (DPO)||Legal obligation (Article 27, Article 38(4) GDPR and UK GDPR and Data Protection Act 2018, as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019)|
Data protection rights
The General Data Protection Regulation secures various rights for people whose data is being processed. The rights are not absolute and so sometimes do not apply. Listed below are the rights and an indication of when they apply related to the table above:
|Right||Meaning||Engagement by lawful basis (see above)|
|Access GDPR Article 15||You may request a copy of the data held by a controller about you.||This is a fairly universal right with minor exemptions for staff disciplinary records and legal opinions.|
|Rectification GDPR Article 16||If you think data held by a controller about you is wrong, you may request that it is corrected.||This is a fairly universal right with minor exemptions.|
|Erasure GDPR Article 17||You can request that your data is deleted by a controller.||This is a fairly universal right with minor exemptions.|
|Restriction GDPR Article 18||There are circumstances in which a data subject may ask a controller to stop processing their data but in which the controller must otherwise retain the data, for example where required by law.||This right is more complex to apply, but that doesn’t mean it would not be respected.|
|Portability GDPR Article 19||You can ask for a copy of your data in a format that can be readily transferred to an alternative controller.||This right is only engaged where your data is processed on the basis of consent.|
|Objection GDPR Article 21||You can object to the processing of your personal data when the controller is relying on a legal obligation or public duty for their legal basis, or they are claiming that it is in their legitimate interest, especially direct marketing.||Engaged where the lawful basis for processing is GDPR article 6(1)(e) or 6(1)(f).|
|Automated decisions GDPR Article 22||Where a computer makes a decision about you without human intervention, for example in an online loan application, you have the right to know how the decision was arrived at.||Where automated decision-making takes place without human intervention.|
Our website is at www.kheironmed.com.
Our website has a tool to allow people to choose whether or not to allow cookies to be stored on their computer. A cookie is a small file that websites read when you browse them, and which sometimes tells those websites about you and your preferences.
Our website uses the following cookies:
|OptanonConsent||Stores the visitor’s cookie consent preferences||1 year|
|LinkedIn tracking cookies||This stores the technical characteristics of a visitor’s browser as an identity to help understand how they use the site. Visitors may opt-out of this cookie using the consent form when first visiting our website.||Up to 2 years|
|gstatic.com||Links to Google content delivery service providing static web site content to reduce page load times.||Session only|
|HubSpot||Used to store filled form information to avoid the visitor needing to re-type the same information.||Session only|
Below is a list of companies whose services and products we have contracted and who process personal data on our behalf:
|Supplier and service(s) provided||Classes of Data Subject||Personal Data processed||Purposes for the processing|
|Web host sub-processor:|
|Customers (including subscribers to our mailing lists), and Staff.||Personal data|
Get in touch form. Name and other contact information.
Team page – providing details of our staff – name, photograph and biography.
|We collect and use your personal data because it is necessary to obtain certain details including personal data from you in providing you with the service you have requested and it is in our legitimate interests in the course of our business, including: Providing the requested service and/or information to you. Responding to your queries. User registration to access our products and services. Transmitting Personal Information between our functions for internal administrative purposes. For further information about cookies we use, see the relevant section in this document.|
|Customers (including subscribers to our mailing lists).||Personal data|
Get in touch form. Name and other contact information.
|We collect and use your personal data because it is necessary to obtain certain details including personal data from you in providing you with the service you have requested and it is in our legitimate interests in the course of our business, including: |
Providing the requested service and/or information to you.
Responding to your queries.
User registration to access our products and services.
Transmitting Personal Information between our functions for internal administrative purposes.
It is in our legitimate interests in the course of our business to understand which information pages are useful so that we can improve the usability of the website and improve visitor experience.
Visitors may opt-out of this using the cookie consent form when they first visit our website.
|Google Meet |
Meeting communications, presentation and recording system. The privacy notice for Google Meet is here.
|Meeting attendees||Personal data Name, email address and other basic contact details.||Delegates wanting to attend meetings we manage agree to their name and basic contact details (email, phone number) to be used for that purpose. A delegate can opt out of a meeting at any time through declining their email invitation.|
|Survey Monkey Online survey tool which is used for evaluation of events, training, services and products provided by us. Their privacy notice can be found here.||Customers and delegates who have attended our events, including training.||Personal data: Name, email address and other basic contact details.||Delegates wanting to attend events we manage register and agree to their name and basic contact details (email, phone number) to be used solely for the management of that event. This includes evaluation. A delegate can opt out of an event at any time through cancelling their registration and any evaluation.|
|Microsoft Office 365 and Google Workspace|
Provided to store, process and record staff and customer details. These are controlled through access control levels and can be reviewed through audit logs. Policies and procedures exist for all staff prior to access. This includes an Acceptable Use Policy as well as other related IG policies and procedures.
Microsoft privacy notice can be found here.
Google privacy notice can be found here.
|Customers (including subscribers to our mailing lists), and Staff.||Customers and subscribers – name, email address and other basic contact details. Staff – basic contact details and sensitive information such as employment contract details.||Customer and subscribers We collect and use your personal data because it is necessary to obtain certain details including personal data from you in providing you with the service you have requested and it is in our legitimate interests in the course of our business, including; providing the requested service and/or information to you; responding to your queries; user registration to access our products and services.|
Staff We process personal data to provide HR services including payroll and pensions where third parties are used.
If you have any queries regarding data protection matters, please contact our London office.
Phone: +44 (0) 207 039 3500
Email: [email protected]
Write: Kheiron Medical Technologies Ltd. 2nd floor, Stylus Building, 116 Old Street, London EC1V 9BG
If you are unhappy with how we process your personal data, and after you have first made a complaint to us, you can complain to your national or state data privacy supervisory authority.