Privacy Policy

Learn how and why we collect and process your data – and what we do to keep it safe. (Version 4)
Updated on 22 June 2023

About this privacy policy

Cyted (‘we’ or ‘us, ‘our’) is committed to respecting and protecting your privacy. This Privacy Policy explains how we collect, store, manage and protect your personal data. We take our responsibilities around the correct collection, use and destruction of personal data seriously and are committed to openness and fairness in the handling of any personal data. We aim to be clear when we collect information about you and not do anything you wouldn’t reasonably expect.

This privacy policy is intended for:

  • Users of our website
  • Parties interested in Cyted Ltd/Cyted UK Ltd
  • Organisations purchasing medical diagnosis reports products or services from us (“Customers”)
  • Organisations supplying goods or services to us (“Suppliers”)
  • Staff and other representatives of our Suppliers or Customers (“Representatives”)
  • Job applicants

Who is the data controller?

Where Cyted Ltd is the controller of personal information, we will tell individuals the reasons for processing their personal data, how we will use such data and the legal basis for the processing in our privacy notices. We will not process Personal Data of individuals for other reasons. Cyted will update personal data promptly if an individual advises that their information has changed or is inaccurate.

Where Cyted is considered the Data Processor or sub-processor, we will only process the Personal Data in accordance with the applicable laws, rules, regulations, and as specifically directed by the data controller.

We are a limited company registered in England and Wales (company number 11478299). Our registered address is 22 Station Road, Cambridge, United Kingdom, CB1 2JD.

Under the Data Protection Act 2018, Cyted is registered with the Information Commissioner’s Office (Registration number: Cyted Ltd ZA513427, Cyted UK Ltd ZA224395).

Our contact details and how you can facilitate your rights

We have appointed a Data Privacy Lead who is responsible for handling questions concerning the operation of our privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact our Data Protection Lead. Our Data Protection Lead can be contacted at:

Data Protection Ltd, Cyted, 22 Station Road, Cambridge, CB1 2JD, United Kingdom


Personal data that we collect

We may collect personal data from you in the course of running our business, including through your use of our website, the use of our products or services, when you contact or request information from us, as a result of you applying for a job with us, or as a result of your relationship with one or more of our staff or customers.

Personal data, or personal information, means any information about a living individual from which that person can be identified. It does not include data where the identity has been anonymised.

We also collect aggregated data such as statistical or demographic data for any purpose. For instance, if you visit our website, we will use your usage data to calculate the number of users accessing a particular web page.

The following is a non-exhaustive list of the categories of personal data that we collect which is grouped by data category:

Data category
Data description
Identity data includes
First name, last name, username or similar identifier, gender, marital status, title, date of birth, passport info, car registration, picture, physical characteristics.
Contact data includes
Postal address, postcode, email address and telephone numbers.
Financial data includes
Bank account and payment card details used to purchase products or services from us or to make payments to us.
Biographical data includes
Information about a data subject such as held in CVs.
Transaction data includes
Details of products and services you have purchased from us or we have purchased from you, details about payments to and from you.
Technical data includes
Internet protocol (IP) address, browser type and version, your login data, time zone setting and location, operating system and platform, browser plug-in types and versions, error reporting, performance data and other technology on the devices you use to access the Website or in relation to communications we send to you electronically.
Employment data includes
Information relevant to any job application you make to us.
Profile data includes
Your username and password, purchases or orders made by you or any interests communicated to us to enable the personalisation of services, preferences, feedback and survey responses.
Usage data includes
Information about how you use the website and products and services we provide including the features you used, the setting selected, pages visited etc.
Health data includes
Information relating to your health status to enable us to provide our health services to you.
Marketing and Communications data includes
Your preferences in receiving marketing from us [and our third parties] and your communication preferences.
Authentication data includes
If you visit us we may collect information (Identity data) that we need in order to identify you and complete any security checks. We may collect your image on CCTV.
Special Category data includes
“Any personal that is considered in law to be special category data such as health data,

Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership

Genetic data, Biometric data for the purpose of uniquely identifying a natural person, Data concerning health, or

Data concerning a natural person’s sex life or sexual orientation.”
Criminal conviction data includes
Criminal conviction data including processing related to offences, or related security matters.
Miscellaneous data includes
Any other information relating to you which you may provide to us.

Nature of provision of personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you.

How we obtain your personal information

We collect personal information from you and others as necessary in the course of running our business.

Most of the personal data we process is provided directly to us by you for one of the following reasons:

  • When you or your organisation makes an enquiry or uses any of our products or services
  • When you or your organisation provides products or services to us
  • When you communicate with us by phone, electronic messaging, in writing, or directly when you meet with our staff
  • When you or your organisation browse our website, complete a form or communicate via the website or our other electronic services
  • When you or your organisation participates in our marketing events, recruitment events or other promotional events
  • When you agree to receive marketing communications from us
  • When you or your organisation gives feedback (for example completing a survey)
  • When provided by a publicly available source such as public lists of registers e.g. electoral register, Companies House and others

We also receive personal data indirectly, in the following scenarios:

  • When provided by a third party organisation, such as an identity verification agency if you had applied for employment with us ; by an analytic provider such as Google if you use the internet; from payment providers if you bought something from us; by a delivery organisation if you took delivery a from us; from a regulatory authority such as HMRC if you are employed by us
  • When provided by our customer, such as a request for medical diagnosis or investigation where we provide a medical diagnosis report
  • When you interact with our website or use our systems, we may automatically collect data about your access device and browsing session, using cookies and other technologies. We may also receive technical data about you if you visit other websites using our cookies

As part of Cyted’s corporate function, we process special category and criminal conviction data. We have an appropriate policy document that explains our safeguarding policy for special category and criminal conviction data.

Why we use your personal information

We will only process your personal data when we have a lawful basis to do so.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these will apply whenever we process personal data:

  1. Consent: we have your consent to process your personal data for a specific purpose. You are able to remove your consent at any time. You can do this by contacting: Data Protection Lead, Cyted UK Ltd, 2 Falcon Road, Hinchingbrooke, Huntingdon, Cambridgeshire, United Kingdom, PE29 6FG; email:
  2. Contract: the processing is necessary as we have a contractual obligation
  3. Legal obligation: the processing is necessary for compliance with a legal obligation
  4. Vital interests: the processing is necessary for us to protect the vital interests of the data subject or of another natural person;
  5. Public task: the processing is necessary for us to perform a task in the public interest or in the exercise of official authority vested in the controller;
  6. Legitimate interests: the processing is necessary for our legitimate interests as controller or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which
    overrides those legitimate interests

In most cases, we do not rely on consent as a legal basis for processing your personal data with the exception in relation to sending direct marketing communications to you via email. You have the right to withdraw consent to marketing at any time by contacting us at the above address.

We will not use your personal data for making any automated decisions.

How we use your personal data

Cyted will only use your personal data fairly and where we have a lawful basis to do so. Most commonly, we will use your personal data in the following circumstances:

Purpose of data processing
Type of data
Legal basis for processing
Registering you or your organisation as a client
Identity data
Contact data
Financial data
Performance of a contract
Legal or regulatory obligation
Legitimate interest (to manage our customer relationships, to confirm credit worthiness)
To supply our products or services
Identity data
Contact data
Financial data
Performance of a contract
Legal or regulatory obligation
Legitimate interest (to recover outstanding debts to us)
To process employment applications
Identity data
Contact data
Financial data
Biographical data
Employment data
Health data
Special Category data
Performance of a contract
Legal or regulatory obligation
Legitimate interest (assessing your skills, suitability prior to employment offer)
To promote our products and services
Identity data
Marketing and Communications data
Contact data
Profile data
Legitimate interest (to promote our products and services)
To handle enquiries and requests
Identity data
Contact data
Transaction data
Performance of a contract
Legitimate interest (to respond to enquiries from customers and others)
To process payments, invoicing, delivery and collections
Identity data
Contact data
Financial data
Transaction data
Performance of a contract
Legal or regulatory obligation
Legitimate interest (to collect outstanding money owed)
To monitor and review the supply of our products, services and communications, including notification of changes in terms or policy; Completing feedback surveys; market research
Identity data
Contact data
Profile data
Usage data
Transaction data
Marketing and Communications data
Performance of a contract
Legal or regulatory obligation
Legitimate interest (to obtain feedback to help improve the quality of products and services provided)
To track and audit compliance with our policies, processes and procedures
Identity data
Profile data
Usage data
Transaction data
Performance of a contract
Legal or regulatory obligation
Legitimate interest (to ensure compliance for legal and operational purposes)
To visit our premises
Identity data
Legitimate interest (to maintain security)

Processing special category data

When we process special category data, we need to identify both a lawful basis for processing and a special category condition to ensure compliance with Article 9 GDPR. We consider Criminal offence information within special category data.

Purpose of data processing
Type of data
Special Category condition for processing
To process job applications involving special category data e.g. processing a DBS request
Special category data such as health data. We also include criminal offence data in this category
Processing is necessary for employment purposes Art 9 2(b) and our obligations in employment and the safeguarding of staff fundamental rights and article 9(2)(h) for assessment of employee work capacity.

Also Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018 which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.
To produce a patient diagnosis report
Health dataIdentity data
Processing is necessary for medical diagnosis Art 9 2(h)

Also Schedule 2 paragraph 2 2018 Data Protection Act provides for processing that is necessary for health or social care purposes which we take to be (c) medical diagnosis and (d) the provision of healthcare or treatment

Recipients of personal data we process

Access to personal data is strictly controlled to maintain its privacy and security.

We may share personal data for the purposes mentioned in the above tables with the following recipients or categories of recipients:

  • Our Staff – we share personal data with our staff involved with the delivery of our medical diagnosis services
  • Our Healthcare professionals – we share personal data with our healthcare professionals involved with the delivery of our medical diagnosis services
  • Our Customers – we share personal data with representatives of the medical organisation that commissioned our services
  • Government and other regulatory bodies – we may be required to share personal data with regulators to comply with our legal, regulatory and statutory obligations such as the Care Quality Commission, Department of Work and Pensions, HMRC, Coroners Court
  • Service providers – we may share personal data with service providers acting as processors who provide IT and system services
  • Third parties – We may also be required to pass personal information to third parties acting as data processors of joint controllers such as law enforcement agencies, our insurers, our auditors, the courts and our professional adviser’s

These recipients or categories of recipients are only allowed to process personal data for specified purposes and where they are processing personal data on our behalf, they must do so in accordance with our instructions.

Also, we may share your personal data with other third parties in the context of a possible sale or restructuring of the business.

Transfer to third countries

If our recipients are based outside the European Economic Area (EEA) or the United Kingdom (UK) the processing of your personal data will involve a transfer of data outside the EEA or the UK. Whenever we transfer your personal data outside the EEA, we will ensure that a similar degree of protection of personal data is given by ensuring at least one of these safeguards is in place:

  • Countries are deemed adequate by EU Commission- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Use model contracts – We may use model contracts approved by the European Commission which give the same protection to personal data as afforded within EEA.

How long we keep your personal data

We will only retain your personal data for as long as it is necessary for the purposes we collected it for, which will include the purposes of meeting any legal, regulatory, accounting or reporting requirements. For further information about how long we hold personal data see our retention schedule that is available on request from our Data Protection Lead.

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

  • Your right of access- You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. This right is commonly known as a “data subject access request” or “DSAR”.
  • Your right to rectification- You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
  • Your right to erasure- You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing- You have the right to ask us to restrict the processing of your information in certain circumstances.
  • Your right to object to processing- You have the right to object to processing in certain circumstances.
  • Your right to data portability- This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

Making an information request to us

You can make a request to exercise your privacy rights by contacting us at the address above. To respond we will need information from you to deal with the request such as to locate the information you are looking for. We will set up an electronic case file containing the details of your request. This normally will include your contact details and any other information that you have given us. If you are making a request about your personal data , or are acting on behalf on someone making a request, then we will ask for information to satisfy us of your identity.

You are not required to pay any charge for exercising your rights however we may charge a reasonable fee if your request for access is repeated and/or unfounded or excessive. We have one month to respond to you.

Your right to complain to a supervisory authority

If you have concerns about the way we handle your personal data, you can contact the ICO or raise a complaint. We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner’s Office so please contact us in the first instance.

If you remain dissatisfied, you have the right to make a compliant about the way we process your personal information by contacting the ICO.

  • by phone on +44 303 123 1113
  • by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • via their website at

Changes to this policy

We may change our privacy policy from time to time. If or when changes are made, we'll include them here, so be sure to check back occasionally.

Other third party links

Our website may, from time to time, contain links to and from third-party websites, including those of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites may have their own privacy policies. We don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Security and safe storage of your personal information

The security of your personal information is very important to us and we take this matter very seriously. We’ll use appropriate procedures and security features to process and protect your information. We have in place a robust framework to ensure the security of your information.

We may monitor the use and content of emails, calls and secure messages sent from and received by us so that we can, for instance, identify and take legal action against unlawful or improper use of our systems. The main examples of unlawful or improper use are attempting to impersonate Cyted, the transmission of computer viruses and attempts to prevent this website or its services from working.

Further processing

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.

The NHS National Opt-Out

How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: covers health and care research); and covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Cyted Ltd is currently compliant with the national data opt-out policy.

Our Cookie Policy

For Full details on our Cookie Policy please visit the Cookie Policy page