Last Updated: 27 / 09 / 2022

This privacy policy explains the types of personal data that we may collect about visitors to our website, those who conduct business with us and job applicants. It covers how that personal data may be used, who we share it with and the rights you have in relation to that information. We are committed to protecting your personal data and to being transparent about the types of information that we hold.

Who we are and how to contact us

We are Cytomos Limited, a company registered in Scotland no. SC401416. Cytomos is responsible for and controls the processing of your personal data unless otherwise stated. If you have any questions or concerns about this privacy notice, please contact us via:​

Email: privacy@cytomos.com

Post: Privacy Officer, Cytomos Limited, 13 Melville Street, Edinburgh, EH3 7PE, Scotland

Personal data that we collect

We may collect the following personal data from you in the course of our usual business:

• Contact information such as name and title, email address, postal address, telephone and mobile numbers;
• Billing and payment information such as bank account details and billing address;
• Usage data such as information on how you use our website;
• Technical data such as Internet Protocol (IP) address, time zone and location, device and software being used for access our website;
• Biographical and personal information from CVs/resumes and job applications, such as data of birth, academic and professional qualifications gained and employment history.

We do not knowingly collect or process any special category data. Special category data is data or information regarding an individual’s health, race, ethnic origin, genetics, biometrics (where used for ID purposes), sexual orientation, religion, political views, or trade union membership.

​How and why we collect and process personal data

This section explains:

• The ways in which we collect your personal data;
• The purpose for processing your personal data;
• The lawful basis we rely on for processing your personal data (please note we can only process your personal data if we have a lawful basis for doing so).

When you visit our website

Web server logs

We use the third-party service provider WordPress to host our website. Cytomos.com collects non-personally identifying information that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. The purpose in collecting non-personally identifying information is to better understand how visitors use the website.

From time to time, WordPress.org may release non-personally identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website. WordPress.org also collects potentially personally-identifying information like Internet Protocol (IP) addresses. WordPress.org does not use such information to identify its visitors.  The WordPress privacy policy can be found at the following link: https://en-gb.wordpress.org/about/privacy/.  All information collected on WordPress.org is handled in accordance with GDPR legislation.

Purpose for processing the above data 

• To measure our website traffic and usage in order to improve the content of our website and to help us identify errors in the accessibility of our website.
• To prevent fraud and to ensure the security of our usual business activities.
• To evaluate marketing activities such as visitor retention, referral evaluation, and channel validation.

Legal basis for processing

The lawful basis we rely on to process your personal data is Article 6(1)(f) of the UK GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests, in order for us to run our business.

Analytics

We use the third party service Google Analytics to collect standard log data and behaviour patterns for visitors tour website. IP addresses are anonymised to prevent storage of full IP address information. Individuals cannot be identified from this information alone. Google Analytics collects this data solely on our behalf and we use the information to improve the content and performance of our website.

​Details on how you can control the information collect by Google from website or apps that use their services can be found here:

https://policies.google.com/technologies

​To opt out of Google Analytics, you can use a browser add-on, more information can be found here:

https://tools.google.com/dlpage/gaoptout

Cookies

We use cookies and other tracking technologies to generate or collect some information from your computer or device automatically as you use our website. Cookies are small data files that are stored on your device. Our website uses such technologies enabled by us or third parties in order to operate and personalise the website, track how you use the site and serve advertisements (ads) to you on other websites.

​We use a cookies tool on our website to request consent for any optional cookies that we use. Cookies that are strictly necessary for you to use and browse our website are always on (unless specifically deactivated by you via our cookie banner, or through adjusting your browser settings).

Strictly Necessary Cookies

These are needed to enable you to use and browse our website.

​Purpose for processing the above data

• To enable the core functionality of our website on your specific device;
• To store your preferences.

Legal basis for processing

The lawful basis we rely on to process your personal data is Article 6(1)(b) of the UK GDPR which allows us to process personal data when it is necessary to perform a contract or to take steps at your request to enter into a contract.

Cookies that we require your consent to use

Purpose for processing the above data

• To help us improve our website by collecting and reporting information on usage (analytical cookies);
• To enable us to improve the relevancy of marketing communications and advertising campaigns that you receive (marketing and online advertising cookies);
• To enable you to share certain pages of our website on social media (social sharing cookies).

Legal basis for processing

The lawful basis we rely on to process your personal data is Article 6(1)(a) of the UK GDPR which allows us to process your personal data when you have given us clear consent to do so for a specific purpose. Where we process your personal data based only on your consent, you can withdraw this consent at any time by contacting us at privacy@cytomos.com

​When you contact us

Send us an email

If you send us an email, we will collect your email address and any other information that you have provided. We use the third party provider Gmail for our email services. Their privacy policy can be found here: https://policies.google.com/privacy

​Please be aware that any emails we send or receive may not be protected in transit.

​Purpose for processing the above data

To respond to any communications that we receive and to keep a record of correspondence for accurate reference.

Legal basis for processing

The lawful basis we rely on for processing your personal data is either Article 6(1)(b) of the UK GDPR where the email relates to us providing you with information on our products or services and it is necessary in order to perform a contract; or Article 6(1)(f) where it is necessary for our legitimate interests, e.g. to keep a record of all correspondence that we receive.

Submit a job application to us

We collect information directly from you if you apply for a job with us or submit your CV/resume. This will include contract information and biographical information.

Purpose for processing the above data

To evaluate your suitability for a job with us.

Legal basis for processing

The lawful basis that we rely on to process your personal data is Article 6(1)(f) of the UK GDPR which allows us to process personal data when it is necessary for the purposes of our legitimate interests in order to run our business.

​Profiling and automated decision making

We do not perform profiling nor use automated decision making (making a decision solely by automated means without any human involvement).

​Sharing your data with others

We may share your data with third party processors who provide services for us. We have contracts in place with our data processors. We will only provide them with the information that they need to carry out their services and they may only use your data for the purpose(s) specified in our contract with them. When we stop using their services, any data they hold about you must either be deleted or anonymised, unless they require it for tax or financial reporting or to meet legal obligations.

​Personal data will only be shared within Cytomos between members of staff who legitimately need the information to carry out their normal duties in order to provide you with the information you have requested.

​In the event of a merger with or an acquisition by another company, your personal data will, where relevant, be transferred to the new owner under the terms of this privacy notice.

​We may disclose your personal data if we conclude that is required by law, such as to comply with a court order or similar legal process, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

​Transfer of data to other countries

In limited and necessary circumstances, your information may be transferred outside of the United Kingdom (UK) to comply with our legal and contractual requirements, e.g. in the event of the merger with or acquisition by another company. In these circumstances, we would ensure adequate measures were in place and we would rely on lawful measures to transfer that information, such as UK Binding Corporate Rules or Standard Contractual Clauses, as amended from time to time.

​How long we keep personal data​

We will retain your personal data for a period no longer than is necessary. This period will depend on why it was collected, or if we have a continuing lawful basis to do so, such as to fulfil a contract between us, perform a service you have requested, or for our legitimate interests. Your personal data will be deleted if we no longer have a valid reason or legal requirement to process it. The following retention periods apply:

• Website server log information: we retain this information for 6 months;
• Analytics information: we retain this information for 24 months;
• Enquiries (including technical support requests): we will retain this information for an additional 12 months beyond the period required for us to respond to, and resolve, your query;
• Customer communications: we retain information for 6 years following the end of the financial year in which our business together ended, to abide by our legal obligation to keep records for tax purposes.

Information security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a legitimate business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

​Your Rights

You have a number of rights with regards to your personal data:

• The right to be informed about the collection and use of your personal data;
• The right to access the personal data that we hold about you;
• The right to have your personal data rectified it is inaccurate or incomplete;
• The right to have your personal data erased, in certain circumstances;
• The right to restrict or suppress your persona data, in certain circumstances;
• The right to object to us processing any personal data that we are relying on the lawful basis of our legitimate interest to process;
• The right to data portability;
• The right to ask us not to use your personal data for marketing purposes.

​Further information about your rights can be found at the Information Commissioner’s Office (ICO) website: https://ico.org.uk/

Please contact us if you wish to exercise any of your rights via our contact details above. There is no charge for us providing you with this data and it will usually be provided within one month of the request (unless the request is unfounded or excessive).

​In order to protect your data, we may ask for proof of your identity before proceeding with any request you make under this privacy notice.

If you have provided consent for the processing of your data, you have the right (in certain circumstances) to withdraw that consent at any time. This will not affect the lawfulness of the processing before your consent was withdrawn.

You have the right to lodge a complaint to the ICO if you are unhappy with the way we have processed your personal data. We ask you contact us in the first instance so we may address your complaint in accordance with this privacy policy.

Children’s privacy

Our website and services are not aimed at children under the age of 16 and to the best of our knowledge we have not gathered personal data from any children under the age of 16. If you have reason to believe that a child under the age of 16 has submitted personal data to us, please contact us at privacy@cytomos.com so that we can delete it.

Links

Our website contains links to other websites. Please be aware that we are not responsible for the content or privacy policies of other sites. We encourage you to read the privacy statements on the other websites you visit.

Changes to our privacy policy

We will keep this information up to date and any changes we make will be posted on our website.