Your privacy is important to us.

This Privacy Notice informs you who we are, how we collect, use, secure and share personal information collected by us when you visit our website(s), enquire about or buy goods, products, and/or services from us, send to, or receive from us, communications, (including marketing messages), register or attend our events or webinars, visit our offices or media pages, and through any other interactions we have with you. This Privacy Notice also informs you how you can exercise your rights.

Closed Loop Medicine Ltd (‘Closed Loop’, ‘we’, ‘us’, and ‘our’) is committed to respecting and protecting the privacy of individuals and to fully complying with all the requirements of the UK GDPR and all other applicable data protection laws and regulations.

If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided elsewhere in this Privacy Notice.

 

Data Protection Officer

We have appointed a Data Protection Officer (DPO). If you wish to contact our DPO you can do so via: dpo@closedloopmedicine.com

This Privacy Notice applies to all our data subjects (an individual about whom we hold personal information) except Job Applicants/Candidate and our employees.

Employee and Job Applicant Privacy Notices are separate and are available on request to interested parties.

 

 What is personal information?

Personal information is anything that enables you to be identified or identifiable. Personal information is also called “personal data”. We collectively refer to handling, collecting, protecting, storing or otherwise using your personal information as ‘processing’.

 

If you fail to provide personal information

Where we need to collect personal information by law, or under the terms of a contract we have with you and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you or provide you with services you have requested.

 

 Collecting (obtaining) your Personal Information

Most of the personal information we process is provided to us directly by you, for example for one or more of the following reasons:

• You have visited our website(s) or used app(s) or platform and consented to our use of cookies or similar technologies
• You have provided details through our website contact form

We may also obtain your personal information indirectly, such as from:

• Social media.

 

The personal information we collect about you

We may collect and otherwise process different kinds of personal data about you which we have grouped together as follows:

• Contact Data includes postal and email address and telephone numbers.
• Identity Data includes names and similar identifiers, marital status, title, date of birth and gender.
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website and app.
• Usage Data includes information about how you use our website and app.

 

Lawful Bases (legal grounds) for Processing Personal Information

Our legal basis for collecting and using your personal information will depend on the personal information concerned and the specific context in which we collect it.

We will normally collect personal data from you on one or more of the following lawful bases:

• Consent: We may process your personal information after you have consented (agreed) to us doing so. Your consent may have been obtained by us, or by third parties on our behalf. You have the right to withdraw your consent at any time.
• Contract: We may process your personal information when we need to deliver a contractual service to you or because you have asked us to do something before entering into a contract (e.g., provide a quote).
• Legal obligation: We may process your personal information when we need to comply with a legal obligation.
• Legitimate interest: We may process your personal information when we need to for our or another’s legitimate interests, where these interests are not overridden by your rights.

 

Purpose(s) for Processing Personal Information

We have set out below a description of all the ways we plan to use your personal information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Please note that we may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground(s) we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity	Type of data	Lawful basis for processing
To register a new client/customer	·       Contact ·       Identity	·       Contract
To process and deliver our service via our app	·       Contact ·       Identity	·       Contract ·       Legitimate interest (to recover debts due to us and to protect our business and your account from fraud and other illegal activities)
To manage our customer and business relationships	·       Contact ·       Identity	·       Contract ·       Legal obligation ·       Legitimate interest (to keep our records updated and to study how customers and business contacts and partners use our app)
To administer and manage our website	·       Contact ·       Identity ·       Technical	·       Legitimate interest (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
To develop our businesses and services	·       Contact Data ·       Identity Data ·       Technical Data ·       Usage Data	·       Legitimate interests (to develop our products/goods/services and grow our business)
To comply with our legal obligations	·       Contact Data ·       Identity Data ·       Technical Data ·       Usage Data	·       Legal obligation

 

Using your Personal Information for Marketing Purposes

We will not use your personal information for marketing purposes. 

We will not share your information with any third parties for the purposes of direct marketing.

 

Sharing your Personal Information

We may share your personal information with third parties (other organisations or individuals) for:

• The purpose(s) for which the information was submitted.
• The purposes listed under ‘Purpose(s) for Processing Personal Information’.
• As agreed between us.

We share personal information with third parties that act as data processors to provide elements of our service by processing personal information on our instructions (see ‘Data Processors’ below).

We may share your personal information with law enforcement, regulatory and other government agencies and professional bodies, as required by and/or in accordance with applicable law or regulation.

In some circumstances we are legally obliged to share information. For example, under a court order.

It is our policy to only share your personal information with third parties that are legally or contractually bound to protect your personal information to the same standards as we are, and that will flow those same standards to their subcontractors.

In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share your personal information.

We will not sell your personal information to any third party.

 

Data processors

Where we use data processors, we have contracts in place with them to ensure that they cannot do anything with personal information we have shared with them unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct them to.

These data processors may use sub-contractors (known as sub-processors) that have access to your personal data. If they do, they are required to have contracts in place with those sub-processors to ensure that they cannot do anything with personal information shared with them beyond what we have instructed our data processors to do with it.

The data processors which we mainly and routinely use* are:

We use Monday as our CRM. Here is a link to its Privacy Notice.

We use Greenlight Guru Clinical for Clinical Studies. Here is a link to its Privacy Notice.

We use Amazon Web Services to host user/patient data. Here is a link to its Privacy Notice.

*The above list identifies those data processors that we routinely use. It does not identify each and every data processor we use.

 

Transfers of your personal information to outside the UK

We do not transfer (send or access) your personal information outside the UK.

 

Retention (Storage) of Personal Information

We will retain your personal information only for as long as we need it for the purpose(s) for which it was collected, or as required to do so by law.

To determine the appropriate retention period for your personal information, we consider the amount, nature, and sensitivity of it, the potential risk of harm from unauthorised use or disclosure of it, the purposes for which we process it and whether we can achieve those purposes through other means, as well as applicable legal requirements.

 

Examples of the periods for which personal information will be stored*

Personal data	Retention period
Client/customer records	As required by any applicable statutory retention period, or where no statutory retention period applies, two years after contractual relationship ends, or two years from our last date of contact, whichever is the latest.
Business contacts records	As required by any applicable statutory retention period, or where no statutory retention period applies, two years after business relationship ends.

 

*The above list, which gives examples and does not identify each and every, period for which individuals’ personal data will be stored. Further information about our retention of Personal Information is set out in our Retention Policy. If you would like a copy of our Retention Policy, please contact us.

 

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

• Your right of access: You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.You can read more about this right here.
• Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.You can read more about this right here.
• Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.You can read more about this right here. 
• Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.You can read more about this right here.
• Your right to object to processing: You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests.You can read more about this right here. 
• Your right to data portability: This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.You can read more about this right here.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

If you wish to exercise any of your rights, please contact us.

 

Security

We use appropriate technical and organisational measures to protect the personal data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data. Please be aware that, we cannot guarantee the security of all personal information transmitted to or by us.

 

Artificial Intelligence (AI)

We do not use Artificial Intelligence (AI) to process your personal data.

 

Video Conferencing

We use a third-party provider to enable us to have video conferences (‘meetings’). We may record these meetings and, by doing so, we will be processing the personal data of participants to:

• Establish participant identities and contact details;
• Create records of discussions, decisions and progress;
• Facilitate producing a transcript of meeting organisers’ and participants’ personal meeting contributions;
• Support participant accessibility.

The lawful bases for processing the personal data of participants at these meetings is one or more of the following:

• Participants have given consent to be recorded*;
• Recording is necessary to fulfil a contract to which the participant in the call is a party;
• Recording is necessary for fulfilling a legal obligation to which the recorder is subject;
• Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call which require protection of personal data.

The third-party provider for video conferences (‘meetings’) is:

• Microsoft Teams
• Zoom

*By continuing to attend these meetings (after you have been informed that you are being recorded), you will be consenting to your personal data being processed as detailed above, or for other purposes as will be made known, or are obvious, to you.

 

Automated Decision Making

We will not use your personal information for automated decision making or profiling

 

Children’s personal information

We do not provide services directly to children or proactively collect their personal information.

 

Visiting our premises

When you visit our premises, you may provide your name and other personal information for security and safety reasons.

 

Links to other websites

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

 

Our contact details

We can be contacted as follows:

• Email: dpo@closedloopmedicine.com
• Post: Closed Loop Medicine Ltd, Babraham Research Campus, Cambridge, CB22 3AT

 

Cookies

We use a cookies tool on our website to gain consent for the optional cookies we use. Cookies that are necessary for functionality, security and accessibility are set and are not deleted by the tool. For information about the cookies and any other similar technologies we use, please see our cookies policy.

 

Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us and we’ll respond.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s office (ICO), the UK supervisory authority (data protection regulator). Please follow this link to see how to do that.

 

Updating

We may update this Privacy notice at any time by publishing an updated version here. So that you know when we make changes, we will amend the revision date at the bottom of this page. The new modified or amended privacy policy will apply from that revision date.

 

This Privacy Notice was last updated on 9 April 2025.