1. General Information

Bioxydyn Limited (We) conducts research to the highest standards of research. All our research is underpinned by policies and procedures that ensure we comply with regulations and legislation that govern the conduct of research. This includes data protection legislation: the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA).  

We promise to respect the confidentiality and sensitivity of the personal information that you, as a participant in our research, provide to us; that we get from other organisations; and that we share with other collaborating organisations, such as other companies, universities or our research funders. We will be clear with you when we collect your information how we intend to use it and will only do so with your consent. We will not do anything with your personal information that you wouldn’t reasonably expect. We will use your information only for the purpose of the research you are participating in and we will not usually use your information or contact you for any purpose other than research unless you have agreed to this. We commit to keeping your personal information safe and secure.  

2. What is research?

Research has a special status under GDPR. It is important, therefore, to specify what we mean by research. It is generally understood that research makes an original contribution to knowledge. Research conducted by our staff is always intended to make an original contribution to knowledge or to improve our products and services. Such research is often published in order to share that knowledge, or is used by us to make our products and services more attractive to healthcare providers or other customers. 

3. What is Personal Data (also referred to as personal information)?  

‘Personal data’ means any information which relates to or identifies you as an individual. This includes opinions about you or information which may not explicitly identify you (e.g. where your name has been removed) but which does make it possible to identify you if it is combined with other information that is readily available. For example, this might be because the information available contains a postcode, your gender and date of birth; in these circumstances it might be possible to identify you by using other information available elsewhere. Therefore, in these circumstances, we would treat the details we hold as personal information and protect it accordingly.

4. Who is responsible for my personal information?

When we manage research projects, we will usually be the Data Controller, which means that we will decide how your personal information is created, collected, used, shared, archived and deleted (processed). We will do so in line with the objectives of the research, ensuring we collect only what is appropriate and necessary and we have informed you of what we are collecting. For some research projects, a third party organisation may be funding the research and may lead on the decisions regarding your information, if this is the case, this will be made clear in the participant information sheet provided to you.

There are instances where two or more Data Controllers work together on a research project. When this happens, the organisations have agreements and/or contractual arrangements in place which document how they have agreed to share their responsibilities. In these circumstances this will be detailed in the Participant Information Sheet, you will be given.  

5. What personal information do we use within research projects?

The type of personal information collected and used will depend on the particular research objectives of the project you are taking part in. However, what we collect will always be proportionate to achieving those objectives. Details that are not necessary will not be asked for or collected. The Participant Information Sheet will inform you of what information will be collected about you.  

We may process some information about you that is considered to be ‘sensitive’, this is called ‘special category’ personal data. This may include information concerning your ethnicity and details about your health. These types of personal information require additional protections. Access to, and the sharing of, this more sensitive personal data is controlled very carefully and you will be specifically informed about this in your participant information sheet.

Your information will usually be shared within the research team conducting the project you are participating in. You will be made aware in the Participant Information Sheet if there are collaborators that are not employed by Bioxydyn Limited who will also access your information.

We will de-identify (anonymise), pseudonymise (remove identifiers such as your name and replace this with a unique code or key) or delete personal information collected as part of our research at the earliest opportunity. All personal information is kept in line with our policies or any regulatory requirements.

6. What safeguards do we have in place to protect your personal information?

In order to protect your rights and freedoms when using your personal information for research and to process special category information Bioxydyn Limited must have special safeguards in place to help protect your information. We have the following safeguards:  

• Policies and procedures that tell our staff how to collect and use your information safely.
• Training which ensures our staff understand the importance of data protection and how to protect your data.
• Security standards and technical measures that ensure your information is stored safely and securely.
• All research projects involving personal data are scrutinised and approved by a research ethics committee.
• Contracts with companies or individuals not associated with Bioxydyn Limited have confidentiality clauses to set out each party’s responsibilities for protecting your information. 
• If we use collaborators outside of Europe, we will ensure that they have adequate data protection laws or are part of privacy and security schemes such as the privacy shield in the US.   

In addition to the above safeguards the GDPR and the DPA also require us to meet the following standards when we conduct research with your personal information:  

(a) the research will not cause damage or distress to someone (e.g., physical harm, financial loss or psychological pain).

(b) the research is not carried out in order to do or decide something in relation to an individual person, unless the processing is for medical research approved by a research ethics committee.

(c) the Data Controller has technical and organisational safeguards in place (e.g. appropriate staff training and security measures).

7. Ensuring that the uses of your personal information are legal

Data protection law requires us to have a valid legal reason to process and use personal data about you. This is often called a ‘legal basis’. GDPR requires us to be explicit with you about the legal basis upon which we rely in order to process information about you.  

In the context of research, the lawful basis upon which we will process your personal information is consent, i.e. “the individual has given clear consent for you to process their personal data for a specific purpose” (Article 6 of GDPR).

Where we also collect and use more sensitive personal information (Special Category data) we only do so where “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes”. (Article 9 of GDPR).

8. Who will my personal information be shared with?

Your information is likely to be shared within the project team, primarily in a way that we can identify you as a participant. However, most personal information used in research will be de-identified before sharing more widely or publishing the research outcomes. If it is not possible to de-identify your information, we may ask for your consent to share or otherwise make your personal information available to others. It may sometimes be necessary to share your personal information with other researchers at other companies or universities for the purpose of achieving the research outcomes. If this is relevant to the research you are involved with, you will be provided with information about this in your Participant Information Sheet. If you have any further questions about research collaborations please ask the research team.

If we are working with other organisations and information is shared with them, we will inform you in the Participant Information Sheet. Information shared will be on a need to know basis, not excessive and with all appropriate safeguards in place to ensure the security of your information.  

We also sometimes use products or services provided by third parties who carry out a task on our behalf, such as CIMAR which is used for transferring data. These third parties are known as data processors and when we use them we have contractual terms, policies and procedures to ensure confidentiality is respected. This does not always mean that they access your information. Bioxydyn Limited remains responsible for your personal information as the Data controller and should we use another third party service to process personal your information we will provide you with details about the relationship we have with the service provider/supplier/collaborator on the Participant Information Sheet.

9. Your rights 

Under GDPR you have rights in relation to the personal information we hold about you. These include the right to:

• Access the information/receive a copy of the information;
• Correct any inaccurate information; 
• Have any information deleted; 
• Restrict or object to our processing of the information; 
• Move your information (“portability”).  

It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances a right may be limited if implementing it would prevent or seriously impair the research outcomes. If it is considered necessary to refuse to comply with any of your data protection rights you will be informed of the decision within one month and you also have the right to complain about our decision to the Information Commissioner. It should also be noted that we can only implement your rights during the period upon which we hold personal identifiable information about you. Once the information has been irreversibly anonymised and becomes part of the research data set it will not be possible to access your personal information.

10. How long is my information kept?

Our staff will de-identify information as soon as possible (anonymisation or pseudonymisation). Information where you can be identified will, as such, be kept for a minimum amount of time and in accordance with the research objectives. We may, however, keep consent forms which contain personal information for a number of years after the research has been completed; this is sometimes a requirement the research’s funder.

For some research projects we cannot de-identify the information as it is necessary for achieving the outcome of the research. For such projects, we store your personal information as part of the research for the duration of the project and for a defined period after the project has ended. This is usually defined by external regulations but may be defined by our own policies and procedures.   

You will be informed in your Participant Information Sheet with regards to how long your personal information will be kept for.  

11. Who can I contact?

If you have any questions about how your personal information is used, or wish to exercise any of your rights, please contact Bioxydyn Limited’s Data Protection Officer, Prof. Geoff Parker ([email protected]) or write to:

The Data Protection Officer  

Bioxydyn Limited

St James Tower

7 Charlotte Street

Manchester M1 4DZ

12. How can I complain?

If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF (https://ico.org.uk/).

13. When was the privacy notice last updated?

This privacy notice was last updated in February 2026 and may be amended from time to time. The next review will take place before February 2028.