Privacy Policy
Effective Date: 11 November 2025 (Supersedes policy dated 10 July 2023)
Introduction and Data Controller
This Privacy Statement ('Statement') is issued by, and the data controller of your personal data is, Advanced Ophthalmic Systems Ltd, a company registered in England and Wales (company number 12874125) whose registered office is at The Old Rectory, Church Street, Weybridge, Surrey, KT13 8DE (referred to in this Statement as 'we', 'us' and 'our').
You can contact us by post at the address above (for the attention of the Data Protection Officer) or by email at dpo@aos-hub.com.
We respect your privacy and your rights to control your personal information. This Statement explains who we are, the personal information we collect from you, how long we hold it, and how and why we collect, store, use and share it. Personal information (also known as “personal data”) is any information that can be used to identify you or that we can link to you. It does not include data where the identity has been removed (anonymised data).
Our principal guidelines are simple. We keep the personal information we collect to a minimum, and we will be clear about the personal information we collect and why.
This Statement does not deal with the personal information we process on behalf of our customers (who are controllers of that personal data) and you should refer to those customers' own privacy notices for details of such processing.
What is the GDPR?
We protect your personal information in accordance with:
- the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025 (together, the "Data Protection Legislation")
- the EU General Data Protection Regulation 2016 (GDPR)
Part I: Website Data (Contact Us)
We collect personal information when you interact with our website, primarily through the 'Contact Us' page or if you sign up for our newsletters.
What we collect and why:
| Personal Data Collected | Purpose of Processing | Lawful Basis (UK/EU GDPR) |
|---|---|---|
| Name and Email Address | To process and respond to your specific enquiry or to send requested newsletters. | Contractual Obligation (to perform the request) and/or Legitimate Interest (to grow and develop our business by communicating with you). |
| Phone number (Optional) | To facilitate communication regarding your enquiry. | Legitimate Interest (efficient communication). |
| Geographical Location | To ensure your enquiry is directed to the most appropriate internal team. | Legitimate Interest. |
| Your Company/Organisation | To provide context for your enquiry and to verify user representation. | Legitimate Interest. |
| Other information you choose to share | To deal with your specific request fully. | Contractual Obligation or Legitimate Interest. |
If you do not provide certain personal data, we may be unable to respond fully to your enquiry.
Part II: Company Product Data (Anonymisation and Operational PII)
Our company products are integrated into our customers' systems. We are committed to minimising the collection of Personally Identifiable Information (PII) related to the use of our products.
A. Processed Results (Anonymised Data)
Our products collect and process data to generate clinical and analytical results for our customers.
- No PII Stored for Analysis: We separately store a copy of the media and results captured using our products for our own purposes (i.e., for product development, research, statistical, and benchmarking purposes) as a Data Controller.
- Anonymisation is Mandatory: The data stored by us for internal analysis are stored on a fully anonymised basis. They are stripped of all personally identifiable information, meaning they cannot be associated with any individual user or patient.
- Retention: As this data is fully anonymised and contains no PII, we may continue to store and use this data indefinitely for our legitimate business interest in product development and statistical purposes without further notice.
B. Operational and Functional PII
To ensure the product is functional, operational, and secure, we require minimal, temporary PII.
- What we collect temporarily: We collect business contact details (name and email address of the account representative) during the account registration process to manage the services and provide product support. We also process authentication details (email, encrypted password and two-factor authentication) to verify your access.
- Strict Retention: This PII is necessary for operational and functional reasons, but is only retained for the duration required to complete that function. For example, login and authentication PII are deleted immediately after the functional/operational requirement has been served.
- Support PII: We also collect business contact details from the individuals within our customers' organisations who are nominated representatives for the purposes of product service, billing, usage reporting and support.
The lawful basis we rely on for processing this operational PII is Contractual Obligation (to provide the agreed-upon service and support to your organisation).
Where your consent is required
We do not normally rely on consent for the processing of personal data related to providing our services. However, if we consider it necessary to obtain your consent for a certain planned use of your personal data, we will contact you specifically to request this consent. Where you do consent, you may withdraw that consent at any time by contacting us at dpo@aos-hub.com.
Automated decision making
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
Where do we store your personal information and how is it kept secure?
We are based in the UK and all our services are provided in the UK. We store your personal information on servers based in the UK and the EU.
We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered or accidentally disclosed. We limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Links to other websites
Our website may, from time to time, contain links to other websites which may be of interest to you. If you follow a link, please note that the other website will have its own privacy policy and you should check this before you submit any personal information to that website. We are not responsible and accept no liability for the content of other websites or their use of your personal information.
Who do we share your personal information with?
We are committed to minimising the sharing of your personal data. We do not share any personal data with partners or external parties for marketing, advertising, or general business purposes.
We will only disclose the minimal necessary personal data we hold about you to the following restricted categories of third parties:
- Service Providers: Third-party service providers acting as processors who provide essential IT, hosting, and system administration services that are necessary to provide our products and services.
- Professional Advisers: Professional advisers acting as controllers or processors, including lawyers, bankers, auditors, and insurers, who provide consultancy, banking, legal, insurance, and other professional and/or advisory services.
- Legal and Regulatory Disclosures: To comply with our legal and regulatory obligations, we may share your personal information with third parties if a legally compliant request for the disclosure of personal information is made (e.g., a court order).
- Business Change: Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets, or a successor in interest.
All third parties are required to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
How long do we keep your personal information?
We will not retain your personal information for longer than necessary for the purposes set out in this Statement.
| Circumstances in which personal information is collected | How long do we keep it? |
|---|---|
| Website Enquiry (Part I) | For the duration of your enquiry. |
| Operational and Support PII (Part II) | For the duration you are the account representative/end-user for your organisation, or a maximum of 7 years after termination of service, whichever is sooner. Operational PII for authentication is deleted immediately after the functional purpose is served. |
| Anonymised Data / Processed Results (Part II) | Indefinitely (as it contains no PII). |
When it is no longer necessary to retain your personal information, we will delete it or, in certain circumstances, we will anonymise it (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Our website is not intended for children
We do not provide services to children and our website is not intended for children. We do not intentionally collect personal information from those under the age of sixteen.
Your Rights
Under certain circumstances, you have the right to:
- Request access to your personal information (a “subject access request”). In line with the Data (Use and Access) Act 2025, we are required to carry out a reasonable and proportionate search to respond to your request. Please note that the one-month response deadline may be paused if we need to seek further information from you to verify your identity or clarify the scope of your request.
- Request correction of the personal information that we hold about you.
- Request erasure of your personal information (the "right to be forgotten").
- Object to processing of your personal information.
- Request restriction of processing of your personal information.
- Request the transfer of your personal information to you or to a third party (data portability).
If you wish to exercise any of these rights, please contact us using the details below. If you are a user of an AOS product, your personal information is also editable by you in the Administration page.
Automated Decision Making
We DO NOT use automated decision-making processes, including profiling, that produce a legal effect or similarly significant effect concerning you as defined under Article 22 of the UK GDPR.
Our software employs automated processing and artificial intelligence tools solely to provide clinical decision support. The final clinical assessment, diagnosis, and treatment pathway are determined by the human clinician, who uses their professional judgment and discretion.
Data Subject Complaints and Questions
You have a statutory right to complain directly to us about the processing of your personal data. If you wish to make a complaint:
- Please contact our Data Protection Officer using the details below.
- We will acknowledge your complaint within 30 days.
- We will respond to your complaint, informing you of the outcome and any appropriate steps we have taken, without undue delay.
Questions about this Statement and Complaints
If you have any questions about this Statement, or wish to complain, you may contact us in any of the following ways:
- Post: Data Protection Officer, The Old Rectory, Church Street, Weybridge, Surrey KT13 8DE, UK.
- Email: dpo@aos-hub.com
You have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority, if you are unhappy about the way in which we collect and use your personal information: www.ico.org.uk/concerns or telephone 0303 123 1113.
Updates to this Statement
This Statement is effective from 11 November 2025. We may modify or update this Statement from time to time. When we do, changes we make will be posted on this page and, where appropriate, notified to you in writing. Please review this page regularly to see any changes or updates to this policy.