Privacy Notice

This privacy notice explains how Umedeor Ltd (company number 11067577) (“uMed”, “we”, “us”, or “our”) processes your personal data if you are a researcher, a member of GP practice staff, or a user of our website. It applies when you interact with our services, such as applying for research access, contributing GP data, or using our website (www.umed.io).

This notice covers administrative and professional data only. For patient data processed on behalf of GP practices, see our separate Patient Privacy Notice. If you are a patient, this notice does not apply to you.

We are committed to protecting your privacy and complying with the UK GDPR, Data Protection Act 2018, and Data (Use and Access) Act 2025. Umedeor Ltd is the data controller for the purposes described here.

Contact address: 8 Warner Yard, London, EC1R 5EY
Data Protection Officer (DPO): dpo@umed.org

Who we are

uMed supports GP practices in identifying eligible patients for ethically approved medical research studies, helping advance treatments and improve patient care. We work with researchers to facilitate secure access to pseudonymised data and with GP practices to streamline research opportunities.

This notice applies to:

  • Researchers: Those applying for data access via our platform (e.g., eligibility searches, study invitations) or using our tools for study support.
  • GP practices: Staff contributing data or using our platform for patient engagement and research facilitation.
  • Website users: Visitors to www.umed.io, including those submitting enquiries or registering for updates.

For full details on our services, visit www.umed.io. If your query relates to patient data sharing, refer to the Patient Privacy Notice.

What data we collect from you and where it comes from

We collect personal data directly from you or automatically through our systems. We only collect what is necessary for our services.

Personal data you provide directly

  • Professional contact details: Name, job title, email address, phone number, organisation (e.g., research institution or GP practice).
  • Account information: Login credentials, preferences, and application details when registering for our platform or applying for research access.
  • Enquiries and communications: Feedback, support requests, or study proposals submitted via forms, email, or our contact system.

Data collected automatically (website and platform use)

  • Device and usage data: IP address, browser type, device type, screen resolution, pages visited, and time of access.
  • Log data: Date/time of logins, activities on our platform (e.g., search queries or eligibility checks), linked to your account or IP for security.

Sources

  • Directly from you: Via website forms, account registration, or email.
  • From your organisation: GP practice details if contributing data under our Data Processing Agreement (DPA).
  • Automatically: Through cookies and analytics tools (see Cookies section below).

We do not collect sensitive personal data (e.g., health information) under this notice unless it forms part of a research application, in which case it is handled per our Patient Privacy Notice and with explicit safeguards.

What we do with your data

We use your data fairly and transparently for the following purposes:

  • To respond to enquiries, process research applications, and vet suitability for data access.
  • To manage accounts, provide platform access (e.g., eligibility searches), and support study delivery (e.g., scheduling or surveys).
  • To facilitate GP data contributions and ensure accurate, up-to-date feeds for research opportunities.
  • To improve our services through analysis, market research, and system enhancements.
  • To ensure security, prevent fraud, and comply with legal obligations (e.g., auditing platform access).
  • To notify you of updates, service changes, or relevant research opportunities (with opt-out).

We will not sell, rent, or share your data for marketing purposes without consent.

Legal grounds for processing

Our processing is lawful under UK GDPR:

  • Public task (Article 6(1)(e)): For tasks in the public interest, such as supporting NHS research facilitation and GP obligations to offer study opportunities. This applies to GP contributions and researcher vetting.
  • Legitimate interests (Article 6(1)(f)): To operate and secure our platform (e.g., log data for fraud prevention), improve services, and respond to enquiries. We balance this against your rights.
  • Contract (Article 6(1)(b)): When fulfilling agreements, such as DPAs with GP practices or research access licences.
  • Consent (Article 6(1)(a)): For optional uses, like marketing emails (easily withdrawn).

Cookies

We use cookies to enhance your experience and analyse site usage. Essential cookies enable core functions; analytics cookies (e.g., Google Analytics) track non-identifying data for improvements. Data is anonymised where possible.

See our Cookie Policy for details, including how to manage preferences. You can opt out of non-essential cookies via your browser settings or our cookie banner. Transfers to the EEA (e.g., for Google Analytics) use standard safeguards.

Sharing your information

We share data only when necessary and under strict controls:

  • Within the uMed group: Between Umedeor Ltd and Cohort Science for internal operations.
  • With third parties: Approved service providers (e.g., secure cloud hosts or analytics tools) acting as processors under contracts ensuring UK GDPR compliance.
  • For legal reasons: To comply with laws, court orders, or regulatory requests (e.g., fraud prevention).
  • In business changes: As part of mergers, acquisitions, or restructurings (with notice where possible).

We never share for unrelated marketing. All recipients are bound by confidentiality.

How we protect your data and keep it secure

We use robust technical and organisational measures to protect your data:

  • Encryption: Data in transit (e.g., HTTPS) and at rest.
  • Access controls: Role-based permissions, audit trails for platform activity, and multi-factor authentication.
  • Pseudonymisation: Where applicable, to minimise risks during processing.
  • Certifications: NHS Data Security and Protection Toolkit assured, ISO 27001:2022, Cyber Essentials Plus, and full UK GDPR compliance. Regular independent audits.

Third-party processors must meet equivalent standards.

Storage and retention

Your data is stored securely in the UK or EEA using approved providers.

We retain data only as long as needed:

  • Active accounts or contributions: For the duration of your engagement plus 2 years (to handle queries or disputes).
  • Enquiries: Up to 5 years after resolution.
  • Log data: 6 months for security, or longer if required by law (e.g., up to 7 years for audits).

Data is securely deleted or anonymised at the end of retention periods.

International transfers

We do not transfer personal data outside the UK/EEA unless essential (e.g., for global research collaborators), in which case we use UK GDPR-approved safeguards like adequacy decisions or standard contractual clauses.

Links to other websites

Our site may link to external resources (e.g., HRA or ICO). We are not responsible for their privacy practices – please review their notices.

Marketing

We may send you updates on research opportunities or service news if you opt in. You can unsubscribe at any time via email links or by contacting us. We respect the Email Preference Service.

Your data rights

Under UK GDPR, you have rights over your personal data. These include:

  • Right to be informed: This notice fulfils this.
  • Right of access: Request a copy of your data (free, in machine-readable format if possible).
  • Right to rectification: Correct inaccurate or incomplete data.
  • Right to erasure (‘right to be forgotten’): Delete data where no longer needed (subject to legal exceptions).
  • Right to restriction: Limit processing in certain cases (e.g., while accuracy is verified).
  • Right to data portability: Receive your data in a structured format for transfer.
  • Right to object: To processing based on public task or legitimate interests (we will stop unless there are compelling reasons).
  • Rights related to automated decisions: Not applicable here, but we will inform you if introduced.

To exercise rights, email dpo@umed.org with your details and request. We aim to respond within 1 month (extendable for complexity). No fee unless requests are excessive.

For full guidance, see ico.org.uk/for-the-public.

Right to complain

If you are unhappy with our handling, contact our DPO first. You can also complain to the Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint

Changes to this privacy notice

We may update this notice to reflect legal or service changes. Check the version date above. We will notify you of material updates via email or our website.

Questions and complaints

Contact our DPO for any queries:
Email: dpo@umed.org

12-Nov-2025