WEBSITE PRIVACY NOTICE

Theolytics Ltd. (“Theolytics”, “we”, “us” and “our”) is committed to protecting and respecting your privacy.

​

This Privacy Notice (this “Notice”) explains how we collect, use, disclose and protect your personal data when you use our Website (as defined below) and / or engage with us, including online, through our Website, by email or by telephone. It also explains your rights and choices under applicable data protection and privacy laws including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR)  (the UK GDPR and the EU GDPR together referred to as “GDPR.

​

This Notice applies regardless of where you are located when accessing our Website and whether you are a business contact or website visitor.

​

Please read this Notice, and any other privacy notice, or fair processing notice we may provide on specific occasions, carefully. This Notice supplements such other privacy notices and privacy notices and is not intended to override them.

​

For the avoidance of doubt, this Notice does not apply to personal data collected as part of participation in clinical trials, which is covered by separate privacy notices provided to trial participants

​

WHO WE ARE

We are Theolytics Ltd., a company  registered in England and Wales (Company No. 11001290) and having its registered office located at The Sherard Building, Edmund Halley Road, Oxford Science Park, Oxford, Oxfordshire, England, OX4 4DQ.  We are  a biotechnology company, harnessing viruses to combat cancer. We are responsible for personal information that we hold about you.

We are the party responsible for operating and providing the website at www.theolytics.com (the “Website”) and are accordingly the controller and party responsible for your personal data when using the Website. This means that Theolytics determines what personal data is collected, how this personal data is used and how it will be protected in accordance with applicable data protection laws.

 

2.     HOW TO CONTACT US

We have appointed GRCI Law Limited as our Data Protection Officer (or DPO).  Our DPO is responsible for overseeing questions in relation to this Notice.

If you have any questions or queries about this Notice, our privacy practices or how we handle your personal data, you can contact our DPO using the following details:

 

By email:          DPO@theolytics.com

By post:           FAO DPO

The Sherard Building

Edmund Halley Road

Oxford Science Park

Oxford

England, OX4 4DQ

 

For all other enquiries please contact enquiries@theolytics.com

 

5.       WHAT IS MEANT BY PERSONAL DATA / PERSONAL INFORMATION

Personal data (sometimes also referred to as “personal information”) is information which identifies you as an individual.  Examples of personal data include anything which may identify you, such as your name, address, email address, internet protocol (IP) address, username or another identifier.

Certain types of personal data are considered more sensitive and therefore require a higher level of protection under data protection law. This is known as ‘special category data’ and includes information such as information about your health, genetic or biometric data, racial or ethnic origin, and religious or philosophical beliefs. We apply additional safeguards when processing this type of information.

Further information about sensitive or special category data and how we process that is given in the section of this Notice entitled ‘SENSITIVE OR SPECIAL CATEGORY DATA’.

 

6.       WHERE WE GET YOUR PERSONAL DATA FROM

We collect personal information from or about you:

Directly: for example when you:

• send us information, such as when you contact us with an enquiry or feedback;

• send us information when you enquire about, or request further information in relation to, participation in our clinical trials; 

• otherwise correspond with us by e-mail, telephone or through our social media platforms.

• apply for a vacancy with us or send us prospective job enquiry.

 

Indirectly: for example:

• through your browsing activity while on our Website.  This may include (but is not limited to) information about the time and date you visit the Website and the pages you access.  

• from third parties and / or service providers for example via business networking platforms, such as X and LinkedIn, or recruiters advertising on our behalf

• We will also collect information indirectly using the technologies such as cookies and tracking technologies

​

​

7.       WHAT PERSONAL DATA WE COLLECT ABOUT YOU

​

We may collect, use, store and transfer different kinds of personal data about you.  What types of personal data we collected about you will depend on our relationship with and may include the following:

​

Candidate Data: This may include information you have provided to us in your curriculum vitae, skills summary, covering letter and/or application particulars, including name, title, address, telephone number(s), personal email address, date of birth, job title, job role, location, employment history, education history and qualifications, areas of specialisms, registrations with professional bodies and salary expectations.

​

Communication Data: Includes information you provide when contacting us via the Website or by email or other communication channels.  This may include personal data you voluntarily choose to provide to us even where we do not ask for same and / or actively advise you not to provide such data.

​

Contact Data: This may include (business and / or private) email address, telephone number(s) and addresses.

​

Employment Data: This may include your employer, organisation, job title, and professional contact information (such as work email or billing address) where relevant to your application or customer relationship.

​

Financial Data (suppliers / partners only); Includes payment information required to process payment transactions, such as billing address, transaction dates and amounts, and tax or invoice data as applicable.

​

Identity Data: This may include name, title, gender, date of birth, age and any other identity data that you may include in your communications with us (including, but not limited to) where you submit a CV or job application to us. 

​

Images: Includes photographs

​

Location Data: This may include information about your geographic location which we may collect either directly (e.g. when you provide it voluntarily in your communications with us) or indirectly (e.g. through your IP address or device settings). Your location data may include country, region, city, or in limited cases, more precise location data depending on your browser or device permissions. [We use location data to help deliver analytics, or to comply with region-specific legal requirements]. You can control location sharing through your browser or device settings.

​

Professional Data: This may include job title, industry sector or and organisation worked for or represented.

​

Publicly Available Data: This may include personal data made publicly available from professional sources such as X or LinkedIn where relevant to our service delivery, business development or recruitment efforts.

​

Sensitive Data: This may include special category data as described in this Notice such as information relating to your health, race, ethnicity, religion, disability status and / or sexual orientation.

​

Technical Data: This may include your IP address, your login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access our Website.

​

Usage Data This may  include website user stats and information about how you use our Website and information regarding what pages are accessed and when.

n.

8.       SENSITIVE OR SPECIAL CATEGORY DATA

​

We do not actively seek to collect special category personal data (such as information about health) through the Website or your use of it. However, we may receive and process such data in l

​

8.       SENSITIVE OR SPECIAL CATEGORY DATA

We do not actively seek to collect special category personal data (such as information about health) through the Website or your use of it. However, we may receive and process such data in limited circumstances, including where you:

​

•  submit a job application to us; or

• provide information to us in unsolicited communications (such as (but not limited to) where you make and enquiry about participation in our clinical trials).

• This may include information relating to:

•  health (such as medical conditions or disabilities); or

•  diversity characteristics (such as race, ethnicity, religious beliefs or sexual orientation), where voluntarily provided.

​

We will only process such data where permitted by applicable law, including where it is necessary to comply with our obligations under employment law or where you have provided your explicit consent (for example, in relation to voluntary diversity monitoring in the context of our recruitment processes).

​

We implement appropriate safeguards to protect special category data in accordance with applicable data protection laws to ensure the secure and lawful processing of special category data. For more information on these safeguards, or to request further details about how we handle this type of data, please contact us using the contact details provided in this Notice.

​

For the avoidance of doubt, we do not request or require you to provide special category personal data (including information about your health) when making general enquiries to us and we ask that you do not include such information in any communications with us. Where you nevertheless choose to provide special category personal data to us on an unsolicited basis, we will assess whether there is a lawful basis to retain and process that information. In the absence of such a basis, we will securely delete the data without undue delay and will not use it for any further purpose.

​

Where retention is necessary (for example, to comply with a legal obligation), we will ensure that appropriate safeguards are applied and that the data is retained only for as long as strictly necessary. Please note, we do not use personal data collected via the Website or as set out in this Notice for clinical trial purposes. Personal data processed in connection with participation in our clinical trials is subject to separate privacy notices which are provided to relevant individuals.

​

9.       CHILDREN’S DATA

Our Website is not specifically directed at children under the age of 16 ( “Minors”) and we do not knowingly collect and or process personal data relating to Minors 

​

If you are a parent or guardian or you otherwise believe that a Minor’s personal data has been provided to us without appropriate authority, please contact using the contact details set out at the “HOW TO CONTACT US” section of this Notice. If we become aware that we have inadvertently collected personal information from or relating to a Minor without appropriate parental or legal guardian’s  consent, we will take steps to delete the information as soon as possible.

​

10.      DATA ACCURACY

​

It is important that the personal data we hold about you is accurate and current. You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

​

Please keep us informed if the personal data we hold about you changes during your relationship with us.  You can do this by contacting us using the contact details set out in the “HOW TO CONTACT US” section of this Notice.

​

11. OUR LAWFUL BASIS FOR PROCESSING YOUR PERSONAL INFORMATION

​

We are required to have a lawful basis for using your personal information. Which lawful  basis we rely on depends on what personal information we process, and why. Most commonly we will use your personal information in the following circumstances:

• Consent: where you have given us clear consent for us to process your personal information for a specific purpose

• Performance of a Contract: where our use of your personal information is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract

• Legal Obligation: where our use of your personal information is necessary for us to comply with the law (not including contractual obligations)

• Legitimate Interests: where our use of your personal information is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal information which overrides our legitimate interests). Where we process on the basis of our legitimate interest, we ensure that your interests, rights and freedoms are carefully considered.

 

12.       YOUR RIGHTS

Depending on your location and applicable data protection laws, you may have certain rights regarding your personal data. These rights may include the right to access, correct, update, or delete your data; the right to restrict or object to certain types of processing; the right to data portability; and the right to withdraw your consent where processing is based on consent. You may also have the right to lodge a complaint with a supervisory authority.

To exercise your rights or for more information, please contact us using the contact details set out in the “HOW TO CONTACT US” section of this Notice. We will review and respond to your request in accordance with applicable data protection laws.

Please note that we may need to verify your identity before processing certain requests.

 

13.      WHO WE SHARE YOUR PERSONAL DATA WITH

 

Internally:

We may share information within Theolytics.  We may do this for legitimate business purposes, such as for the purposes of providing our Website, for managing our internal operations (including, but not limited to, our recruitment practices), and / or for managing and improving our external-facing relationships.

Externally:

We will only share personal information with third parties where there is a lawful basis for us to do so. Where we share your personal data with third parties, we will only do so insofar as is reasonably necessary to enable us to deliver our Website to you and for the purposes set out in this Notice.  We shall ensure that such third parties are bound to maintain the confidentiality, safety, and security of the personal data we share with them and shall handle it in accordance with applicable data protection laws. 

​

We may share your personal data with the following third parties:

​

1. Service providers, including those offering IT, system administration, administrative support, hosting and software services.

2. Analytics providers, such as Google Analytics, to assist us with insight analytics.

3. Professional advisers, including lawyers, auditors, accountants, and insurers who provide services to us in the normal course of business.

4. Third parties involved in our business transactions: for example, as part of a proposed sale, reorganisation, transfer, financial arrangement, asset disposal, or similar transaction related to our business or assets.

5. Other parties where explicitly authorised by you.

 

This list is non-exhaustive, and there may be other situations where we need to share your personal data in order to provide our Website, operations and services. 

​

We only share your personal data with organisations that implement appropriate measures to protect your information. Contractual obligations are imposed on these organisations to ensure they use your data solely for the services they provide to us or to you.

We or the third parties mentioned above occasionally also share personal data with:

​

• our and their external auditors, e.g., in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations;

• our and their professional advisors, such as lawyers, accountants and insurers in which case the recipient of the information will be bound by confidentiality obligations, for example (but not limited to circumstances) where reasonably necessary for the establishment, exercise or defence of a legal claim;

• law enforcement agencies, judicial bodies, tax authorities, or other government and regulatory entities to comply with our legal and regulatory obligations, for example where we are required to disclose information under a subpoena, court order or other mandatory reporting requirements ;

• other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency.  Usually, information will be anonymised, but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.

​

We will not share your personal data with any other third party without your explicit consent, unless required or permitted by law. The specific information shared will depend on your interactions with us and will always be limited to only what is necessary for the intended purpose.

 

14.      INAPPLICABILITY OF THIS NOTICE TO THIRD PARTIES

 

Please note, this Notice does not apply to personal data collected directly by third parties who may share information with us. We strongly encourage you to review the privacy policies of any third-parties before submitting your personal data to them.

 

15.      TRANSFERRING YOUR PERSONAL DATA OVERSEAS

 

The personal information we collect may be transferred to and stored in countries which are outside of the jurisdiction you are in and which are located outside the United Kingdom (UK) and European Economic Area (EEA).

​

Such countries may not have the same data protection laws as the country in which you are located. 

​

To safeguard your personal information, we ensure that all international transfers comply with applicable data protection laws, including the GDPR.

We undertake thorough due diligence and risk assessments before any data transfer, ensuring your information has an appropriate level of protection. Where required, we implement legal safeguards such as Standard Contractual Clauses (SCCs) or other approved mechanisms to ensure your personal data is handled securely and lawfully.

​

For further details about the measures, we use to protect your personal information when it is transferred internationally, please contact us at DPO@theolytics.com.

 

16.      THIRD PARTY LINKS

​

Our Website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.

​

We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy notice of every website you visit.

 

17.      WITHDRAWAL OF CONSENT

​

In cases where we rely on consent to process your personal data you have the right to withdraw your consent to our doing so at any time. However, your withdrawal of consent will not affect the lawfulness of any processing carried out before you withdraw your consent.

Please also be aware that if you withdraw your consent, we may not be able to supply certain services to you.

If you wish to withdraw your consent, please contact us by contacting us using the contact details set out in the “HOW TO CONTACT US” section of this Notice.

 

18.      AUTOMATED DECISION MAKING AND PROFILING

 

We do not engage in any automated decision-making or profiling that produces legal or similarly significant effects on individuals (as defined under the GDPR or other global privacy laws).

 

19.      KEEPING YOUR PERSONAL DATA SECURE

 

We are committed to protecting your personal data and have implemented a range of appropriate technical and organisational measures to safeguard it from loss, misuse, unauthorised access, alteration, or disclosure. These measures include secure IT infrastructure, access controls, encryption, and regular staff training on data protection.

​

Access to your personal data is restricted to employees, agents, contractors, and other third parties who have a legitimate business need to know. They are required to follow our instructions when handling your data and are bound by duties of confidentiality.

​

We continuously monitor and review our security practices in line with changes in technology, evolving threats, and updated legal or regulatory requirements. However, no security system is entirely foolproof. While we take all reasonable steps to protect your data within our systems, we cannot guarantee the security of information transmitted over the internet or processed outside our direct control. You are responsible for using caution when sharing personal data online. We do not control the security of your device and do not have any control over what happens between your device and the boundary of our information infrastructure.

 

20.  STORAGE AND RETENTION OF YOUR PERSONAL DATA

​

Theolytics will retain your personal information only for as long as is necessary for the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting, reporting or other valid business requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the relevant personal information, the risk of harm from unauthorised use or disclosure of it, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements.

 

21.     COOKIES AND OTHER TRACKING TECHNOLOGIES

When you access and use our Website we may automatically obtain certain personal data, subject to your location and any permissions you have provided. This may include technical information about your device, as well as details regarding your interactions with the Website, such as browsing behaviour, usage patterns, and viewed content. We use cookies and other similar technologies such as pixels, tags and other identifiers to support service functionality, evaluate performance, and enhance your overall experience. These technologies may be temporarily stored on your device. Some cookies and similar technologies are used to retrieve personal information, like an IP address, that you have previously provided.

​

Where legislation requires it, including under the GDPR, we will ask for your consent before deploying cookies that are not strictly necessary. You have the option to adjust your browser or device settings to block or restrict non-essential cookies, or to receive notifications when cookies are in use. However, if you choose to limit or disable cookies, certain Website features may not operate as intended or may be unavailable.

​

You may review and modify your cookie preferences at any time via our cookie management tool or through your browser settings.

For more information about cookies, please visit Your Online Choices at http://www.youronlinechoices.com/uk/.  To learn more about our practices concerning cookies and other tracking technologies please see our Cookie Policy.

​​

22.   Your rights

You have the following rights:

Access: the right to request a copy of the personal data we hold on you. In most cases, this will be free of charge, however in some limited circumstances, for example, repeated requests for further copies, we may apply an administration fee.

​

Rectification of personal data: this right enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

​

Erasure of personal data: you can ask us to delete or remove your personal information in some circumstances such as where there is no good reason for us to continue to process it. We may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you.

​

Restriction of processing personal data: this right enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

​

Objection to processing of personal data: you can ask us to stop processing your personal information, and we will do so, if we are relying on legitimate interests to process your personal information, except if we can show compelling legal grounds for the processing; or if we are processing your personal information for direct marketing purposes.

​

Automated decision making: you have the right to ask for a decision to be made manually, where a decision is made using automated means and this harmfully affects you. Please, however, note – we do not currently undertake any automated decision making using the personal data we gather in terms of this Notice.

​

Portability: you have the right to have personal data we hold about you transferred securely to another service provider in electronic form.

In most circumstances, you do not need to pay any charge for exercising your rights. We have one month to respond to you. 

To exercise any of your privacy rights, please contact us using the contact details set out in the ‘HOW TO CONTACT US” section of this Notice.

​

23.     QUERIES AND FEEDBACK

​

We welcome your feedback regarding this Notice.

If you have questions, comments, or concerns about either one, please contact us by e-mail at DPO@THEOLYTICS.COM. We will respond in good faith to all privacy queries.

​

24.     UPDATES TO THIS NOTICE

We may modify or amend this Notice from time to time at our discretion to reflect changes in our practices, legal requirements, or for other operational reasons.

​

If we make material changes to this Notice, we will post the updated Notice on our Website. If required by applicable law, we will also notify you directly or request your consent before the changes take effect. The modified or amended Notice shall be effective as to the personal information governed by this Notice as of the revision date. 

We encourage periodic review of this Notice to view any updates, so that you may stay informed about how we protect your personal information.

​

The date this Notice was last revised is identified at the top of the page.

​

​