Privacy Policy

We are both the data controller and the processor ie handler of any personal data that we hold about you – which we do in strict compliance with both the spirit and the letter of applicable laws  including,  but not limited to, the General Data Protection Regulation 2016, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and/or any replacement or subsequent legislation that it is amended or replaced by, but in any event, working with and under the guidance provided by the Information Commissioner’s Office (‘ICO’) whose site can be visited at https://ico.org.uk.

The kind of data or information we collect and process ie handle, is your personal  data (which is any information that identifies you) such as for example:

• your name,
• your email address,
• your phone number,
• your account identification including username and some passwords used to access our Website.
• Any transactional and financial data relating to any services or subscriptions made.
• any other information that identifies you when you contribute to our discussion forum or upload content or otherwise communicate with us through the Website or any other means.

It would therefore not include data from which identifying details have been removed rendering the data anonymous.

No. Biosample Hub does not process, store, or directly handle individual patient data or identifiers. Such information remains strictly confidential and is managed exclusively by biobanks and biotech companies.

We have in place appropriate technical and administrative measures to prevent your data being accidentally lost or accessed maliciously or without our authority. Your personal data is limited in being shared with others, including any agents or contractors, on the basis of a business need to know and subject to a duty of confidentiality in how it is processed.

We monitor our Website to protect against and deal with any potential or suspected threats of data breaches. We will take appropriate measures to mitigate and notify relevant parties if a breach were to occur in accordance with current good practice guidance and our legal obligations.

Our security measures include:

• Encryption: Data is encrypted in transit using secure protocols (HTTPS) and at rest on our servers.
• Access controls: Access to personal data is restricted to authorised personnel who require it for their role, and is subject to confidentiality obligations.
• Anonymisation: Where possible, we anonymise or pseudonymise data. For example, IP addresses are stored in hashed (anonymised) form.
• Token security: Access tokens used for portal links expire after a set period and are generated using secure methods.
• Input validation: All user input is validated and sanitised to protect against common security threats.
• Audit logging: We maintain logs of system activity to detect and investigate potential security incidents.
• Secure hosting: Our database and services are hosted with reputable cloud providers who maintain industry-standard security certifications.

We  use information held about you in the following ways, depending on the nature or purpose of the personal data being held:

• to communicate and manage our Website relationship with you in relation to any query, request, service or other communication you make with us via our Website or by any other means (by post, telephone, email or text message.
• to communicate with other users and third parties where this is necessary for the proper provision of services to you or otherwise necessary for the proper functioning and management of our Website, including any accounting or regulatory needs in maintaining the Website.
• for the purpose of carrying out data analytics to enable us to review and improve our services to ensure that content is presented in the most effective way and in a manner that holds relevance, use, and value to you; and as part of our efforts to keep our Website safe and secure – for more details on this please see our Cookie Policy.

IMPORTANT NOTICE:

Please note that we do not collect information about individual patient samples and so it is a requirement for use of the Website that any patient data provided is aggregate data which is not identified or coded – such data is thereby anonymous ie it does not  identify you and would not count as personal data.

Biosample Hub offers MatchEngine, an automated matching service that connects sample requests with biobanks. This section explains how we collect and process data from both company members (who submit requests) and biobank members (who respond to requests).

7.1 Data We Collect from Company Members

When you submit a sample request through MatchEngine as a company member, we collect and process the information you provide, including:

• Disease or tissue type being requested
• Sample format and quantity requirements
• Geographic preferences
• Contact details (name and email address)
• Any additional details you provide about your research needs

7.2 Data We Collect from Biobank Members

When you participate in MatchEngine as a biobank member, we collect and process the information you or your organisation provides, including:

• Biobank name and contact details
• Disease areas and specialties
• Sample types and formats available
• Geographic location
• Responses to sample requests (including feasibility and terms)
• Response rates and communication history (used to calculate responsiveness scores)

7.3 How We Use This Data

This information is stored in our database and used to:

• Calculate match scores using our algorithmic matching system
• Facilitate communications between company members and biobanks
• Track the progress of requests and any resulting interactions
• Calculate biobank responsiveness scores based on response history
• Improve our matching service

7.4 Automated Communications

MatchEngine sends automated emails on behalf of both company members and biobanks to facilitate the matching process. These communications are logged to track status, enable follow-ups, and maintain records for service improvement and audit purposes.

7.5 Security

Access to your MatchEngine portal is protected by secure, unique tokens that expire after a set period. Your data is protected by the security measures described in Section 5 above.

Biosample Hub offers an Expert Assistant feature that uses artificial intelligence to provide guidance on topics such as Material Transfer Agreements, shipping logistics, and regulations. This section explains how we collect and process data when you use this feature.

8.1 Data We Collect

When you use the Expert Assistant, we collect and process the following information:

• The questions you submit
• The AI-generated responses provided to you
• Your IP address (stored in hashed/anonymised form)
• Session identifiers and timestamps

8.2 Purposes of Processing

We process data from the Expert Assistant for the following purposes:

• To provide and improve our services
• To ensure quality and accuracy of AI-generated responses
• To maintain safety and prevent misuse of our platform
• To analyse usage patterns and improve user experience

8.3 Human Review

Conversations with the Expert Assistant may be reviewed by members of our team for quality assurance and safety purposes. This review helps us ensure that the AI is providing accurate and appropriate guidance. Reviews are conducted by authorised personnel only and are subject to confidentiality obligations.

8.4 Legal Basis for Processing

We process data from the Expert Assistant on the basis of our legitimate interests in providing and improving our services, and in maintaining the safety and security of our platform. Where required, we will seek your consent before processing.

8.5 Security

Your privacy is protected when using the Expert Assistant through the following measures: your IP address is stored only in hashed (anonymised) form; human reviews are conducted only by authorised personnel under confidentiality obligations; and all data is protected by the security measures described in Section 5 above.

We will only retain your personal data for as long as it is reasonably needed for the purposes it was provided and/or for as long as it necessary to comply with our legal requirements to retain data. We may need to retain it for longer than normal if, for instance, there is any ongoing issue such as a complaint or any other outstanding query after the initial purpose for collection has expired.

We will at all times endeavour to minimise retention of your personal data to mitigate the potential risk of breach or unauthorised use but please be aware we are required to keep certain data for 6 years after the end of our Website relationship including contract, identity, financial and transactional data. 

In some circumstances we may be able to anonymise your personal data in which case we will be able to keep hold of it at our discretion.

Data from your interactions with MatchEngine and the Expert Assistant is retained for as long as reasonably necessary to fulfil the purposes described in Sections 7 and 8 above. You may request deletion of your data in accordance with your rights set out in Section 11.

This website is not intended for use by persons under the age of 18 and thus no personal data is collected and/or retained from any person whom we know or suspect to be under the age of 18.

You have a number of rights over your personal data and how it is processed. You are entitled to do the following:

• access your personal data.
• require us to rectify any inaccurate personal data.
• require us to erase personal data. Please bear in mind that this will only apply where we no longer need to use the personal data to achieve the purpose it was collected for; or where you withdraw your consent if collection was based on your consent; or where you object to the way we processed your data.
• A right to restrict to our processing of personal data.
• A right to object to our processing of personal data.
• A right to withdraw your consent to our use of your personal data such as, for example, withdraw consent (previously given) to receive information about our services or
• A right to have your data transferred to another party (largely intended for utility and telecommunications services – generally referred to as ‘interoperability’).

Your first port of call in the event that you wish to enquire about or exercise any of your rights is to contact us. 

We will do our best to provide a prompt and helpful response but additionally you can, should you wish, obtain further detailed information from the Information Commissioner’s Office (‘ICO’) which maintains a very useful site at https://ico.org.uk.

The Information Commissioner’s Office is also the regulator that receives any complaints you may have and if appropriate, take necessary enforcement action against any organisation that flouts your privacy rights. Generally, we believe the ICO will want you to first approach us if you have any privacy issues to see if we can resolve them, but this is without prejudice to your right to complain. That said, we are always happy to listen to, and hopefully, address any concerns you may have.

Please note that external websites have their own privacy policies over which we exercise no control. We do not accept any responsibility or liability for potential defects or breaches of privacy by these third parties. We invite and encourage you to read their privacy policies and use your  own discretion with appropriate due diligence and checks before providing any personal data to externally linked websites.

We use third-party service providers to help us deliver our services. These include:

• Email delivery services (for sending communications on your behalf)
• Cloud hosting providers (for storing data securely)
• AI service providers (for powering the Expert Assistant feature only)

These providers process data on our behalf and are bound by data processing agreements that require them to protect your data and use it only for the purposes we specify. We do not sell your personal data to third parties.

If you have any questions about this Privacy Policy or wish to exercise any of your rights, please contact us through the Contact Us page on our website.