Privacy Policy
Global Privacy and Biometric Notice
Published August 2024
This Global Privacy and Biometric Notice (this “Notice”) consists of two parts:
- the OMS Privacy Notice; and
- the OMS Biometric Policy and Notice.
Please read both parts carefully, to ensure you understand how we use your information when you access and use our website and services. If you do not agree to our use of your information in the manner set out in this Notice, you should discontinue use of the website and services, and delete any OMS software you have downloaded.
We may update this Notice from time to time, either to comply with applicable laws, or to adapt to changes to our products and services. If you are a registered user of our products and services, you will be notified of an update the next time you login to the OMS services. The current version of this Notice will always be available for review at https://oxfordmedicalsimulation.com/privacy/.
Part 1: OMS Privacy Notice
We hope that you enjoy using our services, safe in the knowledge that we are committed to protecting your privacy and security online.
Who we are and what this policy is for
We are:
Oxford Medical Simulation Limited, a company registered in England and Wales under company number 10587122 with its registered office at 201 Borough High Street, London, England, SE1 1JA; and
Oxford Medical Simulation Inc, a company registered in Delaware with its office at 240 Elm Street, 2nd and 3rd Floors, Suite 226, Somerville, MA 02144,
(together, “OMS”, “we”, “us” or “our”).
Our customers are medical service training providers. They use our services to provide worldwide computer-based and virtual reality simulation training to their employees and students.
When you use our website and access our online platform, under the definitions used in the UK General Data Protection Regulation (the “UK GDPR”) we are the “controller” for some of your information. This means that we decide what personal data we collect from you and how it is used.
Where you are employed or engaged by, or are an enrolled student of, one of our clients (which we’ll refer to in this notice as your “Organisation”), and they have arranged for you to be given access to our service, we process some of your information on their behalf. Here, (under the UK GDPR) they are the “controller” and we are their “processor”. This means that the Organisation decides which of your personal data we process, and how we use it. As a processor, we must follow the instructions of the Organisation.
This notice explains how we collect, use and store your information when you use our “Services” – that is, where you access and use our websites, WebApp, any other software, and any other platforms or services (including any support services), which we operate.
We have appointed a data protection officer (a “DPO”), who has responsibility for monitoring and managing our compliance with the UK GDPR and other data protection legislation. You can contact our DPO by emailing [email protected].
1. Your information – what information we collect and who we receive it from
1.1 “Personal Data” is any information that can (or could) be used to identify you, whether digital or hardcopy. We will never ask you to provide any particularly sensitive Personal Data (which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, certain categories of biometric data, data concerning your health, sex life or sexual orientation) in relation to yourself or others. This type of information is not required to use our Services.
1.2 We have grouped together the types of Personal Data that we collect and who we receive it from below:
1.2.1 Information you may provide to us directly:
- contact information: such as your name, company name, job title, address, student ID, e-mail address and phone number.
- additional optional information: information about how you use our products, and other demographic information.
- voice data: we will collect and process your voice data when you use voice control to interact with the Services (we call this service ‘OMS Voice’).
- usage data: usage records in relation to your use of our Services (scenarios played, inputs to the scenarios, scenario assessment scores, etc.), reflection notes, comments, questions, requests, and orders you may make when interacting with our Services.
- account usage information: your preferred voiceover gender, other log-in information, including, if applicable, social media account information for login purposes.
- marketing and communications information: such as your preferred methods of communication and product types in which you are interested, and whether you consent to receive marketing information from us.
1.2.2 Information we gather via cookies when you interact with our online Services:
- Device and browser information: such as your device type, browser type, internet protocol (IP) address, operating system, and device identifier.
- Usage information: such as content viewed or downloaded, features used, links clicked, promotional emails opened, and dates and times of interactions, other information about how you use our products.
- Location information: we can only access precise real-time location information where you have given us specific permission to do so, but we are able to collect imprecise location information derived from other data we collect, for example your IP address or postal code.
You can find more information about what cookies (and similar technologies) are and how we use them by reading our Cookie Notice, which can be found on our website.
1.2.3 Information we may receive from your Organisation:
- account set up details: where an Organisation (likely your employer, or the institute where you are enrolled as a student) has asked us to create accounts on their behalf, they provide contact information about you to us in order for us to do so. This may include information such as your name, job title, student ID, address, e-mail address, and phone number.
1.3 When we collect Personal Data we sometimes anonymise it (so it is no longer possible to identify who it relates to), and then combine it with other anonymous information. This combined anonymous information is called ‘aggregated data’, and it helps us improve our products and identify trends (for example, how successful an advertising campaign was). This type of information is not subject to data protection law (because it is now just statistical, and cannot be used to identify individuals).
2. How we use your Personal Data
2.1 This table explains which legal reason (or ‘ground’) we rely on when we use your Personal Data, either as a processor or a controller. If we intend to use your Personal Data for a new reason that is not listed in the table, we will update this privacy notice and notify you.
Purpose | Legal ground |
Taking steps to enter into the contract with an Organisation or individual | Performance of contract (where our customer is an individual); Legitimate interests (where our customer is an organisation, as necessary to conclude our contract with such organisation and obtain contact details for key contracts) |
Processing payments and collecting and recovering monies owed to us | Performance of contract (where our customer is an individual); Legitimate interests (where our customer is an organisation, as necessary to recover debts due to us) |
Handling requests for technical support | Performance of contract (where our customer is an individual); Legitimate interests (where our customer is an organisation, as necessary to perform our contractual obligations to provide technical support) |
Administering and protecting products, services and systems (and those of our processors) | Legitimate interests (necessary to provide our products and services, monitor and improve network security and prevent fraud) |
Providing insight on how our products and services are being used, and how well they are functioning. Using these insights to improve our products and services (including as set out in Part 2 (OMS Biometric Policy) of this Notice) | Legitimate interests (necessary to improve and optimise our products and services); Legitimate interests (where our customer is an organisation, to provide an overview of their users’ engagement with the service) |
Sending you marketing communications by email | Consent (where you are a private individual, sole trader or partner in a partnership); Legitimate interests (where your email address belongs to an organisation which is a corporate body) |
Asking you to participate in surveys and other types of feedback | Legitimate interests (necessary for product and service improvement purposes) |
Notifying you about changes to our privacy notice | Legal obligation (necessary to comply with our obligations under data protection law) |
3.1 We share (or may share) your Personal Data with the following parties:
- Our personnel: OMS employees or other workers bound by contracts containing confidentiality and data protection obligations. Our personnel may work for any company that is a part of the OMS group.
- Your Organisation: where your Organisation requests that we provide to them the Personal Data we process on their behalf, we will do so, in accordance with our contractual obligations.
- Our supply chain: other businesses help us to provide our Services (including Heroku as our customer relationship managers, AWS, who provide cloud storage and other services, Alphabet (Google), who provide the email and storage services we use to operate our communications and internal document processing, Intercom who operate our helpdesk and SendGrid who provide email delivery support, HubSpot, who provide marketing and customer relationship management support, Photon, who support the enabling of our Multiplayer scenarios, and Microsoft Azure, who provide us with the ability to enable voice control scenarios). We ensure these organisations only have access to the information required to provide the support we use them for, and that they are bound by contracts containing confidentiality and data protection obligations.
- Our business partners: such as resellers and distributors of our products and services (businesses that sell OMS Services on our behalf). We ensure these organisations abide by our privacy policy, and are bound by contracts containing confidentiality and data protection obligations, limiting their use of your Personal Data to that required for us to provide the OMS Services to you and your Organisation.
- Our professional advisers: such as our accountants or legal advisors, who are bound by confidentiality obligations, and contracts containing data protection obligations.
- Regulatory authorities such as national tax authorities (for example, HM Revenue & Customs in the United Kingdom).
- Complainants (or their professional advisors) where we receive a valid request for information in relation to a claim that you have infringed someone’s legal rights.
- Specific third parties: where you have indicated you are happy for us to do so, we occasionally contact you in relation to specific offers or surveys from other types of third parties. We will always identify the third party and give you the option to change your mind (and stop your information being shared with them).
- Any actual or potential buyer of our business.
If we are asked to provide your information, we follow strict internal processes to ensure it is a valid request and carefully consider the potential impact on you before we decide to share information. We may decide to seek legal advice to help us decide whether to respond to or reject a request.
4. Where we may share your Information
4.1 We offer a worldwide service, which means your information is transferred between different countries. Generally, your information will be stored securely in the country where your Organisation is based. However, where required for the purposes set out above in Section 2, we may need to transfer some information outside of that country. Such transfer will be limited to the period and duration of that purpose.
4.2 We always identify which legal mechanism we rely on to share information internationally – whether internally between the OMS Group entities or with our service providers (for example, by using contracts approved by the European Commission or UK Secretary of State). You can ask us for this information by emailing [email protected].
4.3 If you use our Services because you have been enrolled by an Organisation (such as your employer or educational institution) or access our Services remotely, then your Personal Data may be stored on servers located in the same country that the Organisation or you are based.
5. Marketing
5.1 Where you have indicated you are happy for us to do so, we use your information to keep you informed of OMS and third party products, services, promotions and events.
5.2 You can ask us to stop sending you marketing at any time by emailing [email protected].
6. How long do we keep hold of the information?
6.1 How long we keep your Personal Data will vary, depending on the purpose for which the information has been collected. There are legal requirements that we keep some types of data for specific periods.
6.2 As processor: Where we act as a processor of your Personal Data on behalf of your Organisation, we will keep information for the duration of the licence agreement with the Organisation.
6.3 As controller: If we have been processing your Personal Data for the purposes of performing a contract with your Organisation, after the agreement with your Organisation has terminated, we may, acting as controller, retain your Personal Data for a period of up to 12 months, for some or all of the purposes set out above in section 2. Where we obtain your Personal Data for marketing purposes, we will retain your Personal Data for as long as the purpose for which it was collected remains valid (usually no longer than 3 years from our last contact with you), or until you notify us that you no longer consent to our holding your data for marketing purposes (whichever is earlier).
6.4 Once the periods specified in sections 6.2 and 6.3 have expired, we will either permanently delete, or anonymise, your Personal Data, so that it is no longer identifiable as being your information.
6.5 You can ask us for further information about specific retention periods by emailing [email protected].
7. Keeping your information safe
7.1 We follow strict security procedures to reduce the risk of your information being accidentally or illegally lost, misused or accessed by unauthorised individuals. Some of the measures we have implemented include:
- technical security measures: such as anti-virus, firewalls and back-up files
- account set-up: such as 2-step verification and strong password requirements
- internal processes: such as business continuity and incident reporting procedures, adherence to Cyber Essentials Plus and ISO 27001 standards
- organisational measures: internal IT and data protection training, at least annually
- procurement processes: such as due diligence questionnaires for our suppliers, using suppliers with specific accreditations (e.g. ISO27001 or SOC 2) where possible.
7.2 We, or other users, may post third party links on our website, and you use them at your own risk. OMS has no control over the security of those links or how those third parties use your information once you visit their website.
7.3 Our Services may allow users to publicly comment on training content. Any information you choose to post on these interactive areas is in the public domain, which means it can be viewed by any person using the internet in any part of the world, and may show up in search engine results. Please be careful about what you choose to share on such forums, as any information you post will be at your own risk.
8. Your rights with respect to your Personal Data
8.1 Data protection laws in the UK and EEA provide individuals certain rights with respect to their Personal Data. We extend these rights to all of our users. As such, you have the right to:
- Access: you must be told if your Personal Data is being used. You can ask for a copy of your Personal Data, as well as information about how we are using it, to make sure we are abiding by the law.
- Correct: you can ask us to correct your Personal Data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes.
- Delete (also known as the right to be forgotten): you can ask us to delete or remove your Personal Data if there is no good reason for us to continue holding it or if you have asked us to stop using it (see below). If we think there is a good reason to keep the information you have asked us to delete (e.g. to comply with regulatory requirements), we will let you know and explain our decision.
- Restrict: you can ask us to restrict how we use your Personal Data and temporarily limit the way we use it (e.g. whilst you check that the Personal Data we hold for you is correct).
- Object: you can object to us using your Personal Data if you want us to stop using it. We always comply with your request if you ask us to stop sending you marketing but in other cases, we decide whether we will continue. If we think there is a good reason for us to keep using your information, we will let you know and explain our decision.
- Move (also known as the right to portability): You can ask us to send you or another organisation an electronic copy of your Personal Data.
- Complain: we hope that we can answer any questions or respond to any concerns you might have, so please contact us in the first instance by emailing [email protected]. However, if you are unsatisfied with our response or would prefer to escalate immediately, you can contact the Information Commissioner’s Office. Their website contact page is linked here.
8.2 It is usually free for you to exercise your rights, and we aim to respond within 30 days (although we may ask you if we can extend this deadline up to a maximum of 60 days if your request is particularly complex or we receive multiple requests at once).
8.3 We can decide not to take any action in relation to a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive. If this happens we will always inform you in writing.
8.4 The only time we may charge a fee is if we decide to proceed with a request that we believe is unfounded or excessive.
8.5 We do not respond directly to requests which relate to Personal Data for which we act as the processor. In this situation, we will forward your request to the relevant controller (your organisation) and await their instruction before we take any action.
8.6 To make a request, please email [email protected].
9. Additional information for individuals based in the State of California only
9.1 Any reference to Personal Data in this notice includes references to personal information as defined under the California Consumer Privacy Act (CCPA).
9.2 As a resident of California, you have specific legal rights under the CCPA. They are the right to:
- Access and delete: the rights to access and delete information under the CCPA as described in section 8.1 are limited to the Personal Data that we have collected over the previous 12 months and are subject to the exceptions set out in the CCPA.
- Opt-out of sale of information: we do not sell your Personal Data but you are free to inform us that you wish us to continue with this policy.
- Non-discrimination: you must not face any discrimination for exercising your legal rights under the CCPA (such as denying you access to our Services).
9.3 We confirm that we have not sold any Personal Data in the past 12 months.
9.4 For the purposes of the CCPA, we are deemed to routinely undertake disclosures of personal information to third parties for business purposes. We enter contracts with those third parties which include binding confidentiality clauses and restrictions which prevent them using your information for any other purpose. In the past 12 months we have disclosed all of the categories of personal information listed at section 1.2 with our supply chain for the purposes of hosting and providing our Services, detecting and protecting against security incidents, and debugging to identify and repair errors.
9.5 You (or another person authorised by you and registered with the California Secretary of State) can make a request under the CCPA by emailing [email protected].
Part 2: OMS Biometric Policy and Notice
Section 1 – Purpose of this notice
Protecting the confidentiality and integrity of Biometric Data is a critical responsibility that must be taken seriously at all times. This Part 2 applies to all Biometric Data collected, maintained, transmitted, stored, retained, or otherwise used by the Company regardless of the media on which that information is stored. Please note that Biometric Data may also be Personal Data (as defined in Part 1 of this Notice). Where there is any conflict between Part 1 and Part 2 of this Notice, the more restrictive Part will apply.
Section 2 – Definitions
OMS provides services across the US, the UK and beyond, and so, to ensure we comply with all relevant biometric data legislation, we adopt a broad definition of Biometric Data.
OMS uses the term “Biometric Data” to mean, collectively, all Biometric Identifiers, Potential Biometric Data, and Biometric Information.
The term “Biometric Identifiers” means any data generated by measurements of an individual’s biological characteristics, which can be used to identify that individual, such as:
- Retina or iris scans.
- Fingerprints.
- Voiceprints.
- Scans of hand or face geometry.
- Genetic data.
“Potential Biometric Data” is a broader concept, and is used to cover data or information which is not a Biometric Identifier, but which could be used to create a Biometric Identifier. This includes, for example, voice recordings and photographs.
“Biometric Information” means information, regardless of how it is captured, converted, stored, or shared, that is based on a Biometric Identifier. Biometric Data does not include information derived from items or procedures excluded under the definition of Biometric Identifiers.
Section 3 – Biometric Data We May Collect from Users
Currently, OMS only collects the following types of Biometric Data from our users:
- Potential Biometric Data – Voice Recordings.
OMS Voice is an option for some OMS virtual reality simulation scenarios. It allows users to interact with the scenario using speech control. In order to use speech control, OMS Voice collects voice recordings from the user during the scenario, which are collected, stored, and then processed using a speech-to-text translator. The translated text is then used to inform the reactions of the scenario to the speech input.
Section 4 – How We Use The Biometric Data We Collect
The voice recordings are stored in secure storage, and transmitted to the speech-to-text translator via a secure, encrypted transfer method. The speech-to-text translator does not retain a copy of the voice recordings after translation. The third parties we use to store and translate the voice recordings are listed below in Section 5.
OMS retains the voice recordings for up to 12 months after they are created. After this period, voice recordings are permanently deleted. During this period, we may use the voice recordings to analyse and improve the performance of our products and services, including to improve the accuracy and efficacy of the proprietary machine learning voice recognition models we use to operate OMS Voice.
OMS does not use the voice recordings for any other purpose (including for the creation of any Biometric Identifiers). We do not disclose the voice recordings to any third parties for any other purpose.
OMS will inform our clients and users if we collect any other Biometric Data, or if we change the manner or purpose in which we collect and use the Biometric Data listed above.
Section 5 – How OMS Obtains Individual Consent to Our Use of Biometric Data
OMS obtains consent to the processing of the Biometric Data in the manner, and for the purposes, set out in Section 3 and Section 4, when users download and use the OMS Software and Services for the first time. Each user will be presented with the OMS End User Licence Agreement, and this Notice, and asked whether they ‘Agree’ to the terms of these documents. Agreeing to the terms of these documents is a condition of downloading and using the OMS Software and Services – in relation to this Notice, this is because we cannot operate the software and services without using the Biometric Data and Personal Data in the manner described. Therefore, if a user does not agree, they will not be able to use the OMS Software and Services.
If, once you’ve used the OMS Software and Services, you wish to withdraw your consent, and ask us to delete the Biometric Data we have collected from you, you can contact us at any time at [email protected] to let us know.
Section 6 – Third Party Processors of Biometric Data
We use the following third parties to process Biometric Data on our behalf, in accordance with Section 3 – Biometric Data We May Collect from Users:
Name of Vendor | Biometric Data Processing |
Microsoft – Azure AI | Voice-to-text transcription of voice recordings – no storage of data. |
AWS | Storage of voice recordings |