Privacy Policy
Last updated: June 27, 2025.
This Privacy Notice informs you who we are, how we collect, use, secure and share personalinformation collected by us when you visit our website(s), enquire about or use our products andservices (including WeDosify), send to, or receive from us, communications, (including marketingmessages), register or attend our events or webinars, visit our offices or media pages, and through anyother interactions we have with you. This Privacy Notice also informs you how you can exercise your rights.
Closed Loop Medicine Ltd ('Closed Loop', 'we', 'us', and 'our') is committed to respecting and protecting the privacy of individuals and to fully complying with all the requirements of applicable data protection laws and regulations, including the UK GDPR and US state privacy laws where applicable.
If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided elsewhere in this Privacy Notice.
Data Protection Officer
We have appointed a Data Protection Officer (DPO). If you wish to contact our DPO you can do so via:dpo@closedloopmedicine.com
This Privacy Notice applies to all our data subjects (an individual about whom we hold personal information) except Job Applicants/Candidates and our employees. Employee and Job Applicant Privacy Notices are separate and are available on request to interested parties.
What is personal information?
Personal information is anything that enables you to be identified or identifiable. Personal information is also called "personal data". We collectively refer to handling, collecting, protecting, storing or otherwise using your personal information as 'processing'.
Geographic Processing and Data Location
For WeDosify Users (US Market): WeDosify is designed specifically for the US market and is hosted on servers located within the United States. When you use WeDosify, your personal information is processed and stored within the US to ensure optimal performance and compliance with US healthcare standards.
For Other Services: For our other products and services, personal information is primarily processed within the UK and is not transferred outside the UK unless specifically noted.
This Privacy Notice applies to all our data subjects (an individual about whom we hold personal information) except Job Applicants/Candidate and our employees.
Employee and Job Applicant Privacy Notices are separate and are available on request to interested parties.
If you fail to provide personal information
Where we need to collect personal information by law, or under the terms of a contract we have with you and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you or provide you with services you have requested.
Collecting (obtaining) your Personal Information
Most of the personal information we process is provided to us directly by you, for example for one or more of the following reasons:
You have visited our website(s) or used our applications and consented to our use of cookies or similar technologies
You have provided details through our website contact form
You have registered for or used WeDosify
You have contacted us for support or information
We may also obtain your personal information indirectly, such as from:
Social media platforms
The personal information we collect about you
We may collect and otherwise process different kinds of personal data about you which we have grouped together as follows:
Contact Data includes postal and email address and telephone numbers
Identity Data includes names and similar identifiers, marital status, title, date of birth and gender
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website and applications
Usage Data includes information about how you use our website and applications
WeDosify Application Data includes anonymized clinical decision support interactions and usage patterns (no patient data is collected or stored)
Lawful Bases (legal grounds) for Processing Personal Information
Our legal basis for collecting and using your personal information will depend on the personal information concerned and the specific context in which we collect it.
We will normally collect personal data from you on one or more of the following lawful bases:
Consent: We may process your personal information after you have consented (agreed) to us doing so. Your consent may have been obtained by us, or by third parties on our behalf. You have the right to withdraw your consent at any time.
Contract: We may process your personal information when we need to deliver a contractual service to you or because you have asked us to do something before entering into a contract (e.g., provide a quote).
Legal obligation: We may process your personal information when we need to comply with a legal obligation under UK or US law.
Legitimate interest: We may process your personal information when we need to for our or another's legitimate interests, where these interests are not overridden by your rights.
Purpose(s) for Processing Personal Information
We have set out below a description of all the ways we plan to use your personal information, andwhich of the legal bases we rely on to do so. We have also identified what our legitimate interests arewhere appropriate.
| Purpose/Activity | Type of Data | Lawful Basis for Processing |
|---|---|---|
| To register a new client/customer |
• Contact • Identity |
• Contract |
| To process and deliverWeDosify services |
• Contact • Identity • Technical • Usage • WeDosify Application Data |
• Contract • Legitimate interest (to provideclinical decision support tools and improvepatient outcomes) |
| To manage our customer and business relationships |
• Contact • Identity |
• Contract • Legal obligation • Legitimate interest (to keep our recordsupdated and to study how customers use ourservices) |
| To administer and manageour website andapplications |
• Contact • Identity • Technical |
• Legitimate interest (for running our business,provision of administration and IT services,network security, to prevent fraud) |
| To develop our businesses and services |
• Contact Data • Identity Data • Technical Data • Usage Data |
• Legitimate interests (to develop ourproducts/services and grow our business) |
| To comply with our legal obligations |
• Contact Data • Identity Data • Technical Data • Usage Data |
• Legal obligation |
Using your Personal Information for Marketing Purposes
We will not use your personal information for marketing purposes without your explicit consent.
We will not share your information with any third parties for the purposes of direct marketing.
Sharing your Personal Information
We may share your personal information with third parties (other organizations or individuals) for:
The purpose(s) for which the information was submitted
The purposes listed under 'Purpose(s) for Processing Personal Information'
As agreed between us
We share personal information with third parties that act as data processors to provide elements of our service by processing personal information on our instructions (see 'Data Processors' below).
We may share your personal information with law enforcement, regulatory and other government agencies and professional bodies, as required by and/or in accordance with applicable law or regulation.
In some circumstances we are legally obliged to share information. For example, under a court order.
It is our policy to only share your personal information with third parties that are legally or contractually bound to protect your personal information to the same standards as we are, and that will flow those same standards to their subcontractors.
In any scenario, we'll satisfy ourselves that we have a lawful basis on which to share your personal information.
We will not sell your personal information to any third party..
Data processors
Where we use data processors, we have contracts in place with them to ensure that they cannot do anything with personal information we have shared with them unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct them to.
The data processors which we mainly and routinely use are:
For all services:
We use Monday as our CRM. Here is a link to its Privacy Notice
We use Greenlight Guru Clinical for Clinical Studies. Here is a link to its Privacy Notice
For WeDosify (US-hosted service):
We use Amazon Web Services (AWS) US regions to host WeDosify data. Here is a link to its Privacy Notice
For other services:
We use Amazon Web Services to host user data in UK regions. Here is a link to its Privacy Notice
*The above list identifies those data processors that we routinely use. It does not identify each andevery data processor we use.
Transfers of your personal information to outside the UK
For WeDosify: Personal information is processed and stored within the United States on AWS USservers to ensure optimal performance and compliance with US healthcare standards.
For other services: We do not transfer (send or access) your personal information outside the UK.
International transfers from UK/EU: When we transfer personal data from the UK or EU to the US forWeDosify services, we rely on adequacy decisions or implement appropriate safeguards such asStandard Contractual Clauses to ensure your data remains protected.
Retention (Storage) of Personal Information
We will retain your personal information only for as long as we need it for the purpose(s) for which itwas collected, or as required to do so by law.
To determine the appropriate retention period for your personal information, we consider the amount,nature, and sensitivity of it, the potential risk of harm from unauthorised use or disclosure of it, thepurposes for which we process it and whether we can achieve those purposes through other means,as well as applicable legal requirements.
Examples of the periods for which personal information will be stored
| Personal data | Retention period |
|---|---|
| WeDosify user records | As required by any applicable statutory retention period, or where no statutoryretention period applies, three years after last account activity or contractualrelationship ends, whichever is the latest. |
| Client/customer records(other services) | As required by any applicable statutory retention period, or where no statutoryretention period applies, two years after contractual relationship ends, or two yearsfrom our last date of contact, whichever is the latest. |
| Business contacts records | As required by any applicable statutory retention period, or where no statutoryretention period applies, two years after business relationship ends. |
*The above list gives examples and does not identify each and every period for which individuals' personal data will be stored. Further information about our retention of Personal Information is set out in our Retention Policy. If you would like a copy of our Retention Policy, please contact us.
Your data protection rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information and your location.
For all users:
Your right of access: You have the right to ask us for copies of your personal information
Your right to rectification: You have the right to ask us to rectify information you think is inaccurate or complete information you think is incomplete
Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances
Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances
Your right to object to processing: You have the right to object to processing if we are processing your information for legitimate interests
Your right to data portability: You have the right to ask that we transfer information you gave us from one organisation to another or give it to you (applies only to information you have given us and where processing is automated)
Additional rights for California residents:
Right to know what personal information is collected, used, shared or sold
Right to delete personal information
Right to opt-out of the sale of personal information (we do not sell personal information)
Right to non-discrimination for exercising privacy rights
Additional rights for Virginia, Colorado, and other applicable state residents: Similar rights as California residents, with some variations as specified by state law.
You are not required to pay any charge for exercising your rights. We have one month to respond to you.
If you wish to exercise any of your rights, please contact us using the details below.
Security
We use appropriate technical and organisational measures to protect the personal data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data.
For WeDosify, we implement additional security measures appropriate for healthcare-related applications, including encryption in transit and at rest, access controls, and regular security assessments.
Please be aware that we cannot guarantee the security of all personal information transmitted to or by us.
Artificial Intelligence (AI)
WeDosify uses AI and machine learning technologies to provide clinical decision support. However, we do not use AI to make automated decisions about individuals, and all AI-generated recommendations are provided as decision support tools only. No patient data is used to train our AI models.
Video Conferencing
We use third-party providers to enable us to have video conferences ('meetings'). We may record these meetings and, by doing so, we will be processing the personal data of participants to:
Establish participant identities and contact details
Create records of discussions, decisions and progress
Facilitate producing a transcript of meeting organisers' and participants' personal meeting contributions
Support participant accessibility
The third-party providers for video conferences ('meetings') are:
Microsoft Teams
Zoom
By continuing to attend these meetings (after you have been informed that you are being recorded), you will be consenting to your personal data being processed as detailed above.
Automated Decision Making
We will not use your personal information for automated decision making or profiling that produces legal or similarly significant effects.
Children’s personal information
We do not provide services directly to children under 16 or proactively collect their personal information. WeDosify is intended for use by healthcare professionals only.
Visiting our premises
When you visit our premises, you may provide your name and other personal information for security and safety reasons.
Links to other websites
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.
Our contact details
We can be contacted as follows:
Email: dpo@closedloopmedicine.com
Post: Closed Loop Medicine Ltd, 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT, United Kingdom
Cookies
We use a cookies tool on our website to gain consent for the optional cookies we use. Cookies that are necessary for functionality, security and accessibility are set and are not deleted by the tool. For information about the cookies and any other similar technologies we use, please see our cookies policy.
Your right to complain
We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us and we'll respond.
UK/EU residents: If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner's office (ICO), the UK supervisory authority.
US residents: You may also have the right to lodge a complaint with your state's attorney general or relevant privacy authority.
Updating
We may update this Privacy notice at any time by publishing an updated version here. So that you know when we make changes, we will amend the revision date at the top of this page. The new modified or amended privacy policy will apply from that revision date.
Note: WeDosify is only for use within the United States of America (50 states and the District of Columbia). It is not approved for use in U.S. territories or internationally. Use outside of these jurisdictions may not comply with local regulations and is not supported by the manufacturer.