Privacy Policy Overview

Lucida Medical Ltd is committed to protecting your privacy. Our privacy policies set out how we use, process, and protect personal data that you or others may provide to us. As a website user, our Privacy Policy for Business Contacts, which is set out below, applies to your use of the website and any contacts between you and us resulting from this.

Our Sample Privacy Notice for Patients, which is also set out below, outlines the general principles of how we process patient data using Pi™ to support cancer diagnosis. Please note that we do not provide care to patients ourselves and act as a data processor working with a healthcare provider who acts as data controller. If you are a patient, you should contact your healthcare provider, not Lucida Medical Ltd, for more details about their privacy policies, about the processing of your data, or about any aspect of the care that you receive.

Privacy Policy for Business Contacts

1        Introduction

This privacy notice applies to business contacts (including interested parties, customers, business partners, suppliers and investors) of Lucida Medical Ltd, Allia Future Business Centre, King’s Hedges Road, Cambridge, CB4 2HY, United Kingdom.

We are committed to the responsible protection and processing of personal data. This privacy notice is to inform you of the types of data we process about you, the reasons for processing your data, the lawful basis for processing, your rights and the retention periods of your data.

2        Scope and Definitions

This privacy notice applies to all business contacts as defined above. The term “business contact” includes current, previous and prospective or potential business contacts and applies to individuals, groups of individuals and organisations as applicable. The terms “we”, “our” and “us” refer to Lucida Medical Ltd.

3        Data Protection Principles

We hold and process personal data according to a set of core principles set out in applicable law. In accordance with these principles, we will ensure that:

  1. processing is fair, lawful and transparent
  2. data is collected for specific, explicit, and legitimate purposes
  3. data collected is adequate, relevant and limited to what is necessary for the purposes of processing
  4. data is kept accurate and up to date
  5. data is not kept for longer than is necessary for its given purpose
  6. data is processed with appropriate security measures taking into account the risks that arise from the processing.

4        Types of Data Held

Personal data that we collect will normally include your name, e-mail address or addresses, phone numbers, job title, professional qualifications and employer details. In some cases we will also store and process your home and/or business address.

5        Collecting Your Data

We may receive your data from several different sources, including:

  • when you speak to or meet us, for example on the phone or at a conference
  • when you contact us or provide us with your details, for example by attending an event that we participate in or organise, through a social media platform such as LinkedIn, Instagram or X (Twitter), or through our website, by email or post
  • through our website, which uses cookies as described in our cookie policy
  • if a third party introduces you to us.

6        Lawful Basis for Processing

If we receive your details through one of the channels set out above, we will store your personal data and use it to send you information about Lucida Medical, on the basis that you have consented to receive information from us. You may withdraw your consent at any time by e-mailing or contacting us.

If we have a contract with you or your employer, or work on a business proposal that may lead to a contract, we may use and store your information, and may contact you by phone, e-mail or post, in connection with the contract or proposal on the basis of our legitimate interest and to meet our legal obligations. For example, we may contact you about a project, and store information about the project or contract in our e-mail, accounting and legal records. 

If we are in touch with you for our business, for example as a current, potential or former customer, investor, supplier or business partner, we may also use and store your information, and contact you by phone, e-mail or post, in connection with this business relationship on the basis of our legitimate interest to do business with you and to meet our legal obligations.

7        Protecting, Sharing and Holding Your Data

We take reasonable steps to protect your data from unauthorised use, disclosure or loss. We have a data processing agreement in place with any third parties we use to process your data under our instructions, to ensure data is protected. 

We may employ other companies to provide services for us, for example e-mail, cloud storage, backup and project sub-contractors. With reasonable safeguards, these companies may have access to personal data needed to perform their functions and not for any other purpose. If our business is merged with or acquired by another company, your information may be disclosed to our new partners or owners.

We primarily store and process personal data in the UK and EU. However, in some cases we may transfer your personal information outside of the UK and the EU, and in these cases we ensure it receives additional protection as required by law. To keep this privacy notice as short and easy to understand as possible, we haven’t set out the specific circumstances in which each of these protection measures is used. You can contact us for more detail on this.

We will retain information for a reasonable period, or as long as required by law, bearing in mind the nature of the information and the purposes for which we hold it.

8        Automated Decision Making

Automated decision-making means making decisions about you with no human involvement, e.g. using computerised algorithms or programmes.

We do not presently undertake any automated decision making with personal data received in connection with this privacy notice. 

9        Your Rights and Consent

You can always contact us to ask us about our privacy policy, use or processing of your data, or if you have an objection. You also have the right to access the information that we hold about you, and the right to request that this information is corrected, deleted, restricted, or transferred to another organisation. You can exercise these rights at any time by contacting us.

Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time by contacting us. In some cases, for example where we have contractual or legal obligations or if we have to retain some of your data to meet your requests, we may still continue to process your data, and we will explain the reasons for this as part of our response.

10    Updating this Notice

We may change this privacy notice in future by posting it to our website.

11    Making a Complaint

If you have any concern about how we process personal data, please contact us through our website or by email so that we can take reasonable steps to understand and respond to your wishes and to ensure you are satisfied with our handling of your data.

However, you are entitled to raise a complaint with the Information Commissioner (ICO) if you are not satisfied. You can contact the ICO at https://ico.org.uk/concerns/ or by telephone on 0303 123 1113 (local rate) or 01625 545 745.

Lucida Medical Ltd

https://lucidamedical.com/

Last update: 11 April 2026.

Sample Privacy Notice for Patients whose scans are processed using Pi™

This privacy notice tells you what to expect us to do with your personal information when your healthcare provider uses our services. The privacy notice is based on a standard NHS England Health and care Template privacy notice (PN). This version is general and is intended to provide information about how we normally process identifiable patient data as a data processor working with a healthcare provider who acts as data controller. If you are a patient, you should contact your healthcare provider, not Lucida Medical Ltd, for more details about their privacy policies, about the processing of your data, or about any aspect of the care that you receive.

Our contact details

Name: Lucida Medical Ltd

Address: Allia Future Business Centre, King’s Hedges Road, Cambridge CB4 2HY, UK

For general inquiries please use our contact page to get in touch.

Website: https://lucidamedical.com

Controller contact details

The data controller responsible for your data is usually the healthcare provider who provides you with care. Please ask them to provide you with the contact details of their data protection officer. Many healthcare providers make this information publicly available on their website in their privacy policy, which is often linked at the bottom of their home page.

How do we get information and why do we have it?

We receive and process your personal data to help doctors screen for, diagnose, monitor and treat cancer. They use our Pi™ software to analyse data and produce outputs that they then review. They may also ask us to provide them with technical support, improvements to our product, and further analysis such as evaluating or auditing how the software works. Pi™ does not provide a direct diagnosis, and the relevant doctor or medical team has full responsibility for your diagnosis and treatment.

We collect and use personal information for the following reasons: 

  • you have provided information to seek care – this is used directly for your care, and also to manage the services that we and your healthcare provider provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care.

We also receive personal information about you indirectly from others, in the following scenarios:

  • from other health and care organisations involved in your care so that we can provide you with care.

What information do we collect?

Personal information

In most cases, we do not receive personally identifiable information because our Pi™ software is used by hospitals to provide you with care. However, in certain circumstances, we may process identifiable information. Where we do this, we currently collect and use the following personal information:

  • personal identifiers (for example, name and hospital ID)
  • date of birth.

More sensitive information

We process the following more sensitive data (including special category data):

  • data concerning physical or mental health (for example, details about your appointments, clinical history, reasons for referral, scans, biopsies, diagnosis, treatment and monitoring)
  • data revealing racial or ethnic origin, where this is provided to us as part of your data (for example because different ethnic groups may be differently affected by cancer).

Who do we share information with?

We may share information with the following types of organisations:

  • hospitals and doctors involved in providing care to you
  • third party data processors (such as IT systems suppliers)
  • planners of health and care services (such as Integrated Care Boards)
  • healthcare systems (such as NHS England, NHS Scotland and NHS Wales).

In some circumstances we are legally obliged to share information. This includes:

  • when required by the NHS or similar national body to develop national IT and data services
  • when a court, regulatory body or regulation requires us to do so
  • where a public inquiry requires the information.

We will also share information if the public good outweighs your right to confidentiality. This could include:

  • where a serious crime has been committed
  • where there are serious risks to the public or staff
  • to protect children or vulnerable adults.

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes include complying with the law and public interest reasons, in particular developing and evaluating improvements in how we screen for, diagnose and treat cancer.

Where is my information stored or transferred?

For healthcare providers based in the UK, our data is hosted in the UK but is only available to our staff and technical support staff in the UK and EU.

For healthcare providers based in the EU, European Economic Area (EEA) or other countries, our data may be hosted in the UK, EU and/or the same country as the healthcare provider but is only available to our staff and technical support staff in the UK and EU.

What is our lawful basis for using information?

Personal information

Under the UK and EU General Data Protection Regulation (GDPR), the lawful basis we rely on for using personal information is:

(b) We have a contractual obligation – between us and the healthcare organisation that provides you with care

(c) We have a legal obligation – the law requires us to do this, for example where NHS England or the courts, a regulatory body or regulation require us to do so

(e) Your healthcare provider uses your information to perform a public task – a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation or the equivalent in your country, is required to undertake particular activities by law.

More sensitive data

Under GDPR, the lawful basis we rely on for using information that is more sensitive (special category) is:

(h) To provide and manage health or social care (with a basis in law).

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

  • you have provided us or your healthcare provider with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
  • we have a legal requirement to collect, share and use the data.

How do we store your personal information?

Your information is securely stored for the time periods specified in our contract with your healthcare provider. In general, we only keep your identifiable personal information for as long as required for the specific purposes of processing your data, typically no longer than 1 month but in some cases up to 12 months.

  • When we have finished processing your data we will securely dispose of it by deleting copies stored on electronic platforms, shredding paper records and wiping hard drives to legal standards of destruction.
  • For business continuity and legal purposes, backups may be confidentially stored in our backup system, which is not normally accessible, for up to 6 years.
  • We may use sub-processors to store your data to support our processing where your healthcare provider agrees with this. For example, we and the NHS may use Microsoft services to exchange data for technical support and audit purposes.

What are your data protection rights?

Under data protection law, you have rights including:

Your right of access – You have the right to ask us for copies of your personal information (known as a subject access request).

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. We recommend that you contact your healthcare provider if you want to make a request. If you make a request direct to us, we have one month to respond to you, but please note that generally we will have to refer you to the healthcare provider responsible for your care, because they are the data controller in charge of your data. 

Please contact us through our contact page if you wish to make a request direct to us.

Automated decision making

We do not perform automated decision making with your data, and we require healthcare providers to ensure that all diagnostic decisions are made by a suitably trained healthcare professional because Pi™ does not make a direct diagnosis. 

National data opt-out

We do not apply the national data opt-out because we are not using confidential patient information for planning or research purposes.

Updating this notice

We may change this privacy notice in future by posting it to our website.

How do I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us at or by writing to:

Data Protection Officer
Lucida Medical Ltd

Allia Future Business Centre
King’s Hedges Road
Cambridge CB4 2HY
UK.

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

The ICO’s address is:

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF 

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk 

Date of last review

11 April 2026, version 1.0. This document is reviewed each calendar year.