Site Logo
Site Logo

CANDIDATE PRIVACY NOTICE

WHAT IS THE PURPOSE OF THIS DOCUMENT?

The OrganOx group of companies includes OrganOx Limited, OrganOx (Europe) Limited and OrganOx Inc. In this privacy notice, we refer to any OrganOx group company as OrganOx, we, our or us.

OrganOx is committed to protecting your privacy and security of your personal data.

The relevant OrganOx entity to whom you apply is the controller in relation to your personal data. The controller is responsible for deciding how to hold and use personal information about you. With regards to OrganOx Inc, please note that this privacy notice will only apply to OrganOx Inc to the extent it processes your personal data as a controller and you are based in the UK or EEA.

This privacy notice makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise (whether you apply to work with us as an employee, worker or contractor), and how long it will usually be retained for, in accordance with UK, EU and Swiss data protection laws (if applicable).

DATA PROTECTION PRINCIPLES

We will comply with data protection law and principles, which means that your data will be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept securely.

WHO IS YOUR PERSONAL INFORMATION COLLECTED FROM?

We collect personal information about candidates from the following sources, for example:

  • You, the candidate.
  • Recruitment agency, who typically provides us with information that you provide as part of the recruitment process such as curriculum vitae and cover letter, as well as feedback regarding interviews and application process.
  • Background check provider, who typically provide us with information related to your work history, education, and confirmation of your identity and references (we will comply with local laws when we do this and the scope of any background check will depend on the role that you apply for).
  • Credit reference agency, who typically provide us with information such as your name, date of birth, your linked addresses, your previous names/aliases, addresses linked to these names/aliases, electoral register status, county court judgements, any criminal convictions, individual voluntary arrangement, bankruptcy, re-possessions, details of any credit accounts, payment history and any outstanding balances in your name (we will comply with local laws when we do this and the scope of any credit reference check will depend on the role that you apply for).
  • In the UK, the Disclosure and Barring Service in respect of criminal convictions.
  • Your named referees such as your former employer, who would usually share information about the dates of your employment with them and roles held.
  • Any information published about you published online on publicly accessible sources such as LinkedIn, Facebook, Instagram, public records and otherwise.

We may also receive personal information from you from another OrganOx group company.

THE KIND OF INFORMATION WE HOLD ABOUT YOU

In connection with your application for work with us, we will collect, store, and use the following categories of personal data about you:

  • The information you have provided to us in your curriculum vitae, covering letter or application form (as applicable) including your name, title, address, telephone number, personal email address, immigration status, information about your right to work in the UK, EU or Switzerland, education history, qualifications and employment history.
  • Any information you provide to us during the application or interview process including relocation preferences, information regarding previous roles, and assessment responses and results.
  • Information that you have provided to us in relation to any previous application made to us (including any OrganOx group company) and/or any information related to previous employment with us (including any OrganOx group company).
  • Information obtained from sources other than yourself as previously referred to in this privacy notice.
  • CCTV (and video doorbell) footage in the event that you visit our premises as part of the recruitment process.
  • This may involve us collecting, storing and using the following types of more sensitive personal information:
  • Information about your race or ethnicity, religious or philosophical beliefs, sexual orientation.
  • Information about your health, including any medical condition, health and sickness records.
  • Information about criminal convictions and offences.

HOW WE WILL USE INFORMATION ABOUT YOU

We will use the personal information we collect about you to:

  • Assess your skills, qualifications, and suitability for the role.
  • Carry out background and reference checks, where applicable.
  • Communicate with you about the recruitment process.
  • Keep records related to our hiring processes.
  • Comply with legal or regulatory requirements.

It is in our legitimate interests to decide whether to appoint you to the role you have applied for since it would be beneficial to our business to appoint someone to that role.

We also need to process your personal information to decide whether to enter into a contract with you.

It is in our legitimate interest to process your image (and potentially audio recording) when you visit our premises to ensure the safety of you and our personnel at our premises, as well as ensure the security of our premises. We will also process this data for crime prevention purposes.

If you fail to provide personal information

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

HOW WE USE PARTICULARLY SENSITIVE PERSONAL INFORMATION

Where appropriate we will use your particularly sensitive personal information in the following ways:

  • We use information about disability to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.
  • We use information about racial or ethnic origin, religious or philosophical beliefs, disability or sexual orientation to ensure meaningful equal opportunity monitoring and reporting.

We understand that positions under local law can vary in relation to monitoring (for example in relation to equal opportunities monitoring), and we only carry out such activities in accordance with relevant laws. In the UK (or in respect of UK based data subjects), where we process special category data for prospective employment purposes, we have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.

INFORMATION ABOUT CRIMINAL CONVICTIONS

We envisage that we will process information about criminal convictions.

We will collect information about your criminal convictions history if we would like to offer you the role (conditional on checks and any other conditions, such as references, being satisfactory). We are entitled to carry out a criminal records check in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role.

We understand that positions under local law can vary in relation to information about criminal convictions, and we only carry out such activities in accordance with relevant laws. In the UK (or in respect of UK based data subjects), where we process criminal offence data for prospective employment purposes, we have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.

AUTOMATED DECISION-MAKING

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

DATA SHARING

Why might you share my personal information with third parties?

We will only share your personal information with the following third parties for the purposes of processing your application:

  • other entities within our OrganOx group;
  • service providers (for example, IT service provider, hosting services or benefit providers) who may have access to your personal data;
  • professional advisers including lawyers, bankers, auditors, accountants, business advisers, brokers and insurers;
  • relevant government organisations or other law enforcement agencies; and
  • third parties to whom we may choose to sell, transfer or merge parts of our business or our assets or who may choose (or contemplate) to invest in us. Alternatively, we may seek to acquire other business or merge with them.

All our third-party service providers and other entities in the OrganOx group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

We will also share your personal data with recruitment agents relevant to any application for recruitment process relevant to you (for example communicating the outcome of any interviews, whether or not an offer is made to you, and relevant details of that offer). Recruitment agents typically act as data controllers and will have their own privacy notices.

Depending on the third party that data is transferred to, your information may be sent outside of the UK, European Economic Area (EEA) and/or Switzerland such as the US.

Whenever we transfer personal data outside the UK, EEA and/or Switzerland to countries which have laws that do not provide the same level of protection as the UK, EU and/or Swiss law, we always ensure that as similar degree of protection is afforded to it by ensuring that the following safeguards are implemented:

  • We use specific standard contractual terms approved for use in the UK by the UK government, the EEA by the European Commission and/or Switzerland by the Swiss government, in each case which give the transferred personal data the same protection as it has in the UK, the EEA and/or Switzerland (as applicable).
  • We will only transfer your personal data to countries that have been to provide an adequate level of protection for personal data by the UK government, European Commission or Swiss government, as applicable.

If you require further information in respect of the safeguards used by OrganOx, please contact our DPO using the details set out below.

DATA SECURITY

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

DATA RETENTION

How long will you use my information for?

We will retain your personal information for a period of 12 months after we have communicated to you our decision about whether to appoint you to the role. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy.

If we would like to retain your personal information on file, on the basis that we might be able to consider you for an opportunity that may arise in future, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period for that purpose.

RIGHTS OF ACCESS, RECTIFICATION, ERASURE, OBJECTION, RESTRICTION AND DATA PORTABILITY

Your rights in connection with personal information

Under certain circumstances, by law you have certain rights explained below. These rights apply in respect of our UK entities irrespective of where you are based. However, if you are based in the UK, EEA or Switzerland, the above rights will also apply in respect of our US entity.

Your rights are:

  • Request access to your personal information (commonly known as making a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our data protection officer (DPO) whose contact details are privacy@organox.com.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. If there are reasons why we cannot comply with your request, we will explain this to you.

QUESTIONS OR COMPLAINTS

OrganOx Limited has appointed a DPO, and OrganOx (Europe) Limited and OrganOx Inc have appointed a data compliance officer to oversee compliance with this privacy notice. A reference to DPO in this privacy notice includes the data compliance officer. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO.

If you have any questions or concerns about this privacy notice or how we handle your personal information, please contact our DPO who has been appointed to oversee compliance with this privacy notice and whose contact details are privacy@organox.com.

You have the right to make a complaint at any time to the UK’s Information Commissioner's Office (ICO) who is responsible for data protection issues in the UK or any other relevant supervisory authority in the country in which you are based.

Last updated 2 May 2025.

—------------------------------------------------------------------------------------------------------------------

PRIVACY AND COOKIE POLICY

1. IMPORTANT INFORMATION AND WHO WE ARE

This Privacy & Cookies Policy gives you information about how the OrganOx Group collects and uses your personal data when you interact with us, including any data you may provide when you:

  • visit our website (https://www.organox.com/) (Website);
  • subscribe to receive news and other information from us;
  • use our services and applications, including metra® Assist and mApp;
  • attend our events;
  • engage with us on social media;
  • request information from us or provide information to us;
  • supply goods or services to us (or you work for an organisation that does);
  • attend our offices; or
  • contact us by any means.

The Website is not intended for children and we do not knowingly collect data relating to children.

This Privacy & Cookies Policy also applies to Shareholder Data that we might process from time to time (as described below).

This Privacy & Cookies Policy does not apply:

  • to the processing of personal data by an OrganOx Group Company as part of a clinical trial or research. Trial or research participants will be provided with a separate privacy information in respect of this.
  • where you are applying to work for an OrganOx Group Company, please find our Candidate Privacy Notice here, which provides you with further information on how we process your personal data during the recruitment process.

Controller

The OrganOx Group is made up of the following different legal entities:

  • OrganOx Limited (company number 06557113);
  • OrganOx (Europe) Limited (company number 15961354); and
  • OrganOx, Inc.

This Privacy & Cookies Policy is issued on behalf of the OrganOx Group so when we mention OrganOx, we, us or our in this Privacy & Cookies Policy, we are referring to the relevant company in the OrganOx Group responsible for processing your data. In some cases, we will specify the relevant OrganOx Group company.

OrganOx Limited is the controller and responsible for the Website. OrganOx Limited has appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy & Cookies Policy. If you have any questions about this Privacy & Cookies Policy, including any requests to exercise your legal rights, please contact the DPO using the information set out below.

OrganOx (Europe) Limited is the controller and responsible for our applications, including metra® Assist and mApp.

Processor

In some circumstances, we may process your personal data as a data processor on behalf of another organisation, who would be the controller. This may apply, for example, where we process your personal data in the course of providing services to one of our customers who is your employer. Where this applies, the controller is responsible for responding to any questions you may have about how your personal data is processed, including any requests to exercise your legal rights, and we will pass your correspondence to them to respond.

2. THE TYPES OF PERSONAL DATA WE COLLECT ABOUT YOU

Personal data means any information about an individual from which that person can be identified.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, title/ job title, username or similar identifier, as well as organisation details.
  • Contact Data includes email address and telephone numbers.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
  • Profile Data includes your username and password, your interests, preferences, feedback and survey responses.
  • Usage Data includes information about how you interact with and use the Website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
  • Shareholder Data includes information relating to actual, potential or former individual shareholders of OrganOx, as well as representatives of institutional or corporate shareholders of OrganOx, which may include details of your participation in OrganOx's affairs as an individual shareholder or representative of an institutional or corporate shareholder (as applicable), such as attendance at and contribution to meetings, voting records etc, details of your respective shareholdings and any other information which is required to be recorded about you as a shareholder by law or which we hold in relation to your current or former shareholding or which we may acquire in connection with any discussions relating to potential shareholding.

We do not collect Special Category Data about you (i.e. details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data) except in very limited circumstances. For example, you might provide such information to us if you were to inform us of any dietary requirements in connection with religious or health reasons, or particular access requirements due to any health reasons if you were to be attending an event that we organise.In this case, your provision of the information would indicate your consent to us using the data for this purpose.

We (and service providers that we use) also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with the Website to help improve the Website and our service offering. We, or our service providers, may collect and aggregate individuals' Usage Data in an anonymised form to assess how features that are provided are used and make service improvements and for other business purposes. In some circumstances we also may have access to and use anonymised data from which we cannot identify any individuals.

3. HOW IS YOUR PERSONAL DATA COLLECTED?

We use different methods to collect data from and about you including through:

  • Your interactions with us. You may give us your personal data by filling in online forms, by corresponding with us by post, phone, email or otherwise or when you visit our premises. This includes personal data you provide when you interact with us as set out above.
  • Automated technologies or interactions. As you interact with the Website and applications, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see the ‘Cookies’ section below for further details.
  • Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
    1. Technical Data is collected from the following parties:
      1. analytics providers;
      2. advertising networks; and
      3. search information providers.
    2. Contact and Transaction Data is collected from providers of technical and delivery services.
    3. Identity and Contact Data is collected from publicly available sources such as Companies House and social media platforms such as LinkedIn.

4. HOW WE USE YOUR PERSONAL DATA

Legal basis

The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:

  • Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and enable us to give you or the organisation that you work with the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
  • Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
  • Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter. In some cases, such as where we carry out a clinical trial, we would also request your specific consent.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose/Use

Type of data

Legal basis

To manage our relationship with your organisation as a customer, including:

  1. to register your organisation as a new customer for any of our applications;
  2. to provide support services in respect of any of our products or applications; and
  3. to communicate with you on social media platforms.

(a) Identity

(b) Contact

(c) Profile

Necessary for our legitimate interests (to perform our obligations under a contract with your organisation)

To process and deliver goods and services to your organisation, including:

  1. Manage payments, fees and charges
  2. Collect and recover money owed to us

(a) Identity

(b) Contact

(c) Marketing and Communications

Necessary for our legitimate interests (to perform our obligations under a contract with your organisation and to recover debts due to us)

To manage our relationship with your organisation as a supplier of goods or services to the OrganOx Group

(a) Identity

(b) Contact

Necessary for our legitimate interests (performance of a contract with your organisation)

To manage our relationship with you which will include:

  1. Notifying you about changes to our terms or Privacy & Cookies Policy
  2. Dealing with your requests, complaints and queries

(a) Identity

(b) Contact

(c) Profile

(d) Marketing and Communications

(a) Necessary to comply with a legal obligation

(b) Necessary for our legitimate interests (to keep our records updated and manage our relationship with you)

To liaise with sites and partners in managing clinical trials and any market research (including post market activities)

a) Identity

(b) Contact

(a) Necessary to comply with a legal obligation

(b) Necessary for our legitimate interests (to keep our records updated and manage our relationship with you)

To administer clinical trials and any market research (including post market activities) (including clinician related data)

a) Identity

(b) Contact

(a) Necessary to comply with a legal obligation

(b) Necessary for our legitimate interests (to keep our records updated and manage our relationship with you)

To file vigilance and incident reports

(a) Identity

(b) Contact

Necessary to comply with a legal obligation

To enable you to complete a survey

(a) Identity

(b) Contact

(c) Profile

(d) Usage

(e) Marketing and Communications

Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

To administer and protect our business and the Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

(a) Identity

(b) Contact

(c) Technical

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

(b) Necessary to comply with a legal obligation

To deliver relevant website content and online advertisements to you and measure or understand the effectiveness of the advertising we serve to you

(a) Identity
(b) Contact
(c) Profile
(d) Usage
(e) Marketing and Communications
(f) Technical

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

To use data analytics to improve the Website, products/services, customer relationships and experiences and to measure the effectiveness of our communications and marketing

(a) Technical

(b) Usage

Necessary for our legitimate interests (to define types of customers for our products and services, to keep the Website updated and relevant, to develop our business and to inform our marketing strategy)

To enable us to host an event

(a) Identity

(b) Contact

(c) Special Category Data

(a) Necessary for our legitimate interests (for promoting out business)

(b) Where you provide us with Special Category Data, your consent

To provide your organisation as an investor into the OrganOx Group with access to the investor portal on the Website

(a) Identity

(b) Contact

Necessary for our legitimate interests (to perform our obligations under a contract with your organisation)

To access any of our premises (recording your visit and book meetings)

(a) Identity
(b) Contact

(a) Necessary for our legitimate interests (for example, to protect the welfare of our staff, establish a business relationship with you / your organisation and promote our business)

(b) Necessary to comply with our legal obligation

In respect of Shareholder Data, to manage our relationship with our shareholders and to administer our business

(a) Identity
(b) Contact
(c) Shareholder

(a) Performance of a contract if we have entered into one with you (for example, shareholders agreement, investment agreement or deed of adherence)

(b) Necessary for our legitimate interests (for the proper administration of OrganOx, in connection with potential investments, undertaking due diligence exercises or compliance with applicable laws, regulations and procedures, and in respect of any other activities relevant to managing personal data relating to actual, potential and former shareholders)

(c) Necessary to comply with our legal obligation

To contact you in a case of emergency relating to one of our staff members who has provided your details

(a) Identity
(b) Contact

(a) Necessary to comply with our legal obligation

(b) Necessary for our legitimate interests (for example, to protect the welfare of our staff)

Direct marketing

During the registration process on the Website or any of our applications when your personal data is collected, you will be asked to indicate your preferences for receiving direct marketing communications from OrganOx via email.

We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view which products, services and offers may be of interest to you so that we can then send you relevant marketing communications (we are either sending you direct marketing communications because you have asked us to send you such communications or we are otherwise legally allowed to send you such communications).

Third-party marketing

We will not share your personal data with any third party for their own direct marketing purposes.

Opting out of marketing

You can ask to stop sending you marketing communications at any time by following the opt-out links within any marketing communication sent to you or by contacting us.

If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes for example relating to updates to our Terms and Conditions.

5. DISCLOSURES OF YOUR PERSONAL DATA

We will share your personal data with other entities in the OrganOx Group. We may also share your personal data with the following third parties in accordance with this Privacy & Cookies Policy, including:

  • Vendors and service providers who support our respective operations, such as by providing IT and system administration services, hosting services for any of our applications, customer service support, email delivery and administration, and data storage and analysis.
  • Our professional advisors, including lawyers, auditors, insurers and consultants who provide legal, accounting, insurance and other services.
  • The organisation that you represent, who is our customer.
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets (or with whom we may discuss any such activities) or who may (or contemplate) invest in us or any part of OrganOx’s Group. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy & Cookies Policy.
  • Shareholders and investors who we provide with information as part of our reporting activities.
  • HM Revenue and Customs, Medicines and Healthcare products Regulatory Agency, Food and Drug Administration, regulators, law enforcement, public authorities or other third parties where necessary to exercise our rights or comply with a legal obligation.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. INTERNATIONAL TRANSFERS

Whenever we transfer your personal data out of the UK, EEA or Switzerland (for example, to the US), we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK government, the European Commission or Swiss government, as applicable.
  • We use specific contracts approved for use in the UK by the UK government, the EEA by the European Commission and/or Switzerland by the Swiss government, in each case which give the transferred personal data the same protection as it has in the UK, the EEA and/or Switzerland, as applicable.

Please contact us using the contact details above if you want further information on the specific mechanism used by us when transferring your personal data out of the UK, EEA or Switzerland.

7. DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. DATA RETENTION

How long will you use my personal data for?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. YOUR LEGAL RIGHTS

You have a number of rights under data protection laws in relation to your personal data. These rights only apply if the OrganOx Group company is established in the UK / EEA / Switzerland or you are a resident in the UK / EEA / Switzerland.

You have the right to:

  • Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object. You also have the absolute right to object any time to the processing of your personal data for direct marketing purposes.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
    • If you want us to establish the data's accuracy;
    • Where our use of the data is unlawful but you do not want us to erase it;
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

If you wish to exercise any of the rights set out above, please contact us. If we intend to rely on legally permitted reasons not to comply with your request, we will explain this to you.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

10. CONTACT DETAILS

If you have any questions about this Privacy & Cookies Policy or about the use of your personal data or you want to exercise your privacy rights, please contact us at:

  • Email address: privacy@organox.com
  • Postal address: 3500 John Smith Drive, Oxford Business Park, Oxford, OX4 2WB, United Kingdom

Last updated on 26 June 2025.

EU establishment

For the purposes of Article 27 of the General Data Protection Regulation ((EU) 2016/679), OrganOx (Europe) Limited considers that it has an establishment in the EEA (namely, the Netherlands) and OrganOx Limited has appointed OrganOx (Europe) Limited as its EEA representative. The EEA representative's details are as follows:

  • Email address: privacy@organox.com

11. COMPLAINTS

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). If you are based in the EEA, you also have a right to complain to your national data protection regulator. We would, however, appreciate the chance to deal with your concerns before you approach the ICO or your national data protection regulator so please contact us in the first instance.

12. CHANGES TO THIS PRIVACY & COOKIES POLICY AND YOUR DUTY TO INFORM US OF CHANGES

We keep this Privacy & Cookies Policy under regular review. This version was last updated on 6 May 2025.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

13. THIRD-PARTY LINKS

The Website and applications may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not (to the extent legally permitted) responsible for their privacy statements. When you leave the Website or any of our applications, we encourage you to read the privacy policy of every website you visit.

14. COOKIES

The Website and our applications use cookies to distinguish you from other users. This helps us to provide you with a good experience when you use the Website, applications and services and also allows us to improve the Website and our applications.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.

We use the following cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of the Website. They include, for example, cookies that enable you to log into secure areas of the Website.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

Cookie Name

Purpose

More information

You can use your browser settings to block all cookies (including essential cookies), however, you may not be able to access all or parts of the Website, any of our applications and services if you do so.

—---------------------------------------------------------------------------------------------------------------------

ORGANOX CLINICAL TRIAL PRIVACY NOTICE

The privacy of your personal and medical information is important to us and we are committed to protecting your privacy. This privacy notice provides you with information about the processing of personal information as required under United Kingdom (UK) data protection laws.

This privacy notice applies to participants in a clinical trial sponsored either by OrganOx or by another organisation with whom OrganOx collaborates for the purpose of such trial (Trial) and it provides you with information about our processing of your personal information during and after the Trial. In certain circumstances, this privacy notice also applies to individuals whose details we obtain in relation to a Trial, but who have also been provided with an informed consent form in respect of the Trial.

This privacy notice is supplemental to the Trial information sheet and Trial consent forms, as applicable, that you have been provided with (including our privacy notice provided to you already within these documents), as well as any protections you are otherwise provided with under the laws of the country where the Trial is taking place (for example, US laws if the Trial takes place in the US). Under UK data protection laws, "consent" to processing of personal information has a specific meaning and requirements, and is one of a number of available lawful reasons for processing personal information. OrganOx does not rely on your consent for the processing your information in relation to the Trial but on other lawful reasons, and this will be explained to you in our privacy notice provided to you in connection with the Trial.

We also provide this website privacy notice for further transparency in relation to our processing of personal information in relation to Trials.

1. IMPORTANT INFORMATION ABOUT US

OrganOx Limited (company number 06557113) (OrganOx, we, our or us) is the controller for the Trial and responsible for your personal information. If the Trial is sponsored by another organisation with whom OrganOx collaborates for the purpose of the Trial, OrganOx and the sponsor of the Trial are joint controllers. Notwithstanding this, that sponsor may or may not be subject to UK data protection laws.

This privacy notice only sets out how OrganOx processes your personal information, but does not set out how the sponsor of the Trial with whom we collaborate with will process your personal information. Please contact the sponsor of the Trial for further information on how they will process your personal information.

The clinical trial site processes your personal information on our and, if applicable, the sponsor's behalf with regards to the Trial. However, the clinical trial site is still responsible and in control of your personal information (for example, within your medical record) when providing patient care to you and will have independent responsibilities to you in that regard.

OrganOx has appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the information set out below.

2. THE TYPES OF PERSONAL INFORMATION WE PROCESS

We will process different kinds of personal information about you, which we have grouped together as follows:

  • Identity Data includes your name, date of birth, sex, patient ID or other unique identifier (e.g. trial ID).
  • Contact Data includes your phone number, address and email address.
  • Health Data includes protected health information, laboratory, medical or clinical treatment data and full medical records.
  • Trial Data includes any Trial specific data (including information provided on questionnaires and interviews, as well as any research office visits and tests) and outcome data;

As mentioned above, we will have access and may further process your full medical record as agreed with the clinical trial site.

We (and service providers that we or the sponsor use) also collect, use and share aggregated data such as statistical or demographic data which is not personal information as it does not directly (or indirectly) reveal your identity.

3. HOW IS YOUR PERSONAL INFORMATION COLLECTED?

The clinical trial site collects your personal information as part of your medical care. The patient information sheet will have provided you with information how the clinical trial site works with us.

4. HOW WE USE YOUR PERSONAL INFORMATION

We have set out below a description of all the ways we plan to use the various types of your personal information, and which of the legal bases we rely on to do so. Under UK data protection laws, we need a lawful basis when processing personal information, and we have explained how we rely on these legal bases below. Typically this will be where we process personal information to fulfil a "legitimate interest" such as carrying out the Trial or to comply with legal obligations.

Purpose/Use

Type of information

Legal basis

Conducting the Trial

Identity Data, Contact Data, Health Data and Trial Data.

Legitimate interest and scientific research in the wider public interest

Conducting market research and post trial activities

Identity Data, Contact Data, Health Data and Trial Data.

Legitimate interest and scientific research in the wider public interest

Use for regulatory approvals (including any inspections carried out by the regulator) to commercialise our product

Identity Data, Contact Data, Health Data and Trial Data.

Legitimate interest and reasons of public interest in the area of public health (i.e. clinical trial regulations)

Vigilance reporting and incident reporting

Identity Data, Contact Data and Health Data

Compliance with legal obligation and reasons of public interest in the area of public health (i.e. safety reporting obligations and clinical trial regulations)

To monitor the safety of the Trial

Identity Data, Contact Data, Trial Data and Health Data

Legitimate interest and reasons of public interest in the area of public health

Use for further research or studies

Identity Data, Contact Data, Health Data and Trial Data.

Legitimate interest and scientific research in the wider public interest

Anonymise your data

Identity Data, Contact Data, Health Data and Trial Data.

Legitimate interest and scientific research in the wider public interest

We may publish the results of the Trial or we may be otherwise be required to make the results (or information about the results) publicly available, however, the results / information about the results will not contain your personal information.

5. DISCLOSURES OF YOUR PERSONAL INFORMATION

We will share your personal information with OrganOx Inc (and, if applicable, the sponsor). We may also share your personal information with the following third parties, including:

  • Vendors and service providers who support our operations.
  • Our professional advisors.
  • Collaborators and researches for the purposes of carrying out further research or studies.
  • Medicines and Healthcare products Regulatory Agency, Food and Drug Administration, regulators, law enforcement, public authorities or other third parties where necessary to exercise our rights or comply with a legal obligation.

We require all third parties to respect the security of your personal information and to treat it in accordance with the law.

6. INTERNATIONAL TRANSFERS

OrganOx is established in the UK, which is why we need to ensure that a similar degree of protection is afforded to personal information, whenever we transfer your personal information out of the UK (for example, back to the US or any other jurisdiction). We do this by relying on the following safeguards:

  • We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the UK government; OR
  • We use specific contracts approved for use in the UK by the UK government, which gives the transferred personal information the same protection as it has in the UK.

Please contact us using the contact details above if you want further information on the specific mechanism used by us when transferring your personal information out of the UK.

7. DATA SECURITY

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

8. HOW LONG WILL WE RETAIN YOUR PERSONAL INFORMATION

We will retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the appropriate retention period, we consider the applicable legal and regulatory requirements that apply to OrganOx and where the clinical trial takes place.

In some circumstances we will anonymise your personal information (so that it can no longer be associated with you) for further research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. YOUR LEGAL RIGHTS

You may have a number of rights under data protection laws in relation to your personal information depending on our lawful basis for processing.You can:

  • Request access to your personal information.
  • Request correction of the personal information that we hold about you.
  • Request erasure of your personal information in certain circumstances. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your information. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
  • Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information.
  • Complaint. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

If you wish to exercise any of the rights set out above in relation to our processing of your personal information, please contact us (and not the sponsor of the Trial). If we intend to rely on legally permitted reasons not to comply with your request, we will explain this to you.

10. CONTACT DETAILS

If you have any questions about this privacy notice or about the use of your personal information or you want to exercise your privacy rights, please contact us at:

  • Email address: privacy@organox.com
  • Postal address: 3500 John Smith Drive, Oxford Business Park, Oxford, OX4 2WB, United Kingdom

Last updated on 26 June 2025.

—---------------------------------------------------------------------------------------------------------------------

DIVERSITY STATEMENT

OrganOx welcomes and promotes diversity in the workplace. We value and respect all employees, their ideas, and their perspectives. We are committed to providing equal employment opportunities for all employees irrespective of their race, color, creed, religion, national origin, citizenship, gender identity or expression, sexual orientation, marital status, pregnancy status, age, medical condition, disability, military or veteran status, or any other characteristic protected by law. Differing viewpoints that we each bring to the workplace challenge us collectively to think more broadly and allow us to be more creative in the products and processes we develop. We realize that the world we serve is diverse in its social customs and cultural traditions, and we respect and embrace those differences.

—---------------------------------------------------------------------------------------------------------------------

SLAVERY & HUMAN TRAFFICKING STATEMENT

OrganOx is at the forefront of changing the way donor organs are preserved in the critical time between donation and transportation. As an organisation, it is of the upmost importance that we and each of our suppliers collaborate with integrity, transparency and lead each initiative, improvement, and activity on an evidence-based approach. Consequently, we are committed to improving our practices to combat slavery and human trafficking in our business and supply chain.

Organisation's Structure

OrganOx was founded in 2008 as a spin-out from the University of Oxford to advance the normothermic perfusion technology invented by Professor Peter Friend and Professor Constantin Coussios. Our first product, the metra®, received CE mark approval in 2016 and FDA-approval in 2021. Since then, the metra has supported more than 5,000 transplants around the world, transforming the way donor livers are preserved and assessed, and helping to ensure more livers are available for transplantation.

We provide lifesaving technology in the organ transplant industry. We are a limited company organized under the laws of England and Wales.

Our Supply Chains

Our dedicated Operations team is responsible for overseeing and optimising the relationships between OrganOx and its suppliers, which includes responsibility for compliance with legal requirements and ethical standards.

Our Policies on Slavery and Human Trafficking

We will implement appropriate policies that underpin our commitment to ensure that there is no modern slavery or human trafficking in our supply chains or in any part of our business. This policy will reflect our commitment to acting ethically and with integrity in all our business relationships.

Due Diligence Processes for Slavery and Human Trafficking

As part of our initiative to identify and mitigate business and supply chain risk we have systems to:

  • Identify and assess potential risk areas in our supply chains.
  • Mitigate the risk of slavery and human trafficking occurring in our supply chains.
  • Monitor potential risk areas in our supply chains.
  • Protect whistle blowers.

Supplier Adherence to Our Values

We have zero tolerance to slavery and human trafficking. In accordance with our supplier management policy, we require all our suppliers to adhere to principles of ethical conduct, transparency, donor’s wishes and respect for patient rights, non-discrimination, and equitable treatment. All procurement activities are conducted in accordance with applicable laws and regulations.

If required by law, we expect our suppliers to have an environmental, social and corporate governance policy in place. Further, we expect our suppliers to have clear policies in place that prohibit modern slavery and the use of conflict minerals, with the necessary monitoring system to ensure ongoing compliance, where applicable.

Further Steps

Following a review of the effectiveness of the steps we have taken so far to ensure that there is no slavery or human trafficking in our supply chains we intend to take the following further steps to combat slavery and human trafficking:

  • Develop a conflict of interest framework, aligned with our supplier management policy;
  • Develop a Code of Conduct, aligned with our supplier management policy;
  • Implement a structure to ensure global compliance with conflict minerals legislation; and
  • To ensure a high level of understanding of the risks of modern slavery and human trafficking in our supply chains and our business, we will provide training to our staff, as applicable.

This statement is made pursuant to Section 54(1) of the Modern Slavery Act 2015 and constitutes the Company’s slavery and human trafficking statement for the financial year ending 31 December 2025. It was approved by the Board on 13 May 2025.