Please read this notice carefully. It sets out how we use your personal data and your rights as a data subject.
Please read this Privacy Notice together with any other privacy notice we may provide for specific circumstances when we process your personal data.
In particular, please see:
- Privacy Notice for Individuals involved in spinouts and startups
- Privacy Notice for users of the Startup Incubator
- Privacy Notice for University staff and students working with OUI
- Privacy Notice – CCTV
- Privacy Notice for Candidates
- Privacy Notice for Employees, Workers and Contractors
This Privacy Notice supplements those other notices; it does not replace them.
Personal data is information about an identifiable individual; anonymous or anonymised data about an individual is not personal data.
This Privacy Notice applies when we control the purposes for which your personal data is collected and used; it does not apply when we process personal data on behalf of someone else who controls how your personal data is used.
This Privacy Notice does not apply to how we handle our current or former employees’ or workers’ personal data or personal data of job applicants.
Data Protection law obliges us to:
- use your personal data lawfully, fairly and in a transparent way;
- collect your personal data only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- collect and hold personal data which is relevant to the purposes we have told you about and limited only to those purposes;
- keep your personal data accurate and up to date;
- keep your personal data only for as long as is necessary for the purposes we have told you about; and
- keep your personal data securely.
We are Oxford University Innovation Limited, a company registered in England with company number 02199542.
Our registered office is at University Offices, Wellington Square, Oxford, OX1 2JD.
We are registered with the UK Information Commissioner’s Office under registration number Z6557298.
We will use your personal data only for the purposes for which we collected it, unless:
- we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose; or
- we anonymise your personal data and use it for research or statistical purposes.
For an explanation as to how use of your personal data for a new purpose is compatible with the original purpose, please email us at email@example.com with ‘Personal Data Enquiry’ in the subject line of your email.
If we intend to use your personal data for an unrelated purpose, we will contact you to explain the legal basis which allows us to use your personal data for that unrelated purpose.
If we use we use your personal data for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes and we impose the safeguards required by the law, those purposes are treated as being compatible with the original purpose.
Unless you have requested us not to do so, we may send marketing materials to you at your home or work address. You have the right to opt out of this at any time. Please see Your Rights
We may send emails to you to marketing our products and services which are similar to those which you have previously acquired or negotiated to acquire, but you can always opt out.
Otherwise we will not send marketing materials to you at your email address or by text or fax unless we have your specific consent (which you can withdraw at any time).
We will not call you for marketing purposes if you are registered with a telephone preference service or you have asked us not to use your phone number for marketing purposes.
We do not use information about you for the purposes of automated decision making.
We may share your personal data with:
- anyone we have mentioned when informing you about how we use your personal data, including, where applicable the University of Oxford and OUI clients to whom we provide consultancy services;
- a purchaser of OUI or of our business or any business assets – we may disclose your personal data to the prospective buyer(s) and its or their professional advisers and, if our business assets are sold, personal data will be one of the assets transferred;
- any business with which we merge or merge part of our business;
- any company or business which we acquire;
- anyone we engage to process personal data for us, such as the provider of our IT systems. That person will be obliged to use your personal data only for our purposes, to process it only in accordance with our instructions and to have appropriate security measures in place to protect your personal data;
- if necessary to obtain advice, to our professional advisers who owe an obligation of confidence to us;
- to law enforcement agencies, if we know of think that you or your employer are/is engaged in any illegal activity;
- anyone, if necessary to comply with any law or regulation and
- anyone, if necessary to enforce our rights or to protect our property or to protect the rights or property of anyone else.
We may transfer your personal data outside the European Union (the EU), but we will not do so unless:
- we transfer it to a country which the European Commission has decided ensures an adequate level of protection for personal data or if the recipient has entered into the Standard Contractual Clauses published by the European Commission. If you wish to see a copy of the Standard Contractual Clauses, please email us at firstname.lastname@example.org with ‘Personal Data Transfer’ in the subject line of your email.
- you have given your explicit consent to the transfer of your personal data outside the EU. (If you have given that consent you may withdraw it at any time by emailing us at email@example.com with ‘Data Consent’ in the subject line of your email.
- we cannot perform a contract with you without making that transfer;
- we cannot take steps you have requested us to take without making that transfer;
- we cannot enter into or perform a contract with someone else and which is in your interests without making that transfer;
- the transfer is necessary for important reasons of public interest; or
- the transfer is necessary for the establishment, exercise or defence of legal claims.
Your personal data may be accessed by our staff when they are outside the EU, but the same safeguards will apply as though our staff were accessing your personal data from within the EU.
We have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will process your personal data on only on our instructions and they are subject to a duty of confidentiality.
We have procedures to deal with any suspected personal data breach and will tell the Information Commissioner’s Office and you of a breach of security involving your personal data if the law obliges us to do so.
We will keep your personal data about you only for so long as is necessary to achieve the purpose for which we have collected that data, or as required by law, or as required for in order to meet any legal, accounting, or reporting requirements.
The law requires us to keep information about our customers (including their contact details, details of their identity, financial information and information about transactions with them for six years after they cease being customers.
When deciding what is the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from any unauthorised use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
OUI is guided by the University of Oxford’s Records Management Policy, which is available here:
In some circumstances you can ask us to delete your personal data. Please see Your Rights.
If we anonymise your personal data, it will no longer be personal data and we may use it indefinitely.
In certain circumstances you have the right to:
Request access to your personal data: You have the right to receive confirmation of whether or not we are holding or using your personal data and, if we are, to obtain a copy of your personal data.
Request the correction of your personal data: You have the right to have any incomplete or inaccurate personal data we hold about you corrected. We may need to verify the accuracy of any new data you provide.
Request the erasure of your personal data (the right to be forgotten): You have the right to ask us to delete or remove personal data where we have no good reason to continue using it.
You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to our using it (see below), where we may have used your personal data unlawfully or where we are required to erase your personal data to comply with the law. We may not always be able to comply with your request for erasure for legal reasons which we will inform you about if you request erasure.
Request a restriction on the processing of your personal data: You have the right to ask us to suspend the processing of your personal data in the following circumstances:
- if you want us to establish the data’s accuracy;
- where our use of your personal data is unlawful but you do not want us to erase it;
- where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
Object to the processing of your personal data: You have the right to object, where we are relying on our legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data and that those grounds override your rights and freedoms.
Object to the use of your personal data for direct marketing purposes: You have the right to object where we are processing your personal data for direct marketing purposes.
Withdraw consent: Where you have given consent to our using your personal data for a specific purpose, you have the right to withdraw that consent at any time. Your withdrawal of consent will not affect the lawfulness of any use of your personal data based on your consent before you withdraw consent.
Request the transfer of your personal data (data portability): You have the right, where you provided your personal data to us, you gave consent to our using your personal data or we used that personal data to perform a contract with you and we have processed that data by automated means, to receive the personal data you have provided to us and to have us transmit that data to another person, if it is feasible to do so.
If you want to exercise any of the above rights please email us at firstname.lastname@example.org with ‘Personal Data Request’ in the subject line of your email.
We try to respond to all legitimate requests within a month. It may take us longer than a month if your request is complicated or you have made a number of requests. In this case, we will notify you and keep you updated.
Normally you will not have to pay a fee to access your personal data or to exercise any other right, but, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in those circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any other right. This is to ensure that personal data is not disclosed to a person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.
You may decide not to give us any personal data, but
- if you do not provide data which is necessary for us to provide a service or to verify your identity we may not be able to provide and you may not be able to use that service; or
- we may not be able to comply with any request to exercise your rights if we are unsure about your identity.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control those third-party websites and we are not responsible for their privacy policies or statements.
This Privacy Notice does not apply to any website operated by a third party. If you visit a third party website, please read its Privacy Notice or privacy statement to find out how it uses your personal data.
We take any complaints we receive very seriously. Please bring it to our attention if you think that our collection or use of your personal data is unfair, misleading or inappropriate.
We also welcome any suggestions for improving our procedures.
This Privacy Notice was drafted with brevity and clarity in mind. It does not provide exhaustive details of our collection and use of personal data, but please feel free to contact us if you want any additional information or further explanation.
You have the right to make a complaint about the way we have used your personal data to the UK Information Commissioner’s Office (the ICO) at The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or www.ico.org.uk, but please give us a chance to address your concerns before you contact the ICO.
If you want to ask us about this Privacy Notice, please email us at email@example.com with ‘Privacy Notice Question’ in the subject line of your email.
We keep this Privacy Notice under review. It was last updated on 22nd May 2018.
It is important that your personal data is accurate and up to date. Please let us know if your personal data changes.