Skip to main content


OXFORD MEDICAL SIMULATION

Global Privacy Policy

Published September 2023


Privacy Policy


We hope that you enjoy using our services, safe in the knowledge that we are committed to protecting your privacy and security online.


Who we are and what this policy is for


We are:


Oxford Medical Simulation Limited, a company registered in England and Wales under company number 10587122 with its registered office at 201 Borough High Street, London, England, SE1 1JA; and


Oxford Medical Simulation Inc, a company registered in Delaware with its office at 101 Arch Street, 8th Floor, Boston, MA 02110, USA


(both OMS, we, us or our).


Our customers are medical service providers and they use our Software as a Service to provide worldwide computer-based and virtual reality training to their healthcare personnel.


When you use our website and access our online platform, we are the controller for some of your information (which means that we decide what personal data we collect from you and how it is used).


Where you are employed or engaged by our customer and they have given you access to our service, we process some of your information on their behalf. Here, they are the controller and we are their processor (which means we must follow the instructions they give us).


This policy explains how we collect, use and store your information when you use our Services (any training you access via our computer programmes, simulation platform, websites, mobile applications and other electronic sources we operate).


We update this policy from time to time, but the recent version will always be available on our website.


1.0 Your information – what information we collect and who we receive it from


1.1 Personal data is any information that can (or could be used) to identify you, whether digital or hardcopy. We will never ask you to provide any Special Category personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, certain categories of biometric data, data concerning your health, sex life or sexual orientation) in relation to yourself or others and we specifically prohibit our customers from providing this type of information to us.


1.2 We have grouped together the types of personal data that we collect and who we receive it from below:


1.2.1 Information you provide to us directly

  1. contact information: such as your name, company name, job title, address, e-mail address and phone number
  2. additional optional information: such as your gender, age, date of birth, nationality, professional associations and registration numbers, information about how you use our products, and demographic information
  3. voice data: we will collect and process your voice data when you use OMS Communicate
  4. comments, questions, requests and orders you may make when interacting with our Services.
  5. account usage information: log-in information, including, if applicable, social media account information for login purposes
  6. marketing and communications information: such as your preferred methods of communication and product types in which you are interested

1.2.2 Information we gather via cookies when you interact with our online Services

  1. Device and browser information: such as your device type, browser type, internet protocol (IP) address, operating system, and device identifier.
  2. Usage information: such as content viewed or downloaded, features used, links clicked, promotional emails opened, and dates and times of interactions, other information about how you use our products.
  3. Location information: we can only access precise real-time location information type of information where you have given us specific permission to do so, but we are able to collect imprecise location information derived from other data we collect, for example your IP address or postal code.

You can find more information about what cookies (and similar technologies) are and how we use them by reading our Cookie Policy.


1.2.3 Information we receive from our customers

  1. account set up details: where our customer (likely your employer or the institute organising your training) has asked us to create accounts on their behalf, they provide details such as contact information, such as name, company name, job title, address, e-mail address, and phone number.

1.3 When we collect personal data we sometimes anonymise it (so it is no longer possible to identify who it relates to) and then we combine it with other anonymous information. This combined anonymous information is called aggregated data and it helps us identify trends (for example, how successful an advertising campaign was). This type of information is not subject to data protection law (because it is now just statistical and cannot be used to identify individuals).


2. How we use your information


2.1 This table explains which legal reason we rely on when we use your information. If we intend to use your information for a new reason that is not listed in the table, we will update our privacy notice and send you a notification.

PurposeLegal ground
Taking steps to enter into the contract with our customerPerformance of contract (where our customer is an individual)
Legitimate interests (where our customer is an organisation, as necessary to conclude our contract with such organisation and obtain contact details for key contracts)
Processing payments and collecting and recovering monies owed to usPerformance of contract (where our customer is an individual)
Legitimate interests (where our customer is an organisation, as necessary to recover debts due to us)
Handling requests for technical supportPerformance of contract (where our customer is an individual)
Legitimate interests (where our customer is an organisation, as necessary to perform our contractual obligations to provide technical support)
Administering and protecting products, services and systems (and those of our processors)Legitimate interests (necessary to provide our products and services, monitor and improve network security and prevent fraud)
Providing insight on how our products and services are being usedLegitimate interest (necessary to improve and optimise our products and services)
Legitimate interests (where our customer is an organisation, to provide an overview of their users’ engagement with the service)
Sending you marketing communications by emailConsent (where you are a private individual, sole trader or partner in a partnership)
Legitimate interests (where your email address belongs to an organisation which is a corporate body)
Asking you to participate in surveys and other types of feedbackLegitimate interests (necessary for product and service improvement purposes)
Notifying you about changes to our privacy noticeLegal obligation (necessary to comply with our obligations under data protection law)

3. Who we share your information with


3.1 We share (or may share) your personal data with the following:

  1. Our personnel: OMS employees or other workers bound by contracts containing confidentiality and data protection obligations. Our personnel may work for any company that is a part of the OMS group.
  2. Our supply chain: other organisations to help us provide our Services (Heroku as our customer relationship managers, Bit Zesty Ltd who provide website application support and maintenance, Intercom who operate our helpdesk and SendGrid who provide email delivery support, HubSpot, who provide marketing and customer relationship management support, Photon, who support the enabling of our Multiplayer scenarios, AWS and Azure, OpenAI and HuggingFace who provide us with the ability to enable voice control scenarios). We ensure these organisations only have access to the information required to provide the support we use them for and are bound by contracts containing confidentiality and data protection obligations.
  3. Our business partners: such as resellers and distributors (businesses that sell OMS Services on our behalf). We ensure these organisations abide by our privacy policy and are bound by contracts containing confidentiality and data protection obligations.
  4. Our professional advisers: such as our accountants or legal advisors
  5. Regulatory authorities such as national tax authorities (for example, HM Revenue & Customs in the United Kingdom)
  6. Complainants (or their professional advisors) where we receive a valid request for information in relation to a claim that you have infringed someone’s legal rights.
  7. Specific third parties: where you have indicated you are happy for us to do so, we occasionally contact you in relation to specific offers or surveys from other types of third parties. We will always identify the third party and give you the option to change your mind (and stop your information being shared with them).
  8. Any actual or potential buyer of our business

If we are asked to provide your information, we follow strict internal processes to ensure it is a valid request and carefully consider the potential impact on you before we decide to share information. We may decide to seek legal advice to help us decide whether to respond to or reject a request.


4. Where we may share your Information


4.1 We offer a worldwide service which means your information is transferred between different countries.


4.2 We always identify which legal mechanism we rely on to share information internationally – whether internally between the OMS Group entities or with our service providers (for example, by using contracts approved by the European Commission or UK Secretary of State). You can ask us for this information by emailing infosec@oxfordmedicalsimulation.com.


4.3 If you use our Services because you have been enrolled by an organisation (such as your employer) or access our Services remotely then your personal data may be stored on servers located in the same country that the organisation or you are based.


5. Marketing


5.1 Where you have indicated you are happy for us to do so, we use your information to keep you informed of OMS and third party products, services, promotions and events.


5.2 You can ask us to stop us sending you marketing at any time by emailing unsubscribe@oxfordmedicalsimulation.com


6. How long do we keep hold of the information?


6.1 How long we keep your personal information will vary and will depend on the purpose and use of information collected. There are legal requirements that we keep some types of data for specific periods. We generally keep information for the duration of the licence + 6 years. Otherwise, we will retain it for no longer than is necessary for the purposes for which the data was collected (for example research and development).


6.2 You can ask us for further information about specific retention periods by emailing [infosec@oxfordmedicalsimulation.com]


7. Keeping your information safe


7.1 We follow strict security procedures to reduce the risk of your information being accidentally or illegally lost, misused or accessed by unauthorised individuals. Some of the measures we have implemented include:

  1. technical security measures: such as anti-virus, firewalls and back-up files
  2. account set–up: such as 2-step verification and strong password requirements
  3. internal processes: such as business continuity and incident reporting procedures, adherence to, Cyber Essentials Plus and ISO 27001 standards (we are working towards ISO 27001 accreditation)
  4. organisational measures: internal IT and data protection training, at least annually
  5. procurement processes: such as due diligence questionnaires for our suppliers, using suppliers with specific accreditations (e.g. ISO27001) where possible

7.2 We or other users may post third party links on our website and you use them at your own risk. OMS has no control over the security of those links or how those third parties use your information once you visit their website.


7.3 Our Services may allow users to comment on training content. Any information you choose to post on these interactive areas is in the public domain, which means it is can be viewed by any person using the internet in any part of the world and will show up in search engine results. Please be careful about what you choose to share as any information you post will be at your own risk.


8. Additional information for individuals based in UK or EEA


8.1 You have specific legal rights under local data protection law. These are equivalent in the UK and EEA so we have grouped them together. They are the right to:

  1. Access: you must be told if your personal data is being used. You can ask for a copy of your personal data as well as information about how we are using it to make sure we are abiding by the law.
  2. Correct: you can ask us to correct your personal data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes.
  3. Delete (also known as the right to be forgotten): you can ask us to delete or remove your personal data if there is no good reason for us to continuing holding it or if you have asked us to stop using it (see below). If we think there is a good reason to keep the information you have asked us to delete (e.g. to comply with regulatory requirements), we will let you know and explain our decision.
  4. Restrict: you can ask us to restrict how we use your personal data and temporarily limit the way we use it (e.g. whilst you check that the personal data we hold for you is correct)
  5. Object: you can object to us using your personal data if you want us to stop using it. We always comply with your request if you ask us to stop sending you marketing but in other cases, we decide whether we will continue. If we think there is a good reason for us to keep using your information, we will let you know and explain our decision.
  6. Move (also known as the right to portability): You can ask us to send you or another organisation an electronic copy of your personal data.
  7. Complain: we hope that we can answer any questions or respond to any concerns you might have, so please contact us in the first instance by emailing infosec@oxfordmedicalsimulation.com. However, if you are unsatisfied with our response or would prefer to escalate immediately, you can contact the Information Commissioner’s Office. Their website contact page is linked here.

8.2 It is usually free for you to exercise your rights and we aim to respond within 30 days (although we may ask you if we can extend this deadline up to a maximum of 60 days if your request is particularly complex or we receive multiple requests at once).


8.3 We can decide not to take any action in relation to a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive. If this happens we will always inform you in writing.


8.4 The only time we charge a fee if where we decide to proceed with a request that we believe is unfounded or excessive.


8.5 We do not respond directly to requests which relate to personal data for which we act as the processor. In this situation, we forward your request to the relevant controller and await their instruction before we take any action.


8.6 To make a request, please email infosec@oxfordmedicalsimulation.com.


9. Additional information for individuals based in the State of California


9.1 Any reference to personal data in this policy include references to personal information as defined under California Consumer Privacy Act (CCPA).


9.2 You have specific legal rights under the CCPA which differ from the rights granted to individuals based in the UK and EEA. They are the right to:

  1. Access and delete: the rights to access and delete information as described in section 8.1 is limited to the personal data that we have collected over the previous 12 months and are subject to the exceptions set out in the CCPA.
  2. Opt-out of sale of information: we do not sell your personal data but you are free to inform us that you wish us to continue with this policy.
  3. Non-discrimination: you must not face any discrimination for exercising your legal rights under the CCPA (such as denying you access to our Services).

9.3 We confirm that we have not sold any personal data in the past 12 months.


9.4 For the purposes of the CCPA, we are deemed to routinely undertake disclosures of personal information to third parties for business purposes. We enter contracts with those third parties which include binding confidentiality clauses and restrictions which prevent them using your information for any other purpose. In the past 12 months we have disclosed all of the categories of personal information listed at section 1.2 with our supply chain for the purposes of hosting our Services, detecting and protecting against security incidents and debugging to identify and repair errors.


9.5 You (or another person authorised by you and registered with the California Secretary of State) can make a request under the CCPA by emailing infosec@oxfordmedicalsimulation.com.


Cookie Policy


This policy explains what cookies we use and why we use them. We update this policy when the cookies we use change, but the most recent version will always be available on our website.


What are cookies?


A cookie is a text file containing small amounts of information which is downloaded to your computer, tablet or mobile phone when you access a website. Cookies allow information gathered on one webpage to be stored until it is needed for use on another, allowing a website to provide you with a personalised experience (like remembering your favourites) and the website owner with statistics about how you interact with their (and sometimes third party) webpages.


Cookies are not harmful to your devices (like a virus or malicious code) but some individuals prefer not to share their information (for example, to avoid targeted advertising).


Different types of cookies


  1. Session vs. persistent cookies: cookies have a limited lifespan. Cookies which only last a short time or end when you close your browser are called session cookies. Cookies which remain on your device for longer are called persistent cookies (these are the type of cookies allow websites to remember your details when you log back onto them).
  2. First party vs third party cookies: cookies placed on your device by the website owner are called first party cookies. When the website owner uses other businesses’ technology to help them manage and monitor their website (for example, they use Google Analytics to see how many visitors their website has), the cookies added by the other business are called third party cookies.
  3. Necessary vs. performance vs. marketing cookies: cookies can be grouped by what they help the website or website owner do. Necessary cookies are cookies which help the website to run properly (when they are strictly necessary cookies it means their only function is to help the website work). Performance cookies help a website owner understand and analyse how website visitors use their website. Marketing cookies tailor online adverts to reflect the content you have previously browse and help inform companies about your interests so they can show you relevant adverts.

What do OMS use cookies for?


We use cookies to:

  1. to track how you use our website
  2. to record whether you have seen specific messages we display on our website
  3. to keep you signed into our site
  4. to record your answers to surveys and questionnaires on our site while you complete them
  5. to record the conversation thread during a live chat with our support team
  6. Where we put videos on our website, we use cookies to capture and analyse visitor information such as number of views and shares

The cookies that OMS use

COOKIEDOMAINTYPEDESCRIPTIONDURATION
__adrolld.adroll.comAdvertisementThis cookie is set by AdRoll Group, to identify the device when the users move between different Digital Properties, for the purpose of serving targeted advertisements.1 year 1 month
__adroll_shared.adroll.comAdvertisementThe domain of this cookie is owned by Adroll. This cookie is used for collecting user data across websites. The collected data is used to serve more relevant advertisements.1 year 1 month
bscookie.linkedin.comAdvertisementThis cookie is a browser ID cookie set by LinkedIn share Buttons and ad tags.2 years
_fbp.oxfordmedicalsimulation.comAdvertisementThis cookie is set by Facebook to deliver advertisements when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.3 months
fr.facebook.comAdvertisementThe cookie is set by Facebook to show relevant advertisements to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.3 months
__adroll_fpc.oxfordmedicalsimulation.comAdvertisementThis cookie is set by AdRoll Group, to identify the device when the users move between different Digital Properties, for the purpose of serving targeted advertisements.1 year
__ar_v4.oxfordmedicalsimulation.comAdvertisementThis cookie is associated with Google DoubleClick. This cookie is used for advertising purposes. It helps in tracking the ads conversion rates.1 year
_ga.oxfordmedicalsimulation.comAnalyticsThis cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.2 years
_gid.oxfordmedicalsimulation.comAnalyticsThis cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited in an anonymous form.1 day
lang.ads.linkedin.comFunctionalThis cookie is used to store the language preferences of a user to serve up content in that stored language the next time a user visits the website.session
lang.linkedin.comFunctionalThis cookie is used to store the language preferences of a user to serve up content in that stored language the next time a user visits the website.Session
bcookie.linkedin.comFunctionalThis cookie is set by LinkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.2 years
lidc.linkedin.comFunctionalThis cookie is set by LinkedIn and used for routing.1 day
__cfduid.oxfordmedicalsimulation.comNecessaryThe cookie is used by CDN services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.1 month
__cfduid.hsforms.netNecessaryThe cookie is used by CDN services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.1 month
__cfduid.hs-scripts.comNecessaryThe cookie is used by CDN services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.1 month
__cfduid.hsforms.comNecessaryThe cookie is used by CDN services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.1 month
__cfduid.hsadspixel.netNecessaryThe cookie is used by CDN services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.1 month
__cfduid.hs-banner.comNecessaryThe cookie is used by CDN services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.1 month
__cfduid.hs-analytics.netNecessaryThe cookie is used by CDN services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.1 month
__cfduid.hscollectedforms.netNecessaryThe cookie is used by CDN services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.1 month
__cfduid.hubspot.comNecessaryThe cookie is used by CDN services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.1 month
_gat_gtag_UA_99096242_1.oxfordmedicalsimulation.comOtherNo description1 minute
_dc_gtm_UA-99096242-1.oxfordmedicalsimulation.comOtherNo description1 minute
UserMatchHistory.linkedin.comOtherLinkedin – Used to track visitors on multiple websites, in order to present relevant advertisements based on the visitor’s preferences.1 month
AnalyticsSyncHistory.linkedin.comOtherNo description1 month
page_view.google.comAnalyticsThe cookie is triggered by Google Analytics to record each time the page loads, or the browser history state is changed by the active site.24 months
scroll.google.comAnalyticsThis cookie is triggered by Google Analytics when the first time a user reaches the bottom of each page (i.e. when a 90% vertical depth becomes visible).24 months
click.google.comAnalyticsThis cookie is triggered by Google Analytics each time a user clicks a link that leads away from the current domain.24 months
view_search_results.google.comAnalyticsThis cooke is triggered by Google Analytics each time a user is presented with a search results page, as indicated by the presence of a URL query parameter.24 months

video_start

video_progress

video_complete

.google.comAnalytics

This cookie is triggered by YouTube when:

  • a video starts playing
  • the video progresses past 10%, 25%, 50%, and 75% duration time
  • the video ends
24 months
file_download.google.comAnalytics

This cookie is triggered by Google Analytics when a user clicks a link leading to a file (with a common file extension) of the following types:

  • Document text
  • Executabl presentation
  • Compressed file video/audio
24 months

form_start

form_submit

.google.comAnalyticsThis cookie is triggered by Google Analytics:
  • | the first time a user interacts with a form in a session
  • when the user submits a form
24 months

Cookies from other websites


We include content from other websites and give you the option to share content on social media, such as Twitter. When you share information from our website please be aware that these websites may place cookies on your device. We are not responsible for these so please check their policies for full details of what they do.


Accepting or declining cookies (and how to delete them)


We can only use cookies with your permission (you click ‘accept’ on the cookie banner when you visit one of our webpages).


You can choose to decline cookies but if you turn off necessary cookies, some pages and functions on our websites may not work properly.


You can manage cookies through your browser settings (the websites All About Cookies and About Cookies have helpful guides) or device settings (your user manual should contain additional information).


You can also delete cookies directly with the relevant third parties (for example, you can disable Google Analytics on their website)


Sometimes when you choose the option ‘block all cookies’ this will prevent some websites from tracking your decision to decline cookies.


Contact Us


If you have any questions or concerns, we’d be happy to help you. You can drop us a line on our website or write to us at:

Oxford Medical Simulation Ltd
201 Borough High Street
London, UK
SE1 1JA