DYSPLAI Oncology Intelligence API: Privacy Policy
Version: 1.0 · Last reviewed: 2026-07-02 · Applicable law: UK GDPR & Data Protection Act 2018
1. Who we are
Dysplasia Diagnostics Limited (company number 14361617, registered office 85 Great Portland Street, London, England, W1W 7LT), trading as DysplasiaDx, is the data controller for personal data processed in the operation of the DYSPLAI Oncology Intelligence API (the "Service"), except where we act as a processor on your behalf (see Section 4). We are registered with the UK Information Commissioner's Office (ICO) under data-protection registration reference ZB404788. Data-protection contact: contact@dysplasiadx.com.
This policy explains what data we process, why, on what legal basis, who we share it with, where it is stored, and your rights.
2. Scope and the Research Use Only model
The Service processes de-identified research molecular data. It is not an EHR, LIMS, or clinical records system, and customers are contractually required to de-identify data and remove direct patient identifiers before submission (see the EULA §7 and the Acceptable Use Policy). This policy covers:
- Account and billing data: for which we are the controller.
- Customer Data (submitted molecular data, metadata, and derived results): for which we act as a processor on the customer's behalf.
3. Account and billing data (we are controller)
| Category | Examples | Purpose | Legal basis (UK GDPR) |
|---|---|---|---|
| Account identifiers | name, work email, organisation, role | provision and manage the tenant | Contract (Art. 6(1)(b)) |
| Marketplace entitlement | Google consumer project number, plan, status | activate and bill the subscription | Contract |
| Authentication | API key prefixes, key metadata (never the secret in logs) | authenticate and secure access | Legitimate interests (Art. 6(1)(f)): security |
| Usage and metering | operations, credits consumed, request metadata | billing, quotas, fraud prevention | Contract; Legitimate interests |
| Support records | correspondence with our support team | provide support | Contract; Legitimate interests |
| Audit events | provisioning, key lifecycle, cross-tenant access attempts, offboarding | security, compliance, dispute resolution | Legal obligation; Legitimate interests |
We do not sell personal data and do not use it for advertising.
4. Customer Data (we are processor)
When you submit molecular data and metadata, we process it only to provide and support the Service and on your documented instructions, as set out in the EULA, the Data Retention guide, and any data processing agreement (DPA) between us. You are the controller of Customer Data and are responsible for the lawful basis, de-identification, and any ethics/IRB/data-sharing approvals for it.
We expect Customer Data to be de-identified. If you submit personal data in breach of the EULA, you remain the controller and are responsible for that processing; we will process it under the same processor terms until it is purged.
5. What we deliberately do not collect or log
By design, the Service never logs personal/patient identifiers, raw genomic data, molecular feature arrays, API key secrets, access tokens, or signed storage URLs. Webhook payloads carry operational signals and authenticated links only: never molecular results.
6. How we use data
- Provide, operate, secure, and support the Service.
- Authenticate requests and enforce tenant isolation and limits.
- Meter usage and bill through the Google Cloud Marketplace.
- Detect, prevent, and investigate misuse, security incidents, and breaches of the Acceptable Use Policy.
- Comply with legal obligations and enforce our agreements.
- Produce aggregated, de-identified operational statistics to run and improve the Service (these do not identify you or any individual).
We do not use Customer Data to train models except where expressly agreed in writing with you.
7. Sharing and sub-processors
We share data with service providers ("sub-processors") who process it on our behalf under contract, including:
| Sub-processor | Role | Location of processing |
|---|---|---|
| Google Cloud (Google Cloud EMEA Ltd / Google LLC) | hosting, compute, storage, Marketplace billing (Service Control), and a managed large-language model used by the interpretation service (de-identified research text only) | tenant home region: the model runs on a regional Vertex AI endpoint in the home region (e.g. UK europe-west2); see Section 8 |
The interpretation service's fallback and clinical-context model runs on DDXL-operated, self-hosted inference infrastructure and is not a third-party LLM sub-processor; the de-identified research text it processes is not sent to any third-party model provider.
We maintain a current sub-processor list and will provide it and reasonable prior notice of changes on request via the DPA. We may also disclose data where required by law, to enforce our agreements, or to protect rights, safety, and the integrity of the Service. We do not sell personal data.
The interpretation service is configured to call this model through a regional Vertex AI endpoint in the tenant's home region, so the model's processing of de-identified research text stays within that region and does not, by itself, move data to another region or outside the UK/EEA.
8. International transfers and data residency
Each tenant is assigned a home region at provisioning, and molecular data does not leave the home region by default. Available regions include the UK (London, europe-west2), the EU (Frankfurt, Netherlands), and the US (Iowa). Cross-region replication is opt-in per tenant, limited to approved artefact classes, and recorded as an auditable event.
The managed model runs on a regional Vertex AI endpoint in the tenant's home region and so does not itself move data out of region. Where personal data is nonetheless transferred outside the UK/EEA (for example, certain control-plane operations), we rely on an adequacy decision or appropriate safeguards such as the UK International Data Transfer Agreement / Addendum or EU Standard Contractual Clauses. The self-hosted inference infrastructure is operated in DDXL-controlled environments and does not introduce an additional third-party transfer.
9. Retention
We retain data per the Data Retention guide: raw inputs for a default of 30 days (configurable per tenant), results and reports for 180 days (Research) or as contracted, and immutable audit logs. On offboarding, API keys and storage access are revoked, and for Enterprise/Enterprise Plus, CMEK scheduled key deletion cryptographically destroys the data it protected. We retain account and audit data as needed for legal, accounting, and security purposes.
10. Security
The Service uses tenant isolation (row-level or dedicated schema/bucket), short-lived internal authentication tokens, encryption in transit and at rest, Confidential Compute (AMD SEV) for genomic workloads, optional customer-managed encryption keys (CMEK) for Enterprise, and immutable audit logging of sensitive operations. No system is perfectly secure; we will notify affected customers and regulators of a personal-data breach as required by law.
11. Your rights
Subject to applicable law, individuals have rights to access, rectify, erase, and restrict processing of their personal data, to data portability, and to object to processing. Because most Customer Data is de-identified and we act as processor for it, requests relating to Customer Data should normally be directed to the customer (controller); we will assist as required by the DPA. For account data, contact contact@dysplasiadx.com. You may also complain to the UK Information Commissioner's Office (ICO).
12. Changes and contact
We may update this policy and will post the revised version with a new date; material changes will be notified. Questions, requests, or complaints: contact@dysplasiadx.com or Dysplasia Diagnostics Limited, 85 Great Portland Street, London, England, W1W 7LT.
Dysplasia Diagnostics Limited (trading as DysplasiaDx) · Research Use Only · Not for use in diagnostic procedures.