TopMD Precision Medicine Ltd is a company registered in England and Wales. We develop and operate a cloud-based precision medicine analytics platform that enables research scientists, clinical researchers, and pharmaceutical organisations to perform advanced genomic and transcriptomic analysis.
For the purposes of UK data protection law, TopMD Precision Medicine Ltd is the data controller in respect of personal data collected through our website (topmd.co.uk) and platform (app.topmd.co.uk).
This Privacy Notice explains what personal data we collect about you, why we collect it, how we use it, and what your rights are. It applies to visitors to our website, registered platform users, and contacts at organisations we work with.
We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
When you register for or use the TopMD platform, we collect:
When you use the platform we automatically collect:
If you contact us by email, submit an enquiry, or correspond with us regarding licensing or support, we retain records of that correspondence including your name, email address, and the content of messages.
For organisational licence holders, we retain records of the licence type, issue date, and the contact details of the designated licence administrator at your organisation. Payment processing (where applicable) is handled by a third-party payment processor; we do not store full payment card details.
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and manage your platform account | Account and identity data | Contract |
| Deliver analysis jobs and return results | Account data, uploaded research files, job configuration | Contract |
| Authenticate users and enforce access controls | Account credentials, session identifiers | Contract / Legitimate interests |
| Manage organisational licences | Account data, licence records | Contract / Legal obligation |
| Respond to support and licence enquiries | Communications data | Legitimate interests |
| Monitor platform performance and diagnose errors | Usage data, log data | Legitimate interests |
| Improve our platform and services | Aggregated, anonymised usage statistics | Legitimate interests |
| Comply with legal and regulatory obligations | Any relevant personal data | Legal obligation |
| Prevent fraud and protect platform security | Usage data, log data, account data | Legitimate interests |
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
Contract: Where processing is necessary to provide the platform services you have requested — creating your account, running analysis jobs, delivering results, and managing your licence.
Legitimate interests: Where we have a legitimate business interest in processing that is not overridden by your rights and interests. This applies to security monitoring, error diagnostics, fraud prevention, responding to enquiries, and generating anonymised usage analytics.
Legal obligation: Where processing is required to comply with a legal obligation, for example maintaining records for tax or regulatory purposes, or responding to a lawful request from a regulatory authority.
Consent: We rely on consent only for non-essential cookies. Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of prior processing.
We do not process any special category data relating to platform users as personal data. Research datasets containing genomic or transcriptomic data that you upload are processed on your behalf as part of the service and are subject to the provisions in Section 5 below.
Files you upload to the platform (such as FASTQ files, gene expression matrices, or clinical metadata) are:
If your uploaded datasets contain personal data (for example, sample IDs that could be linked back to individual research participants), TopMD Precision Medicine Ltd acts as a data processor on your behalf in respect of that data, and you remain the data controller. If you require a data processing agreement, please contact us at privacy@topmd.co.uk.
We do not sell your personal data to any third party. We share data only with the following categories of service providers, strictly for the purposes of delivering our platform:
| Recipient | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure: compute, storage (S3), database (DynamoDB), authentication (Cognito), job execution (Batch). AWS acts as a data processor under a Data Processing Addendum. | UK (eu-west-2 London, primary) |
| Anthropic | Where you request AI-assisted interpretation of analysis results, anonymised result summaries may be sent to Anthropic's API. No uploaded research data or personally identifiable information is transmitted. | United States (with appropriate safeguards) |
| Email service provider | Transactional email (account verification, notifications). Limited to email address and message content. | EU / UK |
We may also disclose personal data if required to do so by law, court order, or in response to a lawful request from a regulatory or law enforcement authority.
Our primary infrastructure runs in AWS eu-west-2 (London) and your data is stored and processed in the UK by default.
Where data is transferred outside the UK — for example, to Anthropic's API for AI interpretation features — we ensure that appropriate safeguards are in place in accordance with UK GDPR, including the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses approved by the ICO.
You can request details of the specific safeguards in place for any transfer by contacting us at privacy@topmd.co.uk.
| Data category | Retention period | Reason |
|---|---|---|
| Account data (active users) | Duration of account plus 12 months after closure | Service delivery; reasonable run-off period |
| Uploaded research files (FASTQs, matrices) | 90 days from upload, then automatically deleted | Results retrieval window; minimisation principle |
| Analysis results and job records | 12 months from job completion | Results access; audit trail |
| Licence records | 7 years from licence expiry | Legal and contractual obligation |
| Platform logs (access, error) | 90 days | Security monitoring; fault diagnosis |
| Support and communications records | 3 years from last contact | Continuity of support; legitimate interests |
Under UK GDPR you have the following rights in relation to your personal data:
Request a copy of the personal data we hold about you (Subject Access Request).
Ask us to correct inaccurate or incomplete personal data.
Request deletion of your personal data where there is no legitimate reason for us to continue processing it.
Ask us to suspend processing of your data in certain circumstances.
Request a copy of data you have provided to us in a structured, machine-readable format.
Object to processing based on legitimate interests.
We do not carry out solely automated decision-making with legal or significant effects.
Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
To exercise any of these rights, contact us at privacy@topmd.co.uk. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113. We would welcome the opportunity to address any concern before you contact the ICO.
These cookies are essential for the website and platform to function and cannot be disabled. They include session authentication tokens issued by AWS Cognito and CSRF protection tokens.
With your consent, we use analytics cookies to understand how visitors use our website. These help us improve our content and user experience. Analytics data is aggregated and does not identify individuals.
You can manage cookie preferences through the cookie banner on your first visit, or by adjusting your browser settings. Note that disabling strictly necessary cookies will prevent the platform from functioning correctly.
We review this Privacy Notice periodically and will update it when our practices change or when required by law. The date at the top of this page shows when it was last updated.
For significant changes that affect how we use your personal data, we will notify registered users by email before the change takes effect and, where required, seek fresh consent. Previous versions of this notice are available on request.
For any questions about this Privacy Notice, to exercise your data rights, or to request a data processing agreement: