PRIVACY NOTICE

OtoImmune Ltd ("we", "us", or "our") respects your privacy and we are committed to keeping your personal data and other data confidential and secure.

'mOI' and 'mOI Health' are trading names of OtoImmune for the provision of products and services described in this Privacy Notice. OtoImmune operates the website www.moihealth.com and the app 'mOI'.

1. Who we are

We are the controller responsible for the personal data we collect and use about you. Our full details are OtoImmune Ltd (company number 15799123), a private company limited by shares and registered in England and Wales. Our registered office is located at 20 Wenlock Road, London, N1 7GU.

This privacy notice tells you the types of personal data we collect about you when you visit our website (www.moihealth.com), use our applications (such as the mOI app), products and services, interact with us offline, or where we otherwise obtain personal data either directly from you, or from another party. It also outlines how we use that personal data and how we may share it.

We aim to comply with the highest applicable data protection and healthcare standards, including the UK GDPR and, where relevant, HIPAA-equivalent principles.

Our website and app may include links to third-party websites, plug-ins, applications or other services and products. Clicking on those links or enabling those connections may allow third parties to collect or share data about you in accordance with their privacy notices. These third parties are separate and independent from us and we are not responsible for their privacy notices. When you leave our website and app, we encourage you to read the privacy notice of every website you visit.

2. Data we collect and use about you

Personal data, or personal information, means any information about an individual from which that person can be identified.

We have grouped together the different types of personal data we collect and use about you into the following categories:

  • Health Data including information derived from or related to autoantibody testing, complete blood counts (CBC) and related blood panels, faecal immunochemical tests (FIT), calprotectin levels, and gut microbiome analyses (which may include incidental human genetic material) and digital and other health data, including medical history, symptoms, diagnoses, medication, appointments, mental health, activity, biometric and other vital sign data, allergies and intolerances and your unique patient identification number.
  • Genetic Data such as data derived from whole genome sequencing (WGS), transcriptome sequencing and/or other analyses of biological samples that reveal inherited or acquired genetic characteristics including data concerning chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis composition and/or variation.
  • Identity Data including full name, date of birth, nationality, gender, username or similar identifier, title and ID documentation.
  • Contact Data including billing address, delivery address, email address and telephone numbers.
  • Financial Data including bank account, payment methods and identifiers, subscription payments and history, payment card details, gift vouchers and credits and monies that you may have pooled, or wish to pool, to pay for our products and/or services.
  • Transaction Data including details about payments to and from you and other details of products and services you have purchased or wish to purchase from us.
  • Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
  • Profile Data including your username and password, account credentials, purchases or orders made by you, your feedback and survey responses, plus your interest in being part of our wider activities, including clinical trials (and participation therein), research and development activities (including drug discovery) and partnerships and joint ventures.
  • Usage Data including information about how you use our website (including websites and/or services integrated with the same (e.g. Stripe)), our app, products and services, your interests and preferences.
  • Communications Data including communications you send to us, such as customer service inquiries, product reviews and other feedback regarding our products, services and the website, and your communications with other users of the website. Given the free text nature of some of our forms and methods of communication, you may, at your option, provide us with additional forms of personal data not listed above.
  • Marketing and Related Data including your preferences in receiving marketing from us and our selected third parties, your communication preferences, and the segment(s) we assign to you for online marketing purposes.

The law considers certain data about your health and data about your genetic characteristics to be sensitive data which is subject to stricter rules.

3. How we collect personal data about you

When you use our website, apps, products or services, or otherwise interact with us, we collect and use the following personal data about you.

You may provide your personal data to us when you fill in forms on our website and app, order health tests from our website and/or app, download our app or correspond with us, whether by social media, chat platforms, post, phone, email or otherwise. This includes personal data you provide when you:

  • register with us and create an account;
  • undertake and complete onboarding, post-onboarding and other exercises via our website and/or app;
  • order and/or use our products or services;
  • subscribe to any part of our services or publications;
  • make a purchase through our website or app;
  • use our website and/or the mOI app;
  • request marketing to be sent to you; or
  • give us feedback or contact us.

As you interact with our website or app, we will automatically collect certain technical data about your equipment, browsing actions and patterns.

We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites that use our cookies. Please see below for further details.

If you choose not to provide certain personal data to us, we may not be able to provide you with access to and/or use of (in whole or in part) our products and services.

We may receive personal data about you from certain third parties and public sources including:

  • social media sites;
  • from your other healthcare providers (including the NHS and other private and/or non- or quasi-governmental healthcare providers);
  • from our own or our partners' laboratories, research centres, pharmaceutical and/or biotech partners and/or other engaged third parties (e.g. analysis providers, phlebotomist providers, etc) if you purchase one of our products and/or otherwise wish to use any of our services; and
  • our marketing partners, pharma and biotech partners, advertising networks and analytics providers.

4. The purposes for which we use your personal data and the lawful bases

We will only use your personal data when the law allows us to. We set out below the purposes for which we use your personal data and the relevant lawful bases that we rely on:

Clinical Trials and Research

With your explicit consent, we may use your health and genetic data, together with information you provide about your medical history, symptoms and treatments, mood, appointments and preferences, to identify and recommend potential clinical trials or similar trials and opportunities that may be relevant to you.

Where appropriate, we may facilitate introductions between you and pharmaceutical partners, clinical research organisations or trial sponsors, or otherwise provide your details to them. Where data is shared with such parties and for such purpose(s), we will take suitable steps to anonymise or pseudonymise your data wherever possible.

Biobanking

We may, with your explicit consent, retain and securely store your biological samples or any parts of such samples (for example, blood, serum, stool or other specimens) for future testing ("Biobanking").

These samples may be re-analysed by us or on our behalf to:

  • provide to you future goods and/or services;
  • provide to your existing and future healthcare providers your samples and/or provide to them on your behalf future goods and/or services;
  • provide to you recommendations on future goods and/or services;
  • validate or improve existing assays and/or create novel assays or workflows;
  • develop new intellectual property, including antibodies, autoantibodies, new signatures and/or diagnostic or monitoring tests;
  • support quality assurance or product development; and
  • conduct internal research or collaborative projects with trusted academic, research or commercial partners, including pharmaceutical, biotech and nutraceutical organisations.

Any such use will be governed by applicable law and subject to appropriate contractual and other safeguards.

Collaborative Research and Development Activities

We may partner with academic institutions, research consortia, healthcare providers, pharmaceutical, biotech, or nutraceutical companies to advance research in immune health, population and/or general health and related areas.

Where data is shared with such parties and for such purpose(s), we will take suitable steps to anonymise or pseudonymise your data wherever possible.

We will only share identifiable information where you have provided explicit consent or where another lawful basis applies, and all partners will be contractually required to protect your data and use it only for the agreed purposes.

Further Purposes

The following table sets out the purposes for which we use your personal data, the lawful bases we rely on, and the basis for processing sensitive data:

Purpose | Lawful basis | Basis for sensitive data
Use of Health Data and Genetic Data for genetic analysis and re-analysis purposes | Consent | Explicit consent
Retention and biobanking of biological samples for future testing, validation or research | Consent / Legitimate interest in improving our products and services | Explicit consent
Use of Identity Data and Contact Data for registration and account management | Legitimate interest to facilitate your registration and account |
Use of Financial Data and Contact Data to manage payments and transactions for our products | Legitimate interest to process your payment for our product |
Use of Identity Data and Contact Data to manage our relationship with you and respond to your queries/concerns | Legitimate interest to manage our relationship with you |
Use of Usage Data to customise the user experience | Legitimate interest to ensure that your experience is relevant for you |
Use of Usage Data in data analytics to improve our website, products/services, marketing, user relationships and experiences | Legitimate interest to improve our products and services and learn from analysis what to change |
Use of Communications Data and Identity Data to monitor the effectiveness of our products | Legitimate interest to respond to any concerns you raise about our products |
Use of Marketing and Communications Data to deliver relevant marketing communications, website content and advertising to you, and measure and understand the effectiveness of the advertising we serve to you | Legitimate interest to provide you with relevant marketing content and understand how effective it is |
Use of Contact Data and Profile Data to make recommendations to you about clinical trials/research that we think may be of interest to you | Consent | Explicit consent
Facilitation of introductions to clinical trial sponsors, CROs, or research organisations | Consent | Explicit consent
Use of Technical Data to administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, hosting data) | Legitimate interest to protect our business and website |
Use of all data types to detect, prevent and prosecute crime, fraud or other unlawful activity | Legitimate interest to prevent, detect and prosecute any illegal or unlawful activity | To prevent or detect unlawful acts for reasons of substantial public interest
Use of all data types to comply with applicable laws or regulations | Compliance with our legal obligations | For reasons of public interest in the area of public health
Use of all data types to take steps to protect our interests or the interests of a third party | Legitimate interest to protect our or a third party's interests | To establish, exercise or defend legal claims
Use of anonymised and/or pseudonymised Health and Genetic Data for research, product, service and model development (including collaborations with third party organisations) and product or service improvement | Legitimate interest in advancing scientific research and innovation | N/A – data anonymised/pseudonymised
Collaboration with third-party organisations (e.g. academic institutions, pharma, biotech, or nutraceutical partners) for research, co-development or partnership opportunities in immune health and related areas | Legitimate interest in advancing scientific research and innovation / explicit consent (where required) | Explicit consent (where required)
Sharing of anonymised or aggregated insights for scientific, statistical, or public-health purposes | Legitimate interest / Public interest in the area of public health | N/A – data anonymised

Where we rely on (explicit) consent as a lawful basis for processing your personal data (such as in relation to the processing of your Health Data or for direct marketing), you have the right to withdraw such consent at any time by contacting us at dataprotection@moihealth.com.

5. Security Tokens and Cookies

At the time of writing, we do not use cookies or similar tracking technologies for analytics, advertising, or user behaviour profiling. However, in order to maintain the security and integrity of our platforms we use a strictly necessary security token. This token is stored on your device or browser to:

  • authenticate your access to our services;
  • maintain your session while you are logged in; and
  • protect our systems against unauthorised access.

This security token is functional in nature and is not used to identify you across third-party services or to track your online activity outside of our platform. It expires automatically and contains only the minimum information required to provide secure access to our services.

If in the future we introduce cookies or similar technologies for additional purposes (for example, improving our services or measuring usage), we will update this Privacy Notice and, where required by law, provide you with clear notice and the ability to consent to such use. We may also introduce a separate Cookie Policy at that time, which will set out in detail the types of cookies used and the options available to manage your preferences.

6. Disclosing your personal data to third parties

When using your personal data, depending on the type of personal data and the purposes of processing, we may disclose it to:

  • third party service providers, subcontractors, agents and other organisations who provide services to us in connection with the operation of our business or to you on our behalf, such as payment service providers and other financial service providers, laboratories, kit providers, phlebotomy providers, third party CRM providers, automation software providers, third party services providing genetic analysis services (including variant calling), IT and cloud hosting providers, administrative services, and software providers;
  • professional advisers including lawyers, bankers, auditors, accountants and insurers;
  • anyone authorised by you, as specified by you or in any contract with you;
  • third parties, where we choose to raise private finance and other monies and/or sell, transfer or merge parts of our business or our assets;
  • regulators who regulate how we operate;
  • any person or organisation to whom disclosure is required or permitted under applicable laws and regulations;
  • in limited circumstances, and only with your explicit consent (or where otherwise permitted by law/a lawful basis):
    • research institutions, universities, and NHS or non-NHS healthcare organisations;
    • commercial research and development partners, including pharmaceutical, biotechnology and nutraceutical companies; and/or
    • clinical trial sponsors and contract research organisations (CROs) for the purpose of matching you with potential trials or facilitating introductions.

We will ensure that any third parties receiving such data are bound by appropriate contractual terms to maintain confidentiality, data security and regulatory compliance, and are prohibited from using your data for any unauthorised purposes. Wherever feasible, data shared with these parties will be anonymised or pseudonymised before transfer. Biological samples will only ever be shared under appropriate material-transfer agreements and ethical governance procedures.

Where third party service providers act as processors on our behalf, we do not allow them to use your personal data for their own purposes and only permit them to process your personal data for specified purposes in accordance with our instructions.

7. International data transfers

We may transfer your personal data outside of the UK and European Economic Area (EEA). Where we transfer your personal data outside of the UK / EEA, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

  • We transfer your personal data to countries that have been deemed to provide an adequate level of protection by the UK Secretary of State or the European Commission.
  • We implement certain standard contractual clauses with the recipients of your personal data to safeguard transfers to countries outside of the UK / EEA. These are standard contractual clauses approved by the UK Government and/or European Commission as relevant.

Please contact us at dataprotection@moihealth.com if you would like further information about the specific mechanism used by us when transferring your personal data out of the UK / EEA.

8. Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory and tax, accounting or other requirements.

Generally, we will only retain personal data for 7 years from the date you close your account. Where you use our website and services without an account we will generally only retain that personal data for a period of 12 months from our last record of activity from you.

In some circumstances you can ask us to delete your personal data (see your rights below).

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. Your rights

You have other rights regarding the processing of your personal data. Under certain circumstances, you have the right: to make a request to access, correct, erase or restrict the use of, or to object to the way in which we process, the personal data we hold about you, or to make a request to withdraw any consent previously given. If you would like to exercise any of these rights, you can contact us at: dataprotection@otoimmune.com.

We do not undertake solely automated decision-making which has a legal or similarly significant effect on you.

10. Contacting us

If you have questions, concerns or complaints about this privacy notice or our processing of your personal data more generally, please contact us at:

Please always address any concerns to us in the first place so that we have the opportunity to resolve your concerns.

You also have the right to complain to the applicable data protection authority. The data protection authority in the UK is the Information Commissioner's Office (https://ico.org.uk/make-a-complaint).

11. Changes to this privacy notice and your duty to inform us of changes

We update this privacy notice from time to time and you are advised to check this website regularly to make sure you are familiar with the most recent version. Where we make a significant change, we will use reasonable efforts to contact you to notify you of the change.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

This privacy notice was last updated on 07 November 2025.