
Privacy Policy
Last updated: 18/02/2026
1. Who we are
BioPhotonix Limited (“BioPhotonix”, “we”, “us”) develops and supplies the Revolux photobiomodulation medical device and associated digital services for the management of early and intermediate dry age‑related macular degeneration.
Our registered office is:
BioPhotonix Limited, [the Beyond, SkyPark, 8 Elliot St, Glasgow G3 8EP].
We are the controller for personal data we collect through our website and, in some cases, for data processed through our devices and digital platforms. For many aspects of patient care, the treating clinic will be the controller and BioPhotonix will act as a processor (see section 4).
We do not currently appoint a Data Protection Officer. You can contact us about privacy or data‑protection matters at: info@biophotonix.co.uk.
This notice is governed by the law of Scotland, and any disputes will be subject to the jurisdiction of the Scottish courts, without affecting your statutory rights across the UK.
2. Scope of this notice
This notice explains how we handle personal data when:
- You visit or use our website or any related online services.
- Clinics and clinicians use the Revolux clinician portal, APIs and connected services.
- Patients receive Revolux treatment in participating clinics and their data is processed via our platform.
Our website and core services are hosted in the UK, with primary hosting located in data centres in Scotland (Glasgow). We provide information and services across the UK.
3. What data we collect
3.1 Website and enquiry data
We may collect:
- Contact details that you choose to provide (for example via contact forms), such as name, email address, phone number, organisation and message content.
- Technical information from your device, including IP address, browser type and version, device type, operating system and basic diagnostic information, to keep the site secure and functioning.
- Limited usage data, such as pages visited, time on page and referring URLs, via strictly necessary and (if enabled in future) optional analytics cookies (see section 9).
3.2 Clinic and professional data
For clinics and clinicians using Revolux and our portals, we may collect:
- Clinic information (name, address, contact details, practice type, identifiers).
- Clinician and staff details (name, role, professional registration, business contact details, user accounts, activity logs).
3.3 Patient‑related data
Revolux is designed to operate with minimal directly identifiable patient information on our systems, using pseudonymised identifiers where possible.
Through our platform we may process:
- Clinic‑assigned identifiers (e.g. patient ID/record number, appointment ID) instead of names or NHS numbers wherever feasible.
- Limited demographic information (such as age band and sex) where entered by the clinic.
- Clinical context recorded by the clinician, such as diagnosis of early or intermediate dry age‑related macular degeneration, best‑corrected visual acuity ranges and eligibility/contraindication flags.
- Treatment data generated during Revolux sessions (for example dates and times of sessions, which eye(s) were treated, therapy phases completed, clinician overrides, distance‑sensor status and chronotherapy‑window flags).
- Physiological telemetry used to gate treatment, stored as session metadata only and not used to provide diagnoses.
Revolux is not intended for paediatric patients, and we do not knowingly process children’s data through the platform.
4. Roles and responsibilities (clinics vs BioPhotonix)
For most aspects of patient care:
- The treating clinic (for example optometry practice or eye clinic) is the controller of the patient’s clinical record, including decisions about eligibility, treatment and follow‑up.
- BioPhotonix acts as a processor, providing the device and platform under a data‑processing agreement, and processing patient‑related data on the clinic’s documented instructions.
For some activities, such as platform security, product improvement using pseudonymised data, regulatory compliance and operation of our own website, BioPhotonix may act as an independent or joint controller.
If you are a patient and have questions about your clinical record or wish to exercise your data‑protection rights, you should usually contact your treating clinic in the first instance. We will support clinics in responding to any data‑subject requests that involve our systems.
5. Why we use personal data and our legal bases
Under UK GDPR we must have a lawful basis for each use of personal data, and an additional condition for any “special category” data such as health information.
5.1 Providing our website and responding to enquiries
Purposes:
- Operating and securing our website and online forms.
- Responding to questions, support requests and other enquiries.
Legal bases:
- Our legitimate interests in operating a secure website and responding to enquiries about our business.
- Where we enter into a contract (for example with a clinic), processing may also be necessary to take steps at your request or to perform that contract.
5.2 Providing Revolux and related clinical services
Purposes:
- Operating the Revolux device, app and clinician portal in line with their intended use, including recording treatment sessions, safety‑gating (distance, priming, chronotherapy window) and generating clinical reports.
- Supporting clinics with deployment, training and troubleshooting.
Legal bases:
- For clinics and clinicians: performance of a contract with the clinic and our legitimate interests in providing and maintaining the service.
- For patient health data: processing is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment, or the management of health systems and services (UK GDPR Article 9(2)(h)), carried out under the responsibility of health professionals and subject to applicable UK law.
5.3 Safety, quality and regulatory compliance
Purposes:
- Ensuring device and platform safety, quality and performance, including calibration, post‑market surveillance and vigilance.
- Meeting our obligations under medical‑device regulation, product‑safety law and related guidance.
Legal bases:
- Compliance with legal obligations (e.g. regulatory reporting and record‑keeping).
- Substantial public interest in patient safety and high standards of quality and safety of health care and medical devices, where supported by UK law.
5.4 Security, misuse prevention and governance
Purposes:
- Protecting the confidentiality, integrity and availability of data and services, including secure boot, encryption, access control, logging and incident response.
- Preventing misuse or fraud, for example through clinician‑presence attestation, geofencing of devices to registered clinics and immutable audit trails.
Legal bases:
- Our legitimate interests in securing our systems, preventing misuse and protecting patients, clinics and our business.
- For any health‑related data implicated, substantial public interest in maintaining security and preventing harm, as permitted under UK law.
5.5 Product improvement, analytics and research‑like activities
Purposes:
- Analysing anonymised or pseudonymised treatment data to understand usage, refine protocols, evaluate chronotherapy effects and improve design and workflow.
- Supporting regulatory submissions and evidence generation using aggregated data.
Legal bases:
- Our legitimate interests in improving our products and services, balanced against the privacy rights of patients and clinicians.
- For special‑category data, where applicable, research or public‑health‑related conditions under UK GDPR and relevant UK law, with appropriate safeguards such as pseudonymisation and access controls.
Where we rely on consent (for example, for a specific optional study or to send marketing emails to individuals), you can withdraw that consent at any time; this will not affect processing already carried out.
5.6 Communications and marketing to professional contacts
Purposes:
- Managing relationships with clinics and professional contacts, including service updates, clinical training and, where permitted, information about new features or programmes.
Legal bases:
- Our legitimate interests in running and developing our business.
- Where electronic direct marketing to individuals is involved, we will obtain consent where required by PECR and provide an easy way to opt out.
We do not currently use your data for third‑party advertising or behavioural profiling.
6. How we share personal data
We may share personal data with:
- Treating clinics and clinicians, to provide treatment records and reports and to support clinical decision‑making within the clinic’s responsibility.
- Service providers who process data on our behalf (for example hosting providers, security and monitoring services, support tools), under written contracts that meet UK GDPR requirements.
- Regulatory bodies, notified bodies, auditors, insurers or legal advisers where necessary to meet regulatory, safety or legal obligations, or to establish, exercise or defend legal claims.
- Successors or potential acquirers, in the context of a corporate transaction, subject to appropriate safeguards and, where required, additional notifications or consents.
We do not sell individual patient data, and we do not share clinical data with third parties for unrelated advertising. Any public reports or presentations use de‑identified or aggregated information.
7. International transfers
Our core hosting for UK clinics and the website is located in the UK, currently with primary infrastructure in Scotland.
If we transfer personal data outside the UK (for example if a supplier uses an overseas support team or backup location), we will ensure that appropriate safeguards are in place, such as:
- UK adequacy regulations for the destination country; or
- Standard contractual clauses or equivalent safeguards, plus technical and organisational measures to protect the data.
8. How long we keep your data
We keep personal data only for as long as reasonably necessary for the purposes set out in this notice and to meet legal, regulatory and accounting requirements.
Indicatively:
- Clinical and device‑related records needed for safety and regulatory purposes may be retained for the lifetime of the product and for a period afterwards, in line with medical‑device and health‑record requirements (commonly 7–10 years or more, depending on the context).
- Security logs and telemetry are kept for periods appropriate to monitoring, incident investigation and compliance obligations.
- Website and enquiry data is held for as long as needed to respond and for a reasonable period afterwards, or longer where required by law or to resolve disputes.
- Marketing and professional‑contact data is held while you remain engaged with us and for a reasonable period afterwards, unless you object or opt out sooner.
More specific retention periods may be set out in our agreements with clinics.
9. Cookies and similar technologies
We use cookies and similar technologies on our website and portals to:
- Make the site work (for example session management, security and load balancing).
- Remember certain preferences (such as cookie choices).
- In future, we may use privacy‑respecting analytics to understand how the site is used and to improve it.
At present:
- We do not use advertising cookies or third‑party marketing trackers.
- Any analytics tools we introduce will be configured to minimise personal data and, where required, will only run with your consent.
Under UK GDPR and the Privacy and Electronic Communications Regulations (PECR):
- Strictly necessary cookies can be set without consent.
- Non‑essential cookies (such as most analytics cookies) require your prior consent, which you can give or refuse via our cookie banner.
You can also manage cookies through your browser settings. For more detail, please see our separate Cookie Notice.
10. Your rights
Under UK GDPR you have a number of rights in relation to your personal data, subject to certain conditions and exemptions:
- Right to be informed about how your data is used (this notice and any clinic‑level privacy information).
- Right of access to your personal data.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure in certain circumstances.
- Right to restrict processing in certain circumstances.
- Right to data portability where processing is based on consent or contract and carried out by automated means.
- Right to object to certain processing, including processing based on legitimate interests or direct marketing.
- Rights in relation to automated decision‑making and profiling, where applicable.
For clinical records, you will usually exercise your rights through your treating clinic, which is responsible for your clinical care and record. We will support clinics in dealing with such requests where our systems are involved.
To exercise your rights in relation to data for which BioPhotonix is controller (for example website data or certain platform data), please contact us using the details in section 11.
You also have the right to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have handled your personal data:
Information Commissioner’s Office
ico.org.uk
Helpline: 0303 123 1113 (UK)
We would appreciate the chance to address your concerns before you contact the ICO, so please consider contacting us first.
11. Contact us
If you have questions about this notice or how we handle your personal data, or if you wish to exercise your rights, please contact:
BioPhotonix Limited
[the Beyond, SkyPark, 8 Elliot St, Glasgow G3 8EP]
Email: info@biophotonix.co.uk
For patient‑specific clinical questions, please contact your treating clinic, which can liaise with us where necessary.
12. Changes to this notice
We may update this privacy notice from time to time, for example if our services or legal obligations change. When we make significant changes, we will update the “Last updated” date and, where appropriate (for example for clinics using our platform), provide additional notice through our website or portals.