Your Data Rights — EyeMap.ai Labs

EyeMap.ai Labs takes data protection seriously. This document explains in plain English how your personal and health data is collected, stored, used, and protected — and the rights you have over that data under the General Data Protection Regulation (GDPR).

Health data (including retinal images) is classified as a special category of personal data under GDPR Article 9 and is subject to additional safeguards. We handle it accordingly.

What data we collect

Retinal fundus images — colour photographs of the back of your eye, taken with a non-contact fundus camera at your study appointment
Questionnaire responses — age band, sex, known eye conditions, relevant health history (e.g. diabetes diagnosis)
AI analysis output — the classification produced by our models when applied to your fundus images
Consent records — a record that you provided consent, the date, and the version of the information sheet you received

We do not collect your name, date of birth, NHS number, or any other direct identifier as part of the research dataset. These are only held temporarily to manage your study appointment and are removed once your data is coded.

How your data is protected

Pseudonymisation: Your images and responses are assigned a participant code. The link between your identity and your code is stored separately, in a restricted access system, and handled by a named data custodian.
Encryption: All data is stored on encrypted servers. Data transfers use TLS encryption. Physical access to servers is restricted.
Access control: Only named members of the research team have access to identifiable data. Access to coded research data is logged and audited.
No commercial sale: Your data will never be sold to third parties. It will only be used for the research purposes described in the Participant Information Sheet.
Retention: Anonymised research data is retained for up to 10 years. Any remaining direct identifiers are deleted as soon as anonymisation is complete.

Your rights under GDPR

Art. 15

Right of Access

You may request a copy of the personal data we hold about you at any time.

Art. 16

Right to Rectification

You may ask us to correct inaccurate personal data we hold about you.

Art. 17

Right to Erasure

You may request deletion of your personal data. Note: once data is fully anonymised, it cannot be individually erased — this protects your identity.

Art. 21

Right to Object

You may object to processing of your personal data for research purposes. We will consider your objection and respond in writing.

Art. 20

Right to Portability

You may request your personal data in a machine-readable format where applicable.

Art. 77

Right to Complain

You have the right to lodge a complaint with the authority in your country — a full list is available at edpb.europa.eu if you believe your data rights have been violated.

Legal basis for processing

We process your health data on the basis of Article 9(2)(j) GDPR — processing necessary for scientific research purposes in accordance with Article 89(1) — combined with applicable national law provisions permitting health data processing for research. Consent remains a necessary component of participation even where this legal basis applies.

Data sharing

Anonymised, coded data may be shared in the following circumstances:

With academic research collaborators under a formal data sharing agreement
In aggregated, anonymised form in published research papers and conference presentations

Data will not be transferred outside the European Economic Area or UK without appropriate safeguards in place.

Data controller

EyeMap.ai Labs is the data controller for personal data collected in this study.
Contact: alex [at] eyemap [dot] ai

To exercise any of your rights, or if you have questions about how your data is handled, please contact the principal investigator at the address above. We will respond within 30 days.