Privacy Notice

Last updated: March 2026

This privacy notice will help you understand how OpalMedica uses and protects your personal data.

We are OpalMedica Ltd based at No3, Circle Square, 5 Hawkshaw Street, Manchester, M1 5BL, United Kingdom.

This applies to all interactions with OpalMedica Ltd via the My Rare Journey platform, encompassing our services, products, and mobile and web applications (“Services”).

You can contact our voluntarily appointed Data Protection Officer at support@opalmedica.co.uk if you have any concerns or wish to exercise your rights.

Our Promises

We’re committed to your data privacy and security and never forget that it’s your right to have total transparency and control over how we use your data. As such, we give you these promises:

  • We will only collect data about you that is relevant and necessary.
  • Your data will only be held on systems that meet compliance standards.
  • Your data will only be accessed by those who need it, and we will minimise the amount of data that is processed, wherever possible.
  • We won’t share or sell your data to any third party, except for the marketing of our own services to you, unless either you have agreed, we are required to share it by law, or we need to fulfil our service commitments to you through a third party that meets our own privacy standards.
  • We will always remember that it is your personal data, not ours. As such we will ensure complete transparency and openness with you wherever possible.
  • We respect your rights as outlined in the next section and will respond to all requests promptly.

Your Rights

You have the following rights over any data we hold about you:

  • Your right of access. You have the right to ask us for copies of your personal information.
  • Your right to rectification. You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure. You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing. You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing. You have the right to object to the processing of your personal information in certain circumstances.
  • Your right to data portability. You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

If you are dissatisfied with our response you also have the right to lodge a complaint with the Data Protection Authority. This can be done at https://ico.org.uk/concerns/

How we Collect your Data

The data we process is obtained via our website during sign-up/account creation and when you complete surveys.

What Data we Collect

We currently collect and process the following personal data:

  • Name
  • Email address
  • Information you give us, for example when you request information, enter a contract with us or communicate with us
  • Account and profile information
  • Information or comments you share on our forum/message board, and messages sent to other platform users
  • Special category data (health-related data)

We collect and store any content that you create, post, send, and share to our Services. This content includes any comments you post, emails and other communications that you send to us, and information you provide by responding to surveys or submitting a form. We also track how you engage with messages you receive in connection with our Services, such as notifications to complete an onboarding or learning activity.

When you visit our website, we may also capture details of your visits such as pages viewed and the resources that you access. Such information includes traffic data, location data and other communication data.

When you access or use our Services, we collect and store certain usage data. This includes the types of content you view or engage with, the frequency and duration of your activities, the scores you achieve in games/activities and your progression through the content.

We collect information about the people and groups you are connected to and how you interact with them, such as the people you communicate with the most.

Other users of our Services may provide information about you when they create or share content through our Services. For example, you may be mentioned by someone else on the forum/message board.

We collect anonymised information from or about the computers, phones, or other devices where you install or access our Services. We may associate the information we collect from your different devices, which helps us provide consistent services across your devices. Some examples of the device information we may collect include:

  • Attributes such as the operating system, hardware version, device settings, file and software names and types, battery and signal strength, and device identifiers.
  • Device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals. We will ask you to opt-in before we use GPS or other tools to identify your precise location.
  • Connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number and IP address.

We constantly strive to improve our Services and often introduce new features that may require the collection of new information. If we collect materially different personal data or materially change how we use your data, we will notify you and may also modify this Privacy Notice.

How we Process your Data

We never resell or share bulk identifiable data with any other party, other than in circumstances where we are required by law to disclose your personal information or to further fraud protection and reduce the risk of fraud. We may license anonymised datasets containing your data for the purposes of rare disease research, where you have consented for us to do so.

Data is processed/stored mainly on encrypted cloud services such as Microsoft.

In addition, we may use Large Language Models (LLMs) to help us fulfil some of our services. A full list of these systems can be provided on request. These services all have strong data security at the heart of their systems including ISO27001 and SOC2 certification.

We ensure that access to these services is strictly controlled and includes strong authentication processes such as Multi-Factor Authentication.

If we connect on Social Media platforms, we may transfer this information to our platforms to track our interactions.

We operate internationally and may transfer personal information to other countries, where our servers and third-party service providers are located.

Data will be processed in either the UK, EEA/EU data centres or on US based servers that have demonstrated strong Data Security. We may also process your data in countries outside the UK or European Union from time to time in other aspects of our business.

Further to Section 119A of the Data Protection Act 2018 and noting Case C-311/18 in the European Court of Justice, if your data is transferred or processed outside of the UK or EEA, we ensure the safeguards of International Data Transfer Agreements (IDTAs) or Addendums are enforced. Where this is not possible, we ensure that European Standard Contractual Clauses are entered into. For data transfers involving the USA, we may rely on the Data Privacy Framework or the UK Extension Data Bridge.

Wherever your personal information is transferred, stored or processed by us, we will take reasonable steps to safeguard its privacy. If you have a complaint about our privacy compliance, please contact us at support@opalmedica.co.uk.

Please note that the countries where we operate may have privacy and data protection laws that differ from, and are potentially less protective than, the laws of your country. You agree to this risk when you create a My Rare Journey account, irrespective of which country you live in. If you later wish to withdraw your consent, you can delete your My Rare Journey account as described in the “Deleting your Account” section.

We regularly review suppliers for data security compliance to ensure your data is safe and track where your data is held.

All our processes are subject to various internal policies to ensure that your data privacy and security is upheld.

What we use your Data for

Our mission is to provide a community for people with rare diseases, facilitate sharing of rare disease diagnostic journeys, and use this information to develop tools to help earlier detection of rare diseases in clinical practice.

With these objectives in mind, we use the personal information we collect about you to:

  • Provide and personalise our Services. We create and manage your account, and personalise our Services by using information about how you interact with them. For example, we may use your survey results to provide you with relevant follow-up surveys.
  • Communicate with you. We communicate with you about our Services and let you know about any changes to our policies and terms. We also use your information to respond to your enquiries.
  • Improve our Services. We conduct surveys and research to test, evaluate, and improve existing products and services, or develop new ones. We may also conduct audits and troubleshooting activities.
  • Promote safety and security. We help verify accounts and activities to promote safety and security on and off of our Services. This includes enforcing our Terms of Use and other legal terms and policies.
  • Aggregate insights. We use your data to produce and share aggregated insights that do not identify you. For example, we may use your data to generate statistics about our users, or to publish demographics for a Service or learning and behavioural insights.
  • Clinical decision aid development. We may anonymise your data and use it to help develop clinical decision aid tools for use by primary care physicians.
  • Rare disease research. We may license your anonymised data to third parties for the purposes of rare disease research.

Legal Basis for Processing your Data

Your data is only processed based on a defined legal basis. These are:

  • Consent. By using our service you are consenting. You have consented to the use of your personal information in a particular way. When you consent, you can change your mind at any time by contacting us at support@opalmedica.co.uk.
  • Performance of a contract. We need your personal information to provide you with services and products requested by you, or to respond to your enquiries. In other words, so we can perform our contract with you, like the Terms of Use.
  • Legal obligation. We have a legal obligation to use your personal information, such as to comply with applicable tax and other government regulations or to comply with a court order or binding law enforcement request.
  • Legitimate interests. We have a legitimate interest in using your personal information in the following cases:
    • To operate the OpalMedica business and provide you with tailored communications to assist you in better using OpalMedica Services. This may include advertising; however, you may opt out of receiving advertising communications at any time by contacting us at support@opalmedica.co.uk or by following the unsubscribe instructions in any such communications.
    • To analyse and improve the safety and security of our Services. We do this as it is necessary to pursue our legitimate interests in ensuring OpalMedica services are secure, such as by implementing and enhancing security measures and protections and protecting against fraud, spam and abuse.
    • To provide and improve our Services, including any personalised services. We do this as it is necessary to pursue our legitimate interests of providing an innovative and tailored offering to our users on a sustained basis.
    • To anonymise and subsequently use anonymised information.
  • Protecting you and others. To protect your vital interests, or those of others.

Lawful Basis

The legal basis on which OpalMedica will use/process user data will typically be:

  • GDPR Article 6(1)(a): the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • GDPR Article 6(1)(b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • GDPR Article 6(1)(f): processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

You have the right to withdraw your consent at any time. Should you choose to do so, please contact us at support@opalmedica.co.uk.

Special Category Personal Data Conditions

To enable OpalMedica to process your special category of personal data, we will use one of the following conditions:

  • GDPR Article 9(2)(a): Explicit Consent
  • GDPR Article 9(2)(c): Vital Interests
  • GDPR Article 9(2)(e): Made public by the data subject

If we request your explicit consent, we will ask you to complete a form, which specifies the nature/type of special category of data used and your explicit consent will be separate from any other consent we are seeking.

Your explicit consent will be freely given and specific and you can withdraw your explicit consent at any time. Should you choose to do so, please contact us at support@opalmedica.co.uk.

Who we Share your Data with

We will not sell your data, nor will we share your information with third party organisations except as part of providing a product or service to you and/or when legally obliged to. It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process your personal information only as instructed by us, and to flow those same obligations down to their sub-processors.

We may also disclose your personal information to law enforcement, regulatory and other government agencies and to professional bodies and other third parties, as required by and/or in accordance with applicable law or regulation including but not limited to prevention of fraud or minimising credit risk.

We may license your anonymised data to third parties for the purposes of rare disease research, with your explicit consent.

We share personal information in the following ways:

People you share and communicate with

Any content you share and communicate using our products and services will be visible to friends or connections connected to you through the My Rare Journey social network/forum/message board. In some cases, people you share and communicate with may download or re-share this content with others on and off our Services.

People that see content others share about you

Other people may use our Services to share content about you with the audience they choose. If you have concerns with someone’s post, you can report them by emailing us at support@opalmedica.co.uk.

Apps, websites, cloud/hosting and third-party integrations

When you use third-party apps, websites or other services that use, or are integrated with, our Services, they may receive information about what you post or share. Information collected by these apps, websites or integrated services is subject to their own terms and policies.

Sharing with third-party partners and organisations

We occasionally work with third party companies. For example, anonymised data (data with all user identifiable information removed) may be licensed to research organisations for the purposes of conducting approved rare disease research. We do not share information that personally identifies you with advertising, measurement or analytics partners unless you give us permission, or if we have aggregated the information so that it does not personally identify you.

Data Retention

Depending on the data you provide us and the purpose for which it is provided, we may need to retain your data. Typically, we will retain your data for 3 years following our last engagement.

If you wish to find out more about your specific data retention, please contact us.

Deleting your Account

You can close your account at any time. When you close your account, you will no longer be able to access it. Things you have posted and accumulated, such as your status updates, personalised avatars, badges and achievements, will be deleted. Keep in mind information that others have shared about you is not part of your account and will not be removed when you close your account. Similarly, anonymised survey responses that have been used to develop clinical decision aids or licensed to third parties for research purposes will not be deleted.

If you request, we will delete or anonymise your personal data so that it no longer identifies you, unless we are legally allowed or required to maintain certain personal data, including situations such as the following:

  • If there is an unresolved issue relating to your account, such as an unresolved claim or dispute, we will retain the necessary personal data until the issue is resolved.
  • Where we are required to retain the personal data for our legal, tax, audit, and accounting obligations, we will retain the necessary personal data for the period required by applicable law.
  • Where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our users.

Please note that, for technical reasons, there might be a delay in deleting your personal information from our systems when you ask us to delete it. However, we will process your request as quickly as possible.

To ensure transparency and ease of exercise of your rights, we have streamlined our internal processes. For any requests or enquiries regarding your personal data, please reach out to us via the contact details provided in this policy. We are committed to addressing your requests without undue delay and in any event within one month of receipt, subject to any applicable legal requirements and exceptions.

Data Permissions

Every marketing email sent from us allows you to opt out of receiving emails from us, except for the purposes of fulfilling any contractual arrangements.

You can also contact us at the email address above and request to opt out, view, export or delete your data.

If you request that your data be deleted, your name and email address will be added to an exceptions list and all other data removed to the extent possible.

If you ask us to send information to a relative or friend, you warrant that you have their consent to share their data with us.

How we Protect Information we Collect

While no service is completely secure, we are dedicated to keeping personal information safe. We maintain administrative, technical and physical safeguards that are intended to appropriately protect against accidental or unlawful destruction, accidental loss, unauthorised alteration, unauthorised disclosure or access, misuse and any other unlawful form of processing of the personal information in our possession. We employ security measures such as using firewalls to protect against intruders, building redundancies throughout our network (so that if one server goes down, another can cover for it) and testing for and protecting against network vulnerabilities.

Legal Compliance

We seek to uphold our legal obligations as covered by the Data Protection Act 2018, Data Use and Access Act 2025 (DUAA) and the General Data Protection Regulation 2016. Our Data Protection Authority is designated as the Information Commission (IC), formerly the Information Commissioner’s Office (ICO). This Privacy Notice is reviewed on a regular basis and was last reviewed in March 2026.

We retain the right to update this notice at any time. We will always document any changes and will publish the latest version on the company’s website.

Cookies

The Platform uses only essential cookies required for authentication and session management. We do not use advertising cookies, analytics cookies, or third-party tracking cookies. Our session cookie (__session) is httpOnly, secure, and set with a 7-day expiry.

Children

The Platform is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete the information.

Contact

For data protection enquiries or to exercise your rights, contact our Data Protection Officer at support@opalmedica.co.uk.

For general enquiries or to report issues, contact us at support@opalmedica.co.uk.

Dated March 2026.