Omi Scribe Cloud — UK Privacy Addendum

Version: 1.0

Effective: 11 May 2026

Provider: Omi Health B.V., Eindhoven, Netherlands

Contact: [email protected] · [email protected]

This addendum supplements the Omi Scribe Cloud — Privacy Notice at /legal/cloud-privacy and the Omi Scribe Cloud — Data Processing Addendum (DPA) for Customers established in, or processing personal data subject to the laws of, the United Kingdom.

Where this addendum conflicts with the Privacy Notice or DPA, this addendum controls for UK personal data.

1. Applicable law

This addendum applies to the processing of personal data subject to:

• UK GDPR (the United Kingdom General Data Protection Regulation), as retained in UK law under the European Union (Withdrawal) Act 2018
• The Data Protection Act 2018
• The Privacy and Electronic Communications Regulations (PECR), where relevant

References to “GDPR” in the Privacy Notice and DPA include the UK GDPR for UK Customer Content.

2. Hosting region — today and roadmap

UK Customers are currently served from the EU region (Azure Sweden Central). Customer Content is stored and processed in Sweden. A UK-resident hosting option (Azure UK South) is on the roadmap. The Customer will be notified before any change in hosting region.

3. International transfers

Where Customer Content or UK personal data is transferred from the UK to the EEA for processing in the EU region, Omi Health relies on the following safeguards in order of preference:

1. The UK government’s adequacy decision for the EEA, where applicable, recognising EEA‑based processing as providing essentially equivalent protection.

2. The UK International Data Transfer Agreement (IDTA) under section 119A of the Data Protection Act 2018, where adequacy does not apply.

3. The UK Addendum to the EU Standard Contractual Clauses (Version B1.0, in force 21 March 2022 or as updated), where data is also subject to EU SCCs.

Supplementary measures applied to all transfers of UK personal data include:

• Encryption in transit (TLS 1.2+) and at rest (Azure-managed plus application-layer AES‑256‑GCM for clinical content fields)
• Role‑based access control with least‑privilege scoping
• Audit logging of administrative and support access to Customer Content
• Network isolation and tenant separation
• Sub‑processor restrictions matching those listed at /legal/sub-processors

4. Supervisory authority and complaints

The supervisory authority for UK personal data is the Information Commissioner’s Office (ICO):

• Web: https://ico.org.uk
• Helpline: 0303 123 1113
• Postal address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

UK data subjects may exercise rights of access, rectification, erasure, restriction, objection, and portability under the UK GDPR by contacting [email protected]. Where Omi Health is a Processor for Customer Content, data subject requests should be directed to the Customer (the Controller) in the first instance; Omi Health will assist the Controller in fulfilling such requests as required by the DPA.

5. UK Representative

As a Processor established outside the UK, Omi Health B.V. is not required to designate a UK Representative under Article 27 UK GDPR where its processing meets the conditions of Article 27(2). Where appointment becomes required by virtue of changes in scope or volume of UK processing, Omi Health will appoint a UK Representative and update this addendum accordingly. Customers requiring an interim point of contact for UK regulatory matters may use [email protected].

6. NHS-specific obligations

For NHS Trusts and other NHS bodies, Omi Health will:

• Complete the NHS Data Security and Protection Toolkit (DSPT) standards on request, providing evidence under NDA.
• Cooperate with Information Asset Owner (IAO) and Data Protection Officer (DPO) processes specified by the Trust.
• Support Data Protection Impact Assessments (DPIAs) by providing technical inputs.
• Honour any National Data Opt-Out signals propagated by the Customer in its tenant configuration. Omi Health does not directly receive National Data Opt-Out signals; the Customer remains responsible for filtering content prior to submission where opt-outs apply.

7. Children

The Service is not intended for processing of personal data of children under the age of 13 under PECR direct marketing rules, or under the age of 18 in a paediatric clinical setting without appropriate parental/guardian authority obtained by the Customer.

8. Sub‑processors

The list of sub‑processors at /legal/sub-processors applies. UK Customer Content is processed in the EU region today; the sub‑processor list will be updated when UK-resident hosting goes live.

9. Liability and order of precedence

In the event of conflict between this UK Privacy Addendum and the Privacy Notice or DPA, this addendum controls for UK personal data. All other terms of the Privacy Notice and DPA remain in full force and effect.

10. Contact

• General privacy enquiries: [email protected]
• DPA and addendum execution: [email protected]
• Security incidents: [email protected]

Omi Health B.V. — Eindhoven, Netherlands