For the iesohealth.com/en-gb site (“Site”) and direct marketing/ business development emails
[N.B. There are separate, different, more detailed Privacy Notices on our therapy sites relevant to the collection and use of personal data in connection with receiving our online cognitive behavioural therapy (CBT) services, and further sets for the US website, employees, therapists and PWPs, UX participants, consultants, recruitment purposes and the therapist training site.]
Ieso Digital Health Limited (”We”) are committed to protecting and respecting your personal data and privacy.
These Privacy Notices cover personal information processing of data collected via the Site and/ or direct marketing/ business development emails, and reflect legal requirements and regulations. Here we explain what personal information we collect about you, how it is used, shared, secured, stored, and how you can exercise choices and manage your data. For the purpose of data protection legislation, the data controller is Ieso Digital Health Ltd of The Jeffreys Building, Cowley Road, Cambridge, CB4 0DS, registered with the Information Commissioner (ZA239229). Under the General Data Protection Regulations the different purposes of processing your data are legally permitted under Article 6 (1) (a) consent, Article 6 (1) (b) contract or Article 6 (1) (f) legitimate interests (Where the legal basis of the processing is Legitimate Interests, a legitimate interests assessment has been carried out and the legitimate interests identified as being able to inform existing customers about changes in the service, our attendance at conferences etc, or to make potential new customers aware that services/ opportunities to meet us exist (including within the NHS where there is public interest in individuals having access to services that support them with their mental health needs), to provide answers to questions posed by website visitors), or information to potential investors, business partners and/ or collaborators.
Information we collect
Information we collect from you
- When you check your eligibility for our service – date of birth and postcode. If you are eligible for our self referral service then you can also enter other information to proceed to our therapy site - email address, mobile number, password and answer to a security question
- If ineligible but you consent for us to hold your information to let you know if / when the service does become available to you – first name, email address
- When you complete the contact form on the Site – name, email address, company name if relevant, and your free-text message
- Where you are invited to access a specific form located on our site/ marketing automation system (by URL provided in a letter for example) – information collected is dependent on the form but may include your email address, reference number, date of birth, postcode, name, information preferences
- When you reply to a direct marketing communication – requests to unsubscribe and communication preferences, which are maintained alongside your identity and contact data
- When you email/ complete a bespoke online contact form as a potential investor, business partner or collaborator – your name, contact details, company name if relevant, and any other personal details you choose to share with us in the communication
- When you give us your details in person at a conference for example – usually name, email and job title
You are under no obligation to provide any such information. However, if you should choose to withhold requested information, we may not be able to provide you with certain services/ information.
Information collected automatically from you as a result of your interactions with the Site
- Unique system reference number
We do not collect any personal information from you on this site if you click on ‘Career opportunities’ or ‘Become an Ieso therapist’. In these instances, you are delivered to our recruitment site which has its own set of privacy notices and you personal details are collected there.
Information we collect from other sources For the purposes of direct marketing we may collect your identity and contact data including title, name, job title/ function, the organisation you work for or are engaged by, email address, telephone numbers, address from:
- The internet
- Purchased lists from GDPR compliant providers
How we use collected information
- To provide you with information about whether our service is available to you and if so, how you can register.
- To inform you when or if you become eligible for the service
- To evidence your consent where applicable
- To understand where new services are needed
- To respond to your messages delivered to us via the contact section of the Site and provide any information requested
- To action any request you make via an online form, for example to set up an account, or to contact you by phone or email if further information is required as a result of your completion of one of these specific forms
- To add to our customer relationship management and marketing automation systems where you are (or are potentially) a procurer of our services or a (potential) investor, business partner or collaborator, and it is our business development, product development, research, or senior leadership teams who are best placed to provide the information you have requested or to respond to your message
- For other direct marketing purposes where the method of communication depends on the relationship we have with you, any known preferences, and/ or our legitimate interests, where a legitimate interests assessment has been completed (e.g.s: relevant corporate 3rd parties such as HR directors; patients who registered an interest in treatment but did not reach account activation)
Sharing your information
Ieso takes care to ensure that only the right people have access to your personal data. We have internal procedures in place to safeguard your privacy and anyone within Ieso receiving information about you will be under an equal legal duty to keep it confidential.
If you require information requested via our ‘contact us’ website forms, or by email, that is best answered by our PR agency (with whom we have appropriate confidentiality and data protection agreements), your contact details will be passed to them to respond.
We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation or for any other reason than those set out in this policy without your knowledge or permission unless we have an overriding legal duty to do so.
If you are an individual representing an organisation for whom our company or services may be, or already are, of interest and are added to our customer relationship management system and or marketing automation system, then we may contact you in line with our marketing and business development communications protocols and Legitimate Interests Assessment for purposes such as informing you about Ieso services or attendance at conferences etc, and where we offer you the option of opting out of such communications.
In the event that we undergo re-organisation or all or a part of our business is sold to a third party, you agree that any personal information we hold about you may be transferred to that re-organised entity or third party, whether such acquisition is by way of merger, consolidation, or purchase of all or a portion of our assets, or in connection with any bankruptcy or reorganization proceeding brought by or against us.
We may disclose aggregate statistics about visitors to the Site in order to describe our services to prospective partners and other reputable third parties and for other lawful purposes, but these statistics will include no personally identifiable information.
Transferring data outside the UK
We seek where possible to prevent any transfers of your personal information to countries which do not have adequate data protection standards.
The European Commission makes the decisions on the adequacy of the protection of personal data in third countries and have decided that personal data can flow safely between countries in the European Union, the European Economic Area (EEA), and 11 other territories without any further safeguards being necessary. (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en).
Transfers outside these areas are only made when the data is stored/ processed by the SaaS providers we use – see ‘How we store your personal data’ below.
How we secure your personal data
We place great importance on the security of personal information. We have put controls in place to safeguard your personal information, applying physical, technical and procedural measures against unauthorised access, loss, misuse and alteration of personal information under Our control.
We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We have achieved the International Standard certification for Information Security (ISO 27001) and maintain the Cyber Essentials Plus certification.
How we store your personal data
We use a small number of well known SaaS providers to store your information and we have Data Processor Agreements in place with each. These providers either store the data in the UK or EEA or have in place Binding Corporate Rules, EU-US Privacy Shield self certification, or EU Model Clauses to uphold your legal data protection rights.
If we are keeping your contact details to inform you of the service becoming available to you, we will ask you at 5 year intervals whether you wish us to continue doing this. (You can let us know that you do not want us to continue to do this at any intervening time.)
If you are in a self referral area and begin the referral process on this Site, your personal details will form part of your health record which we retain as a resource that you can return to at any time you wish. This can help you remember coping strategies, techniques or processes that you learnt in therapy. If you were to experience a setback between sessions or after you’ve completed treatment you may find it useful to refer to your therapy transcripts and messages. Also, if you were to require further therapy sessions at any time in the future, your therapists would be able to access all your therapy notes. We retain your clinical record by reference to the IGA Records Management Code of Practice for Health and Social Care guidance for managing health records https://digital.nhs.uk/information-governance-alliance and to support our legal obligations to be accountable for your care.
If you have sent a contact message via the website or a direct email, the retention periods for your personal information will vary. We will consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of it, and any applicable legal or regulatory requirements.
Our retention practices are reviewed at least annually in conjunction with industry standards and best practice.
Your data protection rights
Data protection law provides you with rights that Ieso Digital Health is committed to supporting you with:
Right to Access
You have the right to obtain:
- confirmation that your information is being used, stored or shared by the company
- a copy of information held about you
- If you only require only a particular part of your record, tell us and this can reduce the time it takes to provide it
- We will respond to your request within one month of receipt or will tell you when it might take longer.
- We are required to validate your identity including the identity of someone making a request on your behalf
If you feel there is an error of fact within your personal details held by us, please contact us. If we agree the information is incorrect, the alteration will be made, but if we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate, and you will be notified of either the correction or the note.
Data protection law also includes the right to make other requests to seek to erase, port, object to and restrict personal data processing where certain limited grounds apply. Note however that data processed for health, employment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights may be restricted or not apply in practice. Where the legal basis of the processing is Legitimate Interests and the activity is direct marketing, the right to object is absolute.
For more detailed information on your rights visit https://ico.org.uk/for-the-public/.
If you need any assistance in these areas, please contact our Data Protection Officer.
A cookie is a small data file stored by your browser on your device's hard disk for record-keeping purposes and typically includes a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the same site.
Session cookies are stored only temporarily during a browsing session and are deleted from the user’s device when the browser is closed; Persistent cookies are saved on your computer for a longer, fixed period and are not deleted when the browser is closed and are used to remember you when you visit the website again; and Third party cookies are set by a different organisation to the owner of the website you are visiting. They might include cookies set for website visitor analytics or embedded content, for example Google Analytics. You can opt-out from the collection of this information by Google by downloading and installing a browser plug-in at https://tools.google.com/dlpage/gaoptout.
Most computers and some mobile devices will automatically accept cookies but, if you prefer you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the Site.
Any third-party websites you access because of your role as an employee of Ieso will be covered by their own cookie policies, which should be easily accessible on their sites, and are not the control or responsibility of Ieso.
Questions, comments and requests regarding these privacy notices or data protection should be addressed to our Data Protection Officer (DPO): Helen Simpson firstname.lastname@example.org
Changes to these Privacy Notices
Changes to your personal data
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Third Party sites
Our site may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.