Privacy Notices for research participants volunteering in ieso’s engagement and acceptability study

[These notices do not govern our collection or use of personal information through any means other than through engagement in digital tool/ product research studies. There are separate, different, more detailed Privacy Notices on our therapy sites relevant to the collection and use of personal data in connection with receiving our online cognitive behavioural therapy (CBT) services delivered by therapists. In addition, there is a separate, different, Privacy Notice on our main website ( relevant to the collection and use of personal data when using our website.]

Research study: Evaluating engagement and acceptability of ieso’s 6-week digital programme for adults experiencing symptoms of anxiety

Approved by NHS West of Scotland Research Ethics Committee (REC).

Ieso Digital Health Limited is committed to protecting and respecting your personal data and privacy.  

These Privacy Notices describe the privacy practices of the Ieso Digital Health group of companies (Ieso Digital Health Ltd, Ieso Digital Health (UK) Ltd and Ieso Digital Health, Inc.) (collectively, “ieso”, “we”, “us”, or “our”), and how we handle your personal data that we collect via participation in our user experience and study programmes and reflect legal requirements and regulations. We are data controllers of your personal data and are registered with the Information Commissioner (registration numbers Z5383093 and ZA239229). If you require further information on anything below, please contact our Privacy team: Full details on how to contact us can be found below.    

Here, we explain what personal data we collect, how it is used, shared, secured, stored, and how you can exercise choices and manage your personal data.

Information we collect

Information we collect from you

As part of ieso’s engagement and acceptability study , we will collect the following information directly from you, including:

  • Answers to any screening questionnaires
  • Consent for the study
  • Messaging between you and the clinician assessing your eligibility for the study via asynchronous messaging on the platform
  • Written conversations when interacting with our digital guide in the app
  • Answers to health questionnaires in-app and outside the app
  • Your feedback/ opinions/ suggestions on some or all of: accessibility of, planning or conducting research activities; product development; experiences of, or attitudes towards, using ieso and/ or other digital mental health products; or experiences of living with mental health concerns. This may be via questionnaires, interaction with digital tools/ products or interviews with researchers
  • Demographic information
  • Summaries of phone calls 
  • Any request to withdraw consent
  • Audio/video recordings of semi-structured interviews (selected participants only) 

To become a volunteer of this study, you will either:

1. Sign up to the study via the website after viewing one of our online adverts, in which case, we will collect additional information, including:

  • Your full name and contact details, including your email address, mobile number.
  • Date of birth
  • GP details
  • Gender; or

 2.        Have been invited to take part in this study having been referred by your NHS provider, or self-referred, to ieso for typed therapy, and having met the initial eligibility criteria for participation. If you are eligible and consent to take part in the study, some of your personal data will be collected from your ieso record

You are under no obligation to provide any information. However, if you should choose to withhold requested information, we may not be able to include you in the research study.

NB – We recognise that participants may include personal data in responses within our digital tools/ products when not necessarily required, so we will treat all responses as personal data for data protection purposes.

Information we collect from other sources

After collecting your demographic information, we will use your postcode to obtain socioeconomic index using publicly available look-up data.

As above, if you were referred to ieso from an NHS provider, some of your personal data will be collected from them via your ieso record.

Information we collect automatically from your use of the app

Certain information is collected automatically from your use of this Service: 

  • Session activity information – we collect information on your use of the app, including when you login, when you start and complete a session, etc. 
  • Event data – this includes how the software has interpreted your responses.  
  • Device and log information – this includes information about the device you’re using, your Internet Protocol (IP) address and IP location.

Inferred Data

As the device uses the information you enter to make a conversational response, the digital tool will collect and categorize your comments to help better support you.

For example, if you tell the digital guide that you are worried about work, that may fit a category of ‘work concerns’ which the digital tool will use to learn how to respond to you in the future. This is known as ‘intent classification’ and ‘machine learning’. 

New data that is collected through this process is known as ‘inferred data’ or ‘profiling’, which is not data you have provided to us directly, however, the digital tool has drawn conclusions from the content of your discussions.

You can ask for information from our Privacy team at  

You always have the right to refuse to submit your personal data to us, but note that without this information, you will not be able to participate in this study.

How we use collected information

We use your personal data to:

  • Assess suitability and eligibility for the study (GP details are required as part of this purpose)
  • Manage and administer the study
  • Communicate with you
  • Understand your responses in the app, see Inferred Data above 
  • For research purposes to aid / improve the development of digital tools/ products to improve user access, user experience, user engagement, or the assessment or treatment of mental health concerns.
  • Notify your GP on your participation in the study.
  • GP details are required for our clinical risk management; if we believe you are at risk to yourself or another individual, we may contact your GP without your permission to help provide you with ongoing clinical support.
  • If you sign up to the study via our website after viewing one of our online adverts or through an email, we will use your information to create your account with ieso. 
  • If you consent in any feedback surveys or, agree to take part of a user research interview, we may use your free text/verbal responses externally. This will not be linked to you directly and any selected quotes will not include your personal data. This will never include your conversations with our digital guide.

Online interviews may be recorded (audio or video), with your consent, as a record of fact to revisit when writing up findings.

We are passionate about learning from data by conducting high-quality scientific research, including the use of machine learning, natural language processing (NLP) and artificial intelligence (AI), to inform product development, and ultimately improve outcomes and help more people get treatment earlier. We have internal procedures in place to safeguard your privacy so that only the minimum necessary information is used to conduct the research on the most de-identified data possible, including anonymisation where possible. 

How your personal data is processed by artificial intelligence

The ieso programme is a smartphone app that you can engage with for help with your worries. It uses automated text chat to help people who might not be able to access other care, or people who may be waiting for therapy services to start. It provides tools and techniques to help with difficult feelings. So that the app responds in an engaging way with more personalised responses to the inputs that you provide, we use some artificial intelligence techniques, including machine learning and large language models. However, all of the content in the app that helps users to deal with their worries has been written exclusively by our trained therapists, and the app makes no autonomous decisions about what elements of this therapist-written content is provided.

If you have any questions, please contact us at

Legal basis for processing your personal data

We use your Personal Data only as permitted by law, for the purposes for which we collected it. Under the UK General Data Protection Regulations, the processing is legally permitted under Article 6 (1) (f) legitimate interests. You may withdraw from the study up until database lock, which will be within 4-6 months of our recruitment start date. Where you consent to publishing quotes externally, this will be processed under Article 6 (1) (a) consent.

We will process special category data during your interactions with us under Article 9 (2) (j) - scientific research. 

Sharing your information

ieso works hard to ensure that only the right people have access to your personal data, we have internal procedures in place to safeguard your privacy and anyone within ieso receiving information about you will be under an equal legal duty to keep it confidential. 

Within ieso, your data collected during this research study will be available to researchers, data scientists, and clinically qualified advisers on a need to see basis, dependent on their specific role and as deidentified as possible. Your personally identifiable information is only accessible to the team managing the study, clinicians involved in your assessment and eligibility check, as well as our Patient Services team for administrative purposes. If you are invited and consent to be in our user experience sub-sample,  our user researchers will also have access to your personally identifiable information.

Outside of ieso, if you were referred to ieso via an NHS service, we will update NHS Digital and your NHS Talking Therapies service provider with your questionnaire scores, and your local NHS Talking Therapies service with your clinical notes, see Therapy Site privacy notice here.

We share your personal data with Mayden House, provider of the iaptus patient management system (used by over 200 NHS customers and vetted by ieso), to store your research record and for the development and maintenance of this service.

We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation (including your GP, when applicable), or for any other reason than those set out in this policy without your knowledge or permission, unless we have an overriding legal duty to do so. 

Transferring your data outside the UK

We seek where possible to prevent any transfers of your personal information to countries which do not have adequate data protection standards. However, It may sometimes be necessary for subsets of information to be stored in well-known SaaS (Software as a Service) providers, see section below on “How we store your personal data”.  

The UK Information Commissioner makes decisions on adequacy of the protection of personal data in other countries and we have selected providers located in countries that the Commissioner has approved or, where the provider is based in a country that hasn’t received adequacy, have used safeguards that mean the transfer is lawful and appropriate.

How we secure your Personal Data

We place great importance on the security of personal information. We have put controls in place to safeguard your personal information, applying physical, technical and procedural measures against unauthorised access, loss, misuse and alteration of personal information under our control. 

We use deidentified data for research where possible, we limit access to your personal data to those who have a genuine reason to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. 

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. 

We have been certified under the International Standard certification for Information Security (ISO 27001) since 2017, and maintain the Cyber Essentials Plus certification. 

How we store your Personal Data

ieso’s headquarters are in the United Kingdom (UK), and your personal data is stored securely in the UK and managed by ieso. Until our change of patient management system is complete, the storage will be hosted by Microsoft Azure; after a successful integration and migration stage, your data will be stored in the iaptus patient management system which is hosted by Amazon Web Services (in the UK). We have a Data Processor Agreement with Mayden House who develop and own iaptus. As detailed in the Security section of this Privacy Notice, such information is stored in an encrypted state, both in transit and at rest.

We may also use a small number of well-known SaaS (Software as a Service) providers (for example, to host questionnaire responses) to store smaller subsets of your information and enable the uses of information described in these notices , and if this is the case we will have/ put in place Data Processor Agreements with each. Where possible these providers store the data in the UK or EEA. If these are located outside the UK / EEA we ensure they are either party to an adequacy decision or have in place one of the additional safeguards necessary to make the transfer such as Binding Corporate Rules or Standard Contractual Clauses (with additional technological and organisational controls as necessary or appropriate) to uphold your legal data protection rights.

How long we retain your Personal Data

Research records and data are kept for up to 20 years in accordance with NHSX Records Management Code of Practice and/ or best-practice recommendations for research, except for video and audio recordings of user feedback, which will only be retained for up to 4 weeks. 

If you’re deemed ineligible for this study, we will retain your information for billing and data quality purposes, and will anonymise or delete your data within 1 month after the study closes. 

A list of those who have opted out of involvement in all user experience communications and research projects will be held perpetually to ensure no further contact.  

Your data protection rights

Data protection legislation provides with the following rights that ieso is committed to supporting you with: 

  • The right to be informed; 
  • The right of access; 
  • The right to rectification; 
  • The right to erasure; 
  • The right to restrict processing; 
  • The right to data portability; 
  • The right to object; and 
  • Rights in relation to automated decision making and profiling 

Several of these rights are not absolute, however, and restrictions may apply with respect to research exemptions where exercising such right would prejudice the study. For example, your right to access and/ or to rectification may be restricted insofar that your data has been anonymised, isn’t linked to you, or has been erased. Your right to rectification, and other rights, may be restricted once the database has been locked. If you’d like further information or to exercise your rights, please contact our Privacy team.

For more detailed information on your rights visit

Withdrawing from the study

If you wish to withdraw your data, you are free to do so until database lock at the end of the study. This will be within 4-6 months of our recruitment start date.


We use cookies or similar technologies such as device IDs, pixel tags and web beacons (collectively described here as 'cookies') to collect information about the access to and use of the ieso therapy site, but not the app. These typically include a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the Site or using the Service and that sometimes track information about a user.

The therapy site only uses necessary cookies. Click here for the therapy site Cookie Policy.

Computers and mobile devices may automatically accept cookies, but you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of this study or future products and services provided by ieso. 


Questions, comments and requests regarding these privacy notices or data protection should be addressed to our Privacy team 

Changes to these Privacy Notices

We reserve the right to change these privacy notices from time to time. If the change affects the way we process your personal data, then we will notify you by reasonable means. By continuing to volunteer after this notification, you confirm your acceptance of this revised privacy notice.

These privacy notices are effective from January 25th, 2024.

Changes to your Personal Data

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during this relationship with ieso.

The ieso programme app is available to use and download now

Alternatively, if you would like to find out about other mental health support options available in your area, visit the NHS website here.