Effective date: 26/05/2021
We are committed to protecting your privacy and confidentiality.
Information we collect from you
The first step that you need to take to access our products and services is to create an ieso account. Creating an ieso account helps you use and manage ieso products or services you are interested in. However, by simply registering for an ieso account you are not making a commitment to buy any Ieso product or service. These are the Privacy Notices that cover the creation and use of an online account with ieso.
Here we explain what personal information we collect, how it is used, shared, secured, stored, and how you can exercise choices and manage your data. These Privacy Notices reflect legal requirements, regulations, and best practice.
For the purposes of data protection legislation, we are a data controller registered with the Information Commissioner (registration number ZA239229). If you require further information or clarification on anything below, please contact our Data Protection Officer. Full details on how to contact us can be found in section 8 below.
By creating an online account with us, and agreeing to the associated terms and conditions, you will have entered into a contract with us which forms the legal basis for the processing of your personal information in relation to the account creation. If you subsequently purchase or receive any products or services from ieso, we will need to process more, potentially sensitive, personal information, and you will be provided with separate terms and conditions and notices.
We will not sell your personal information.
We reserve the right to change these Privacy Notices from time to time where we have the following valid reasons: to make them easier to read or understand, to reflect changes to the scope and function of your ieso account, our products or services or the technology used to provide them or to reflect changes in law. You shall have accepted those changes if you continue to use your Ieso Account after we have posted any changes to these Notices on our website. Alternatively, we may notify you of changes to the Notices by sending a message to your email address connected with your ieso account. Please read these Privacy Notices from time to time so that you are aware of any changes we may have made.
Information you provide to us when you set up an online account with ieso
Registration information: email address and password
Information collected automatically from your use of your online account
Whenever user experience program participants are required, a query will be sent to the therapy site which will automatically extract personal data from patients who have recently consented to their inclusion in the PEQ. These personal details will be some or all of: name, email address, gender, postcode, age group, diagnosis, and severity (questionnaire scores).
Session activity information - we collect information about you from your use of your account (e.g. when you log on and your activity on the site).
Device information - this includes information about whether you are using the product on a mobile, tablet or computer. This helps us ensure optimisation for relevant different devices.
Log information - we collect technical information such as your Internet Protocol (IP) address (the unique address that identifies your device or computer on the internet), your browser type and when, how often and for how long you interact with your online Ieso account.
Read Section 7 below for further information on cookies.
We use the personal and health information that we receive under our terms with you to:
Enable sign-in, verify access to your account and assist with any log in issues.
We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation, or, for any other reason not set out in this policy unless we have an overriding legal duty to do so.
We have appointed a Data Protection Officer to seek to ensure that our procedures for handling your information meet our obligations.
Information is only shared on a strictly ‘need to know’ basis. Anyone receiving information about you will be under an equal legal duty to keep it confidential. The confidentiality of all information shared between yourself and Ieso is upheld to the highest level possible.
The sharing of information about you without your consent is strictly controlled by law. In exceptional situations therefore we may need to share information without your permission if we are required to do so by law. In such circumstances, we would inform you wherever possible.
Transferring data outside the UK.
We seek where possible to prevent any transfers of your personal information to countries which have not been assessed as having adequate data protection standards.
The European Commission makes the decisions on the adequacy of the protection of personal data in third countries, and has decided that personal data can flow safely between countries in the European Union, the European Economic Area (EEA), and 12 other territories without any further safeguards being necessary. (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en)
Despite leaving the EU, the UK deal enables a continuation of personal data regulations for a temporary period of 6 months, during which time it is hoped the EU will reach an adequacy decision with regards to data flows to and from the UK.
Accessing your account when outside the EEA or another Adequate country is considered a transfer of data to a third country by data protection legislation. It is at your own risk if you decide to access your account whilst you are visiting countries not listed at the web reference above.
We place great importance on the security of personal identifiable information. We have put controls in place to safeguard the personal information that you provide, applying physical, technical and procedural measures against the loss, misuse and alteration of personal information under our control.
All information submitted by you is encrypted in transit using best-practice Transport Layer Security (TLS) with at least 128-bit encryption. All special category data is encrypted using the industry-standard AES-256 cipher.
We have achieved the International Standard certification for information security (ISO 27001), and Cyber Essentials Plus certification.
Remember also that you are responsible for keeping your password secret at all times when accessing your account.
These privacy notices merely cover the personal data required to set up an account with Ieso Digital Health online. For this purpose, we use Auth0, a SaaS (Software as a Service), with whom there is a Data Processor Agreement in place. They store data in the EEA but also in the United States of America, where Standard Contractual Clauses are in place to uphold your legal data protection rights.
The retention period for retaining your email address and password within Auth0 will depend on the products or services you subsequently obtain from Ieso. If you only create an account, we retain your information for 6 years.
Our data retention practices are reviewed at least annually in conjunction with industry standards and best practice.
You can access, update or amend your password and/or email address directly through your account, or if you feel there is an error of fact in your personal information held by us, you can contact us.
Data protection law also includes the right to data portability and to make other requests to seek to erase, object to and restrict personal data processing where certain limited grounds apply. Note however that data processed for health, legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights can be restricted or not apply in practice.
If you need assistance or have an enquiry about accessing, updating or amending your records, or where applicable, about receiving or transmitting a file of the data you have provided please write to:
The Data Protection Officer, Ieso Digital Health,
Jeffreys Building, Cowley Road, Cambridge, CB4 0DS
Or by email, For the Attention Of the Data Protection Officer (DPO), to firstname.lastname@example.org
If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office.
In terms of merely registering an online account at Ieso, we use third party auth0 cookies for reasons including: to store the state of the sign in process; to identify if the user is currently authenticated; and to monitor the fact that a user is logged in and interacting with features.
These typically include a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next logging on.
Computers and mobile devices may automatically accept cookies, but you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of future products and services provided by ieso.
You can also learn more about the use of all cookies on our cookie policies on our therapy site here, our mood and symptom checker here and our company website here.
If you have any questions or comments about these notices, please let us know:
By email: email@example.com (or for technical support questions contact our technical support team: firstname.lastname@example.org)
By telephone: on 0800 074 5560
Or by post to:
Ieso Digital Health, Jeffreys Building, Cowley Road, Cambridge, CB4 0DS
To reach our DPO please use the above details and mark your communication for the attention of the Data Protection Officer.