Privacy Notices for NHS patients accessing ieso Therapy Services

Summary of changes to these Privacy Notices:

Introduction of counselling treatment to ieso services for eligible patients
Further clarified the legal basis of processing
Update on data sharing with Scottish Healthboards Cookie description updated
Cookie description updated

Effective Date: Thursday 30th January 2025

We are committed to protecting your privacy and confidentiality.

We have never, and will never, sell your personal data.‍

Introduction

These Privacy Notices describes the privacy practices of Ieso Digital Health (UK) Limited and our subsidiaries and affiliates (including Ieso Digital Health Limited and Ieso Digital Health, Inc.) (collectively, “ieso”,“we”, “us”, or “our”), and how we handle your personal data that we collect through the provision of Cognitive Behavioural Therapy and Counselling services delivered via either typed or video modality, and which is provided online through iesohealth.uk (the Site) as well as through other activities described in this Privacy Notice, such as our research and product development activities. Collectively, these form the Service. These Privacy Notices do cover the offering of our digital programme but do not cover their use. If you take up the offering of our digital programme, an additional privacy notice will be provided to you. We are data controllers of your personal data and are registered with the Information Commissioner (registration numbers ZA239229 and Z5383093). If you require further information on anything below, please contact our Data Protection Officer via privacy@iesohealth.com. Full details on how to contact us can be found in

section 9 below.

We understand that privacy is important to you, and we want to assure you that we take it seriously. Occasionally, we may need to up date our Privacy Notices to reflect changes in our services or legal requirements. When we do so, we’ll make sure to clearly communicate any material changes, viaa pop-up modal which will appear when you next log into your account following a change in policy. As always, your continued use of the Service after any update indicates that you have acknowledged the updated Privacy Notices.

‍Our responsibilities to you

‍We understand that the privacy and confidentiality of all the personal data you provide, especially the verbatim records of therapy sessions, is important to you, and our internal policies and procedures reflect this and the need to share the minimum information necessary. Please read this document carefully to understand how we protect your information.

‍What these Privacy Notices cover

‍These notices explain how ieso collect, process, store, share and secure your personal data, and how you can exercise your rights and manage your personal data.

1. Information we collect about you

To provide our Services, we need to collect data about you from yourself, your clinician, other organisations (such as your GP or local NHS Service), and automatically from your use of our Services.

A) Information you provide to us directly:

• Registration information – When you register, we collect contact information such as your name, date of birth, email address and mobile number. We also collect information to authenticate you as an eligible patient, such as your NHS number(or CHI number if your registered in Scotland), GP details and address.

• Demographic information – We collect information about you so we and the NHS can build a picture of the Services we deliver to different groups of people, monitor the quality of our standards (including by monitoring for potential bias and improve fairness. For example, to detect and mitigate accessibility barriers, or bias within our service delivery), and to ensure sufficient services are delivered to local communities. These questions include a ‘prefer not to say’ response so they’re voluntary to answer and do not impact on the quality of your care.

• Assessment information – Like the NHS, we collect information using standard patient assessment questionnaires to understand your clinical needs and build a treatment plan. Assessment information can include your experiences and how you are feeling, as well as your medical history, lifestyle, family, work and education.

• Delivering treatment – Like the NHS, we collect information whilst delivering treatment to you, including your conversations with your clinician inside and outside therapy, that are either written or in video (video sessions are converted into audio recordings to minimise the data we hold) appointments, and clinical questionnaires. You’re able to access your verbatim record at any time, to reflect on your treatment and care delivered to you. If your clinician believes it is necessary, they may put a risk management plan in place to help keep you safe, and they may ask you for next of kin details if appropriate.

• Additional information required by the NHS – We provide our Services on behalf of local NHS Services in England and nationally in Scotland, and they may require additional information to be collected or asked. For example, some NHS Services offer their patients employment support, so we may ask you this which is voluntary to take up.

• Your queries and comments – We collect information about you and your query, comment or complaint, for example, a question about our service or request for technical support. This may be shared with relevant teams who can answer your questions or address your comments.

You always have the option to refuse to submit personal information to us; however, without this information, we may not be able to provide you with our Services.

B) Information we collect about you from other sources, such as your referring provider:

• Referral information – If you are referred to ieso by your local NHS Service or by your GP, they will provide us with your name, date of birth, address, mobile number, demographic information, consent option to receive voicemails, email address, NHS number, reason for referral and any relevant information notes or questionnaire scores. NHS numbers may be obtained directly from the central NHS system, or your CHI number will be obtained directly from your GP if you reside in Scotland.

• Therapist notes – At the end of each session, your clinician will write a brief clinical summary of the session. These are usually shared routinely with your NHS Service who funds your treatment. (This does not include your verbatim records, which aren’t shared externally except in exceptional circumstances, such as in a serious clinical incident or when required by law).

• Supervision notes – Your clinician may share some of your details with their supervisor

(See section 2 below)

for feedback and/ or advice. Where this affects the treatment you receive, this will form part of your health record.

• Aggregated Demographic information – Other than demographic information collected directly by your or your referrer, we collect publicly available information that is aggregated and enables us to understand anonymous health and demographic information at a postcode level.

C) Information collected automatically from your use of the Services, such as from your device or by participating in sessions:

‍

Session activity information – we collect information about you from your use of the Service. (E.g., when you log on or join a session etc.)
Device information – this includes information about whether you are using the service on a mobile, tablet or computer. This helps us understand how people interact with our service so that we can ensure the Service is optimised for different devices.
Log information – we collect technical information such as your Internet Protocol (IP) address, (the unique address that identifies your device or computer on the internet), your browser type and when, how often and for how long you interact with the Service.

See here or

read below for further information on cookies

2. How we use collected Personal Data (including sharing within ieso between group companies, and with our contracted therapists and psychological wellbeing practitioners)

We use your Personal Data to ensure that we provide you with the best possible treatments, both now and in the future. We have appointed a Data Protection Officer and Caldicott Guardian to ensure that our procedures for handling patient information and requests meet with our obligations.

‍
To provide you with high-quality and tailored care, we use your Personal Data to provide this Service:

A) During your referral into our Service, determine your eligibility and deliver therapy, to:

‍

Enable account creation and sign-in – We use email address, password and mobile number to create you an account to login to your record and we will assist with any issues you may experience regarding this.
Assess your eligibility and suitability for our Service – We use your information to assess whether you’re eligible for our Service by ensuring you reside in an area where we’re contracted with an NHS Service to treat, you’re over the minimum age as agreed with the NHS Service, and are not a currently serving member of the British Armed Forces (please note, if you’re a serving member of the British Armed Forces, you’re able to receive priority mental health support directly from the British Armed Forces).

Your suitability is subsequently considered to ensure your clinical needs are treatable by ieso. For example, we provide services for mild to moderate mental health conditions, so if your condition is more serious, we will refer you back to the NHS Service who referred you or would’ve funded your treatment, or potentially, to a secondary care provider with your consent.

Provide you with different support options (where applicable) – Whilst we commonly deliver typed or video therapy, we may offer eligible patients the option to receive support via available digital programmes in the future. In these circumstances, we may use your information to ascertain suitability and to offer you a digital programme to complement your typed or video CBT, or as an alternative altogether.
Assess your treatment needs – If you self-referred to ieso, we will start your treatment journey by assessing your treatment needs to better tailor your treatment.
Provide your treatment – Your clinician will use your information to support your treatment and evaluate your progress, including messaging to arrange sessions, conducting sessions, assessing progress against treatment goals and maintaining your record. It’s your choice to decide what to share with your clinician, but the more information that your clinician has, the more likely it is that they will be able to provide you with highly effective and tailored treatment.
Your session may take place via typed or video modality, depending on the agreement with the NHS Service that funds your treatment. Where your session takes place via video, the recording will be converted to audio and retained.‍

Support your clinician with supervision – It’s good practice, and in many cases, a requirement for therapists to receive clinical supervision. This is required for therapists registered with the BABCP. Subject to appropriate safeguards, some of the details of your case may be shared in your therapist’s routine clinical supervision with their Clinical Supervisor, if they wish to obtain advice or assurance on the work you are doing together. A Clinical Supervisor is a therapist who has received additional training and is generally more experienced than the therapist. This is to ensure that the therapy you are receiving is the most helpful it can be and remains faithful to best practice evidence. Clinical supervision includes case discussions (and may include referring to messages/ transcripts/ audio recordings) either individually or within a group of therapists, all of whom are bound by confidentiality. Pseudonymised information is used rather than directly identifiable information where possible (e.g. use of case reference number rather than names.

Provide employment support (voluntary) – If an employment assistance programme is available in your area and your NHS Service asks us to, we will offer you the opportunity to speak to an employment assistance specialist which is entirely voluntary. The employment assistance programme may provide an additional privacy notice regarding their specific data practices.
Resolve technical issues – If we detect a technical issue, or you or your clinician reaches out for support with a technical issue, we will use the minimum information necessary to resolve the issue. This may include ieso-employed engineers responding to you directly if you email our support team.
Maintain your health record – From registration, we will maintain a record of your assessment and treatment, to help us maintain an accurate, accountable and effective service to you and our NHS Services.

Protect your information – We maintain a secure, confidential and safe environment to ensure the security of your personal data, including:
Securing staff and patient accounts with multi-factor authentication;
Authenticating user access controls to the Services;
Restricting staff access to limited data on a “need to know” basis with oversight of our Caldicott Guardian and Privacy team.
Continuously reviewing, and providing support to, our clinicians to ensure we continue to meet quality standards and developing learning/ training programmes;
Administering our professional compliance duties and obligations;
Providing specialist training to all staff annually, including training on the GDPR and NHS Data Security. Staff in patient facing roles receive additional training on health confidentiality; and,
Obtaining certification for ISO 27001 for Information Security and Cyber Essentials Plus, both of which require annual external audit. Additionally, we self-certify annually for the NHS Data Security and Protection Toolkit.

B) We will also use your Personal Data to communicate with you:

‍

By email, phone and SMS – We will contact you about your treatment, including for example, to book appointments, to remind you about appointments and to notify you when you’ve received a message from your clinician outside an appointment. We may also contact you to retrieve missing information. Occasionally, we may look to improve engagement and will contact you in different ways – these will always be related to your care, for example, to contact you to remind you to complete registration or incomplete questionnaires.
By leaving voicemails – If you’ve consented, we will leave a voicemail on your device.
Assessment and/ or discharge letters –After your treatment ends, and additionally after your assessment session, if you’re assessed by us, we will send you and your GP a brief summary of your experience. By default, this is sent electronically but may be sent via post if electronic sending is unavailable. ‍
For feedback and to check on your wellbeing –We may also contact you after you’ve completed treatment to ask for feedback and to check on your wellbeing.

‍To provide you with opportunities to improve or raise awareness of ieso’s mental health services –We may use your contact details to ask if you would be interested in helping raise awareness of ieso’s online therapy and/or to share your thoughts and feedback to help shape and improve our service. We might also use your presenting problem and demographic information to ensure we contact a diverse and representative group of people. When we contact you about such opportunities, your involvement/ participation will be entirely voluntary, and your choice would not impact the quality of your care; and we will provide you with different privacy notices that outline how your personal data will be processed for that specific opportunity, which you can freely decline if you so choose.
To let you know of any research studies/ user experience projects for which you may be eligible – We may contact you about trials, studies or projects for which you may be eligible, to see if you’re interested. This is entirely voluntary, and your choice does not impact on the quality of your care.

C) To meet NHS and legal requirements, we will use your Personal Data to:

‍

Uphold the National Data Opt-out in England – In England, patients can exercise their national data opt-out preference to opt-out of research opportunities. We will use your NHS number to check your opt-out preference and act accordingly. If you reside in Scotland, you can opt out directly with us but this won’t take effect for all NHS services (See Section 6 for more information).
Investigate queries from our NHS Services – We may process your information in response to a query or complaint from any NHS or governmental service.

D) To improve our Service and to develop new services, we will use your Personal Data to:

At ieso, we believe that everyone should have access to effective mental healthcare, when and where they need it. We want to make therapy as good as it can be – so that everyone receives the support that is right for them, first time.

We do this by providing types of therapy that already have a strong evidence base to show that they work. We then invest heavily in research to understand how to make therapy as effective as possible, for as many people as possible.

By analysing patterns in the minimum, aggregated, de-identified data from thousands of patients, sometimes using machine learning, natural language processing and large language models, our scientists and clinicians can learn how our patients’ treatment outcomes relate to the therapy they are given. This enables us to discover more about the causes of mental health conditions, why different people respond better to different types of therapy, and to track treatment progression (e.g. flag when a patient deviates from an expected path of recovery and may need extra/ different assistance/ care, or flag when a therapist may need extra supervision). We use this information to make our existing products and services more effective, and to develop new ones, which may include developing or finetuning models.

We are committed to being transparent about how we collect, use, retain, share and protect patient data for treatment and research, so that you can understand the benefits and risks, and make informed choices about how your data is used.

For any research studies, we will determine whether or not you are eligible and suitable for participation in one of our research studies. ieso are a data-driven, research-orientated company who passionately believe in responsible innovation to increase the understanding of mental health, improve treatments and widen access to treatment, and our team may review your Personal Data to identify participants.
Participation is entirely voluntary, and your choice does not impact your quality of care.
For retrospective research/ service evaluation, improvement and development/ new product development. Wherever possible we use a secondary database from which we have removed anyone who has an opt-out in place, and which has been effectively anonymised so that our researchers will not be able to identify the individual from whom a piece of data originated.

[We use an opt-out consent model in line with the National Data Opt out. If you'd prefer for ieso not to use your information for anonymisation and future research purposes, please exercise your opt-out preference here].

We may also work with reputable academic and research organisations or individuals to support our mission, including by sharing deidentified or anonymised information that can’t be linked to you, and within the constraints of strict contracts with partners.

‍

Legal basis for processing your Personal Data:

Whenever we use your Personal Data, we do so with a recognised “legal basis” under Article 6 of the GDPR. As our Services are provided under the Terms and Conditions, we process most of your Personal Data under the contract lawful basis, which means we process your Personal Data to fulfil our contract obligations to you.

We also process Personal Data that is sensitive, such as your health and demographic information, which requires additional protection under the GDPR, including an additional but separate basis under Article 9 of the GDPR. As out Services are provided to provide healthcare, our Article 9 basis is the provision of healthcare, unless stated otherwise in brackets below:

For delivering treatment, including communicating with you, we rely on contract.
For standard information sharing with GPs we rely on Public Task.
For referrals for secondary care, we rely on consent.
For safeguarding and the NHS minimum data set information, we rely on legal obligations, under the Health and Social Care (Safety and Quality) Act 2015.
·For sharing information with an employment assistance service, we rely on consent (Article 9 condition is explicit consent).
For sharing information with the emergency services when consent isn’t possible, we rely on vital interests (Article 9 condition is vital interests).
For providing medical information to your solicitor, we rely on consent (Article 9 condition is explicit consent).
For upholding the NHS National Data Opt-outs in England, we rely on public task.
For processing your information rights requests, we rely on legal obligation within GDPR (Article 9 condition is establishment, exercise or defence of legal claims).
For processing Sopenas and Court Orders from the authorities such as the Police, we rely on legal obligation within GDPR (Article 9 condition is establishment, exercise or defence of legal claims).
For the retention of your health record when treatment has ended, we rely on legitimate interests. Our legitimate interests are to enable us to meet our legal and contractual obligations (Article 9 condition is establishment, exercise or defence of legal claims, and may be of benefit to you to refer to previous advice given) .
For processing demographic information to monitor our services, including monitoring for bias and discrimination, seeking to improve fairness and to report to the NHS as required, we rely on legitimate interests. Our legitimate interests are to enable us ensure the services we provide are fair and free from bias and discrimination, and also to report to the NHS. (Article 9 condition is establishment, exercise or defence of legal claims.)
For service transfer. In the event that your NHS Service intends to transfer all or part of its NHStalking therapies programmes to a new provider, we will be under legal obligation to share certain information with the new provider to assist the NHS Service and any new provider with continuity of provision for you.
For research and service analytics, such as service evaluation, improvement and development, where we have used deidentified data rather than our anonymised database, werely on legitimate interests. Our legitimate interests are to enable us to improve our services and develop new ones, to improve the accessibility to, and delivery of, high quality mental health support, products and services. (Article 9 condition is sometimes scientific research rather than provision of health care).
For any other information held in establishment or defence of a legal claim or complaint, we rely on legitimate interests.

As part of our commitment to you and future patients, we are committed to continued improvement and development. Research supports us to provide you and all our patients with high-quality evidence-based care and products/ tools, and to help more people get treatment earlier. We publish findings (which only ever include aggregated and deidentified data) in peer reviewed scientific journals, satisfying the legal basis of the special category data processing being necessary for scientific research purposes, which we use for a subset of our research activities.

3. When we share your Personal Data

We appreciate and respect that the confidentiality of your treatment is of the utmost importance to you. That’s why we share informationon a strict need-to-know basis, and anyone receiving information about you will be under an equal legal duty to keep it confidential.

In delivering the Services to you, your Personal Data maybe shared with:

A) Health services and support
‍

‍Your NHS Service and / or your GP – It’s essential that for us to work closely with other NHS services involved in your care, including your local NHS England Service, Scottish Healthboard and / or your GP, to deliver safe, effective and accountable care.
‍
- ‍NHS Services – Your treatment is funded by your local NHS England Service, and we routinely update their patient management systems with your information (your appointment details, questionnaire scores, your clinician’s summery, referral information and correspondence) and treatment. This is irrespective of whether you're referred to our service or self-referred. (Please note, very few of our NHS England services do not maintain a PMS to update; under these contracts, information is not routinely shared with the provider, but we do submit the Minimum Data Set statistics to NHS England. If you're not suitable for ieso, we are required to share your information with the NHS England provider who would have funded your treatment). Your verbatim record (written or audio) is not routinely shared with NHS England providers, except in serious clinical incidents.
- Scottish NHS Healthboards (Patients who are registered with a Scottish GP and referred to ieso) - Your treatment is funded by your local NHS Healthboard and we send them fortnightly reports with your information. This includes your start and finishing clinical scores, session information, discharge reason, start and finish dates, treatment journey. We also share your CHI number so they can identify your information, this is done through a secure NHS email which has end-to-end encryption so there is reduced risk to your data. This is not applicable to patients who have self-referred unless consent has been obtained during therapy from the treating therapist. Your verbatim record (written or audio) is not routinely shared with NHS Scotland Healthboard providers, except in serious clinical incidents.
- Audit meetings – Some NHS Services require audit meetings to review feedback, which may very occasionally include the joint viewing of/ listening to specific verbatim records of sessions or messaging relating to investigations as a result of a serious clinical incident or significant complaint.‍
- Referral back to your NHS Service referrer or the NHS Service who would have funded your treatment if you self-referred – If we refer you back to your NHS provider, or the NHS provider who would've funded your treatment if you self-referred and aren't suitable for our service, we will provide them with a summary of your condition and the treatment we provided.‍
- For billing – We share pseudonymised information with the NHS provider that funds your treatment to enable billing.‍
- Your GP – to comply with expectations of our NHS payors we will notify your GP at assessment and discharge, which will comprise a brief summary of your assessment or treatment delivered. We will also share information with your GP in exceptional circumstances such as when we consider that you’re at risk of harming yourself or others. Please see Section 3 for more details.

Referral Tool – We aim to provide services that are accessible and engaging, so we use a third party front door solution provided by Wysa which enables patients to have a greater referral experience. This sharing will be limited and temporary, and it will include the information we need to onboard and triage you. You can find further information on Wysa here and in their Privacy Notices linked here.
NHS Secondary Care Services – Our service is designed for those with mild to moderate mental health conditions, so if we believe that more specialist care is required for a severe or long-enduring mental health condition, we will discuss this with you. If you consent, we will refer you to a psychiatric-led secondary care service, and we will share your health information with them.
NHS England (Patients who reside in England only) – Your treatment is funded by the NHS so we’re required to provide a specified set of data (the Minimum Data Set) to NHS England, who will use this data to understand how services are delivered in England. This includes your NHS number, gender, age and ethnicity. Please note, all reports published by NHS England are aggregated so your information will never be made publicly available.
Employment Assistance – If an employment assistance programme is available in your area, and your local NHS Service asks us to, we will offer you the opportunity to speak to an employment assistance specialist which is entirely voluntary. If you consent to a referral, we will share your basic contact details, presenting problem, GP details and some demographic information with the employment support assistance programme.
Maintaining our patient management system – Like the NHS, we maintain a PMS that records your information the treatment we deliver, which without, we wouldn’t be able to provide you with our service. Our PMS is iaptus, a system developed and hosted by Mayden House Ltd, which is trusted by many NHS Services. Acting as ieso’s Processor, Mayden will maintain health records on behalf of ieso and in accordance with our very strict instructions, including regarding its security, storage within the UK, and to enable streamlined sharing of data between ieso and your NHS Service, for development and maintenance of iaptus, and also to anonymise for research on aggregated data across providers. Your verbatim records (written or audio) are not stored on iaptus – these records are stored internally at ieso.
Service Transfer – Our Service is provided to you on our contract with your local NHS Service. If your NHS Service intends to transfer all or part of its NHS talking therapies programmes to a new provider, we will be under a legal obligation to share certain information with the new provider to assist the NHS Service and any new provider with continuity of provision for you. We will comply with our legal obligations when sharing such information.

B) Outside the normal course of providing our Services

If we ask you whether you would be interested in helping us raise awareness of ieso’s online typed therapy or to share your thoughts and feedbackto shape our service, for example, and you consent, we will use your contact details to provide you with more specific information. We may also use your demographic information to assess how we are performing in reaching a diverse and representative group of patients to aid fairness and equality. The minimum necessary information needed to facilitate this will be shared with the relevant teams within ieso.

If you leave a review of our services on an external site, e.g., Trustpilot, you do so at your own discretion and ieso is not responsible for how that data is processed by the platform you use to share your views or those who view the review. We may respond to your review.

C) Other circumstances in which we may share your Personal Data

‍

The sharing of Personal Data is strictly controlled by law, but as the Caldicott Principles highlight, “the duty to share information for individual care is as important as the duty to protect patient confidentiality” when required by law or to protect either yours or another person’s wellbeing.

We may share the minimum information with appropriate government agencies or local authorities, such as the police, without your permission if:

• A serious crime has been committed;

• Withholding information could endanger someone’s life;

• A child or vulnerable adult is at potential risk; or,

• We are ordered to do so by a court of law.

In such circumstances, we will try to inform you if it is appropriate to do so.

D) Transferring Personal Data outside of the UK or European Economic Area, and holidays during treatment

It is sometimes necessary for subsets of information to be stored in well-known software as a service (SaaS) provider which do transfer data to other regions with appropriate safeguards. See section below on “How we store your personal data.”

In the limited instances when data is shared overseas, the UK Government, in consultation for the ICO, make decisions on adequacy of the protection of personal data in other countries and we have selected providers located in countries that the Commissioner has approved or, where the provider is based in a country that hasn’t received adequacy, have used safeguards and contracts that mean the transfer is lawful and appropriate.

If you go on holiday outside the UK or EEA, you should exercise caution before accessing your account, as the country in which you are travelling through may not provide similar safeguards to which are provisioned within the UK and EEA. If you access your account from a country other than the UK or EEA, you do so at your own risk.

You may

if you want further information on the specific mechanism used by us when transferring your personal information out of the United Kingdom and the EEA.

We have not, and will never, sell your Personal Data.

4. How we secure your Personal Data

We take the security of your Personal Data very seriously.

We have implemented controls to safeguard the Personal Data that you provide, applying physical and organisational measures against loss, misuse and alteration of your Personal Data under our control.

All information you provide is encrypted in transit using the best-practice encryption (256-bit encryption) and secured in our trusted and vetted providers.

We have achieved the International Standard certification for information security (ISO 27001), Cyber Essentials Plus and exceed the expectation of the NHS Data Security and Protection toolkit. To view these, please click here.

You must also take responsibility for the protection of your account by keeping your password secure and secret and all times when accessing or using our Service.

5. How we store your Personal Data

ieso is headquartered in the UK and information submitted about you via the Service is stored in the UK, and possibly the European Economic Area where this isn’t possible. Your health record will be stored in the iaptus PMS, which is hosted by Mayden House Ltd in the UK. Mayden has been subject to an extensive due diligence programme by ieso and is the trusted and chosen provider for around 200 separate NHS providers. We also maintain a separate copy of deidentified health information that is stored by Microsoft Azure, which is also stored in the UK and has been vetted by ieso. Both software providers may access your data in very limited, specific and approved circumstances, in order to provide their services to ieso, and we have Data Processing Agreements in place to govern such processing.

We also use a small number of well-known SaaS (Software as a Service) providers to process and/ or store smaller subsets of your Personal Data and enable the uses of the Personal Data as described in this privacy notice. We have Data Processor Agreements in place with each SaaS provider. Where possible these providers store the Personal Data in the UK or EEA; otherwise, we have implemented legal safeguards to ensure the transfer of data is legal and ethical.

How long we retain your Personal Data:

We retain your Personal Data for as long as necessary to fulfil the purposes for which we collected it. We have taken considerable time and diligence to determine the most appropriate retention periods, considering the nature, amount and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and applicable legal and health care industry requirements.

We retain your records in accordance with the Records Management Code of Practice published by NHS England’s Transformation Directorate, which is accessible here.

For patients who receive any intervention, ieso retains your health record for 20 years after your treatment ends. This applies even if you don’t complete a full course of therapy, and it helps you to remember coping strategies, techniques, and processes that your learnt in therapy.
For individuals who refer into our service, complete their registration but do not receive any intervention, we retain your health record for 3 years.
Research records are retained for up to 20 years.

When we no longer require the Personal Data we have collected about you, we will either delete or anonymise it, or if this is not possible (for example, because your Personal Data has been stored in back up archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. Where we anonymise your personal information (so that it can no longer be associated with you), we may use this information without further notice to you.

6. Your access, rights and choices

You can access specific details relating to your treatment through the Service online at any time directly through your account, these will therefore remain resources available to you after the conclusion of your treatment. These include messaging between you and your therapist between sessions, the sessions themselves, the ‘homework’ activities, questionnaires completed, and any goal setting activities. The sessions comprise a verbatim record of conversation between you and your therapist that are retained in the form of a transcript for text therapy or an audio file for video therapy.

If you feel there is an error of fact on your health record held by us, you can contact us, or in respect of your wider medical record your referring healthcare service or GP. If we agree the information is incorrect, the alteration will be made. If we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate but we will not alter the information, and you will be notified of either the correction or the note.

Data protection law also includes the right to data portability and to make other requests to seek to erase, object to and restrict Personal Data processing where certain limited grounds apply. Note however that Personal Data processed for health/ treatment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights can be restricted or not apply in practice. Specifically, the right to erasure does not apply when processing is necessary for the provision of healthcare or the management of healthcare systems or service.

Your choices:

If you would like to opt out of ieso’s research and planning, please exercise your options via one of two methods explained here.
If you would like to opt out of a Service Transfer (as defined in Section 3), please email info@iesohealth.com.
If you would prefer not to receive appointment booking links and reminders via SMS, please email info@iesohealth.com.
If you would prefer to opt-out of GP notifications, and this is not restricted by your NHS Service, please email info@iesohealth.com.
If you would prefer not to receive voicemails, please email info@iesohealth.com.

If you need assistance or have an enquiry about accessing, updating or amending your records, or where applicable, about receiving or transmitting a file of the Personal Data you have provided (for example to your GP) please

Our complaints procedure is available on the site, and there is a link to it here.

If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office.

7. Cookies and Tracking

A cookie is a small data file stored by your browser on your device's hard disk for record-keeping purposes and typically includes a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the same site.

We use cookies to secure your login, authenticate your access, enable smooth navigation across the Service and its features, and to enable patients to resume from where they left off (e.g., patients can resume completing their routine questionnaires easily, rather than having to complete them in one sitting).

Cookies that are necessary for functionality, security and accessibility, are set and cannot be turned off by you. Analytics and X cookies can be set by you. We rely on consent as our lawful basis for processing the optional cookies we use. You can read more about how we use cookies, and how to change your preferences, by visiting our cookies policy.

You can also change your browser settings to prevent any automatic acceptance of cookies, or to notify you each time a cookie is set. You can learn more about cookies by visiting www.allaboutcookies.org which includes additional information on cookies and how to block them using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the site or service.

8. Specific information relevant to Children and Young People

Our Services are not intended for use by anyone under 16 years old. Our contract with your healthcare provider determines the lower age limit for our Services. As standard it is 18, but specific contracts also include 16- and 17-year-olds.

9. Your questions and how to contact us

If you have any questions or comments about this privacy notice, please let us know:

By email: info@iesohealth.com (for technical support, contact our technical support team: support@iesohealth.com)

By telephone: 0800 074 5560

By post: ieso, Jeffreys Building, Cowley Road, Cambridge, CB4 0DS

To reach our data protection officer, please use the above details and mark your communication for the attention of the Privacy team.

In an emergency regarding your health, please contact:

Your GP surgery or local A&E
Your referring healthcare provider
Urgent Care (for out of hours access to GP) – call 111
The Samaritans – call 116 123 or email jo@samaritans.org
Emergency Services – call 999

10. Changes to your Personal Data

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.

This Privacy Notice applies to any Site where it is referenced, regardless of the computer, mobile or other device you use to access or use the Service. The Site and Service may contain links to websites, mobile applications, and other online services operated by third parties. Unless the third-party site you access is our data processor, we do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy notices or content of such websites, mobile applications and online services you use.