
Privacy Notices for NHS patients accessing CBT services

Summary of changes to these Privacy Notices

This update does not introduce any material changes to how your personal data is collected or processed. The changes include:

  • Improving the format and readability of our privacy notices; and,
  • Improving the clarity of our legal bases for processing your personal data

We are committed to protecting your privacy and confidentiality.

Effective date:
19th December 2023

We reserve the right to change these Privacy Notices as appropriate, by updating the effective date and posting it on the Site. If we make material changes to how we process your personal data, we will notify you via a banner in your account or by email. In all cases, your use of the Service after the effective date of any modified Privacy Notices indicates you have read and understood the modified Privacy Notices.

You may contact us to obtain previous versions of this Privacy Notice.


These Privacy Notices describe the privacy practices of Ieso Digital Health (UK) Limited and our subsidiaries and affiliates (including Ieso Digital Health Limited and Ieso Digital Health, Inc.) (collectively, “ieso”, “we”, “us”, or “our”), and how we handle your personal data that we collect through the provision of Cognitive Behavioural Therapy services provided online through iesohealth.uk (the Site) as well as through other activities described in this Privacy Notice, such as our research and product development activities. Collectively, these form the Service. We are data controllers of your personal data and are registered with the Information Commissioner (registration numbers ZA239229 and Z5383093). If you require further information on anything below, please contact our Data Protection Officer via privacy@iesohealth.com. Full details on how to contact us can be found in section 9 below.

We understand that the privacy and confidentiality of all the personal data you provide, especially the verbatim records of therapy sessions, is important to you, and our internal policies and procedures reflect this and the need to share the minimum information necessary.

What these Privacy Notices cover
These notices explain how ieso collect, process, store, share and secure your personal data, and how you can exercise and manage your personal data.

1. Information we collect

We collect the following Personal Data about you in several ways:

a) Information you provide to us when you register and use our Service

This includes:

• Registration information - When you register, we collect contact information such as your name, date of birth, email address and mobile number. We also collect information to authenticate you as an eligible patient, such as your NHS number (or CHI number if you're registered in Scotland), GP details and address.

• Demographic information - We collect information about you so we and the NHS can build a picture of the services we deliver to different groups of people, monitor the quality of our standards (including to monitor potential bias and improve fairness), and to ensure sufficient services are delivered to local populations. These questions are entirely voluntary to answer and include questions regarding your ethnicity, religion, sexual orientation, etc.

• Assessment information - We collect information using standard patient assessment questionnaires to understand your clinical needs and build a treatment plan. Assessment information can include your experiences and how you are feeling, as well as your medical history, lifestyle, family, work and education.

• Delivering treatment - We collect information whilst delivering treatment to you, including the conversations you have with your clinician inside and outside therapy, appointments, the “homework” activities, setting goals, and clinical questionnaires. You’re able to access your verbatim record at any time, to reflect on the treatment and care delivered to you.

• Additional information required by the NHS - We provide our services on behalf of NHS Talking Therapies in England and nationally in Scotland, and we may collect additional information if it’s required by individual NHS Talking Therapies services. For example, some NHS Talking Therapies services collect employment information to provide optional employment support as appropriate.

• Your queries or comments - We collect information about you and your query, comment or complaint, for example, a question about our service or request for technical support.

You always have the option to refuse to submit personal identifiable information to us; however, without this information, we may not be able to provide you with our Service.

b) Information we collect from other sources

• Referral information - If you are referred to ieso by your local NHS Talking Therapies service or by your GP, we will usually collect your name, date of birth, address, mobile number, consent option to receive voicemails, email address, NHS number, reason for referral and any relevant information notes or questionnaire scores. NHS numbers may be obtained directly from the central NHS system.

• Therapist notes - At the end of each session, your clinician will write up a clinical summary of the session. For some NHS contracts, these will be routinely shared with your NHS Talking Therapies service. (This doesn’t include your verbatim records, which aren’t shared externally except in exceptional circumstances, such as in a serious clinical incident).

• Supervision notes – Your clinician may share some of your details with their supervisor (see section 2 below) for feedback and/or advice. Where this affects the treatment you receive, this will form part of your health record.

c) Information collected automatically from your use of the Service, such as from your device or by participating in sessions:

  • Session activity information - we collect information about you from your use of the Service. (E.g., when you log on, accept an appointment, join a session etc.)
  • Device information - this includes information about whether you are using the service on a mobile, tablet or computer. This helps us understand how people interact with our service so that we can ensure the Service is optimised for different devices.
  • Log information - we collect technical information such as your Internet Protocol (IP) address (the unique address that identifies your device or computer on the internet), your browser type and when, how often and for how long you interact with the Service.

See here or read below for further information on cookies.

2. How we use collected Personal Data (includes sharing within ieso, and our contracted therapists and Psychological Wellbeing Practitioners)

We use your Personal Data to ensure that we provide you with the best possible treatments, both now and in the future. We have appointed a Data Protection Officer and Caldicott Guardian to ensure that our procedures for handling patient information and requests meet with our obligations.

Under our terms, we use your Personal Data to provide this Service, to:

a) Onboard you into our Service, determine your eligibility and deliver therapy:

  • Assess your suitability and eligibility for CBT
  • Assess your eligibility for the ieso app, and where eligible, offer you access whilst you wait for your first appointment.
  • Register you with the Service - to consider requests for use of the Service and to enable sign-in and verified access and use of the Service.
  • Assess your treatment needs - to place you with an appropriate therapist, and to aid selection of exercises and questionnaires.
  • Provide your treatment – your Personal Data is shared with your therapist to support your treatment and evaluate your progress, including messaging to arrange sessions, conducting sessions, assessing progress against treatment goals and maintaining your case file. It’s your choice to decide what to share with your therapist, but the more information that your therapist has about you, the more likely it is that they will be able to provide you with highly effective treatment. Your therapist only has access to your Personal Data during your treatment and for 6 weeks after discharge to allow for reflection and/ or to consider any feedback from you.

    Subject to appropriate safeguards, some of the details of your case may be shared in your therapist’s routine clinical supervision with their Clinical Supervisor if they wish to obtain advice or assurance on the work you are doing together. The British Association of Behavioural & Cognitive Psychotherapies (“BABCP”) requires that all therapists must receive clinical supervision. A Clinical Supervisor is a therapist who has received additional training and is generally more experienced than the therapist. This is to ensure that the therapy you are receiving is the most helpful it can be and remains faithful to best practice evidence. Clinical supervision includes case discussions (and may include referring to messages/ transcripts/ audio recordings) either individually or within a group of therapists, all of whom are bound by confidentiality.
  • Offer you a referral to an employment assistance programme where an NHS customer offers such a service as appropriate to you.
  • Investigate and find solutions for any technical issues you ask us to resolve in association with your account, or technical issues we identify.
  • Protect you and/or others, and seek to maintain a confidential and safe environment. These measures include:
    - user authenticated access controls to the service
    - restricted access to patient identifiable information. Access to patient records within ieso is limited on a strictly ‘need to know’ basis and wherever possible processed by reference to indirect rather than directly identifying information, such as case reference numbers.
    - ongoing review of the care and help our professional therapists provide to make sure it meets our quality standards.
    - developing learning/ training programmes for our therapists.
    - administering our professional compliance duties and obligations.

b) We will also use your Personal Data to communicate with you, including:

  • via email, phone or the messages section of your file between sessions if/ when appropriate, to confirm appointments, remind about incomplete questionnaires, about Service availability and related Service updates or notifications, to resolve technical issues, or reply to your enquiries, requests or complaints.
  • via text message to remind you about upcoming appointments or alert you to messages in your account.
  • via voicemail (where you have agreed to this) for missing information or questionnaires.
  • via post at assessment and /or the end of treatment.
  • If you have indicated to us on a questionnaire or in response to an email that you would be happy to share your experience of receiving therapy provided by ieso to raise awareness of our service or for therapist training purposes, or to participate in some user experience evaluations, for example, we will use your contact details to give you more information. We may also use your diagnosis and demographic information to ensure we contact a representative and diverse population. If you subsequently consent, we will process your Personal Data further for this purpose, which would include wider sharing of your Personal Data as agreed with you. (A separate set of privacy notices will be provided for these specific purposes)
  • To let you know of any clinical trials/ studies/ projects for which you may be eligible (in which of course you can decline to take part).
  • We may also contact you after you’ve completed treatment to ask for feedback and to check on your wellbeing.

c) To meet NHS and legal requirements, we will use your Personal Data to:

  • Uphold the NHS Opt-out service in England. We submit all patient NHS numbers to the ‘Check for National Opt-outs service’ in order to apply data opt-outs in accordance with patient wishes.
  • Investigate queries from our NHS payers. For example, investigating any delays in treatment or complaints.

d) To improve our Service and to develop new ones, we will use your Personal Data to:

  • Determine whether or not you are eligible and suitable for participation in one of our clinical trials/ studies. We are a data-driven, research-orientated company who passionately believe in responsible innovation to increase the understanding of mental health, improve treatments and widen access to treatment, and our team may review your Personal Data to identify participants.
  • Conduct analysis and research to improve the Service, the Site and/or to develop and/ or improve digital products/ tools to improve the access, assessment or treatment of mental health conditions, including using demographic data to monitor and improve our services for bias, discrimination and fairness. We are passionate about learning from your Personal Data by conducting high-quality scientific research to feed into treatment and product development to further improve outcomes and help more people get treatment earlier. We believe research can help provide a greater understanding of both the causes of mental illness and the effectiveness of treatments and interventions for different subgroups of patients. We have internal procedures in place to safeguard your privacy so that only the minimum necessary information is used to conduct the research on the most de-identified data possible, including anonymisation where possible. Some of our research is based on the NHS Minimum data set (see section 3 below), but we also use machine learning, natural language processing (NLP) and artificial intelligence (AI), including large language models, on questionnaires, communications between you and your therapist, and on therapist summaries of the sessions.
  • We will deidentify your personal data to improve health, care and services through research and planning, so our researchers will never know who you are. We may also anonymise your Personal Data where possible.

Truly transforming mental healthcare requires deeper research and innovation. We know that therapy can be highly effective, but currently clinicians are unable to reliably predict which therapies are most likely to work for particular people. This means that those seeking help for a mental health condition can face a lengthy process of trial-and-error before they find the right treatment, or combination of treatments, for them.  To understand how to make therapy more effective for more people, we need to learn how patients’ treatment outcomes (including their mental health measures, functional measures, emotional wellbeing, and achievement of personal goals) relate to the therapy they are given. The answers lie in health and care data; the key to unlocking them is research.  Our scientists have developed tools that use machine learning, natural language processing (NLP) and artificial intelligence (AI) to automatically label every element of therapy given to each patient. This means we can measure how much of each therapy session is spent on different activities, such as understanding a patient’s needs, delivering different therapy protocols, evaluating progress, and setting and reviewing between-session homework tasks. You can read more about research at ieso here.

If you’d like to opt out of ieso’s research and planning, please visit ieso Online Therapy | Research and your data (NHS) (iesohealth.com)

We only ever share the minimum information necessary to provide the best treatments, care and protection for yourself or others, to conduct our research, and/or to satisfy legal requirements. For example, depending on your referring healthcare provider, your Personal Data may be shared to update their records and/or as part of the Minimum Data Set required nationally by NHS England for all its patients. We have specific processes in place regarding verbatim records of sessions, which are only shared internally, or externally in very limited circumstances. For example, we may facilitate joint viewing of/ listening to specific verbatim records of sessions with the contracting NHS service in the case of a serious upheld complaint; see Section 3 'When we share your Personal Data'.

We will always seek your permission before disclosing your personal identifiable information to another person or organisation for any other reason than those set out in these privacy notices, unless we have an overriding legal duty to do so (for example, in the prevention and/or detection of a crime).

Legal bases for processing your Personal Data:
We use your Personal Data only as permitted by law, for the purposes for which we collected it. By agreeing to the terms and conditions of the Service you have entered into a contract with us which forms the legal basis for most of the processing of your Personal Data.

For most of our processing, our Article 9 condition to process special category data is provision of health care, except where indicated otherwise in brackets.

• For delivery of treatment, including communicating with you, we rely on contract.

• For the retention of your health record when treatment has ended, we rely on legitimate interests.

• For processing demographic information to monitor our services, including monitoring for bias and discrimination, seeking to improve fairness and to report to the NHS as required, we rely on legitimate interests.

• For safeguarding and NHS minimum data set information, we rely on legal obligations.

• For standard information sharing with GPs or during referrals for secondary care, we rely on consent.

• For sharing information with an employee assistance service, we rely on consent (Article 9 condition is explicit consent).

• For sharing information with the emergency services when consent isn’t possible, we rely on vital interests (Article 9 condition is vital interests).

• For information held in establishment or defence of a legal claim or complaint, we rely on legitimate interests.

• For upholding NHS Digital opt-outs in England, we rely on public task.

• For research and service analytics, such as service evaluation, improvement and development, we rely on legitimate interests (Article 9 condition is scientific research and provision of health care).

As part of our commitment to you, we are committed to continued improvement and development. Research supports us to provide you and all our patients with high-quality evidence-based care and products/ tools, and to help more people get treatment earlier. We publish findings (which only ever include aggregated data) in peer reviewed scientific journals, satisfying the legal basis of the special category data processing being necessary for scientific research purposes, which we use for a subset of our research activities.

3. When we share your Personal Data

We appreciate and respect that the confidentiality of your treatment is of the utmost importance to you. That’s why we share information on a strict need-to-know basis, and anyone receiving information about you will be under an equal legal duty to keep it confidential.

In delivering the Service to you, your Personal Data may be shared with:

a) Health services and support

  • Your GP and/ or your referring NHS Talking Therapies provider – Like all NHS services, it is important for us to work in collaboration with other health professionals, such as your GP or healthcare provider.
    - Depending on the NHS provider that funds your treatment (regardless of whether you were referred or self-referred), we may update their patient management systems with updates from your appointments, including your questionnaire scores and your clinician’s summary. We will not routinely share your transcripts with the funder of your treatment.
      - NB. If you self-refer to ieso from a region where ieso do not directly submit Minimum Data Set statistics to NHS Digital in England, and are unsuitable for our services, ieso is required to share your Personal Data with the NHS healthcare provider who would have funded your treatment with us.
    - Some of the NHS services we work with also require audit meetings to review feedback, which may very occasionally include the joint viewing of/ listening to specific verbatim records of sessions or messaging relating to investigations as a result of a serious clinical incident or significant complaint.
    - If we refer you back to your referring provider, or the provider that funds your treatment, we will provide them with a summary of your condition and the treatment we provided.
    - We also share pseudonymised information with the NHS service that funds your treatment to enable billing.
    - During registration, we may ask you if you are happy for your therapist to share information about your treatment with your GP, and you may decline this. If you consent, we will provide your GP with a summary of your treatment and your condition after your treatment has ended. If you’re also assessed by ieso, we will also provide your GP with a summary of your assessment.
  • NHS Secondary Care Services – Our service is designed for those with mild to moderate mental health conditions, so if we believe that more specialist care is required for a severe or long-enduring mental health condition, we will discuss this with you. If you consent, we will refer you to a psychiatric-led secondary care service, and we will share your health information with them.
  • NHS Digital (England patients only) – Your treatment is funded by the NHS and, in England, we’re required to provide a specified set of data (the Minimum Data Set) to NHS Digital, who will use this data to understand how services are delivered in England. This includes your NHS number, gender, age and ethnicity. Please note, all reports published by NHS Digital are aggregated so your information will never be made publicly available.
  • Employment Support – If employment support services are available in your area, you will be asked if you’d like to be referred. If you consent to a referral, we will share your basic contact details, presenting problem, GP details and some demographic information with the employment support agency.
  • Patient Management System (PMS) – All health organisations maintain health records of their patients’ treatment. We currently maintain our in-house PMS but we are adopting Iaptus, a trusted PMS provided by Mayden House Ltd and used by many NHS services. Mayden will maintain health records on behalf of ieso to enable streamlined sharing with your referring provider, for development and maintenance, and to anonymise for research on aggregated data across providers. (Your therapy transcripts will NOT be stored by Mayden or shared with them.)

b) Outside the normal course of providing our Service

If you indicate to us on a questionnaire or in response to an email that you would be happy to share your experience of receiving therapy provided by ieso to raise awareness of our service or for therapist training purposes, or to participate in some user experience evaluations, we will use your contact details to give you more information and process your Personal Data further for this purpose if you subsequently give your consent, which would include wider sharing of your Personal Data as agreed with you.

If you leave a review of our service on an external site, e.g., Trustpilot, you do so at your own discretion and ieso is not responsible for how that data is processed. We may respond to your review.

c) Sharing your Personal Data without your agreement

The sharing of Personal Data is strictly controlled by law, but as the Caldicott Principles highlight, “the duty to share information for individual care is as important as the duty to protect patient confidentiality” when required by law or to protect your or another person’s wellbeing.

In exceptional circumstances, we may need to share information (only the minimum necessary) without your permission if:

  • A serious crime has been committed;
  • Withholding information could endanger someone’s life;
  • A child or vulnerable adult is at potential risk; or,
  • We are ordered to by a court of law.

In such circumstances, we would inform you wherever possible.

d) Transferring Personal Data outside the UK or European Economic Area, and holidays during treatment

We seek where possible to prevent any transfers of your Personal Data to countries which have not been assessed as having adequate data protection standards. However, it may sometimes be necessary for subsets of information to be stored in well-known SaaS (Software as a Service) providers which do transfer data to other regions with appropriate safeguards. See the section below on “How we store your personal data”.

In the limited instances when data is shared overseas, the UK Government, in consultation with the ICO, makes decisions on the adequacy of the protection of personal data in other countries. We have selected providers located in countries that the Commissioner has approved or, where the provider is based in a country that hasn’t received adequacy, have used safeguards and contracts that mean the transfer is lawful and appropriate.

You may contact us if you want further information on the specific mechanism used by us when transferring your personal information out of the United Kingdom and the EEA.

We have not, and will never, sell your Personal Data for any purpose.

4. How we secure your Personal Data

We take the security of your Personal Data very seriously.

We have implemented controls to safeguard the Personal Data that you provide, applying physical and organisational measures against loss, misuse and alteration of your Personal Data under our control.

All information you provide is encrypted in transit using best-practice encryption (256-bit encryption) and secured with our trusted and vetted providers.

We have achieved the International Standard certification for information security (ISO 27001) and Cyber Essentials Plus, and exceed the expectation of the NHS Data Security and Protection Toolkit.

You must also take responsibility for the protection of your account by keeping your password secure and secret at all times when accessing or using our Service.

5. How we store your Personal Data

ieso is headquartered in the UK and information submitted about you via the Service is stored in the UK or European Economic Area and managed by ieso. Until our change of patient management system is complete, the storage will be hosted by Microsoft Azure. After successful integration and migration, your patient file will be stored in Iaptus, used by over 200 NHS customers and vetted by ieso, which is owned by Mayden House Ltd and hosted in the UK. We will continue to use Microsoft Azure for storage of our research and service evaluation data. Both software providers may access your data in specific, approved circumstances, and we have Data Processing Agreements in place with Mayden and Microsoft.

We also use a small number of well-known SaaS (Software as a Service) providers to process and/ or store smaller subsets of your Personal Data and enable the uses of the Personal Data as described in this privacy notice. We have Data Processor Agreements in place with each SaaS provider. Where possible these providers store the Personal Data in the UK or EEA; otherwise, we have implemented legal safeguards to ensure the transfer of data is legal and ethical.

How long we retain your Personal Data

We retain your Personal Data for as long as necessary to fulfil the purposes for which we collected it. We’ve taken considerable time and diligence to determine the most appropriate retention periods, considering the nature, amount and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and applicable legal and healthcare industry requirements.

In particular, we retain records in accordance with the Records Management Code of Practice developed by NHS England – Transformation Directorate, which is accessible here.

  • We retain your health records for 20 years post discharge. This can help you remember coping strategies, techniques or processes that you learnt in therapy. If you were to experience a setback between sessions or after you’ve completed treatment, you may find it useful to refer to the transcripts/ audio recordings of your therapy sessions and messages. It also supports our legal obligations to be accountable for your care.
  • We retain your health records for 2 years if your referral is not accepted, incomplete, or your account is not activated; or for 3 years where you may have received a triage or messaged your therapist but did not actually commence treatment.
  • We retain research records for up to 20 years.

When we no longer require the Personal Data we have collected about you, we will either delete or anonymise it, or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymise your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

6. Your access, rights and choices

You can access specific details relating to your treatment through the Service online at any time directly through your account; these will therefore remain resources available to you after the conclusion of your treatment. These include messaging between you and your therapist between sessions, the sessions themselves, the ‘homework’ activities, questionnaires completed, and any goal setting activities. The sessions comprise a verbatim record of conversation between you and your therapist that is retained in the form of a transcript for text therapy or an audio file for video therapy.

If you feel there is an error of fact on your health record held by us, you can contact us, or in respect of your wider medical record your referring healthcare service or GP. If we agree the information is incorrect, the alteration will be made. If we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate but we will not alter the information, and you will be notified of either the correction or the note.

Data protection law also includes the right to data portability and to make other requests to seek to erase, object to and restrict Personal Data processing where certain limited grounds apply. Note however that Personal Data processed for health/treatment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights can be restricted or not apply in practice. Specifically, the right to erasure does not apply when processing is necessary for the provision of healthcare or the management of healthcare systems or service.

If you need assistance or have an enquiry about accessing, updating or amending your records, or where applicable, about receiving or transmitting a file of the Personal Data you have provided (for example to your GP), please contact us.

Our complaints procedure is available on the site, and there is a link to it here.

If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office.

7. Cookies and Tracking

We use cookies or similar technologies such as device IDs, pixel tags and web beacons (collectively described here as 'cookies') to collect information about the access to and use of the Site and Service. These typically include a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the Site or using the Service and that sometimes track information about a user.

We use cookies to secure your login, authenticate your access, enable smooth navigation across the Service and its features, and to enable patients to resume from where they left off (e.g., patients can resume completing their routine questionnaires easily, rather than having to complete them in one sitting).

Computers and mobile devices may automatically accept cookies, but you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting http://allaboutcookies.org/ which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the site or Service. 

You can also learn more about our use of cookies by visiting our cookies policy.

8. Specific information relevant to Children and Young People

Our Services are not intended for use by anyone under 16 years old. Our contract with your healthcare provider determines the lower age limit for our Services. As standard it is 18, but specific contracts also include 16- and 17-year-olds.

9. Your questions and how to contact us

If you have any questions or comments about this privacy notice, please let us know:

By email: privacy@iesohealth.com (or for technical support, contact our technical support team: support@iesohealth.com)

By telephone: 0800 074 5560

By post: ieso, Jeffreys Building, Cowley Road, Cambridge, CB4 0DS  

To reach our data protection officer, please use the above details and mark your communication for the attention of the Privacy team. In an emergency regarding your health, please contact:

  • Your GP surgery or local A&E
  • Your referring healthcare provider
  • Urgent Care (for out of hours access to GP) – call 111
  • The Samaritans – call 116 123 or email jo@samaritans.org
  • Emergency Services – call 999

10. Changes to your Personal Data

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.

This Privacy Notice applies to any Site where it is referenced, regardless of the computer, mobile or other device you use to access or use the Service. The Site and Service may contain links to websites, mobile applications, and other online services operated by third parties. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy notices or content of such websites, mobile applications and online services you use.
