Summary of changes to these Privacy Notices:
Effective Date: Saturday 8th June 2024
We are committed to protecting your privacy and confidentiality.
We have never, and will never, sell your personal data.
These Privacy Notices describe the privacy practices of Ieso Digital Health (UK) Limited and our subsidiaries and affiliates (including Ieso Digital Health Limited and Ieso Digital Health, Inc.) (collectively, “ieso”, “we”, “us”, or “our”), and how we handle your personal data that we collect through the provision of Cognitive Behavioural Therapy services delivered via either typed or video modality, and which is provided online through iesohealth.uk (the Site) as well as through other activities described in this Privacy Notice, such as our research and product development activities. Collectively, these form the Service. These Privacy Notices do cover the offering of our digital programme but do not cover their use. If you take up the offering of our digital programme, an additional privacy notice will be provided to you. We are data controllers of your personal data and are registered with the Information Commissioner (registration numbers ZA239229 and Z5383093). If you require further information on anything below, please contact our Data Protection Officer via info@iesohealth.com. Full details on how to contact us can be found in
We understand that privacy is important to you, and we want to assure you that we take it seriously. Occasionally, we may need to update our Privacy Notices to reflect changes in our services or legal requirements. When we do so, we’ll make sure to clearly communicate any material changes, usually via a banner in your account or via email where such change is particularly material. As always, your continued use of the Service after any update indicates that you have acknowledged the updated Privacy Notices.
Our responsibilities to you
We understand that the privacy and confidentiality of all the personal data you provide, especially the verbatim records of therapy sessions, is important to you, and our internal policies and procedures reflect this and the need to share the minimum information necessary. Please read this document carefully to understand how we protect your information.
What these Privacy Notices cover
These notices explain how ieso collect, process, store, share and secure your personal data, and how you can exercise your rights and manage your personal data.
To provide our Services, we need to collect data about you from yourself, your clinician, other organisations (such as your GP or local NHS Service), and automatically from your use of our Services.
This includes:
• Registration information – When you register, we collect contact information such as your name, date of birth, email address and mobile number. We also collect information to authenticate you as an eligible patient, such as your NHS number (or CHI number if you’re registered in Scotland), GP details and address.
• Demographic information – We collect information about you so we and the NHS can build a picture of the Services we deliver to different groups of people, monitor the quality of our standards (including by monitoring for potential bias and improving fairness, for example, to detect and mitigate accessibility barriers or bias within our service delivery), and ensure sufficient services are delivered to local communities. These questions include a ‘prefer not to say’ response so they’re voluntary to answer and do not impact on the quality of your care.
• Assessment information – Like the NHS, we collect information using standard patient assessment questionnaires to understand your clinical needs and build a treatment plan. Assessment information can include your experiences and how you are feeling, as well as your medical history, lifestyle, family, work and education.
• Delivering treatment – Like the NHS, we collect information whilst delivering treatment to you, including your conversations with your clinician inside and outside therapy, that are either written or in video (video sessions are converted into audio recordings to minimise the data we hold) appointments, and clinical questionnaires. You’re able to access your verbatim record at any time, to reflect on your treatment and care delivered to you. If your clinician believes it is necessary, they may put a risk management plan in place to help keep you safe, and they may ask you for next of kin details if appropriate.
• Additional information required by the NHS – We provide our Services on behalf of local NHS Services in England and nationally in Scotland, and they may require additional information to be collected or asked. For example, some NHS Services offer their patients employment support, so we may ask you about this, which is voluntary to take up.
• Your queries and comments – We collect information about you and your query, comment or complaint, for example, a question about our service or request for technical support. This may be shared with relevant teams who can answer your questions or address your comments.
You always have the option to refuse to submit personal information to us; however, without this information, we may not be able to provide you with our Services.
• Referral information – If you are referred to ieso by your local NHS Service or by your GP, they will provide us with your name, date of birth, address, mobile number, demographic information, consent option to receive voicemails, email address, NHS number, reason for referral and any relevant information notes or questionnaire scores. NHS numbers may be obtained directly from the central NHS system, or your CHI number will be obtained directly from your GP if you reside in Scotland.
• Therapist notes – At the end of each session, your clinician will write up a clinical summary of the session. These are usually shared routinely with your NHS Service who funds your treatment. (This does not include your verbatim records, which aren’t shared externally except in exceptional circumstances, such as in a serious clinical incident or when required by law.)
• Supervision notes – Your clinician may share some of your details with their supervisor for feedback and/or advice. Where this affects the treatment you receive, this will form part of your health record.
• Aggregated Demographic information – Other than demographic information collected directly by you or your referrer, we collect publicly available information that is aggregated and enables us to understand anonymous health and demographic information at a postcode level.
See here or
We use your Personal Data to ensure that we provide you with the best possible treatments, both now and in the future. We have appointed a Data Protection Officer and Caldicott Guardian to ensure that our procedures for handling patient information and requests meet with our obligations.
To provide you with high-quality and tailored care, we use your Personal Data to provide this Service:
At ieso, we believe that everyone should have access to effective mental healthcare, when and where they need it. We want to make therapy as good as it can be – so that everyone receives the support that is right for them, first time.
We do this by providing types of therapy that already have a strong evidence base to show that they work. We then invest heavily in research to understand how to make therapy as effective as possible, for as many people as possible.
By analysing patterns in the minimum, aggregated, de-identified data from thousands of patients, using machine learning, natural language processing and large language models, our scientists and clinicians can learn how our patients’ treatment outcomes relate to the therapy they are given. This enables us to discover more about the causes of mental health conditions, and why different people respond better to different types of therapy. We use this information to make our existing products and services more effective, and to develop new ones, which may include developing or finetuning models.
We are committed to being transparent about how we collect, use, retain, share and protect patient data for treatment and research, so that you can understand the benefits and risks, and make informed choices about how your data is used.
We may also work with reputable academic and research organisations or individuals to support our mission, including by sharing deidentified or anonymised information that can’t be linked to you, and within the constraints of strict contracts with partners.
Whenever we use your Personal Data, we do so with a recognised “legal basis” under Article 6 of the GDPR. As our Services are provided under the Terms and Conditions, we process most of your Personal Data under the contract lawful basis, which means we process your Personal Data to fulfil our contract obligations to you.
We also process Personal Data that is sensitive, such as your health and demographic information, which requires additional protection under the GDPR, including an additional but separate basis under Article 9 of the GDPR. As our Services are provided to provide healthcare, our Article 9 basis is the provision of healthcare, unless stated otherwise in brackets below:
We appreciate and respect that the confidentiality of your treatment is of the utmost importance to you. That’s why we share information on a strict need-to-know basis, and anyone receiving information about you will be under an equal legal duty to keep it confidential.
In delivering the Services to you, your Personal Data may be shared with:
If you consent to being contacted about opportunities, such as to raise awareness of ieso’s online typed therapy or to share your thoughts and feedback to shape our service, we will use your contact details to provide you with more specific information. We may also use your demographic information to assess how we are performing in reaching a diverse and representative group of patients to aid fairness and equality. The minimum necessary information needed to facilitate this will be shared with the relevant teams within ieso.
If you leave a review of our services on an external site, e.g., Trustpilot, you do so at your own discretion and ieso is not responsible for how that data is processed by the platform you use to share your views or those who view the review. We may respond to your review.
The sharing of Personal Data is strictly controlled by law, but as the Caldicott Principles highlight, “the duty to share information for individual care is as important as the duty to protect patient confidentiality” when required by law or to protect either yours or another person’s wellbeing.
We may share the minimum information with appropriate government agencies or local authorities, such as the police, without your permission if:
In such circumstances, we will try to inform you if it is appropriate to do so.
It is sometimes necessary for subsets of information to be stored in well-known software as a service (SaaS) providers which do transfer data to other regions with appropriate safeguards. See section below on “How we store your personal data.”
In the limited instances when data is shared overseas, the UK Government, in consultation with the ICO, makes decisions on adequacy of the protection of personal data in other countries and we have selected providers located in countries that the Commissioner has approved or, where the provider is based in a country that hasn’t received adequacy, have used safeguards and contracts that mean the transfer is lawful and appropriate.
If you go on holiday outside the UK or EEA, you should exercise caution before accessing your account, as the country through which you are travelling may not provide safeguards similar to those provisioned within the UK and EEA. If you access your account from a country other than the UK or EEA, you do so at your own risk.
You may
if you want further information on the specific mechanism used by us when transferring your personal information out of the United Kingdom and the EEA.
We have not, and will never, sell your Personal Data.
We take the security of your Personal Data very seriously.
We have implemented controls to safeguard the Personal Data that you provide, applying physical and organisational measures against loss, misuse and alteration of your Personal Data under our control.
All information you provide is encrypted in transit using best-practice encryption (256-bit encryption) and secured in our trusted and vetted providers.
We have achieved the International Standard certification for information security (ISO 27001), Cyber Essentials Plus and exceed the expectation of the NHS Data Security and Protection toolkit.
You must also take responsibility for the protection of your account by keeping your password secure and secret at all times when accessing or using our Service.
ieso is headquartered in the UK and information submitted about you via the Service is stored in the UK, and possibly the European Economic Area where this isn’t possible. Your health record will be stored in the iaptus PMS, which is hosted by Mayden House Ltd in the UK. Mayden has been subject to an extensive due diligence programme by ieso and is the trusted and chosen provider for around 200 separate NHS providers. We also maintain a separate copy of deidentified health information that is stored by Microsoft Azure, which is also stored in the UK and has been vetted by ieso. Both software providers may access your data in very limited, specific and approved circumstances, in order to provide their services to ieso, and we have Data Processing Agreements in place to govern such processing.
We also use a small number of well-known SaaS (Software as a Service) providers to process and/or store smaller subsets of your Personal Data and enable the uses of the Personal Data as described in this privacy notice. We have Data Processor Agreements in place with each SaaS provider. Where possible these providers store the Personal Data in the UK or EEA; otherwise, we have implemented legal safeguards to ensure the transfer of data is legal and ethical.
We retain your Personal Data for as long as necessary to fulfil the purposes for which we collected it. We’ve taken considerable time and diligence to determine the most appropriate retention periods, considering the nature, amount and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and applicable legal and healthcare industry requirements.
In particular, we retain your records in accordance with the Records Management Code of Practice published by NHS England’s Transformation Directorate, which is accessible here.
When we no longer require the Personal Data we have collected about you, we will either delete or anonymise it, or if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymise your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.
You can access specific details relating to your treatment through the Service online at any time directly through your account; these will therefore remain resources available to you after the conclusion of your treatment. These include messaging between you and your therapist between sessions, the sessions themselves, the ‘homework’ activities, questionnaires completed, and any goal setting activities. The sessions comprise a verbatim record of conversation between you and your therapist that is retained in the form of a transcript for text therapy or an audio file for video therapy.
If you feel there is an error of fact on your health record held by us, you can contact us, or in respect of your wider medical record your referring healthcare service or GP. If we agree the information is incorrect, the alteration will be made. If we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate but we will not alter the information, and you will be notified of either the correction or the note.
Data protection law also includes the right to data portability and to make other requests to seek to erase, object to and restrict Personal Data processing where certain limited grounds apply. Note however that Personal Data processed for health/treatment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights can be restricted or not apply in practice. Specifically, the right to erasure does not apply when processing is necessary for the provision of healthcare or the management of healthcare systems or service.
If you need assistance or have an enquiry about accessing, updating or amending your records, or where applicable, about receiving or transmitting a file of the Personal Data you have provided (for example to your GP) please
Our complaints procedure is available on the site, and there is a link to it here.
If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office.
We use cookies or similar technologies such as device IDs, pixel tags and web beacons (collectively described here as 'cookies') to collect information about the access to and use of the Site and Service. These typically include a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the Site or using the Service and that sometimes track information about a user.
We use cookies to secure your login, authenticate your access, enable smooth navigation across the Service and its features, and to enable patients to resume from where they left off (e.g., patients can resume completing their routine questionnaires easily, rather than having to complete them in one sitting).
Computers and mobile devices may automatically accept cookies, but you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the site or Service.
You can also learn more about our use of cookies by visiting our cookies policy.
Our Services are not intended for use by anyone under 16 years old. Our contract with your healthcare provider determines the lower age limit for our Services. As standard it is 18, but specific contracts also include 16- and 17-year-olds.
If you have any questions or comments about this privacy notice, please let us know:
By email: info@iesohealth.com (or for technical support, contact our technical support team: support@iesohealth.com)
By telephone: 0800 074 5560
By post: ieso, Jeffreys Building, Cowley Road, Cambridge, CB4 0DS
To reach our data protection officer, please use the above details and mark your communication for the attention of the Privacy team.
In an emergency regarding your health, please contact:
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.
This Privacy Notice applies to any Site where it is referenced, regardless of the computer, mobile or other device you use to access or use the Service. The Site and Service may contain links to websites, mobile applications, and other online services operated by third parties. Unless the third-party site you access is our data processor, we do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy notices or content of such websites, mobile applications and online services you use.