Home
Get started
What we treat
Why online therapy
Solutions
How it works
How it works
Meet the therapists
Wellbeing blog
Log in
FacebookTwitterLinkedinYouTube

Privacy Notices for NHS patients accessing CBT Services

Summary of changes to these Privacy Notices:

  • We have migrated to a new patient management system, iaptus, which is widely used and trusted by over 200 NHS organisations.
  • This will create a new user experience for patients, which we explain to you here. Some changes will be more noticeable than others, such as receiving SMS appointment reminders.
  • We are also deploying a new referral tool to improve the accessibility and engagement of our referral process for patients.
  • We’ve also simplified how you’re able to exercise your choices over your personal data, in Section 6.

Effective Date: Saturday 8th June 2024

We are committed to protecting your privacy and confidentiality.

We have never, and will never, sell your personal data.

Introduction

These Privacy Notices describes the privacy practices of Ieso Digital Health (UK) Limited and our subsidiaries and affiliates (including Ieso Digital Health Limited and Ieso Digital Health, Inc.) (collectively, “ieso”, “we”, “us”, or “our”), and how we handle your personal data that we collect through the provision of Cognitive Behavioural Therapy services delivered via either typed or video modality, and which is provided online through iesohealth.uk (the Site) as well as through other activities described in this Privacy Notice, such as our research and product development activities. Collectively, these form the Service. These Privacy Notices do cover the offering of our digital programme but do not cover their use. If you take up the offering of our digital programme, an additional privacy notice will be provided to you. We are data controllers of your personal data and are registered with the Information Commissioner (registration numbers ZA239229 and Z5383093). If you require further information on anything below, please contact our Data Protection Officer via privacy@iesohealth.com. Full details on how to contact us can be found in

section 9 below.

We understand that privacy is important to you, and we want to assure you that we take it seriously. Occasionally, we may need to update our Privacy Notices to reflect changes in our services or legal requirements. When we do so, we’ll make sure to clearly communicate any material changes, usually via a banner in your account or via email where such change is particularly material. As always, your continued use of the Service after any update indicates that you have acknowledged the updated Privacy Notices.

Our responsibilities to you
We understand that the privacy and confidentiality of all the personal data you provide, especially the verbatim records of therapy sessions, is important to you, and our internal policies and procedures reflect this and the need to share the minimum information necessary. Please read this document carefully to understand how we protect your information.

What these Privacy Notices covers
These notices explain how ieso collect, process, store, share and secure your personal data, and how you can exercise your rights and manage your personal data.

1. Information we collect about you

To provide our Services, we need to collect data about you from yourself, your clinician, other organisations (such as your GP or local NHS Service), and automatically from your use of our Services.

A) Information you provide to us directly:

This includes:

Registration information – When you register, we collect contact information such as your name, date of birth, email address and mobile number. We also collect information to authenticate you as an eligible patient, such as your NHS number (or CHI number if your registered in Scotland), GP details and address.

Demographic information – We collect information about you so we and the NHS can build a picture of the Services we deliver to different groups of people, monitor the quality of our standards (including by monitoring for potential bias and improve fairness. For example, to detect and mitigate accessibility barriers, or bias within our service delivery), and to ensure sufficient services are delivered to local communities. These questions include a ‘prefer not to say’ response so they’re voluntary to answer and do not impact on the quality of your care.

Assessment information – Like the NHS, we collect information using standard patient assessment questionnaires to understand your clinical needs and build a treatment plan. Assessment information can include your experiences and how you are feeling, as well as your medical history, lifestyle, family, work and education.

Delivering treatment – Like the NHS, we collect information whilst delivering treatment to you, including your conversations with your clinician inside and outside therapy, that are either written or in video (video sessions are converted into audio recordings to minimise the data we hold) appointments, and clinical questionnaires. You’re able to access your verbatim record at any time, to reflect on your treatment and care delivered to you. If your clinician believes it is necessary, they may put a risk management plan in place to help keep you safe, and they may ask you for next of kin details if appropriate.

Additional information required by the NHS – We provide our Services on behalf of local NHS Services in England and nationally in Scotland, and they may require additional information to be collected or asked. For example, some NHS Services offer their patients employment support, so we may ask you this which is voluntary to take up.

Your queries and comments – We collect information about you and your query, comment or complaint, for example, a question about our service or request for technical support. This may be shared with relevant teams who can answer your questions or address your comments.

You always have the option to refuse to submit personal information to us; however, without this information, we may not be able to provide you with our Services.

B) Information we collect about you from other sources, such as your referring provider:

Referral information – If you are referred to ieso by your local NHS Service or by your GP, they will provide us with your name, date of birth, address, mobile number, demographic information, consent option to receive voicemails, email address, NHS number, reason for referral and any relevant information notes or questionnaire scores. NHS numbers may be obtained directly from the central NHS system, or your CHI number will be obtained directly from your GP if you reside in Scotland.

Therapist notes – At the end of each session, your clinician will write up a clinical summary of the session. These are usually shared routinely with your NHS Service who funds your treatment. (The does not include your verbatim records, which aren’t shared externally except in exceptional circumstances, such as in a serious clinical incident or when required by law).

Supervision notes – Your clinician may share some of your details with their supervisor

(See section 2 below)

for feedback and/ or advice. Where this affects the treatment you receive, this will form part of your health record.

Aggregated Demographic information – Other than demographic information collected directly by your or your referrer, we collect publicly available information that is aggregated and enables us to understand anonymous health and demographic information at a postcode level.

C) Information collected automatically from your use of the Services, such as from your device or by participating in sessions:

  • Session activity information – we collect information about you from your use of the Service. (E.g., when you log on or join a session etc.)
  • Device information – this includes information about whether you are using the service on a mobile, tablet or computer. This helps us understand how people interact with our service so that we can ensure the Service is optimised for different devices.
  • Log information – we collect technical information such as your Internet Protocol (IP) address, (the unique address that identifies your device or computer on the internet), your browser type and when, how often and for how long you interact with the Service.

See here or

read below for further information on cookies
2. How we use collected Personal Data (including sharing within ieso between group companies, and with our contracted therapists and psychological wellbeing practitioners)

We use your Personal Data to ensure that we provide you with the best possible treatments, both now and in the future. We have appointed a Data Protection Officer and Caldicott Guardian to ensure that our procedures for handling patient information and requests meet with our obligations.


To provide you with high-quality and tailored care, we use your Personal Data to provide this Service:

A) During your referral into our Service, determine your eligibility and deliver therapy, to:

  • Enable account creation and sign-in – We use email address, password and mobile number to create you an account to login to your record and we will assist with any issues you may experience regarding this.
  • Assess your eligibility and suitability for our Service – We use your information to assess whether you’re eligible for our Service by ensuring you reside in an area where we’re contracted with an NHS Service to treat, you’re over the minimum age as agreed with the NHS Service, and are not a currently serving member of the British Armed Forces (please note, if you’re a serving member of the British Armed Forces, you’re able to receive priority mental health support directly from the British Armed Forces).

    Your suitability is subsequently considered to ensure your clinical needs are treatable by ieso. For example, we provide services for mild to moderate mental health conditions, so if your condition is more serious, we will refer you back to the NHS Service who referred you or would’ve funded your treatment, or potentially, to a secondary care provider with your consent.
  • Provide you with different support options (where applicable) – Whilst we commonly deliver typed or video therapy, we do offer some eligible patients the option to receive support via our digital programme. We may use your information to offer you the digital programme to complement your typed or video CBT, or an alternative altogether.
  • Assess your treatment needs – If you self-referred to ieso, we will start your treatment journey by assessing your treatment needs to better tailor your treatment.
  • Provide your treatment – Your clinician will use your information to support your treatment and evaluate your progress, including messaging to arrange sessions, conducting sessions, assessing progress against treatment goals and maintaining your record. It’s your choice to decide what to share with your clinician, but the more information that your clinician has, the more likely it is that they will be able to provide you with highly effective and tailored treatment.

    Your session may take place via typed or video modality, depending on the agreement with the NHS Service that funds your treatment. Where your session takes place via video, the recording will be converted into audio and retained.
  • Support your clinician with supervision – It’s good practice, and in many cases, a requirement for therapists to receive clinical supervision. This is required for therapists registered with the BABCP. Subject to appropriate safeguards, some of the details of your case may be shared in your therapist’s routine clinical supervision with their Clinical Supervisor, if they wish to obtain advice or assurance on the work you are doing together. A Clinical Supervisor is a therapist who has received additional training and is generally more experienced than the therapist. This is to ensure that the therapy you are receiving is the most helpful it can be and remains faithful to best practice evidence. Clinical supervision includes case discussions (and may include referring to messages/ transcripts/ audio recordings) either individually or within a group of therapists, all of whom are bound by confidentiality.
  • Provide employment support (voluntary) – If an employment assistance programme is available in your area and your NHS Service asks us to, we will offer you the opportunity to speak to an employment assistance specialist which is entirely voluntary. The employment assistance programme may provide an additional privacy notice regarding their specific data practices.
  • Resolve technical issues – If we detect a technical issue, or you or your clinician reaches out for support with a technical issue, we will use the minimum information necessary to resolve the issue. This may include ieso-employed engineers responding to you directly if you email our support team.
  • Maintain your health record – From registration, we will maintain a record of your assessment and treatment, to help us maintain an accurate, accountable and effective service to you and our NHS Services.
  • Protect your information – We maintain a secure, confidential and safe environment to ensure the security of your personal data, including:
    • Securing staff and patient accounts with multi-factor authentication;
    • Authenticating user access controls to the Services;
    • Restricting staff access to limited data on a “need to know” basis with oversight of our Caldicott Guardian and Privacy team.
    • Continuously reviewing, and providing support to, our clinicians to ensure we continue to meet quality standards and developing learning / training programmes;
    • Administering our professional compliance duties and obligations;
    • Providing specialist training to all staff annually, including training on the GDPR and NHS Data Security. Staff in patient facing roles receive additional training on health confidentiality; and,
    • Obtaining certification for ISO 27001 for Information Security and Cyber Essentials Plus, both of which require annual external audit. Additionally, we self-certify annually against the NHS Data Security and Protection Toolkit.
B) We will also use your Personal Data to communicate with you:

  • By email, phone and SMS – We will contact you about your treatment, including for example, to book appointments, to remind you about appointments and to notify you when you’ve received a message from your clinician outside an appointment. We may also contact you to retrieve missing information. Occasionally, we may look to improve engagement and will contact you in different ways – these will always be related to your care, for example, to contact you to remind you to complete registration or incomplete questionnaires.
  • By leaving voicemails – If you’ve consented, we will leave a voicemail on your device.
  • Assessment and/ or discharge letters – After your treatment ends, and additionally after your assessment session if you’re assessed by us, we will send you and your GP a brief summary of your experience to you. By default, this is sent electronically but may be sent via post if electronic sending is unavailable. If you’d prefer not to receive letters via post, please email info@iesohealth.com
  • To provide you with opportunities to improve or raise awareness of ieso’s mental health services – If you consented about being contacted about opportunities, such as to help raise awareness of ieso’s online therapy or to share your thoughts and feedback to shape our service, we will use your contract details to provide you with more specific information. We might also use your presenting problem and demographic information to ensure we contact a diverse and representative group of people. When we contact you about opportunities, we will provide you with different privacy notices that outline how your personal data will be processed for that specific opportunity, which you can freely decline if you so choose. This is entirely voluntary and your choice does not impact on the quality of your care.
  • To let you know of any research studies / user experience projects for which you may be eligible – We may contact you about trials, studies or projects for which you may be eligible, to see if you’re interested. This is entirely voluntary, and your choice does not impact on the quality of your care.
  • For feedback and to check on your wellbeing – We may also contact you after you’ve completed treatment to ask for feedback and to check on your wellbeing.
C) To meet NHS and legal requirements, we will use your Personal Data to:

  • Uphold the National Data Opt-out in England – In England, patients can exercise their national data opt-out preference to opt-out of research opportunities. We will use your NHS number to check your opt-out preference and act accordingly. If you reside in Scotland, you can opt out directly with us but this won’t take effect for all NHS services (See Section 6 for more information).
  • Investigate queries from our NHS Services– We may process your information in response to a query or complaint from any NHS or governmental service..
D) To improve our Service and to develop new services, we will use your Personal Data to:


At ieso, we believe that everyone should have access to effective mental healthcare, when and where they need it. We want to make therapy as good as it can be – so that everyone receives the support that is right for them, first time.

We do this by providing types of therapy that already have a strong evidence base to show that they work. We then invest heavily in research to understand how to make therapy as effective as possible, for as many people as possible.

By analysing patterns in the minimum, aggregated, de-identified data from thousands of patients, using machine learning, natural language processing and large language models, our scientists and clinicians can learn how our patients’ treatment outcomes relate to the therapy they are given. This enables us to discover more about the causes of mental health conditions, and why different people respond better to different types of therapy. We use this information to make our existing products and services more effective, and to develop new ones, which may include developing or finetuning models.  

We are committed to being transparent about how we collect, use, retain, share and protect patient data for treatment and research, so that you can understand the benefits and risks, and make informed choices about how your data is used.

  • For research studies, we will determine whether or not you are eligible and suitable for participation in one of our research studies. ieso are a data-driven, research-orientated company who passionately believe in responsible innovation to increase the understanding of mental health, improve treatments and widen access to treatment, and our team may review your Personal Data to identify participants.

    Participation is entirely voluntary, and your choice does not impact on the quality of care.
  • For retrospective research or service evaluation, improvement and development,  we will deidentify your personal data to improve health, care and services through research and planning, so our researchers will never know who you are. We may also anonymise your personal where possible.

    As we've implemented appropriate safeguards to safeguard patients' personal data, we use an opt-out consent model in line with the National Data Optout. If you'd prefer for ieso not to use your information, please exercise your opt-out preference here

We may also work with reputable academic and research organisations or individuals to support our mission, including by sharing deidentified or anonymised information that can’t be linked to you, and within the constraints of strict contracts with partners.

Legal basis for processing your Personal Data:


Whenever we use your Personal Data, we do so with a recognised “legal basis” under Article 6 of the GDPR. As our Services are provided under the Terms and Conditions, we process most of your Personal Data under the contract lawful basis, which means we process your Personal Data to fulfil our contract obligations to you.

We also process Personal Data that is sensitive, such as your health and demographic information, which requires additional protection under the GDPR, including an additional but separate basis under Article 9 of the GDPR. As out Services are provided to provide healthcare, our Article 9 basis is the provision of healthcare, unless stated otherwise in brackets below:

  • For delivering treatment, including communicating with you, we rely on contract.
  • For the retention of your health record when treatment has ended, we rely on legitimate interests. Our legitimate interests are to enable us to meet our legal and contractual obligations.
  • For processing demographic information to monitor our services, including monitoring for bias and discrimination, seeking to improve fairness and to report to the NHS as required, we rely on legitimate interests. Our legitimate interests are to enable us ensure the services we provide are fair and free from bias and discrimination, and also to report to the NHS.
  • For safeguarding and the NHS minimum data set information, we rely on legal obligations, under the Health and Social Care (Safety and Quality) Act 2015.
  • For standard information sharing with GPs or during referrals for secondary care, we rely on consent
  • For sharing information with an employee assistance service, we rely on consent (Article 9 condition is explicit consent).
  • For sharing information with the emergency services when consent isn’t possible, we rely on vital interests (Article 9 condition is vital interests).
  • For information held in establishment or defence of a legal claim or complaint, we rely on legitimate interests.
  • For upholding the NHS National Data Opt-outs in England, we rely on public task.
  • For research and service analytics, such as service evaluation, improvement and development, we rely on the original basis for collecting your Personal Data and legitimate interests (Article 9 condition is scientific research and provision of health care). Our legitimate interests are to enable us to improve our services and develop new ones, to improve the accessibility to, and delivery of, high-quality mental health support, products and services.

    As part of our commitment to you and future patients, we are committed to continued improvement and development. Research supports us to provide you and all our patients with high-quality evidence-based care and products/ tools, and to help more people get treatment earlier. We publish findings (which only ever include aggregated and deidentified data) in peer reviewed scientific journals, satisfying the legal basis of the special category data processing being necessary for scientific research purposes, which we use for a subset of our research activities.
3. When we share your Personal Data

We appreciate and respect that the confidentiality of your treatment is of the utmost importance to you. That’s why we share information on a strict need-to-know basis, and anyone receiving information about you will be under an equal legal duty to keep it confidential.

In delivering the Services to you, your Personal Data may be shared with:

A) Health services and support

  • Your NHS Service and / or your GP – It’s essential that for us to work closely with other NHS services involved in your care, including your local NHS Service and / or your GP, to deliver safe, effective and accountable care.

    • NHS Services – Your treatment is funded by your local NHS Service and we routinely update their patient management systems with your information (your appointment details, questionnaire scores, your clinician’s summery, referral information and correspondence) and treatment. This is irrespective of whether you're referred to our service or self-referred. (Please note, very few of our NHS services do not maintain a PMS to update; under these contracts, information is not routinely shared with the provider, but we do submit the Minimum Data Set statistics to NHS  England. If you're not suitable for ieso, we are required to share your information with the NHS provider who would have funded your treatment). Your verbatim record (written or audio) is not routinely shared with NHS providers, except in serious clinical incidents.
    • Audit meetings – Some NHS Services require audit meetings to review feedback, which may very occasionally include the joint viewing of/ listening to specific verbatim records of sessions or messaging relating to investigations as a result of a serious clinical incident or significant complaint.
    • Referral back to your NHS Service referrer or the NHS Service who would have funded your treatment if you self-referred – If we refer you back to your NHS provider, or the NHS provider who would've funded your treatment if you self-referred and aren't suitable for our service, we will provide them with a summary of your condition and the treatment we provided.
    • For billing – We share pseudonymised information with the NHS provider that funds your treatment to enable billing.
    • Your GP – as a matter of practice, we will notify your GP at assessment and discharge, which will include a brief summary of your assessment or treatment delivered. You may request to opt-out of notifying your GP, but this is only possible where the NHS Service allows it. Please address any questions regarding opt-outs to info@iesohealth.com.

      If you opt-out of GP notifications, we may still share information with your GP in exceptional circumstances such as you’re at risk of harming yourself. Please see Section 3 for more details.
  • Referral Tool – We aim to provide services that are accessible and engaging, so we may offer use a front-door solution provider to enable patients to have a greater referral experience. This sharing will be limited and temporary, and it will include the information we need to onboard and triage you.
  • NHS Secondary Care Services – Our service is designed for those with mild to moderate mental health conditions, so if we believe that more specialist care is required for a severe or long-enduring mental health condition, we will discuss this with you. If you consent, we will refer you to a psychiatric-led secondary care service, and we will share your health information with them.
  • NHS England (Patients who reside in England only) – Your treatment is funded by the NHS so we’re required to provide a specified set of data (the Minimum Data Set) to NHS England, who will use this data to understand how services are delivered in England. This includes your NHS number, gender, age and ethnicity. Please note, all reports published by NHS England are aggregated so your information will never be made publicly available.
  • Employment Assistance – If an employment assistance programme is available in your area, and your local NHS Service asks us to, we will offer you the opportunity to speak to an employment assistance specialist which is entirely voluntary. If you consent to a referral, we will share your basic contact details, presenting problem, GP details and some demographic information with the employment support assistance programme.
  • Maintaining our patient management system – Like the NHS, we maintain a PMS that records your information the treatment we deliver, which without, we wouldn’t be able to provide you with our service. Our PMS is iaptus, a system developed and hosted by Mayden House Ltd, which is trusted by many NHS Services. Acting as ieso’s Processor, Mayden will maintain health records on behalf of ieso and in accordance with our very strict instructions, including regarding its security, storage within the UK, and to enable streamlined sharing of data between ieso and your NHS Service, for development and maintenance of iaptus, and also to anonymise for research on aggregated data across providers. Your verbatim records (written or audio) are not stored on iaptus – these records are stored internally at ieso.
  • Service Transfer – Our Service is provided to you on our contract with your local NHS Service. If your NHS Service intends to transfer all or part of its NHS talking therapies programmes to a new provider, we will be under a legal obligation to share certain information with the new provider to assist the NHS Service and any new provider with continuity of provision for you. We will comply with our legal obligations when sharing such information. You may opt out of any potential transfer by email to info@iesohealth.com.

B) Outside the normal course of providing our Services

If you consent to being contacted about opportunities, such as to raise awareness of ieso’s online typed therapy or to share your thoughts and feedback to shape our service, we will use your contact details to provide you with more specific information. We may also use your demographic information to assess how we are performing in reaching a diverse and representative group of patients to aid fairness and equality. The minimum necessary information needed to facilitate this will be shared with the relevant teams within ieso.

If you leave a review of our services on an external site, e.g., Trustpilot, you do so at your own discretion and ieso is not responsible for how that data is processed by the platform you use to share your views or those who view the review. We may respond to your review.

C) Other circumstances in which we may share your Personal Data

The sharing of Personal Data is strictly controlled by law, but as the Caldicott Principles highlight, “the duty to share information for individual care is as important as the duty to protect patient confidentiality” when required by law or to protect either yours or another person’s wellbeing.

We may share the minimum information with appropriate government agencies or local authorities, such as the police, without your permission if:

  • A serious crime has been committed;
  • Withholding information could endanger someone’s life;
  • A child or vulnerable adult is at potential risk; or,
  • We are ordered to do so by a court of law.

In such circumstances, we will try to inform you if it is appropriate to do so.

D) Transferring Personal Data outside of the UK or European Economic Area, and holidays during treatment

It is sometimes necessary for subsets of information to be stored in well-known software as a service (SaaS) provider which do transfer data to other regions with appropriate safeguards. See section below on “How we store your personal data.”

In the limited instances when data is shared overseas, the UK Government, in consultation for the ICO,  make decisions on adequacy of the protection of personal data in other countries and we have selected providers located in countries that the Commissioner has approved or, where the provider is based in a country that hasn’t received adequacy, have used safeguards and contracts that mean the transfer is lawful and appropriate.

If you go on holiday outside the UK or EEA, you should exercise caution before accessing your account, as the country in which you are travelling through may not provide similar safeguards to which are provisioned within the UK and EEA. If you access your account from a country other than the UK or EEA, you do so at your own risk.

You may

contact us

if you want further information on the specific mechanism used by us when transferring your personal information out of the United Kingdom and the EEA.

We have not, and will never, sell your Personal Data.

4. How we secure your Personal Data

We take the security of your Personal Data very seriously.

We have implemented controls to safeguard the Personal Data that you provide, applying physical and organisational measures against loss, misuse and alteration of your Personal Data under our control.

All information you provide is encrypted in transit using the best-practice encryption (256-bit encryption) and secured in our trusted and vetted providers.

We have achieved the International Standard certification for information security (ISO 27001), Cyber Essentials Plus and exceed the expectation of the NHS Data Security and Protection toolkit.

You must also take responsibility for the protection of your account by keeping your password secure and secret and all times when accessing or using our Service.

5. How we store your Personal Data

ieso is headquartered in the UK and information submitted about you via the Service is stored in the UK, and possibly the European Economic Area where this isn’t possible. Your health record will be stored in the iaptus PMS, which is hosted by Mayden House Ltd in the UK. Mayden has been subject to an extensive due diligence programme by ieso and is the trusted and chosen provider for around 200 separate NHS providers. We also maintain a separate copy of deidentified health information that is stored by Microsoft Azure, which is also stored in the UK and has been vetted by ieso. Both software providers may access your data in very limited, specific and approved circumstances, in order to provide their services to ieso, and we have Data Processing Agreements in place to govern such processing.

We also use a small number of well-known SaaS (Software as a Service) providers to process and/ or store smaller subsets of your Personal Data and enable the uses of the Personal Data as described in this privacy notice. We have Data Processor Agreements in place with each SaaS provider. Where possible these providers store the Personal Data in the UK or EEA; otherwise, we have implemented legal safeguards to ensure the transfer of data is legal and ethical.

How long we retain your Personal Data:

We retain your Personal Data for as long as necessary to fulfil the purposes for which we collected it. We’ve taken considerable time and diligence to determine the most appropriate retention periods, considering the nature, amount and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and applicable legal and healthcare industry requirements.

In particular, we retain your records in accordance with the Records Management Code of Practice published by NHS England’s Transformation Directorate, which is accessible here.

  • For patients who receive any intervention, ieso retains your health record for 20 years after your treatment ends. This applies even if you don’t complete a full course of therapy, and it helps you to remember coping strategies, techniques and processes that your learnt in therapy.
  • For individuals who refer into our service, complete their registration but do not receive any intervention, we retain your health record for 3 years.
  • Research records are retained for up to 20 years.

When we no longer require the Personal Data we have collected about you, we will either delete or anonymise it, or if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymise your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

6. Your access, rights and choices

You can access specific details relating to your treatment through the Service online at any time directly through your account, these will therefore remain resources available to you after the conclusion of your treatment. These include messaging between you and your therapist between sessions, the sessions themselves, the ‘homework’ activities, questionnaires completed, and any goal setting activities. The sessions comprise a verbatim record of conversation between you and your therapist that are retained in the form of a transcript for text therapy or an audio file for video therapy.

If you feel there is an error of fact on your health record held by us, you can contact us, or in respect of your wider medical record your referring healthcare service or GP. If we agree the information is incorrect, the alteration will be made. If we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate but we will not alter the information, and you will be notified of either the correction or the note.

Data protection law also includes the right to data portability and to make other requests to seek to erase, object to and restrict Personal Data processing where certain limited grounds apply. Note however that Personal Data processed for health/treatment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights can be restricted or not apply in practice. Specifically, the right to erasure does not apply when processing is necessary for the provision of healthcare or the management of healthcare systems or service.

Your choices:
  • If you would like to opt out of ieso’s research and planning, please exercise your options via one of two methods explained here.
  • If you would like to opt out of a Service Transfer (as defined in Section 3), please email info@iesohealth.com.
  • If you would prefer not to receive appointment booking links and reminders via SMS, please email info@iesohealth.com.
  • If you would prefer to opt-out of GP notifications, and this is not restricted by your NHS Service, please email info@iesohealth.com.
  • If you would prefer not to receive voicemails, please email info@iesohealth.com.

If you need assistance or have an enquiry about accessing, updating or amending your records, or where applicable, about receiving or transmitting a file of the Personal Data you have provided (for example to your GP) please

contact us

Our complaints procedure is available on the site, and there is a link to it here.

If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office.

7. Cookies and Tracking

We use cookies or similar technologies such as device IDs, pixel tags and web beacons (collectively described here as 'cookies') to collect information about the access to and use of the Site and Service. These typically include a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the Site or using the Service and that sometimes track information about a user.

We use cookies to secure your login, authenticate your access, enable smooth navigation across the Service and its features, and to enable patients to resume from where they left off (e.g., patients can resume completing their routine questionnaires easily, rather than having to complete them in one sitting).

Computers and mobile devices may automatically accept cookies, but you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the site or Service.

You can also learn more about our use of cookies by visiting our cookies policy.

8. Specific information relevant to Children and Young People

Our Services are not intended for use by anyone under 16 years old. Our contract with your healthcare provider determines the lower age limit for our Services. As standard it is 18, but specific contracts also include 16- and 17-year-olds.

9. Your questions and how to contact us

If you have any questions or comments about this privacy notice, please let us know:

By email: privacy@iesohealth.com (or for technical support, contact our technical support team: support@iesohealth.com)

By telephone: 0800 074 5560

By post: ieso, Jeffreys Building, Cowley Road, Cambridge, CB4 0DS

To reach our data protection officer, please use the above details and mark your communication for the attention of the Privacy team.

In an emergency regarding your health, please contact:

  • Your GP surgery or local A&E
  • Your referring healthcare provider
  • Urgent Care (for out of hours access to GP) – call 111
  • The Samaritans – call 116 123 or email jo@samaritans.org
  • Emergency Services – call 999
10. Changes to your Personal Data

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.

This Privacy Notice applies to any Site where it is referenced, regardless of the computer, mobile or other device you use to access or use the Service. The Site and Service may contain links to websites, mobile applications, and other online services operated by third parties. Unless the third-party site you access is our data processor, we do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy notices or content of such websites, mobile applications and online services you use.

Start the process

Our service is free for lots of NHS patients.
It only takes a minute or two to check if you are eligible for treatment.

Get started with ieso