Effective date: 28/10/2022
ieso ("We") are committed to protecting and respecting your personal data and privacy.
These Privacy Notices cover personal data processing of data collected via this Site and/ or direct marketing/ business development emails and conference exchanges, and reflect legal requirements and regulations.
[N.B. There are separate, different, more detailed Privacy Notices on our therapy sites relevant to the collection and use of personal data in connection with receiving our online cognitive behavioural therapy (CBT) services.]
These Privacy Notices describe the privacy practices of Ieso Digital Health (UK) Ltd and our subsidiaries and affiliates (including Ieso Digital Health Limited and Ieso Digital Health, Inc.) (collectively, “ieso”, “we”, “us”, or “our”), and how we handle your personal data that we collect through the use of this site as well as through other activities described in this Privacy Notice. We are data controllers of your personal data and are registered with the Information Commissioner (registration numbers ZA239229 and Z5383093). If you require further information on anything below, please contact our Data Protection Officer: firstname.lastname@example.org. Full details on how to contact us can be found below.
Here we explain what personal data we collect, how it is used, shared, secured, stored, and how you can exercise choices and manage your personal data
Information we collect from you
Exclusively via this site:
If you use the eligibility checker:
You are under no obligation to provide any such information. However, if you should choose to withhold requested information, we may not be able to provide you with certain services/ information.
Information collected automatically from you as a result of your interactions with the Site
We do not collect any personal information from you on this site if you click on ‘Career opportunities’ or ‘Become an ieso therapist’. In these instances, you are delivered to our recruitment site which has its own set of privacy notices and your personal details are collected there.
Information we collect from other sources
For the purposes of direct marketing in a business context if relevant, we may collect your identity and contact data including title, name, job title/ function, the organisation you work for or are engaged by, email address, telephone numbers, address from:
How we use collected information
To respond to your messages delivered to us via the contact section of the Site and provide any information requested
Use of the personal data collected on the therapy site via the eligibility checker is to provide you with information about whether our service is available to you and, if so, how you can register
Legal basis for processing your personal data:
We use your Personal Data only as permitted by law, for the purposes for which we collected it. Under the UK General Data Protection Regulations the different purposes of processing your data are legally permitted under Article 6 (1) (a) consent, Article 6 (1) (b) contract or Article 6 (1) (f) legitimate interests. Where the legal basis of the processing is Legitimate Interests, a legitimate interests assessment has been carried out and the legitimate interests identified as being able to inform existing customers about changes in the service, our attendance at conferences etc, or to make potential new customers aware that services/ opportunities to meet us exist (including within the NHS where there is public interest in individuals having access to services that support them with their mental health needs), to provide answers to questions posed by website visitors), or information to potential investors, business partners and/ or collaborators.
ieso takes care to ensure that only the right people have access to your personal data. We have internal procedures in place to safeguard your privacy and anyone within ieso receiving information about you will be under an equal legal duty to keep it confidential.
If you require information requested via our ‘contact us’ website forms, or by email, that is best answered by our PR agency (with whom we have appropriate confidentiality and data protection agreements), your contact details will be passed to them to respond.
We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation or for any other reason than those set out in this policy without your knowledge or permission unless we have an overriding legal duty to do so.
If you are an individual representing an organisation for whom our company or services may be, or already are, of interest and are added to our customer relationship management system and or marketing automation system, then we may contact you in line with our marketing and business development communications protocols and Legitimate Interests Assessment for purposes such as informing you about ieso services or attendance at conferences etc, and where we offer you the option of opting out of such communications.
In the event that we undergo re-organisation or all or a part of our business is sold to a third party, you agree that any personal information we hold about you may be transferred to that re-organised entity or third party, whether such acquisition is by way of merger, consolidation, or purchase of all or a portion of our assets, or in connection with any bankruptcy or reorganization proceeding brought by or against us.
We may disclose aggregate statistics about visitors to the Site in order to describe our services to prospective partners and other reputable third parties and for other lawful purposes, but these statistics will include no personally identifiable information.
We seek where possible to prevent any transfers of your personal information to countries which do not have adequate data protection standards.
The European Commission makes decisions on the adequacy of the protection of personal data in third countries and have decided that personal data can flow safely between countries in the European Union, the European Economic Area (EEA), and other listed territories without any further safeguards being necessary. Post UK departure from the EU, the UK has been granted adequacy by the EU, and the UK has accepted the European Commission’s adequacy decisions for the UK too, and also included Gibraltar.
If we transfer your Personal Data out of the EEA and the UK to a country not deemed by the relevant regulatory authority to provide an adequate level of personal information protection, the transfer will be performed (i) pursuant to the recipient’s compliance with standard contractual clauses or Binding Corporate Rules; (ii) pursuant to your consent; or (iii) as otherwise permitted by applicable data protection requirements.
We place great importance on the security of personal information. We have put controls in place to safeguard your personal information, applying physical, technical and procedural measures against unauthorised access, loss, misuse and alteration of personal information under Our control.
We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We have achieved the International Standard certification for Information Security (ISO 27001) and maintain the Cyber Essentials Plus certification.
We use a small number of well-known SaaS (Software as a Service) providers to store subsets of your personal data and we have Data Processor Agreements in place with each SaaS provider. Where possible, these providers store the data in the UK or EEA. Where they are located outside the UK/ EEA we ensure they are party to an adequacy agreement or have in place one of the additional safeguards necessary to make the transfer such as Binding Corporate Rules or Standard Contractual Clauses (with additional technological and organisational controls as necessary or appropriate) to uphold your legal data protection rights.
If you have sent a contact message via the website or a direct email, the retention periods for your personal information will vary. We will consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of it, and any applicable legal or regulatory requirements.
If you are in a self referral area and begin the referral process on the therapy site via the eligibility checker part of this Site, your personal data will form part of your health record. If you subsequently receive treatment from ieso, we retain your personal data as a resource that you can return to for 20 years post discharge. This can help you remember coping strategies, techniques or processes that you learnt in therapy. We retain your clinical record in accordance with NHSX Records Management Code of Practice.and to support our legal obligations to be accountable for your care.
Data protection law provides you with rights that ieso is committed to supporting you with:
Right to Access
You have the right to obtain:
· confirmation that your information is being used, stored or shared by the company
· a copy of information held about you
· If you only require only a particular part of your record, tell us and this can reduce the time it takes to provide it
· We will respond to your request within one month of receipt or will tell you when it might take longer.
· We are required to validate your identity including the identity of someone making a request on your behalf
If you feel there is an error of fact within your personal details held by us, please contact us. If we agree the information is incorrect, the alteration will be made, but if we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate, and you will be notified of either the correction or the note.
Data protection law also includes the right to make other requests to seek to erase, port, object to and restrict personal data processing where certain limited grounds apply. Note however that data processed for health, employment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights may be restricted or not apply in practice. Where the legal basis of the processing is Legitimate Interests and the activity is direct marketing, the right to object is absolute.
For more detailed information on your rights visit https://ico.org.uk/for-the-public/.
If you need any assistance in these areas, please contact our Data Protection Officer.
A cookie is a small data file stored by your browser on your device's hard disk for record-keeping purposes and typically includes a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the same site.
Session cookies are stored only temporarily during a browsing session and are deleted from the user’s device when the browser is closed; Persistent cookies are saved on your computer for a longer, fixed period and are not deleted when the browser is closed and are used to remember you when you visit the website again; and Third party cookies are set by a different organisation to the owner of the website you are visiting. They might include cookies set for website visitor analytics or embedded content, for example Google Analytics. You can opt-out from the collection of this information by Google by downloading and installing a browser plug-in at https://tools.google.com/dlpage/gaoptout.
Most computers and some mobile devices will automatically accept cookies but, if you prefer you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the Site.
Any third-party websites you access because of your role as an employee of ieso will be covered by their own cookie policies, which should be easily accessible on their sites, and are not the control or responsibility of ieso.
Questions, comments and requests regarding these privacy notices or data protection should be addressed to our Data Protection Officer (DPO): Helen Simpson email@example.com
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Our site may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.