Privacy policy

Introduction and summary of our privacy policy

Healios Limited (Healios) is a UK company which specialises in providing online Mental Health Services to children, young people and adults. We work with the NHS and private patients to deliver our services to you and we also undertake our own research projects to improve our services and to demonstrate how they can benefit patients.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 are data protection laws that apply to companies that are established in the UK. UK GDPR requires us to provide people with information about what personal data we process, what are their rights, how they can exercise those rights, and how to make complaints.

Healios takes your privacy very seriously and is committed to protecting your personal information. This Privacy Notice provides that information in a way we have tried to make clear and transparent. If you would like more information about what data we process, for what purpose or how long we keep it for, please use one of the contact details provided to ask us.

Controller

Healios Limited (referred to as Healios, “we”, “us” or “our” in this privacy policy) is a limited company with registration number 08459279. Healios is Controller of the personal data to which this privacy policy relates. This means that we are responsible for making sure that we process your personal data in a safe and lawful way.

We have appointed a data protection officer (“DPO”) whose role includes overseeing questions in relation to how we process your personal data. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact our DPO using the details set out below.

Contact details

Our contact details are:

Our full name: Healios Limited

DPO contact name: Hazel Dundee

Email and postal address for contacting us and our DPO:

Email address: [email protected]

Postal address:

Healios Ltd.

Vintage House

36-37 Albert Embankment

London

Greater London

SE1 7TL

Healios Service Users

Personal data processed

Personal data is any information we have that can identify you, such as your name, date of birth, medical history or credit card details.

Our data retention period, which is the length of time we hold your personal data, is informed by the Department of Health, NHS England and professional bodies such as the British Medical Association and The Health and Care Professions Council.

We might also keep some information that doesn’t identify you to help improve our business and our services as well as helping with health research. We do this by removing your identifiable information (such as your name, date of birth, contact details) to form ‘de-identified’ data.

In accordance with national opt-out legislation, you can choose to opt out of your confidential information being used for research and planning. For more information on this, please visit the NHS data opt-out website.  If you have any concerns about this or wish to change your data preferences, please email the Governance team at [email protected] or call 0330 124 4222 between 8am and 6pm weekdays.

We process the following personal data for the purposes listed. Where we use personal data, we will only use the minimum necessary personal data for that purpose.

Purposes of processing Types of individuals Types of personal data Retention period Lawful basis
Providing health and care to NHS referred patients NHS Patients Name, demographics, health data, video and/or audio conversations recorded through clinical sessions as well as recorded calls and emails to support teams regarding your service with us, health experience questionnaires If you are an adult service user, we will keep your data for 8 years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment. Performing a task in the public interest [Article 6(1)(e)] and; The provision of health or social care or treatment [Article 9(2)(h)]
Providing  health and care to private paying patients Private paying patients Name, demographics, health data, video and/or audio conversations recorded through clinical sessions as well as recorded calls and emails to support teams regarding your service with us, health experience questionnaires If you are an adult service user, we will keep your data for 8 years. If you enquired about our service but decided not to proceed, we will keep your data for two years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment. Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; The provision of health or social care or treatment [Article 9(2)(h)]
Managing contract with private payers Private paying patients Name, address, payment details We keep your data for 8 years For compliance with a legal obligation [Article 6(1)(c)]
Communicating regarding any concerns, queries or complaints All patients Name, contact details, any relevant information including health We keep your data for 10 years Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; Ensuring high standards of quality and safety of health care [Article 9(2)(i)]
Quality assurance, quality improvement, training and security including conducting peer reviews of consultations conducted by clinicians delivering Healios services All patients Health data, video and/or audio conversations recorded through clinical sessions as well as recorded calls and emails to support teams regarding your service with us  If you are an adult service user, we will keep your data for 8 years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment. Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; Ensuring high standards of quality and safety of health care [Article 9(2)(i)]
To conduct research Patients who register their interest and participate Name, contact details, study ID and health data, video and/or audio conversations recorded through clinical sessions
We remove any details that could identify you from this information. This includes your name, address and contact information.
We keep your data for up to 10 years, which will vary on the type of research Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; For the public interest, scientific or statistical purposes [Article 9(2)(j)]
Further research purposes (see section “Helping with health research”) All patients Health data, video and/or audio conversations recorded through clinical sessions. Use of products like ThinkNinja.
We remove any details that could identify you from this information. This includes your name, address and contact information.
As part of our research, we may use your contact details to invite you to take part in clinical trials.
We keep your data for 8 years Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; For the public interest, scientific or statistical purposes [Article 9(2)(j)]
ThinkNinja app use All patients IP address, device address, time of day, length of time, what screens visit, health data. If you are an adult service user, we will keep your data for 8 years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment. Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]
Complying with our legal or regulatory obligations, and defending or exercising our legal rights where necessary or in the vital interests of the data subject All patients All personal data held by Healios where necessary We keep your data for 8 years, although it may be longer to comply with legal requirements For compliance with a legal obligation [Article 6(1)(c) and Article 9(2)(f)] and; For reasons of substantial public interest [Article 9(2)(g)]
Supplier retention All suppliers Name, address, contact details and payment information We keep your contact details for the life of the contract plus 6 years for audit purposes Processing is necessary for the performance of a contract [Article 6(b)]

Where we rely on GDPR Article 6(1)(f) ‘legitimate interests’ are as follows:

  1. Providing health care to individuals
  2. Ensuring complaints and communications are handled appropriately
  3. Ensuring we provide and maintain a high level of quality of service
  4. Undertaking research to further improve our service
  5. Ensuring ThinkNinja app is working well, maintenance and improvement of the app

We receive personal data from several sources. If you are an NHS patient we will receive information from your NHS healthcare professionals and for our children’s assessment services this will also include information from the child’s school. If you are a private payer, we will receive information from your insurance provider if the service is provided in conjunction with them.

Helping with health research

When using your de-identified data to support health research, we aim to publish our research results in peer-reviewed journals or by working with academics. We may conduct research with partner organisations such as universities or other academic institutions.

We may also use data that does not identify you personally as part of statistics that we collect on certain types of illness, symptoms and conditions. This might include us contributing medical data to our partners and organisations such as NHS England. They will always be anonymised, which means you cannot be personally identified. This is so we can improve our medical knowledge, help deliver better care and help the general public.

Sharing your personal data

We will only share your personal data with organisations involved with your care (for example your GP or NHS Trust), unless we have a legal obligation to share with another party. Where personal data will be shared outside the purposes of providing you care we will inform you unless the law restricts us from doing so.

Where we store and process your data

Your data may be processed or stored outside of the UK and the European Economic Area (EEA). This is because we sometimes work with other companies who help us deliver our services to you and they might have servers outside of the UK or EEA.

This will always be in line with applicable data protection lawful mechanisms and protected by appropriate safeguards (such as EU-approved standard contractual clauses, a Privacy Shield certification, or a supplier’s Binding Corporate Rules).

For further information on how we protect your data if we transfer it outside of the EEA, contact us by email at: [email protected].

Further uses of personal data for corporate purposes:

Purposes of processing Types of individuals  Types of personal data Retention period  Lawful basis
Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (eg tax or legal advice) Patients and commissioners Financial, contact details, name We keep your data for 8 years Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; For compliance with a legal obligation [Article 6(1)(c)]
Provide information in relation to new services offered by Healios as an existing client or potential new client, or to invite clients to participate in service development activities Patients and mail list subscribers Name, contact details We keep your data for 12 months Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]

How to unsubscribe from our marketing communications

You may unsubscribe from our marketing communications by clicking on the “unsubscribe” link at the bottom of our emails or emailing the Data Protection Lead at [email protected].

Please note customers cannot opt-out of receiving transactional emails related to their account or service with Healios.

Child-friendly privacy policy

To learn about how we use your information, read our child-friendly privacy policy.

Website users and social media platforms

Personal data processed

Purposes of processing Types of individuals  Types of personal data Retention period  Lawful basis
Collect analytics to understand user numbers accessing website, registering interest for our research All individuals access social media platforms that click on our adverts IP address, device address, time of day, length of time, what screens are visited We keep your data for 8 years Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]

For website users and social media platforms, where we rely on GDPR Article 6(1)(f) our legitimate interests are as follows:

  1. Marketing our products, services and research.

Cookies

If you are a visitor to our website, Healios will also process personal data using cookies.

We use cookies on our website (Healios.org.uk) to help in order for the website to run and to provide a more personalised service to you. This policy describes how we use cookies and your options in regard to them.

What are cookies?

Cookies are a small piece of text which is downloaded on a device (such as a computer or mobile phone) when a user accesses a website which allows the website to understand the users preferences or past actions.

Healios uses a number of these cookies as outlined below. Healios will always ask for your consent before placing these cookies on your device, except where the cookie is necessary in order for our website to function. These are called ‘strictly necessary’ cookies.

All other cookies can be controlled via our cookie management system, which is available on our website pages.

We have outlined below the types of cookies we use, their purpose and how long the cookie is kept on your device.

Where you have consented to all non-strictly necessary cookies, you may withdraw this at any time by using our cookie management platform.

You may also contact us at [email protected] if you have any queries regarding the processing.

Strictly Necessary Cookies

We have two cookies that we use which are necessary to run our site. The purpose of these cookies are outlined below:

Name of Cookie Purpose Duration Third party?
cookiehub .www.healios.org.uk Used by Healios Ltd to store information about whether visitors have given or declined the use of cookie categories used on the site 365 days No
VISITOR_INFO1_LIVE .youtube.com A cookie that YouTube sets that measures your bandwidth to determine whether you get the new player interface or the old. 180 days Yes

Preferences Cookies

We operate the following cookies which allow you to set preferences regarding the use of our site:

Name of Cookie and host name Purpose Duration Third Party?
Lang
.ads.linkedin.com
Session-based cookie that remembers the user’s selected language version of a website. Session Yes
lidc
.linkedin.com
Used by LinkedIn for routing. 1 day Yes
CONSENT
.youtube.com
Used by Google to store user consent preferences 6109 days, 9 hours Yes

Analytical Cookies

We use the following cookies to analyse visitors to our website:

Name of Cookie and host name Purpose Duration Third Party?
_ga
.www.healios.org.uk
Contains a unique identifier used by Google Analytics to determine that two distinct hits belong to the same user across browsing sessions. 730 days No
_gid
.www.healios.org.uk
Contains a unique identifier used by Google Analytics to determine that two distinct hits belong to the same user across browsing sessions. 1 day No
_gat_gtag_UA_xxxxxxxxx .www.healios.org.uk These cookies are set by Google Analytics which is a simple tool that helps us measure how users interact with our website. As a user navigates between web pages, Google Analytics records information about the page a user has visited, for example the URL of the page. The cookies themselves are used to ‘remember’ what a user has done on previous pages and interactions with our website. 1 Hour No
YSC
.youtube.com
This cookie is set by YouTube video service on pages with YouTube embedded videos to track views. Session Yes
bcookie
.linkedin.com
This is a Microsoft MSN 1st party cookie for sharing the content of the website via social media 730 days, 12 hours Yes

Advertising

We use the following cookies for advertising:

Name of Cookie and host name Purpose Duration Third Party?
fbp
.www.healios.org.uk
Facebook Pixel advertising first-party cookie. Used by Facebook to track visits across websites to deliver a series of advertisement products such as real time bidding from third party advertisers 90 days No
fr
.facebook.com
Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers. 90 days Yes
UserMatchHistory
.linkedin.com
Contains a unique identifier used by LinkedIn to determine that two distinct hits belong to the same user across browsing sessions. 30 days Yes
bscookie
.www.linkedin.com
Used by the social networking service, LinkedIn, for tracking the use of embedded services 730 days, 12 hours Yes
personalization_id
.twitter.com
This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website. 730 days Yes
IDE
.doubleclick.net /
Used by Google’s DoubleClick to serve targeted advertisements that are relevant to users across the web. Targeted advertisements may be displayed to users based on previous visits to a website. These cookies measure the conversion rate of ads presented to the user. 390 days Yes
AnalyticsSyncHistory
.linkedin.com
Used by LinkedIn to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries 30 days Yes

Your data protection rights

The UK GDPR allows various rights for people whose data is being processed. The rights are not absolute and so sometimes do not apply. Where you wish to exercise any of your rights, you may do so free of charge (unless in specific circumstances, where you will be informed in advance) by contacting us at [email protected]. We will respond within one month.

Under the GDPR (General Data Protection Regulation,) you (the data subject) have a right to access your personal data held by an organisation. To learn how to submit a Data Subject Access Request (DSAR) at Healios, download our guide.

Details of the rights within UK GDPR are below. You will be informed if the right is available to you upon application:

Right  Meaning 
AccessUK GDPR Article 15 You may request a copy of the data held by us about you.
RectificationUK GDPR Article 16 If you think the data held by us is wrong and you may request that it is corrected.
Erasure (Right to be forgotten)UK GDPR Article 17 You can request that your data is deleted by us.
Restriction UK GDPR Article 18 There are circumstances in which you may ask us to stop processing your data but we must otherwise keep the data. For example, where required by law.
Portability UK GDPR Article 19 You can ask for a copy of your data in a format that can be readily transferred to another company.
ObjectionUK GDPR Article 20 You can object to the processing of your personal data when we are relying on a legal obligation or public duty legal basis or where we are processing in our legitimate interest, especially for direct marketing.
Automated decisionsUK GDPR Article 22 Where a computer makes a decision about you without human intervention, for example in an online loan application you have the right to know how the decision was arrived at.

Complaints

If you have any complaints regarding our use of personal data, please contact us by one of the above means. In the event we cannot resolve your complaint, you have the right to complain to the Information Commissioners Office, the UK data protection regulator.

They can be contacted at:

Information Commissioner’s Office (www.ico.org.uk)

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Tel: 0303 123 1113

Protecting your personal data

Healios takes protection of your personal data very seriously. Healios uses a range of precautions that include administrative, technical and physical measures, to safeguard your personal data against loss, theft and misuse, as well as against unauthorized access, disclosure, alteration and destruction. We store the personal data you provide encrypted on computer servers that are located in highly secure and controlled facilities. We restrict access to personal data to our employees, contractors and agents who need access in order to operate, develop, or improve our services and the application.

We follow industry accepted security standards to protect the personal data you submit to us, both during transmission and once we receive it.

We have implemented several technical and organisational measures to ensure your personal data is kept secure. This includes:

  • Achieving the European ISO27001 certification for Information Security Management Systems which requires annual recertification by external auditors
  • Compliance with the NHS Data Security and Protection Toolkit
  • Completing annual Cyber Essentials Plus certification by external security specialist company
  • Annual penetration testing of our systems by an external cyber security specialist company
  • Annual training for all staff on how to handle information securely.
  • Having role-based access controls so that staff can only access records necessary for their role.
  • Hosting on a secure platform through Heroku and Amazon Web Services who maintain the servers and ensure they are secure and up-to-date at all times with the latest security patches. This also includes extensive physical access security systems to the server sites by professional security staff utilizing video surveillance, state-of-the-art intrusion  detection systems, and other electronic means.
Skip to content