Privacy Notice

Please read this Privacy Notice and any other privacy notice or fair processing notice we may provide on specific occasions carefully, as it is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export and delete your information.

This Privacy Notice supplements the other notices and is not intended to override them.

We do not and will not sell your data to third parties.

Websites and Applications in scope of this Privacy Notice

My Online Therapy: Self Care

• iOS App (Apple App Store)
• Android App (Google Play Store)
• Desktop website

My Online Therapy: Therapists

• iOS App (Apple App Store)
• Android App (Google Play Store)
• Desktop website – Therapists

Company details

My Online Therapy is owned and run by My Online Therapy Ltd, a company incorporated and registered in England and Wales with company number 14006381, whose registered office is at 128 City Road, London, EC1V 2NX, United Kingdom.

You may know us by our brand name: My Online Therapy.

Controller

My Online Therapy Ltd is the Controller (registered with the ICO under number ZA456175) and responsible for your Personal Data under this Privacy Notice. This means we decide why we collect your data, how we collect it, what data is collected, how this data is going to be used and how this data is protected.

Our Psychologists are all registrants of the Health and Care Professions Council (HCPC). The HCPC is a regulator whose main aim is to protect the public. To do this, it keeps a register of psychologists who meet its standards for training, professional skills, behaviour, and health. Our Psychologists have a professional and legal responsibility to respect and protect the confidentiality of their clients at all times.

Psychologists are also Controllers of your Personal Data and have their own privacy notice. Please ask your Psychologist for a copy of their privacy notice before starting your therapy to make sure you understand their information practices, as this Privacy Notice does not cover the interaction between you and your Psychologist.

We respect your right to privacy and are committed to protecting it and complying with Data Protection Law. We will always keep your Personal Data safe. We will be clear and open with you about why we collect your Personal Data and how we use it. Where you have choices or rights, we will explain them to you and respect your wishes.

If you have questions about this Privacy Notice or the processing of your Personal Data, please contact us at:

Postal address

The Data Protection Officer
My Online Therapy Ltd,
128 City Road,
London,
EC1V 2NX,
United Kingdom.

Email

[email protected]

Data protection officer (DPO)

We have appointed GRCI Law Limited as our DPO, who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, our privacy practices or how we handle your personal information, please contact our DPO.

We have appointed IT Governance Europe Ltd to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our representative at [email protected].

Please ensure you include our company name in any correspondence you send to our representative.

We may collect, use, store and transfer different kinds of Personal Data about you depending on our relationship with you:

Identity data

Includes first name, last name, date of birth, title and gender.

Contact data

Includes your billing address, email address and telephone number(s).

Insurance data

Your insurer’s details, insurance membership number and claim number.

Location data

We may collect your location data from your IP address and telephone codes.

Transaction data

Includes details about payments to and from you and other details of services you have purchased from us.

Payment data

Includes details about payments made via our Website and Apps in order to pass on to Stripe for storage and processing. All payments are managed by Stripe.

Technical data

Includes IP address, your login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access our site or our Apps.

Profile data

Includes your email and password, the services you have used on our site or our Apps, your use of social media functions on our Website or our Apps for authentication, feedback, survey responses and such information about your health as you provide to us.

Usage data

Includes information about how you use our Website or Apps and the services you use.

Candidate data

Includes information you have provided to us in your curriculum vitae, covering letter and/or application form, including name, title, address, telephone number(s), personal email address, date of birth, gender, employment history, qualifications, areas of specialisms and registrations with professional bodies such as the Health and Care Professions Council (HCPC).

This also includes any information you provide to us during an interview.

Marketing and communications data

Includes your preferences in receiving marketing from us and our third parties and your communication preferences.

Video sessions

We do not collect data from your video sessions. Your video sessions with Psychologists are not recorded.

Therapy notes and chat sessions

Psychologists may make their own session notes and store them independently – these notes are not stored on our system and are the responsibility of the therapist as controller of this data. Therapists are also able to make and store session notes within our platform. These notes are associated with your session records and are visible only to your therapist and their supervisor.

Our platform also provides online chat sessions with your Psychologist and stores the chat history of any previous sessions, which may include Special Category Personal Data should any such details have been discussed during the session. The chat history data from previous sessions are only available to you and your therapist.

For more information, please also see your Psychologist’s privacy notice or contact them.

Special Category Personal Data

Special Category Personal Data is personal data that needs more protection because it is sensitive, and we may collect this type of personal data from you in the course of providing you with our services or during our interactions with you.

Your online chat sessions may contain Special Category Personal Data

Health data is Special Category Personal Data and we collect it when you provide us information about your health in our self-assessment questionnaires or insurance standard questionnaires. We also may collect information about your moods from our mood check-ins.

Aggregated Data

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific Website feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data, which will be used in accordance with this Privacy Notice.

We will not process your Special Category Personal Data in order to aggregate it without a Lawful Basis to do so.

We use different methods to collect data from and about you, including through:

Personal Data provided directly by you

You may give us your Personal Data by filling in forms, surveys, questionnaires or assessments on our Apps or Website, by applying to work for or with us, or by corresponding with us by post, phone, email, chat or otherwise. This includes Personal Data you provide when you:

• Register to use our Apps, Website or services, or to receive general, market or commercial information;
• Make uploads such as a user profile image and subscribe to access self-care content;
• Start or complete an assessment and/or questionnaire;
• Download our Apps;
• Make an in-App purchase;
• Create an account on our site or via our Apps;
• Enter a promotion or survey;
• Give us feedback or contact us; or
• Complete our Net Promoter Score (NPS) rating tool.

Data we collect when you use our Websites and Apps

Each time you interact with our Website or use our App, we will automatically collect Personal Data, including technical data about your device, your browsing actions and patterns, content and usage data. We collect this data using Cookies, server logs and other similar technologies like pixels, tags and other identifiers in order to remember your preferences, to understand how our Website and Apps are used, and to customise our marketing offerings.
Please see our Cookie Policy for further details.

Information we receive from third parties

We may receive Personal Data about you from various third parties, such as:

1. Device data from the following parties:
   • Analytics providers such as Google.
   • Advertising networks.
   • Search information providers.
2. Contact, financial and transaction data from providers of technical, payment and delivery services, such as Stripe;
3. Transactional data from app stores for in-App payments, such as the Apple App Store and Google Play Store;
4. Technical data and device data from the following parties:
   • Analytics providers such as Google Analytics, Mixpanel, Facebook, AppsFlyer, Optimizely, Apptentive and UXCam.
   • Advertising networks such as Google, Facebook and Instagram.
   • Search information providers such as Algolia.
5. Providers collecting survey information, such as SurveyMonkey and Typeform;
6. Psychologists providing general and Aggregated Data to ensure sufficient resources and health and safety obligations;
7. Information about our candidates from referees, recruitment agencies and social media such as LinkedIn; and
8. Reviews from providers such as Trustpilot.

Information we receive from public sources

Identity and contact data from publicly available sources such as the UK Companies House and the electoral register inside the UK.

Unique application numbers

When you want to install or uninstall a service containing a unique application number or when such a service searches for automatic updates, that number and information about your installation, for example the type of operating system, may be sent to us.

General

We need your Personal Data to conduct our business and provide you with our Apps and services. Most commonly we will use your Personal Data in the following circumstances:

• Where you have consented before the processing.
• Where we need to perform a contract, we are about to enter or have entered with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.

UK GDPR/EU GDPR Lawful Basis table

The table below describes the ways we plan to use your Personal Data, and which Lawful Basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.
For more information on the Lawful Basis we use to process your data under the UK GDPR and EU GDPR, see our Lawful Basis table  below or contact us.

Lawful Basis Table

Reason for processing Special Category Personal Data

Where we are processing your Special Category Personal Data, we must, in addition to the Lawful Basis in the Lawful Basis table, process your Special Category Personal Data because of an additional condition, including:

• You have given us your explicit consent to process that data;
• We are required by law to process that data in order to ensure we meet our ‘know your client’ and ‘anti-money laundering’ obligations (or other legal obligations imposed on us);
• The processing is necessary to carry out our obligations under employment, social security, or social protection law;
• The processing is necessary for the establishment, exercise, or defence of legal claims;
• You have made the data manifestly public; or
• Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes.

Commonly we will process that data:

• On your express consent; or
• On the basis of scientific research in the public interest.

For more information about us using your Special Category Personal Data, please see the Special Category Personal Data table below or contact us. The ICO has some useful information here.

Special Category Personal Data table

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the Lawful Basis that allows us to do so.

Using Personal Data for marketing purposes

We may use your information to provide you with details about services.

Where we are legally required to obtain your consent to provide you with certain marketing materials, we will only provide you with such marketing materials where we have obtained such consent from you.

You can opt out of us using your personal information for marketing purposes by following the unsubscribe link included in each marketing email or by contacting us via email ([email protected]).

Sharing your Personal Data safely

We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law.

We do not allow our third-party service providers to use your Personal Data for their own purposes. We only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

Who we share Personal Data with

We may share your personal information with the following organisations that help us manage our business and deliver our products, applications, or services, or where we are legally obliged to share information, including with:

• Business partners, our employees, psychologists, contractors’ consultants, agents and professional advisors;
• Insurance providers, including Vitality Insurance;
• Third parties carrying out services on our behalf, including billing, sales, marketing agencies, analytics, research, university research, data storage, validation, security, fraud prevention and legal services;
• GRCI Law for data privacy services;
• Stripe for payment processing;
• Third-party service providers to assist us with client insight analytics, such as Google Analytics;
• Third parties to which we outsource certain services such as couriers, IT systems or software providers, IT support service providers, and document and data storage providers;
• Third-party platforms to manage and deliver customer relationship management (CRM);
• Third parties for the purposes of App development;
• Third parties in the event of any merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our assets (including without limitation in connection with any bankruptcy or similar proceedings);
• Other organisations for the purposes of fraud/crime protection and investigation;
• Courts of law and government, regulatory authorities or third parties to the extent required by law, court order or a decision rendered by a competent public authority and for the purpose of law enforcement; or
• Other third parties subject to your consent.

Why we share your Personal Data

As a general principle, we share data in order to facilitate or improve our services or offers. We will get your express opt-in consent before we share your Personal Data with any third party for marketing purposes.

You can opt out of us using your personal information for marketing purposes by following the unsubscribe link included in each marketing email or by contacting us via email ([email protected]).

From time to time, we may share Personal Data and other information that we have collected about you:

• To get help in running our business, and delivering our products, Apps and services;
• Where we are legally required to do so, such as in response to court orders or legal process, or to establish, protect or exercise our legal rights or to defend against legal claims or demands;
• Where we are acquired by or merged with another entity (in which case we will require such entity to assume our obligations under this Privacy Notice or inform you that you are covered by a new privacy notice);
• If we believe it is necessary in order to investigate, prevent or act regarding illegal activities, fraud, or situations involving potential threats to the rights, property or personal safety of any person, or other exigent circumstances; or
• If we believe it is necessary to investigate, prevent or act regarding situations that involve abuse of our infrastructure or the Internet in general (such as voluminous spamming, denial-of-service attacks, or attempts to compromise the security of the Website infrastructure), or to otherwise protect our assets or rights.

Sharing your Personal Data overseas

Please note that we may send personal information outside of the country generally for, but not limited to, reasons relating to processing and storage by our service providers. For example, we may have Cloud storage providers with data storage facilities in the US, Canada, Europe, Japan, Pakistan, or other countries.

When we do this, we will ensure it has an appropriate level of protection and the transfer is made in line with Data Protection Law. Often, this protection is set out under a contract with the organisation that receives that information. You can find more details of the protection given to your information when it is transferred overseas by contacting us.

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties that have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.

We periodically test the security of our systems to check for vulnerabilities.

Risk

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your Personal Data, we do not have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many Information Security Risks that exist and take appropriate steps to safeguard your own information.

Encryption

All information you provide to us is stored encrypted in rest and in transit. Any payment transactions will be managed by Stripe and will be encrypted.

Breaches

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

You should be aware that information about your use of this website (including your IP address) may be retained by your ISP (Internet Service Provider)  , the hosting provider and any third party that has access to your Internet traffic.

Our Website and Apps may contain links to third-party websites and plugins, for instance a social media login plugin. If you choose to use these websites, plugins, or services, you may disclose your information to those third parties.

We are not responsible for the content or practices of those websites, plugins, or services. The collection use and disclosure of your Personal Data will be subject to the privacy notices of these third parties and not this Privacy Notice. We urge you to read the privacy and cookie notices of the relevant third parties.

We do not target children, and our Website and Apps are not intended to attract children. Accordingly, our online services that collect Personal Data are not directed at and should not be accessed by individuals under the age of 18 years, and we request that such individuals do not provide any Personal Data to us.

Minors must obtain express consent from parents or legal guardians before accessing or providing any Personal Data. If notified by a parent or guardian, or discovered by other means, that a minor under the age of 18 has provided their Personal Data to us, we will delete the minor’s Data that is in our possession.

We will keep your Personal Data in line with our data retention policy for no longer than is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

We use Cookies and similar technologies like pixels, tags, and other identifiers to remember your preferences, to understand how our Website and our Apps are used, and to customise our marketing offerings.

Further details can be found in our Cookie Policy.

You have several rights under Data Protection Law. The rights available to you depend on our reason for processing your information and are set out in the Table of your rights. Information on your rights under Data Protection Law can also be found at https://ico.org.uk/for-the-public/.

Table of your rights

How to exercise your rights

In most circumstances, you do not need to pay any charge for exercising your rights. We have one month to respond to you.

To exercise your rights or get more information about exercising them, please contact us, giving us enough information to identify you.

We hope that we can resolve any query or concern you raise about our use of your information. Please contact us first and title your email “Complaint”. All complaints will be treated in a confidential manner and we will try our best to deal with your concerns.

You have the right to lodge a complaint with a supervisory authority in the EEA member state where you work or normally live, or where any alleged infringement of Data Protection Law occurred.

The supervisory authority in the UK is the ICO, which may be contacted at https://ico.org.uk/concerns or by telephone on 0303 123 1113.