This notice is directed to people who registered an interest or signed up to courses on the My Personal Therapy online platform. We ask that you read this Client Privacy Notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
- Who we are
- Our collection and use of your personal information
- Our legal basis for processing your personal information
- The Purposes for which we use your information
- Who we share your personal information with
- Transfer of your information out of the EEA
- Cookies and similar technologies
- Your rights
- Keeping your personal information secure
- How to complain
- How to contact us
Who we are
The My Personal Therapy platform is operated by My Personal Therapy Ltd, a limited company registered in England and Wales.
We collect, use and are responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation which applies across the European Union and in the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws.
Our collection of your personal information
We collect personal information about you when you access our platform, register with us, contact us, send us feedback, or post reviews or other material to our platform.
We collect this personal information from you either directly, such as when you register with us, contact us or purchase course plans via our platform or indirectly, such as your browsing activity while on our platform (see ‘Cookies’ below).
We may also collect personal information about you in the form of notes from a practitioner who works with you on a 1-2-1 session. These notes will be anonymised, and you have the right to access any notes held about you at any time, by emailing us at email@example.com.
The personal information we collect about you includes:
- On registration: On registration you may be asked to provide us with your email address, phone numbers, name and some optional demographic data. We will also ask you to undergo a sign-up assessment, in which you will answer questions about your mental health in order to help allocate / recommend appropriate course and practitioner for you. If you register for an urgent care plan, we will require you to provide all those items, as well as details of you GP, and contact details of two people who we have your permission to talk to you about your mental health (name, mobile number, your relationship to them) in the event of an emergency.
- If you request information about our service, we will collect your email address in order to do so
- Stripe, our payment processor, will process your name, address details, and telephone and email contact details and billing address. Stripe retains these – we never actually retain them on our servers.
- Coursework responses you submit by means of the platform
- Your practitioner’s anonymised notes from any 1-2-1 sessions
- information about your course plan and the practitioner we have allocated to you
- your account details, such as username, login details
Urgent Care Plans
If you are on an urgent care plan, we will also record information about action we have taken under the urgent care plan to inform others of any urgent matters regarding your mental health
Should MPT or the practitioner we allocate to you feel that you, or someone you know, are at significant risk of harm, we will make every effort to inform you that Urgent Care Plan steps are being implemented prior to taking such action. Wherever we reasonably can, we will involve you in the decision-making process before going ahead with Urgent Care Plan steps. Your confidentiality will be always be protected, except in rare situations where a breach of confidentiality, in our reasonable opinion, is unavoidable. We will almost always seek your informed consent – only in exceptional cases would Urgent Care Plan steps be taken without firstly seeking your consent.
Our legal basis for processing your personal information
When we use your personal information, we are required to have a legal basis for doing so. There are various different legal bases upon which we may rely, depending on what personal information we process and why.
The legal bases we may rely on include:
- consent: where you have given us clear consent for us to process your personal information for a specific purpose
- contract: where our use of your personal information is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract
- legal obligation: where our use of your personal information is necessary for us to comply with the law (not including contractual obligations)
- vital interests: where our use of your personal information is necessary to protect a client’s life
- public task: where our use of your personal information is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law
- legitimate interests: where our use of your personal information is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal information, which overrides our legitimate interests). Our legitimate interests include providing, developing and maintaining a safe, effective course plan and platform for all our clients and the practitioners we allocate to them.
The specific bases we use in relation to each purpose for which we use your information is set out below.
The Purposes for which we use your information
We use this personal information to:
- create and manage your account with us (Legal Basis: Contract, Legitimate Interests )
- undertake a risk assessment to determine whether we consider you require an urgent care plan (Legal Basis: Vital Interests, Legitimate Interests, Contract )
- allocate a practitioner to you to work with you on your course (Legal Basis: Legitimate Interests, Contract)
- provide access to the platform and the course materials to you (Legal Basis: Contract)
- if we consider it necessary, invoking your urgent care plan (Legal Basis: Vital Interests)
- provide a therapy or mentor service to you – including monitoring your progress through our courses, reviewing your scheduling of 1-2-1 sessions (Legal Basis: Contract, Legitimate Interests)
- by means of our payment processor, Stripe, to charge you for the course plans you select (Legal Basis: Legitimate Interests)
- customise our platform and its content to your particular preferences (Legal Basis: Legitimate Interests)
- notify you of any changes to our platform or to our services that may affect you (Legal Basis: Legitimate Interests)
- improve our services to our clients generally (Legal Basis: Legitimate Interests)
- create anonymised, aggregated sets of information we can analyse to make decisions about our services and share it with others. No personally identifiable information about you will be contained in this information. (Legal Basis: Legitimate Interests)
- Retain your information in case you want a copy of it, either during your course or for up to one year afterwards (Legal Basis: Legitimate Interests, Contract)
Who we share your personal information with
We routinely share your username and (if you have provided it) your first name and last name with practitioners we introduce to you to provide 1-2-1 sessions. We will also share with them the following, if you agree to it: summary of your risk assessment; and a summary of your progress as set out in your responses to online course materials and your involvement in 1-2-1 sessions with your practitioner. Your practitioner will also have access to notes they make in respect of any 1-2-1 sessions and other work they conduct with you. We will also let them know if you cancel your booking or fail to make any payment under your booking.
We use Stripe to process payments to you – https://stripe.com/gb/privacy
We use Plume Ltd to host our platform and your personal data that we hold on it – https://plume.co.uk/.
If you have an urgent care plan, we will share your personal information with your GP and the contacts specified in your urgent care plan if the circumstances require it – see the ‘Urgent Care Plans’ section above for more details.
We will share your personal information with government or other authorities if required by applicable law.
Whether information has to be provided by you, and if so why
We require you to provide certain minimum registration data if you wish to join the platform. We will inform you at the point of collecting information from you, whether you are required to provide the information to us.
Transfer of your information out of the UK and EEA
We may transfer your personal information to the following which are located outside the European Economic Area (EEA) as follows:
- Stripe, which processes data in the USA in order to make payments to you
The USA does not have the same data protection laws as the United Kingdom and EEA. Whilst the European Commission has not given a formal decision that the USA provide an adequate level of data protection similar to those which apply in the United Kingdom and EEA, any transfer of your personal information will be subject to appropriate safeguards under the General Data Protection Regulation that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information. See here for a general summary of the safeguards – https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en. To obtain a copy of the safeguards applicable to your data, ask us by emailing firstname.lastname@example.org.
Cookies and similar technologies
For further information on cookies generally visit www.aboutcookies.org.
We would like to send you information about other services we offer, which may be of interest to you. Where we have your consent to do so, we may do this by email.
We will only ask whether you would like us to send you marketing messages when you tick the relevant boxes when we ask for your consent.
If you have previously agreed to being contacted in this way, you can unsubscribe at any time by contacting us at email@example.com or clicking the ‘unsubscribe’ link in the email.
It may take up to 7 days for this to take place.
For more information on your rights in relation to marketing, see ‘Your rights’ below.
Under the General Data Protection Regulation, you have a number of important rights free of charge. In summary, those include rights to:
- access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address
- require us to correct any mistakes in your information which we hold
- require the erasure of personal information concerning you in certain situations
- receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
- object at any time to processing of personal information concerning you for direct marketing
- object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
- object in certain other situations to our continued processing of your personal information
- otherwise restrict our processing of your personal information in certain circumstances
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation, here: www.ico.org.uk.
If you would like to exercise any of those rights, please:
- email, our Data Protection Officer at firstname.lastname@example.org
- let us have enough information to identify you
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
- let us know the information to which your request relates
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
How to complain
We hope that our Data Protection Officer can resolve any query or concern you raise about our use of your information.
The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.
How to contact us
Please contact us or our Data Protection Officer, if you have any questions about this privacy notice or the information we hold about you.
If you wish to contact us our Data Protection Officer, please send an email to email@example.com or firstname.lastname@example.org write to Unit 3 Netham View Industrial Park, Bristol BS5 9PQ or call 0333 567702.