PRIVACY POLICY

This Privacy Policy outlines how TalaThrive Ltd (“TT”) collects and processes personal data when you access and use TT’s platform (the "Services") via iOS or Android applications (the “Application ”) or by visiting our website https://www.talathrive.com/ (the “Website”).

This document also outlines your rights and how they can be asserted. The terms and conditions for use of the Services are set out in the current Terms and Conditions (the "Terms and Conditions ") and can be accessed here: Tala Thrive - Terms and conditions of use - Jan 2024 (1).docx - Google Docs

When using the Services, TT is the data controller for the processing of your personal data. TT is processing personal data according to the General Data Protection Regulation (EU) 2016/679 (GDPR) as incorporated into domestic law of the United Kingdom, Data Protection Act 2018 and other applicable data protection regulation.

Data controller details:

TalaThrive Ltd (Company Number: 14703044) 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Introduction

Your privacy and safety are of utmost importance to us. We strive to make our policies clear and understandable. We want you to feel secure about how we process your personal data.

All treatment is strictly confidential and never under any circumstances are your communications with a Service Provider shared with an unauthorised party.

We may update this Privacy Policy from time to time in response to changing legal, technical or business developments. All information collected by TT through the Website or the Application will be governed by our most recent Privacy Policy, posted on the Website. If you have any queries, please contact us at support@talathrive.com .

TT has appointed Sonia Kaurah/Tala Thrive as Data Protection Officer (DPO). If you have any questions or complaints about our compliance with this Privacy Policy or how we process your personal data, please contact our DPO via email at: support@talathrive.com.

What information do we collect about you and how do we process it?

TT needs to have a legal basis to process your data, we provide our legal bases below. We only collect and process data which is relevant and necessary to properly fulfil our purposes with such processing. In this section, we describe our different purposes for processing your personal data. For each purpose we state the following information:

  • what personal data is collected (and processed);
  • the purpose(s) for processing the data; and
  • the legal basis TT relies on to process this data.

Processing necessary for providing the Services and healthcare

Personal data

The following personal data is processed for the purpose of providing our Services.

Contact information

  • First name, last name and country
  • Email address
  • Phone number
  • Home address
  • Country of residence
  • Spoken language
  • Religious beliefs
  • Demographic information including gender, sexual orientation, cultural identity etc
  • date of birth

Health data

Information regarding your physical and mental health

  • This could include information relating to an illness, your medical history or mental state. Health data will be collected by a Service Provider through meetings, registration forms, self-assessment forms, self led programs in the Application and notes from any Service Providers in your medical records, images, videos and sounds shared during the use of the Services are neither recorded nor stored.

Payment information

  • Payment details (e.g. credit card number)
  • Any promotional codes redeemed

Technical data

  • Calendar availability
  • Time of booking and meeting status (cancelled, unpaid, completed)
  • Device, IP address, language, operating system and screen resolution
  • Date and time of your sessions
  • Which Service Providers you have identified as favourites
  • Your self led program progression in the Application

We aim to share our anonymized and aggregated insights with governmental bodies, academic partners and the general public, making sure that TT - together with you - can help improve mental healthcare for all.

Purpose of processing

Your contact information is processed for the following purposes to:

  • be able to identify you and verify that you are of the required age to receive care
  • send help in case of an emergency
  • be able to identify you in the Application

Your health data is processed for the following purposes to:

  • provide mental healthcare treatment
  • evaluate the effectiveness of ongoing treatment

Your payment information is processed to make it possible for you to pay for your treatments and issue a refund in case of cancellation.

Your technical data is processed for the following purposes to:

  • plan and conduct meetings with you
  • optimise your experience depending on the device you are using
  • keep track of your preferred Service Provider(s)
  • track your self led program progression

Legal basis

The legal basis for this processing is the performance of a contract (UK GDPR Art. 6.1.b) to fulfil our obligations of providing you with the agreed Services and general legal obligation (UK GDPR Art. 6.1.c).

TT are processing health data supported by UK GDPR Art. 9.2.h and DPA 2018. Health data collected through self-assessment forms is processed with support of your explicit consent (UK GDPR Art. 9.2.a).

Processing necessary for communication, marketing services and products to you

Personal data

The following personal data is processed for the purpose of communicating with you in connection with the provision of the agreed services.

Contact information

  • First name and last name
  • Email address
  • Phone number
  • Technical data
  • Device identification
  • User information collected through social media when you interact with TT’s content

Cookie data

  • Information regarding how you have been using our Website and what other websites you have visited

Health data

  • Information regarding your physical and mental health collected upon completion of forms on our Website

Purpose of processing

Your contact information is processed for the following purposes to:

  • contact your telephone number in the event your Service Provider is unable to reach you through the Application for a booked meeting.
  • contact you with important information such as changes to our Privacy Policy or user agreement, for example.
  • inform you of our products or services via notification or email
  • send you promotional marketing emails and marketing newsletters (you can unsubscribe from any mailing lists at any point)
  • send notifications to the last phone you used to log in to the Services

Your cookie data is processed to measure the reach of our marketing campaigns.

Your health data is processed to send you promotional marketing emails.

Legal basis

The legal basis for processing your contact information is the performance of a contract (UK GDPR Art. 6.1.b) or your given consent (UK GDPR Art. 6.1.a) to provide you with customized products and services and to inform you about and market our offered Services. The legal basis for processing your cookie data for this purpose is your given consent (UK GDPR Art. 6.1.a). We only process your health information for targeted marketing if you have given your explicit consent (UK GDPR Art. 9.2.a).

You have the right to withdraw your consent (to “opt out”) of any marketing communications at any time. You can opt-out (e.g. email) by using the unsubscribe link available in every newsletter or in every commercial message you receive from us or in case of electronic direct marketing by following the instructions in the communication.

Processing necessary for evaluating and improving our Services in addition to providing customer service

Personal data

The following personal data is processed for the purpose of evaluating and improving the Services that we provide.

Contact information

  • First name, last name and country
  • Email address
  • Phone number
  • Age

Technical data

  • Data collected through the Application or by customer service agents regarding time of booking and meeting status (cancelled, unpaid, completed)
  • Data collected through the Application regarding which device you are using
  • Data collected through the Application regarding how and when you use different parts of the Application
  • Data collected through the Application regarding how you rate your meeting, the video meeting quality and any further feedback provided
  • The Service Provider(s) you have identified as favourites in the Application
  • The Service Provider(s) you have been meeting through the Application
  • Feedback such as answered polls or comments you have posted on social media in posts published by TT in TT’s official social media accounts
  • self led programs you have completed in the Application

Health data

  • Self-assessment questionnaires you have submitted through the Application
  • Information regarding your physical and mental health. This could include, for example, information relating to an illness, your medical history, or mental state.

Customer service inquiry data

  • Text data collected through upon filing an inquiry through our Website or application
  • In the case that a customer service inquiry holds medical information together with identifiable information, TT takes technical measures to ensure that the support ticket is rendered completely unidentifiable and therefore not linked to an individual.

Payment information

  • Credit card information collected through our payment service
  • Any promotional codes redeemed in the Application

Purpose of processing

Your contact information, technical data, health data and customer inquiry data is processed for the following purposes to:

  • improve time-slot and Service Provider availability
  • improve user flows by making it easier to navigate and find certain features in the Application
  • detect bugs depending on device type
  • improve our videos service
  • improve the general user experience in the Services
  • analyse how your wellbeing may change during your treatment
  • investigate how wellbeing differs between different demographics
  • investigate how treatment outcomes differ for different demographics
  • better understand how to treat you in an effective way
  • processed for the purpose of providing customer service
  • investigate, respond to and resolve complaints and problems with the Services

Any personal data processed for the purpose of evaluating and improving our Services is always handled and stored unidentifiable through pseudonymization. We will use the personal data to create statistics on a sufficiently aggregated level so that individual patients cannot be identified from the results. Aggregated statistics will be used for internal and external communication and for research.

Legal basis

The legal basis for this processing is the performance of a contract (UK GDPR Art. 6.1.b) to fulfil our obligations of giving you the agreed services and our legitimate interest (UK GDPR Art. 6.1.f). We process your health data supported by your explicit consent (UK GDPR Art. 9.2.a).

To the extent that the customer services are related to care or processing of health data, the processing takes place with the support of our right to process personal data in connection with the administration of care activities (UK GDPR Art. 9.2 h) and Data Protection Act 2018.

Time Limits

Your personal data and contact details are saved for as long as you still have your TT account on the Website and/or Application. If your account is inactive (i.e. you have not logged in for two (2) years, consecutively), your account will automatically be erased along with some of your personal data (see below). Some personal data may however need to be retained to meet legal obligation. How long your personal data is stored for depends on the type of data. Below we have listed how long different forms of personal data are stored.

Demographic data

Your demographic data is stored for as long as you have an account. It will be deleted or anonymized upon deletion of your account - either by you requesting deletion of the account or if the account has been inactive for two (2) years.

Payment information

Your payment information is saved for as long as you have an account or six (6) years from the date of completed purchases to meet legal obligations such as keeping business records.

Technical data

Your technical data is stored for as long as you have an account. It will be deleted or rendered completely unidentifiable upon deletion of your account - either by you requesting deletion of the account or if the account has been inactive for two (2) years.

In order to detect and fix errors, we save error logs in our systems. Since these logs may contain personal data, they are deleted after a maximum of 60 days. We always strive to minimise the storing of unnecessary data, therefore this storing period is often much shorter than 60 days.

Cookie data

If you have consented to third-party cookies being stored on your computer or mobile devices, the cookies will be removed when you uninstall them or when the cookie expires.

Customer service requests

If you have contacted our customer service team, the inquiry will be stored for 180 days before it is deleted. Some conversations may be relevant and recorded to your medical file, in which case the following ‘Health data’ terms apply.

Health data

All health data that is collected for the purpose of providing you with healthcare and the Services and evaluating and improving our Services, will be stored for as long as you have an account. It will be deleted or anonymized upon deletion of your account - either by you requesting deletion of the account or if the account has been inactive for two (2) years.

Health data that is stored in the journal will be saved for seven (7) years in order to comply with legal obligations.

Your rights

Your personal data belongs to you. Therefore, you have a right to obtain information on and determine how your personal data is processed by TT.

These rights may be limited, for example if fulfilling your request would reveal personal data about another person or otherwise would be harmful to disclose, or if you ask us to erase information which we are required by law or have compelling legitimate interests to keep. If you have unresolved concerns, you have the right to complain to a data protection authority, please see more information below.

Where we collect personal data to administer our contract with you or to comply with our legal obligations, this is necessary, and we will not be able to manage the customer and patient relationship without this information. In all other cases, provision of the requested personal data is optional, but this may affect your ability to participate in certain programs and limit your possibilities to use our Website and other services, where the information is necessary for those purposes.

There may be additional requirements or provisions that restrict or extend your rights. There can also be legal obligations that prevent us from issuing or moving parts of your data or from blocking or erasing your data. These obligations are derived from legislation in the areas of health and medical assistance, confidentiality, archiving and accounting and tax. If your data must be saved due to legal obligations, the data will only be used to fulfil those obligations and for no other purpose.

A brief summary of your rights is set out below:

  • The right to object to processing

    • You can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or legal requirement).

    You have a right to object to your personal data being processed for our legitimate interests including profiling and for direct marketing. In that case, TT will either show that there are compelling legitimate reasons for the processing that outweigh your interests, or else stop processing your data.

    Where we have asked for your consent, you may withdraw consent at any time (e.g. by emailing us at the contact details below). If you ask to withdraw your consent to TT processing your data, this will not affect any processing which has already taken place at that time.

  • The right to access and data portability

    • At any time, you can request a copy of your personal data, as well as information on how it has been obtained and how it is being used or distributed. This also applies to information kept in your medical records. You also have a right to transfer your personal data to another personal data controller.

  • The right to receive extracts from logs

    • When someone accesses your electronic medical records, it is registered in a log. As a patient, you can receive an extract from the log to see who has looked at your medical records.

  • The right to erase data

    • You have a right to ask for your personal data to be erased if it is no longer necessary for the purpose for which it was collected or if there is no legal basis for processing the data.

  • The right to correct information

    • You have a right to correct inaccurate or incomplete data. If you consider that a detail in your medical records is inaccurate or misleading, you have a right to ask for a note to that effect to be entered in the records. You have a right to request a restriction on the processing of your personal data until inaccurate data has been corrected or an objection from you has been investigated.

  • The right to restriction

    • You may request us to restrict certain processing of your personal data. If you restrict certain processing of your personal data, this may lead to fewer possibilities to use our websites and other services.

  • Automated decision-making

    • We may in some cases use automated decision-making, if it is authorised by legislation, if you have provided an explicit consent or if it is necessary for the performance of a contract.

    You can always express your opinion or contest a decision based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you. You have the right to obtain human intervention to express your opinion or contest a decision.

    When using automated decision-making we will provide you with further information about the logic involved, as well as the significance and the envisaged consequences to you.

How do I exercise my rights?

You may request to use these rights by sending a letter or e-mail to support@talathrive.com, including your name, address, phone number to the contact details set out below. When you exercise any of your rights, we may need to identify you in order to ensure that we are in contact with the correct person. Hence, we may request the provision of additional information necessary to confirm your identity.

We will respond to your request without undue delay, but at the latest within one (1) month of the request. If the requests are numerous or complex, we may extend the deadline to two (2) months, but we will still respond to the request within the first month and explain why the extension is necessary.

Disclosure of your personal data

Your personal data may need to be transferred to or shared with others whenever necessary or justified. Your personal data is shared with:

  • Authorised employees at TT

    • Your personal data may be shared under secrecy with TT employees who are involved in your treatment and/or providing the Services. Your personal data may also be shared with analysts and software developers at TT working with statistics or evaluating and improving the Services. Analysts only have access to pseudonymized data.

  • Suppliers and subcontractors

    • Your personal data may be transferred to or shared with certain companies that supply various types of services to TT. These services could be medical journal systems, video and operator service providers, payment providers, marketing tracking providers, advertising and analytics service providers, chat or email automation providers and infrastructure platforms necessary for our services to run.

    Subcontractors are covered by the same confidentiality agreement as those which apply to TT, and may only process personal data in accordance with our instructions or in accordance with laws and regulations.

  • Medical referrals

    • If you and your Service Provider decide that you need a medical referral, they will write and send a referral to the appropriate medical provider.

  • Authorities

    • TT may also be required to provide necessary information to local healthcare authorities, the police or other authorities if required by law or if you have granted your approval.

  • Scientific Research

    • We may process information about your use of Services for research purposes which aim at (e.g. increasing scientific knowledge in the field of medicine, health and nursing science). Such analysis is only made on a group level, and therefore results cannot be linked to you as an individual. We will only present aggregated results, non-personally identifiable data (anonymized data). Anonymized data can be shared to third parties for research purposes. Regulations on data privacy don’t apply to the anonymized data because registered persons are not identifiable.

  • Where your personal data is processed

    • Your medical record data will not be transferred to, or processed in, any country outside the EU/EEA or the UK. Other personal data may be processed in a country outside the EU/EEA or the UK. When transferring personal data to a country outside the EU/EEA or the UK to a country which is not subject to an adequacy decision by the European Commission or the UK Secretary of State, or considered adequate as determined by applicable data protection laws such as UK Privacy Framework, we take appropriate legal, technical and organisational security measures to ensure that the personal data is adequately protected according to the same level of protection as within the EU/EEA and the UK. If your personal data is transferred outside the EU/EEA or the UK, then this is done on the basis of appropriate and adequate safeguards for data transfers to comply with the requirements set out in UK GDPR Chapter V.

    A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.

    The European Commission has determined that the United Kingdom offers an adequate level of protection – you can find out more in the adequacy decision available here https://ec.europa.eu/commission/presscorner/detail/ro/ip_21_3183. We rely on this decision for EU/EEA-UK transfers and explain below what happens when there is not an adequacy decision covering a transfer.

Information Security

We will take all reasonable, appropriate technical, security and organisational means and measures considering the nature and purposes of processing and the nature of personal data processed, to protect TT and our customers from unauthorised access to or unauthorised alteration, disclosure or destruction of personal data we hold. Measures include, where appropriate, encryption, firewalls, secure facilities and access rights systems.

Should, despite the security measures, a security breach occur that is likely to result in a high risk to your rights and freedoms, we will inform you about the breach without undue delay.

Third-party websites and services

Our Website or other parts of our Services may contain links to third-party websites and services. If you decide to visit third-party websites and services, this Privacy Policy will no longer apply and you should consult the privacy policy of that third-party instead.

Changes to the Privacy Policy

This policy may occasionally need to be changed or updated, for example if functions are changed or added to the Services. Minor changes to our Privacy Policy will be communicated through our Website. Major changes regarding how your data is processed will be communicated through the Application, Website and email (if you have provided it to us). We will not make substantial changes to this Privacy Policy or reduce your rights under this Privacy Policy without providing you with a notice.

Complaints

In case you consider our processing activities of your personal data to be inconsistent with the applicable data protection laws, you may lodge a complaint with the local supervisory authority for data protection.

You have a right to contact and file a complaint with the Information Commissioner’s Office (https://ico.org.uk/) if you believe we have processed your personal data incorrectly.

This Privacy Policy was last updated on 1 January 2024.