1. Introduction
Welcome to ClearMinds. We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our workplace mental health and wellness support services.
ClearMinds Ltd is the data controller for the personal information we collect and process. We are registered with the Information Commissioner's Office (ICO) under registration number: [INSERT ICO REGISTRATION NUMBER].
Your Privacy Matters
We understand that you're trusting us with sensitive personal information, including health data. We take this responsibility seriously and are committed to maintaining the highest standards of data protection and confidentiality.
2. Information We Collect
2.1 Information You Provide Directly
When you use our services, we collect:
- Contact Information: Name, email address, phone number, postal address
- Demographic Information: Date of birth, age, gender
- Employment Information: Your employer's name, employee reference number (to verify eligibility for wellness services)
- Health Information: Details about your mental health concerns, symptoms, therapy notes, assessment outcomes, treatment plans
- Communication Records: Records of your communications with us (emails, phone calls, chat messages, session notes)
2.2 Information We Collect Automatically
When you use our website or app, we may automatically collect:
- Technical Information: IP address, browser type, device information, operating system
- Usage Information: Pages visited, time spent on pages, navigation paths, session duration
- Cookies: Small files stored on your device (see our Cookie Policy for details)
3. How We Use Your Information
We use your personal information for the following purposes:
3.1 Providing Our Services
- Delivering mental health support and counselling services
- Assessing your mental health needs and creating treatment plans
- Managing appointments and session bookings
- Maintaining clinical records for continuity of care
- Verifying your eligibility for wellness services through your employer
- Communicating with you about your care and appointments
3.2 Improving Our Services
- Understanding how our services are used
- Improving our website, app, and service delivery
- Conducting quality assurance and clinical supervision
- Training our staff (using anonymised data)
3.3 Reporting to Corporate Clients
- Providing your employer with aggregated, anonymised usage statistics (e.g., number of sessions accessed, general themes)
- IMPORTANT: We do NOT share details of individual sessions, specific concerns discussed, or any identifiable information with your employer without your explicit consent
3.4 Legal and Regulatory Requirements
- Complying with legal obligations
- Responding to legal proceedings or regulatory requests
- Safeguarding vulnerable individuals (only when legally required or in emergency situations)
⚠️ Important: Confidentiality with Your Employer
Your employer will NOT receive any information about your individual sessions, the concerns you discuss, or any identifiable information without your explicit consent. We only provide aggregated, anonymised statistics about overall service usage to help employers understand service utilization.
4. Legal Basis for Processing
Under UK GDPR, we process your personal data under the following legal bases:
4.1 For Standard Personal Data
- Contract: To provide the services you've signed up for
- Legitimate Interests: To improve our services and ensure quality care
- Legal Obligation: To comply with legal and regulatory requirements
4.2 For Health Data (Special Category Data)
- Explicit Consent: You give us consent when you book services and accept our terms
- Health/Social Care Purposes: Providing mental health care (UK GDPR Article 9(2)(h))
- Vital Interests: In emergency situations to protect your life or someone else's
5. Who We Share Your Information With
We only share your personal information when necessary and with appropriate safeguards:
5.1 Our Clinical Team
- Counsellors, therapists, and clinical supervisors involved in your care
- Clinical directors for quality assurance (using minimum necessary information)
5.2 Service Providers (Data Processors)
We work with trusted third-party service providers who process data on our behalf under strict contractual obligations:
- Technology Providers: Cloud hosting (UK-based), video conferencing platforms, email services
- IT Support: Technical support for our systems (access limited to what's necessary)
- Administrative Services: Appointment scheduling systems
All service providers are required to maintain the same high standards of data protection and confidentiality.
5.3 Your Employer (Corporate Clients)
- What we share: Only aggregated, anonymised statistics about overall service usage
- What we DON'T share: Details of your individual sessions, concerns discussed, or any identifiable information
- Exceptions: We may share information with your employer only with your explicit written consent
5.4 Healthcare Professionals
- Your GP or other healthcare providers (only with your explicit consent)
- Emergency services (in crisis situations only)
5.5 Legal and Regulatory Authorities
We may share information when legally required:
- With the Information Commissioner's Office (ICO) if required
- With courts or legal authorities in response to legal proceedings
- To prevent serious harm or protect vulnerable individuals (safeguarding)
- When required by law (e.g., terrorism prevention)
6. International Data Transfers
We prioritize UK-based data storage and processing. Your data is primarily stored on servers located in the United Kingdom.
In limited circumstances, we may use service providers that process data outside the UK (e.g., Google Analytics). When this occurs, we ensure:
- Appropriate safeguards are in place (Standard Contractual Clauses)
- Your data remains protected to UK GDPR standards
- You have the same enforceable rights
7. How Long We Keep Your Information
We retain your personal data only as long as necessary for the purposes outlined in this policy:
| Data Type | Retention Period |
| --- | --- |
| Clinical records (adults) | 8 years from your last contact with us |
| Clinical records (children/young people under 18) | Until your 25th birthday OR 8 years from last contact (whichever is longer) |
| Account information | Duration of your use of services + 2 years |
| Communication records (emails, calls) | Duration of services + 2 years |
| Website usage data (cookies, logs) | 26 months |
After these periods, we securely delete or anonymise your information in accordance with our Data Retention Policy.
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
8.1 Right of Access
You can request a copy of the personal data we hold about you. We will provide this free of charge within one month.
8.2 Right to Rectification
You can ask us to correct any inaccurate or incomplete personal data.
8.3 Right to Erasure ('Right to be Forgotten')
You can request deletion of your personal data in certain circumstances. Note: We may need to retain some data for legal or regulatory reasons (e.g., clinical records).
8.4 Right to Restrict Processing
You can ask us to limit how we use your data in certain situations.
8.5 Right to Data Portability
You can request your data in a machine-readable format to transfer to another provider.
8.6 Right to Object
You can object to processing based on legitimate interests or for direct marketing.
8.7 Right to Withdraw Consent
Where we process your data based on consent, you can withdraw it at any time.
8.8 Rights Related to Automated Decision-Making
You have rights regarding automated decisions. Currently, we do not use fully automated decision-making that affects you.
How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer:
Email: dpo@clearmindseap.com
Phone: [DPO PHONE NUMBER]
Post: Data Protection Officer, ClearMinds Ltd, [INSERT ADDRESS]
We will respond within one month of receiving your request.
9. How We Protect Your Information
We implement robust technical and organisational security measures to protect your personal data:
9.1 Technical Security
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Multi-factor authentication and role-based access
- Secure Infrastructure: Firewalls, intrusion detection, regular security updates
- Regular Testing: Penetration testing and security audits
- Secure Backups: Encrypted backups stored securely
9.2 Organisational Security
- Staff Training: All staff receive mandatory data protection and security training
- Confidentiality Agreements: All staff sign confidentiality agreements
- Access Restrictions: Staff only access data necessary for their role
- Clear Policies: Comprehensive data protection and security policies
- Regular Audits: Internal and external security reviews
10. Cookies and Website Tracking
Our website uses cookies to improve your experience. Cookies are small text files stored on your device.
10.1 Types of Cookies We Use
- Essential Cookies: Necessary for the website to function
- Analytics Cookies: Help us understand how you use our website (Google Analytics with IP anonymization)
- Functional Cookies: Remember your preferences
For detailed information, please see our Cookie Policy.
10.2 Managing Cookies
You can control cookies through your browser settings. Note that disabling some cookies may affect website functionality.
11. Children's Privacy
We provide services to young people aged 13 and over. For children under 16, we may seek parental consent depending on the circumstances and legal requirements.
Children's records are retained until their 25th birthday or 8 years from last contact (whichever is longer), in line with professional guidelines.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify active users by email or through our platform
- Post a notice on our website
We encourage you to review this policy periodically.
13. Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or how we handle your personal data, please contact us:
14. Complaints
If you're not satisfied with how we've handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
However, we encourage you to contact us first so we can try to resolve your concerns.
Your Trust is Important to Us
We're committed to protecting your privacy and personal data. If you have any questions or concerns, please don't hesitate to contact our Data Protection Officer. We're here to help.