Privacy Policy

This privacy notice explains what data we, Onebright Ltd, collect from visitors to our website www.onebright.com and other subdomains owned and run by Onebright Ltd (company number 09507950 with registered office at First Floor West Wing, Holgate Park Drive, York, United Kingdom, YO26 4GN) and from the users of our Services (including our Virtual Therapy Room and Virtual Triage tools).

It also describes how we use that data and it explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint about how we process and use the personal data we collect about you.

Where we collect, use and are responsible for certain personal data about you, we are subject to the UK General Data Protection Regulation (“UK GDPR”). We are also subject to the EU General Data Protection Regulation (“EU GDPR”) in relation to Services we offer to individuals in the European Economic Area (“EEA”). We may also be subject to other data protection laws where we offer Services to individuals based outside of the UK and the EEA or if we provide Services from outside of the UK or the EEA.

This version of our privacy notice is primarily written for adults, including parents and guardians of child users of our Services. If you are a child (under 18 years old) you are welcome to read this notice if you find it useful, but we recommend you discuss the contents of this privacy notice with your parent or your guardian.

This privacy notice is divided into the following sections:

  • Information we collect about you
  • How we collect personal information
  • How and why we use your personal information
  • Who we share your personal information with
  • Your privacy rights
  • Data security and protection
  • Retention of your personal information
  • Links and third parties
  • Transferring your personal data out of the UK and EEA
  • Cookies
  • How to complain
  • Changes to this privacy notice
  • How to contact us

Information we collect about you

We process certain information about visitors to our website and users of our Services and (where this applies) dependants of such visitors and users.

We categorise this information as per the following:

  • Standard personal information
    This is information which helps us to contact, identify, administer, or manage our relationship with you; and
  • Special Categories of personal information
    This is information which helps us to tailor your care and provide healthcare services.

 

Standard personal information includes:

  • Contact information such as name, address, phone numbers and email address;
  • The country you live in, age, date of birth and national identifiers such as passport document or National Insurance number;
  • Employment details;
  • Details of any contact we have had with you such as any complaints or incidents;
  • Financial details (if required, we store your card details on our secure Sage Pay service for 90 days, after which these details are then deleted); and
  • Information about how you use our website, apps, Services, or other technology, including IP addresses or other device information.

 

Special Category personal information includes:

  • Information about your physical or mental health, including genetic information or biometric information (we may get this information from application forms you have filled in, from notes and reports about your health and any treatment and care you have received or need, or it may be recorded in details of contact we have had with you such as information about complaints or incidents, and referrals from your existing insurance provider, quotes and records of medical services you have received);
  • Information about your race, ethnic origin and religion (we may get this information from your medical preferences to allow us to provide care that is tailored to your needs); and
  • Information about any criminal convictions and offences (we may get this information when carrying out anti-fraud or anti-money-laundering checks, or other background screening activity).

 

If you do not provide personal information we ask for where it is indicated to be ‘required’ at the point of collection, it may delay or prevent us from providing Services to you.

How we collect personal information

Some of the personal information we process is collected through voluntary submissions of information from you, some of it is collected or received in the course of us providing website content, and some through the use of our Services. Third parties (namely, anyone acting on your behalf, for example, solicitors, personal injury services, insurers etc.) may also provide us with personal information about you, subject to their own privacy policies.

We collect personal information from you when you make use of our website and our Services and when you contact us via phone or email in order for us to administer our relationship with you, provide website content and Services, and respond to inquiries. You may also be required to provide certain information when you create an account to access certain portions of our website, or to use our Services (including the Virtual Therapy Room).

Note that where you make contact with us via phone, we may record or monitor phone calls for security and training purposes.

We may also collect personal information about you from other people and organisations, as described below:

For users of our Services and our website, we may collect information from:

  • A family member or someone acting on your behalf;
  • Doctors, clinicians, healthcare professionals, hospitals, clinics and other healthcare providers;
  • Any service providers who work with us in relation to your product or service; and
  • Organisations and professional bodies such as but not limited to NMC, GMC, BABCP or HCPC who provide us with correct and up-to-date accreditation information.

 

If we provide you with psychological healthcare services, we may collect information from:

  • Your employer;
  • Your parent or guardian (if you’re under 18 years old); and
  • Those paying for the products or Services we provide to you including other insurers.

 

Special notice regarding our Virtual Therapy Room; recording of sessions:

Note that where you make use of the Virtual Therapy Room, we may record the audio of your therapy session using a third-party tool, ‘Lyssn’. Lyssn is a quality monitoring tool we use to help us monitor the clinical quality and conduct of therapy sessions. Through the use of Lyssn, it is possible that in recording your therapy session we will collect standard personal information and special category information about you. Any such information collected by Lyssn will be used solely for clinical quality, conduct and training purposes. We may also use aggregated anonymised information to understand patient outcome scores and for Service improvement purposes. More information about how we use this information is set out below.

How and why we use your personal information

Under data protection law, we can only use your personal data if we have a proper reason. For example:

  • where you have given consent
  • to comply with our legal and regulatory obligations
  • for the performance of a contract with you or to take steps at your request before entering into a contract, or
  • for our legitimate interests or those of a third party

 

A legitimate interest is when we or a third party have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

 

The information below explains what we use your personal information for and why.

1. To create and manage your account with us, respond to your inquiries or fulfil your requests (e.g. send you documents or information you request), and otherwise administer our relationship with you.

 

Depending on the circumstances:

  • To meet the requirements of a contract to deliver Services to you
  • To comply with our legal and regulatory obligations
  • For our legitimate interests or those of a third party (i.e., to be as efficient as we can so we can deliver the best Service to you).

 

2. To provide psychological healthcare services to you, including on behalf of a third party.

 

Our reasons:

Your consent and in certain situations to comply with our legal and regulatory obligations.

 

3. To ensure the billing of any products and Services procured by you or for you by a third party and obtain payment.

Our reasons:

  • To meet the requirements of a contract.

 

4. To conduct checks to identify you and verify your identity or to help prevent and detect fraud against you or us.

Our reasons:

  • For our legitimate interests or those of a third party, i.e. to minimise fraud that could be damaging for you and/or us.

 

5. Updating and enhancing our user records.

Depending on the circumstances:

  • To perform our contract with you or a third party acting on your behalf or to take steps at your or that third party’s request before entering into a contract
  • To comply with our legal and regulatory obligations
  • Where neither of the above applies, for our legitimate interests or those of a third party, e.g. making sure that we can keep in touch with you as we deliver our services.

 

6. To communicate with you about content, product and Services offerings, newsletters, and event invitations which are relevant to your interests and in line with your preferences.

For our legitimate interests or those of a third party, i.e. to promote our business to existing and former users of the Services.

See ‘Marketing’ below for further information. We use a third party email marketing software called ‘Mailchimp’ that holds the following information within their system:

  • Email Address
  • IP Address
  • Subscription time & date

 

7. Communications with you not related to marketing, including about changes to our terms or policies or changes to our products and services or other important notices. To process and respond to complaints or incidents.

Depending on the circumstances:

  • To comply with our legal and regulatory obligations,
  • In the performance of a contract, or
  • In other cases, for our legitimate interests or those of a third party, i.e. to protect our business, interests and rights of others.

 

8. To monitor and record information relating to the use of our website and how you move around different sections of our website for analytics purposes. This helps us to understand how people use our website so that we can make it more intuitive or to check our website is working as intended.

Depending on the circumstances:

  • Your consent as gathered by the separate cookies tool on our website (see ‘Cookies’ below)
  • Where we are not required to obtain your consent and do not do so, for our legitimate interests or those of a third party, i.e. so we can deliver the best service and experience to you.

 

This website is hosted in Azure within the Onebright tenant and is designed and maintained by TiPi, who does not export or use any data stored on its client websites.

 

9. Statistical analysis to help us manage our business, e.g. in relation to our financial performance, customer base, product/services range or other efficiency measures. To monitor and record information relating to the use of our products and Services, including the Virtual Therapy Room.

To meet our legitimate interests or those of a third party, in order to improve our products and Services for users, and for quality control and training purposes.

Where patients have opted to use the Virtual Therapy Room, we will rely on their consent in order to record the audio of their virtual therapy sessions using the third party quality monitoring tool, ‘Lyssn’. Subject to patient consent, audio recordings of sessions are shared with a third party for clinical quality, training and conduct purposes.

 

10. To monitor our clinical and non-clinical performance expectations.

To meet our legitimate interests or those of a third party, for quality control of our products and Services and so that we can demonstrate we operate at the highest standards.

 

11. Disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business, e.g. to record and demonstrate evidence of your consents.

To comply with our legal and regulatory obligations.

 

12. Protecting the security of systems and data.

To comply with our legal and regulatory obligations.

We may also use your personal information to ensure the security of systems and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests or those of a third party, i.e. to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us.

 

13. To verify compliance with the terms of use of our website or other agreement governing the use of the website or our products and Services, or to protect our (and third parties’) rights, property or safety.

Depending on the circumstances:

  • To comply with our legal and regulatory obligations, or
  • In other cases, for our legitimate interests or those of a third party, i.e. to protect our business, interests and rights of others.

 

14. To exercise our legal rights, to defend ourselves from legal claims, to undertake legal proceedings or because we have a legal obligation to do so pursuant to applicable law which governs the psychological healthcare services we offer.

Depending on the circumstances:

  • To comply with our legal and regulatory obligations, or
  • In other cases, for our legitimate interests or those of a third party, i.e. to protect our business, interests and rights of others.

 

15. To share your personal information with members of our group and third parties in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. In such cases information will be anonymised where possible and only shared where necessary.

Depending on the circumstances:

  • To comply with our legal and regulatory obligations, or
  • In other cases, for our legitimate interests or those of a third party, i.e. to protect, realise or grow the value in our business and assets.

 

Certain personal information we collect is treated as a special category to which additional protections apply under data protection law. See ‘Special Categories of personal information’ under section ‘Information we collect about you’ for details.

Where we process such special category personal information, we will also ensure we are permitted to do so under data protection laws.

Marketing

We may use your personal data to send you updates (by email, text message, telephone or post) about Services.

We have a legitimate interest in using your personal information for marketing purposes (see above ‘How and why we use your personal data’). This means we do not usually need your consent to send you marketing information. However, where consent is needed, we will ask for this separately and clearly.

You have the right to opt out of receiving marketing communications at any time by:

  • contacting us at the details provided below
  • using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts, or
  • updating your marketing preferences

 

We may ask you to confirm or update your marketing preferences if you ask us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.

We will always treat your personal data with the utmost respect and never sell or share it with other organisations outside of our group for marketing purposes.

For more information on your right to object at any time to your personal data being used for marketing purposes, see ‘Your privacy rights’ below.

Who we share your personal information with

We share the personal information we collect about you through our website, and our products and Services (including through your use of the Virtual Therapy Room and Virtual Triage) within Onebright, with relevant policyholders, with funders or third parties arranging services on your behalf and with others who help provide services to you, for example, medical experts and clinicians. We also share information where required by law or regulation.

We share information with:

  • Doctors, clinicians and other health-care professionals, hospitals, clinics and other health-care organisations;
  • Suppliers who help us run our business and deliver this website and our products or Services (such as website hosts, website analytics providers and payment service providers);
  • People or organisations we are required to share your personal information with by law (for example, for fraud-prevention or safeguarding purposes);
  • The police, law-enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations and to help them perform their duties;
  • external auditors, e.g. in relation to the audit of our accounts, in which case the recipient of the information will be bound by confidentiality obligations;
  • professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
  • other parties in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible, however, the recipient of the information will be bound by confidentiality obligations.

 

If we provide you with psychological healthcare services, we share information with:

  • Your employer (if your employer is paying for the services we are providing);
  • Our insurance partners, for example, solicitors and interpreters;
  • Those paying for the products or Services we provide to you; and
  • Those providing your treatment.

 

If Onebright does share your personal information, we will make sure suitable protection is in place to protect your personal information in line with applicable law.

If you would like more information about who we share our data with and why, please contact us (see ‘How to contact us’ below).

Your privacy rights

If you are in the EEA or the United Kingdom you have certain privacy rights and protections under the EU GDPR or the UK GDPR. These are the following:

  • The right to be informed
    This Privacy Notice tells you about the ways in which we use your personal information (which is referred to as “Personal Data” in the EU GDPR and the UK GDPR).
  • The right of access
    You have the right to ask us for copies of your personal information. There are some exemptions and limitations in what we can provide in response to such requests, which means you may not always receive all the personal information we process. We will inform you if any exemption or limitation applies and what its impact is.
  • The right of rectification
    You have the right to ask us to correct personal information you think is inaccurate. You also have the right to ask us to complete your personal information you think is incomplete.
  • The right to erasure (also known as the right to be forgotten)
    You have the right to ask us to erase your personal information in certain circumstances. Where it is appropriate that we comply, your request will be actioned within 30 days. Please note that we may not always be able to remove your personal information from ongoing or completed treatment or where we are required by law or regulation to retain it. We may also retain some account information related to service history. This enables us to provide ongoing support regarding prior treatments and Services, and is also necessary for accounting, audit, quality and compliance purposes.
  • The right to restrict processing
    You have the right to ask us to restrict the processing of your personal information in certain circumstances. For example, you can request that we limit the way in which we use your personal information if you are concerned about the accuracy of the data.
  • The right to data portability
    You have the right to receive your personal information which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to have us send your personal information to another organisation in certain situations.
  • The right to object to processing
    You have the right to object to processing of your personal information in certain circumstances. Where it is appropriate that we comply with your request, we will stop processing your information for the use you have objected to.

 

For further information on each of those rights, including the circumstances in which they do and do not apply, please contact us (see ‘How to contact us’ below). You may also find it helpful to refer to the guidance from the UK’s Information Commissioner on your rights under the UK GDPR.

If you would like to exercise any of those rights, please email, call or write to us—see below: ‘How to contact us’. When contacting us please:

  • provide enough information to identify yourself and any additional identity information we may reasonably request from you, and
  • let us know which right(s) you want to exercise and the information to which your request relates.

Data security and protection

We ensure the security of any personal information we hold by using secure data storage technologies and precise procedures in how we store, access and manage that information. We have appropriate security measures to prevent personal information from being accidentally lost, or used or accessed unlawfully. We limit access to your personal information to those who have a genuine business need to access it.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

It is your responsibility to protect the confidentiality of your passwords, account information, and any other access features associated with your access or use of the website or our products and Services. If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.

Retention of collected information

We will not keep your personal information for longer than we need it for the purpose for which it is used. Different retention periods apply for different types of personal information. How long we retain specific personal information varies depending on the purpose for its use.

Please note, we may retain your personal information even after we have stopped delivering services to you to comply with our legal and regulatory obligations, to resolve disputes or complaints, and to enforce our rights in connection with the website, our Services, or our products or to protect our business.

Personal information we collect about you is stored within Onebright’s case management system and will enter our archiving system 7 years from the date of closure of the case.

Links and third parties

Where we provide links to websites of other organisations or collect information provided by third parties, this Privacy Notice does not cover how that third party processes personal information. Please understand that those third parties may have different terms of use and privacy policies. We are not responsible for the privacy practices of any third party, unless we have engaged them on our behalf to process your personal information for a specific purpose identified in this Privacy Notice. We are also not responsible for the terms of use you may be required to agree to in order to use third-party websites and services.

Transferring your personal data out of the UK and EEA

The EEA, UK and other countries outside the EEA and the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.

It is sometimes necessary for us to share your personal information to countries outside the UK and EEA. In those cases we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal information.

For example, some of the clinicians we use to deliver psychological healthcare services to you are based outside of the UK and the EEA.

If you are an individual based within the EEA and we provide services to you, we will transfer your personal information from the EEA to the UK as we are based in the UK.

Under data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:

  • in the case of transfers subject to UK data protection law, the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR. A list of countries the UK currently has adequacy regulations in relation to is available here;
  • in the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’) further to Article 45 of the EU GDPR. A list of countries the European Commission has currently made adequacy decisions in relation to is available here. In addition, EEA data protection laws provide that transfers of personal data to the UK are lawful under an adequacy decision dated 28 June 2021;
  • there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you;
  • where consent is a valid exception under relevant data protection laws, where we have your explicit consent to transfer your personal information out of the UK/EEA; or
  • a specific exception applies under relevant data protection law.

 

Where we transfer your personal information outside the UK we do so on the basis of an adequacy decision or (where such is not available) on legally approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal information outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law.

Where we transfer your personal information outside the EEA we do so on the basis of an adequacy decision or (where such is not available) on legally approved standard data protection clauses recognised or issued further to Article 46(2) of the EU GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the EEA unless we can do so on the basis of an alternative mechanism or exception provided by applicable data protection law.

Where we transfer your personal information into the UK/EEA from a country outside of the UK/EEA and that country has applicable data protection law which governs such transfer, we will transfer your personal information in accordance with the requirements of that applicable data protection law. For example, we may need to obtain and rely on your consent to transfer the data to the UK/EEA or a country may have similar adequacy decisions to that of the UK/EEA.

Any changes to the destinations to which we send personal information or in the transfer mechanisms we use to transfer personal information internationally will be notified to you in accordance with the section on ‘Changes to this Privacy Notice’ below.

For further information about such transfers and the safeguards we employ, please contact our Data Protection Officer (see ‘How to contact us’ below).

Cookies

Like many other websites, our website uses cookies. Some of the cookies we use are essential for the site to work. We also use some non-essential cookies to collect information about how visitors use our website so that we can make informed decisions about improvements to the site and get a good understanding of the kind of content our visitors like to read.

Cookies are small text files that are placed onto your device (e.g. computer, smartphone or other electronic device) when you visit our website. They do not affect your device, but are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Cookies can be used to remember information about you, such as your language preference or login information. Cookies may contain a unique identification code that makes it possible to track the user’s navigation of the site for statistical, advertising, and technical purposes.

For further information on cookies, our use of them, when we will request your consent before placing them and how to disable them, please see our Cookie Policy.

How to complain

Please contact us if you have any queries or concerns about our use of your personal information (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with:

  • the Information Commissioner in the UK, and
  • a relevant data protection supervisory authority in the EEA state of your habitual residence, place of work or of an alleged infringement of data protection laws in the EEA

 

The UK’s Information Commissioner may be contacted at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.

For a list of EEA data protection supervisory authorities and their contact details see here.

Changes to this Privacy Notice

We may change this Privacy Notice from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. All changes are effective immediately when we post them, and they apply to all access to and use of the website and our products and Services from that point onward. When we make significant changes we will take steps to inform you, for example by including a prominent link to a description of those changes on our website for a reasonable period or by other means, such as email.

How to contact us

Please do not include any health information or other sensitive information when you contact us in connection with this Privacy Notice.

Individuals within the UK

You can contact our Data Protection Officer by post, email or telephone if you have any questions about this Privacy Notice or the information we hold about you, to exercise a right under data protection law or to make a complaint.
Our Data Protection Officer’s contact details are shown below:

  • email: DPO@onebright.com
  • telephone: 01904 620781
  • address: Onebright Ltd, First Floor West Wing, Holgate Park Drive, York, United Kingdom, YO26 4GN attention: Data Protection Officer – Website Privacy Notice

 

Do you need extra help?

If you would like this Privacy Notice in another format (for example audio, large print, braille) please contact us at the above email, telephone or postal address.