Privacy policy

Introduction

Healios Limited (Healios), trading as Melios, is a UK company which specialises in providing online Mental Health Services to children, young people and adults. We work with the NHS and private patients to deliver our services to you and we also undertake our own research projects to improve our services and to demonstrate how they can benefit patients. 

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 are data protection laws that apply to companies that are established in the UK. UK GDPR requires us to provide people with information about what personal data we process, what their rights are, how they can exercise those rights, and how to make complaints.

Healios takes your privacy very seriously and is committed to protecting your personal information. This Privacy Notice provides that information in a way we have tried to make clear and transparent. If you would like more information about what data we process, for what purpose or how long we keep it for, please use one of the contact details provided to ask us.

Controller

Healios Limited (referred to as Healios, “we”, “us” or “our” in this privacy policy) is a limited company with registration number 08459279. Healios is the Controller of the personal data to which this privacy policy relates. This means that we are responsible for making sure that we process your personal data in a safe and lawful way.

We have appointed a data protection lead (“DPL”) whose role includes overseeing questions in relation to how we process your personal data. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact our DPL using the details set out below.

Contact Details

Our contact details are:

Our full name: Healios Limited

DPL contact name: Millie Pocock

Email and postal address for contacting us and our DPL:

Email address: dpo@healios.org.uk

Postal address: 4a Tileyard Studios, Tileyard Road, London N7 9AH

1 Melios service users

Personal data processed

Personal data is any information we have that can identify you, such as your name, date of birth, medical history or credit card details.

Our data retention period, which is the length of time we hold your personal data, is informed by the Department of Health, NHS England and professional bodies such as the British Medical Association and The Health and Care Professions Council.

We might also keep some information that doesn’t identify you to help improve our business and our services as well as helping with health research. We do this by removing your identifiable information (such as your name, date of birth, contact details) to form ‘de-identified’ data.

In accordance with national opt-out legislation, you can choose to opt out of your confidential information being used for research and planning. For more information on this, please visit the NHS data opt-out website. If you have any concerns about this or wish to change your data preferences, please email the Governance team at ClinicalGovernance@healios.org.uk or call 0330 088 3127 between 8:30am and 4:30pm, Monday to Friday.

We process the following personal data for the purposes listed. Where we use personal data, we will only use the minimum necessary personal data for that purpose.


Purposes of processing | Types of individuals | Types of personal data | Retention period | Lawful basis
Providing health and care to NHS referred patients | NHS Patients | Name, demographics, health data, video and/or audio conversations recorded through clinical sessions as well as recorded calls and emails to support teams regarding your service with us, health experience questionnaires | If you are an adult service user, we will keep your data for 8 years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment. | Performing a task in the public interest [Article 6(1)(e)]; and the provision of health or social care or treatment [Article 9(2)(h)]
Providing health and care to private paying patients | Private paying patients | Name, demographics, health data, video and/or audio conversations recorded through clinical sessions as well as recorded calls and emails to support teams regarding your service with us, health experience questionnaires | If you are an adult service user, we will keep your data for 8 years. If you enquired about our service but decided not to proceed, we will keep your data for two years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment. | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]; and the provision of health or social care or treatment [Article 9(2)(h)]
Managing contract with private payers | Private paying patients | Name, address, payment details | We keep your data for 8 years | For compliance with a legal obligation [Article 6(1)(c)]
Communicating regarding any concerns, queries or complaints | All patients | Name, contact details, any relevant information including health | We keep your data for 10 years | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]; and ensuring high standards of quality and safety of health care [Article 9(2)(i)]
Quality assurance, quality improvement, training and security including conducting peer reviews of consultations conducted by clinicians delivering Healios services | All patients | Health data, video and/or audio conversations recorded through clinical sessions as well as recorded calls and emails to support teams regarding your service with us | If you are an adult service user, we will keep your data for 8 years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment. | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]; and ensuring high standards of quality and safety of health care [Article 9(2)(i)]
To conduct research | Patients who register their interest and participate | Name, contact details, study ID and health data, video and/or audio conversations recorded through clinical sessions. We remove any details that could identify you from this information. This includes your name, address and contact information. | We keep your data for up to 10 years, which will vary depending on the type of research | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]; and for the public interest, scientific or statistical purposes [Article 9(2)(j)]
Further research purposes (see section “Helping with health research”) | All patients | Health data, video and/or audio conversations recorded through clinical sessions. Use of products like ThinkNinja. We remove any details that could identify you from this information. This includes your name, address and contact information. As part of our research, we may use your contact details to invite you to take part in clinical trials. | We keep your data for 8 years | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]; and for the public interest, scientific or statistical purposes [Article 9(2)(j)]
ThinkNinja app use | All patients | IP address, device address, time of day, length of time, what screens are visited, health data. | If you are an adult service user, we will keep your data for 8 years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment. | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]
Complying with our legal or regulatory obligations, and defending or exercising our legal rights where necessary or in the vital interests of the data subject | All patients | All personal data held by Healios where necessary | We keep your data for 8 years, although it may be longer to comply with legal requirements | For compliance with a legal obligation [Article 6(1)(c) and Article 9(2)(f)]; and for reasons of substantial public interest [Article 9(2)(g)]
Supplier retention | All suppliers | Name, address, contact details and payment information | We keep your contact details for the life of the contract plus 6 years for audit purposes | Processing is necessary for the performance of a contract [Article 6(b)]

How to unsubscribe from our marketing communications

You may unsubscribe from our marketing communications by clicking on the “unsubscribe” link at the bottom of our emails or emailing the Data Protection Lead at dpo@healios.org.uk.

Please note customers cannot opt-out of receiving transactional emails related to their account or service with Healios.

2 Child-friendly privacy policy

To learn about how we use your information, read our child-friendly privacy policy.

3 Website users and social media platforms

Personal data processed

Purposes of processing | Types of individuals | Types of personal data | Retention period | Lawful basis
Collect analytics to understand user numbers accessing website, registering interest for our research | All individuals accessing social media platforms who click on our adverts | IP address, device address, time of day, length of time, what screens are visited | We keep your data for 8 years | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]

For website users and social media platforms, where we rely on GDPR Article 6(1)(f) our legitimate interests are as follows:

  1. Marketing our products, services and research.

4 Cookies

If you are a visitor to our website, Healios, trading as Melios, will also process personal data using cookies.

We use cookies on our websites (melios.org.uk and healios.org.uk) to help the websites run and to provide a more personalised service to you. This policy describes how we use cookies and your options in regard to them.

What are cookies?

A cookie is a small piece of text which is downloaded onto a device (such as a computer or mobile phone) when a user accesses a website, and which allows the website to understand the user’s preferences or past actions.

Healios uses a number of these cookies as outlined below. Healios will always ask for your consent before placing these cookies on your device, except where the cookie is necessary in order for our website to function. These are called ‘strictly necessary’ cookies.

All other cookies can be controlled via our cookie management system, which is available on our website pages.

We have outlined below the types of cookies we use, their purpose and how long the cookie is kept on your device.

Where you have consented to all non-strictly necessary cookies, you may withdraw this consent at any time by using our cookie management platform.

You may also contact us at admin@healios.org.uk and hello@melios.org.uk if you have any queries regarding the processing.

Strictly Necessary Cookies

We have two cookies that we use which are necessary to run our site. The purposes of these cookies are outlined below:

Name of Cookie and host name | Purpose | Duration | Third party?
cookiehub .www.melios.org.uk | Used by Healios Ltd to store information about whether visitors have given or declined the use of cookie categories used on the site | 365 days | No
VISITOR_INFO1_LIVE .youtube.com | A cookie that YouTube sets that measures your bandwidth to determine whether you get the new player interface or the old. | 180 days | Yes
SIDCC Google | These are essential site cookies, used by the Google reCAPTCHA. These cookies use a unique identifier for tracking purposes when using the booking forms | 2 Years | Yes
SAPISID Google | These are essential site cookies, used by the Google reCAPTCHA. These cookies use a unique identifier for tracking purposes when using the booking forms | 2 Years | Yes
APISID Google | These are essential site cookies, used by the Google reCAPTCHA. These cookies use a unique identifier for tracking purposes when using the booking forms | 2 Years | Yes
SSID Google | These are essential site cookies, used by the Google reCAPTCHA. These cookies use a unique identifier for tracking purposes when using the booking forms | 2 Years | Yes
HSID Google | These are essential site cookies, used by the Google reCAPTCHA. These cookies use a unique identifier for tracking purposes when using the booking forms | 2 Years | Yes
SID Google | These are essential site cookies, used by the Google reCAPTCHA. These cookies use a unique identifier for tracking purposes when using the booking forms | 2 Years | Yes
AEC Google | ‘AEC’ cookies ensure that requests within a browsing session are made by the user, and not by other sites. These cookies prevent malicious sites from acting on behalf of a user without that user’s knowledge. | 6 months | Yes
NID Google | These are essential site cookies, used by the Google reCAPTCHA. These cookies use a unique identifier for tracking purposes when using the booking forms | 2 Months | Yes
_cf_bm CloudFlare | To read and filter requests from bots, when using booking forms | 30 minutes | Yes
JSESSIONID Hubspot | Record your session ID, when using booking forms | Session | Yes

Preferences Cookies

We operate the following cookies which allow you to set preferences regarding the use of our site:

Name of Cookie and host name | Purpose | Duration | Third Party?
Lang .ads.linkedin.com | Session-based cookie that remembers the user’s selected language version of a website. | Session | Yes
lidc .linkedin.com | Used by LinkedIn for routing. | 1 day | Yes
CONSENT .youtube.com | Used by Google to store user consent preferences | 6109 days, 9 hours | Yes

Analytical Cookies

We use the following cookies to analyse visitors to our website:

Name of Cookie and host name | Purpose | Duration | Third Party?
_ga .www.melios.org.uk | Contains a unique identifier used by Google Analytics to determine that two distinct hits belong to the same user across browsing sessions. | 730 days | No
_gid .www.melios.org.uk | Contains a unique identifier used by Google Analytics to determine that two distinct hits belong to the same user across browsing sessions. | 1 day | No
_gat_gtag_UA_xxxxxxxxx .www.melios.org.uk | These cookies are set by Google Analytics which is a simple tool that helps us measure how users interact with our website. As a user navigates between web pages, Google Analytics records information about the page a user has visited, for example the URL of the page. The cookies themselves are used to ‘remember’ what a user has done on previous pages and interactions with our website. | 1 Hour | No
YSC .youtube.com | This cookie is set by YouTube video service on pages with YouTube embedded videos to track views. | Session | Yes
bcookie .linkedin.com | This is a Microsoft MSN 1st party cookie for sharing the content of the website via social media | 730 days, 12 hours | Yes
ga_Z8G47D141K google | Used to distinguish users. | 2 Years | Yes

Advertising

We use the following cookies for advertising:

Name of Cookie and host name | Purpose | Duration | Third party?
fbp .www.mealios.org.uk | Facebook Pixel advertising first-party cookie. Used by Facebook to track visits across websites to deliver a series of advertisement products such as real time bidding from third party advertisers | 90 days | No
fr .facebook.com | Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers. | 90 days | Yes
UserMatchHistory .linkedin.com | Contains a unique identifier used by LinkedIn to determine that two distinct hits belong to the same user across browsing sessions. | 30 days | Yes
bscookie .www.linkedin.com | Used by the social networking service, LinkedIn, for tracking the use of embedded services | 730 days | Yes
personalization_id .twitter.com | This cookie carries information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website. | 730 days | Yes
IDE .doubleclick.net / | Used by Google’s DoubleClick to serve targeted advertisements that are relevant to users across the web. Targeted advertisements may be displayed to users based on previous visits to a website. These cookies measure the conversion rate of ads presented to the user. | 390 days | Yes
AnalyticsSyncHistory .linkedin.com | Used by LinkedIn to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries | 30 days | Yes
__Secure-3PSIDCC Google | For targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising | 1 Year | Yes
__Secure-1PSIDCC Google | For targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising | 1 Year | Yes
__Secure-3PAPISID Google | For targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising | 2 Years | Yes
__Secure-1PAPISID Google | For targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising | 2 Years | Yes
__Secure-3PSID Google | For targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising | 2 Years | Yes
__Secure-1PSID Google | For targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising | 2 Years | Yes
DV Google | To secure digitally signed and encrypted data from the unique Google ID and store the most recent login time that Google uses to identify visitors, prevent fraudulent use of login data and protect visitor data from unauthorized parties. This can also be used for targeting purposes to display relevant and personalized advertising content | 1 Year | Yes
__Secure-ENID Google | To secure digitally signed and encrypted data from the unique Google ID and store the most recent login time that Google uses to identify visitors, prevent fraudulent use of login data and protect visitor data from unauthorized parties. This can also be used for targeting purposes to display relevant and personalized advertising content | 1 Year | Yes

5 Your data protection rights

The UK GDPR allows various rights for people whose data is being processed. The rights are not absolute and so sometimes do not apply. Where you wish to exercise any of your rights, you may do so free of charge (unless in specific circumstances, where you will be informed in advance) by contacting us at governance@melios.org.uk. We will respond within one month.  

Details of the rights within UK GDPR are below. You will be informed if the right is available to you upon application:

Right | Meaning
Access (UK GDPR Article 15) | You may request a copy of the data held by us about you.
Rectification (UK GDPR Article 16) | If you think the data held by us is wrong, you may request that it is corrected.
Erasure (Right to be forgotten) (UK GDPR Article 17) | You can request that your data is deleted by us.
Restriction (UK GDPR Article 18) | There are circumstances in which you may ask us to stop processing your data but we must otherwise keep the data. For example, where required by law.
Portability (UK GDPR Article 19) | You can ask for a copy of your data in a format that can be readily transferred to another company.
Objection (UK GDPR Article 20) | You can object to the processing of your personal data when we are relying on a legal obligation or public duty legal basis or where we are processing in our legitimate interest, especially for direct marketing.
Automated decisions (UK GDPR Article 22) | Where a computer makes a decision about you without human intervention, for example in an online loan application, you have the right to know how the decision was arrived at.

6 Complaints

If you have any complaints regarding our use of personal data, please contact us by one of the above means. In the event we cannot resolve your complaint, you have the right to complain to the Information Commissioner’s Office, the UK data protection regulator.

They can be contacted at:

Information Commissioner’s Office (www.ico.org.uk)

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Tel: 0303 123 1113

7 Protecting your personal data

Healios and Melios take protection of your personal data very seriously. Healios and Melios use a range of precautions that include administrative, technical and physical measures, to safeguard your personal data against loss, theft and misuse, as well as against unauthorized access, disclosure, alteration and destruction. We store the personal data you provide encrypted on computer servers that are located in highly secure and controlled facilities. We restrict access to personal data to our employees, contractors and agents who need access in order to operate, develop, or improve our services and the application.

We follow industry accepted security standards to protect the personal data you submit to us, both during transmission and once we receive it.

We have implemented several technical and organisational measures to ensure your personal data is kept secure. This includes:

  • Achieving the European ISO27001 certification for Information Security Management Systems, which requires annual recertification by external auditors.
  • Compliance with the NHS Data Security and Protection Toolkit.
  • Completing annual Cyber Essentials Plus certification by an external security specialist company.
  • Annual penetration testing of our systems by an external cyber security specialist company.
  • Annual training for all staff on how to handle information securely.
  • Having role-based access controls so that staff can only access records necessary for their role.
  • Hosting on a secure platform through Heroku and Amazon Web Services, who maintain the servers and ensure they are secure and up-to-date at all times with the latest security patches. This also includes extensive physical access security systems at the server sites, operated by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means.