Skip to main content

Privacy Policy

Last updated February 2024.

This privacy policy is provided in a layered format so you can click through to the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms used in this privacy policy.


  1. Glossary
  2. Introduction
  3. Who We are
  4. How to contact Us
  5. Purpose of this Privacy Policy
  6. Changes to Our Privacy Policy
  7. Data Security – Protecting Your privacy and identity
  8. The Personal Data we collect about you
  9. If You fail to provide Personal Data
  10. How We collect Your Personal Data and why do We have it
  11. How We collect Special Category Data and why do We have it
  12. Purposes for which We will use Your Personal Data
  13. Anonymised Data
  14. Risk or crisis situations (Risk Management)
  15. How We may disclose Your Personal Data
  16. Retention and destruction of Personal Data
  17. Where We store Your Personal Data
  18. Cookies
  19. Your data protection rights
  20. Complaints



Please click the link below to see key definitions we use in relation to our Services and Our Community.

Visit the glossary



Welcome to Togetherall’s privacy policy.

Togetherall respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how and why we use your personal data and your privacy rights.


Who We are

We offer an online mental health self-support platform and related services (the “Services”). The platform is located at (our “Site”).

Our customers are universities, public and private organisations (“Customers”) that wish their individual users that register with Us to benefit from the Services (“Members” and collectively the “Community”).

The controller responsible for your personal data is Togetherall Limited, a company registered in England and Wales under company number 06227377, with a registered office at 27 Old Gloucester Street, London, England, WC1N 3AX (“We”, “Us” “Our”).

“You”, “Your”, “Yourself”, means the: (i) the Members and other individuals that access Our Site, requests or receive any of Our services and/or interact with Us by any means (email, phone, etc.); and (ii) the admin users and representatives of our Customers (“Admin Users”).

We have appointed a Data Protection Officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Policy. If You have any questions about this Privacy Policy, including any requests to exercise Your legal rights, please contact Our DPO using the details set out below.

Back to the top


How to contact Us

Email Our Data Protection Officer at:

Call Us on +44(0)203 405 6196

Back to the top


Purpose of this Privacy Policy

Here at Togetherall, we respect your privacy and are committed to protecting your Personal Data. Our Privacy Policy explains how We collect, use, disclose and retain Your Personal Data and how You can protect Your privacy when You use the Services.

Our Services are available to individuals who are 16+ years old. We do not knowingly collect data relating to people under the age of 16.

It is important that You read this Privacy Policy together with any other privacy notice or fair processing notice We may provide on specific occasions (e.g., when We are collecting or processing Personal Data about You), so that You are fully aware of how and why We are using Your Personal Data. This Privacy Policy supplements other notices and is not intended to override them. Please also read our Privacy Policy in conjunction with Our Member Terms available on Our Site.

Back to the top


Changes to Our Privacy Policy

We keep Our privacy policy under regular review. This version was last updated on the date shown above.

It is important that the Personal Data We hold about You is accurate and current. Please keep Us informed if Your Personal Data changes during Your relationship with Us.

Back to the top


Data Security – Protecting Your privacy and identity

Our main goal is to enable a safe Community for Members to give and receive support while being able to share their thoughts, feelings and discussions with others in a confidential environment.

We use appropriate administrative, physical and technical safeguards to protect Your Personal Data from loss or theft, unauthorised access, use or disclosure, or modification or destruction. For example, We train Our personnel to protect Your privacy and require them to comply with Our policies and procedures that protect Your Personal Data. In addition, We limit access to Your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process Your Personal Data on Our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected Personal Data breach. We use computing systems in secure facilities to store Your Personal Data in an encrypted form. The Personal Data is also encrypted whenever it is transferred between Our servers and Your device. This is because Our website uses https, which means the data is protected by ‘transport layer security’ when it is transferred.

We use good industry practice in the development of Togetherall’s systems to ensure that data minimisation principles are met. We only collect Personal Data We need for Our specified purposes. We ensure that Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We include role-based permissions for users of Our platform to ensure they can only access information required for their role. We have controls and processes in place to challenge, assess and review current and proposed changes to data processing.

Back to the top


The Personal Data We collect about You

We may collect, use, store and transfer different types of Personal Data about You which We have grouped together as follows:

1. Registration Data: We collect the following data when You register for Togetherall:

    • date of birth
    • email address
    • postal code
    • telephone number

2. Background Data: We may collect the following data when You activate Your Togetherall Account (all optional):

    •  gender
    • ethnicity
    • employment / work status
    • health and wellbeing information
    • living status
    • information about other sources of support
    • information about where You heard about Togetherall

3. Admin Data: we process information generated by the Admin Users when they registered with us, access their Togetherall accounts, manage the service we provide to the Customers and interact with us.

4. Technical Data: We will collect and store Members’ time zone and country upon registration, then all relevant IP addresses to Members and other end users accessing the Site along with their login data, browser type and version, operating system and platform, and other technology on the devices they use to access Our Site.

5. Member Content Data: We process Personal data posted whilst using Our Site for example within Bricks, Talkabouts, Journals, Courses or Self Assessments (refer to Our definitions section at the end of this document).

6. Membership Data: this means Personal Data You provide to Us or is provided to Us when You request access or agree to use Our services through Your insurance provider, Your university, college or employer, health care professional or the organisation who put you in touch with Us or referred You to Our service to ensure eligibility or to be used as a reference.

7. Referral Data: this means:

    • Referral Data: If You reach Our services through the route of being referred (this could be a prescription by Your healthcare professional or another suitable person), they may include Your full name, Your telephone number, or a reference number. Your referrer may also include a note on the referral which may contain Personal Data or Special Category Data (e.g., health data).
    • Additional Referral Data: Details relevant to Your safeguarding. For example, these may include other organisations / professionals involved in Your care or details of family members.

8. Survey/Research Data: means Personal Data We may collect from You if You agree to participate in a Survey or a research project.

9. Marketing Data: includes your preferences in receiving marketing from Us and Our third parties and Your communication preferences.

Back to the top


If You fail to provide Personal Data

Where We need to collect Personal Data by law, or under the terms of Our contract with You, or to provide the Services, and You fail to provide that data when requested, We may not be able to perform the contract We have or are trying to enter into with You or the Services. In this case, We may have to cancel or suspend a Service. We will notify You if this is the case at the time.

Back to the top


How We collect Your Personal Data and why do We have it

We will only use Your Personal Data when the law allows Us to. Most commonly, We will use Your Personal Data in the following circumstances:

  • Where We need Your information to perform the contract We are about to enter into or have entered into with You.
  • Where it is necessary for Our legitimate interests (or those of a third party) and Your interests and fundamental rights do not override those interests.
  • Where We need to comply with a legal obligation.

Generally, We do not rely on consent as a legal basis for processing Your Personal data although We will ask you to opt-in and/or give You the chance to opt-out before sending third party direct marketing communications to You via email or text message.

You have the right to withdraw consent to marketing at any time by contacting Us or clicking unsubscribe in the direct marketing communications.

Back to the top


How We collect Special Category Data and why do We have it

  • Registration / Activation: During the Member’s registration and activation processes to access Our Platform, We give Members the option to provide Us with Background Data. When We do collect this Special Category Data, We do so to ensure that We can support Members effectively when required.
  • Through Our Community: When You create a post or comment on Togetherall, through a Talkabout, Brick, Group interaction. Or use one of our tools such as Self-Assessment, Journal or Goal setter.
  • When someone refers You to Us, they could send Referral Data.

Back to the top


Purposes for which We will use Your Personal Data

We have set out below, in a table format, a description of all the ways We plan to use Your Personal Data, and which of the legal bases We rely on to do so. We have also identified what Our legitimate interests are, where appropriate. Should the purpose for which We will use Your Personal Data change, We will inform you.

Note that We may process Your Personal Data for more than one lawful basis depending on the specific purpose for which We are using Your Personal Data. Please contact Us if You need details about the specific legal basis We are relying on to process Your Personal Data where more than one basis has been set out in the table below.

Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest and Conditions for processing Special Category Data
 (1) To register You as a new Member or to (2) offer You access to our Services as per Customer’s request or a referral

(a) Registration Data

(b) Background Data

(c) Membership Data

Art. 6 – Lawful Bases for processing:

Necessary to comply with a legal obligation

Contract Performance

Necessary for Our legitimate interests:

(i) We collect date of birth to confirm Your eligibility for Togetherall. You should be 16+ to register for the Services. We also collect email address so that We can verify Your account. In some case We also collect email address to ensure that You are eligible for Togetherall, through Your university for example. In some cases, We collect post code to ensure Your eligibility, for example when Togetherall is available within a specific post code area. Where provided, We use Membership Data to ensure eligibility, such as through an insurance provider where the Services have been made available to You.

(ii) We use Your email address to send You an invitation where You have been referred to Togetherall. Here We will email You to register for Togetherall.


Article 9 – Conditions For Processing:

Health or social care (with a basis in law);

(i) We use Background Data to collect Special Category Data from You, which enables Our clinical team to provide You with appropriate support or information when You request or need this support.

Article 9 – Archiving, research and statistics (with a basis in law)

(i) We use Background Data to ensure that We are serving a diverse population, for example gender and ethnicity, and to understand Our population and their mental health presentations, which is why We ask about Your mental health. All of these questions are optional, and You can respond with ‘i’d rather not say’ if You do not wish to provide this information.

Administer the Site, the Services and Your Membership

a) Registration Data

(b) Membership Data

(c) Technical Data

(d) Member Content Data

(e) Admin Data

Art.6. Lawful Bases for processing:

(i) Necessary to comply with a legal obligation

(ii) Contract Performance: We may use Membership Data and Member Content Data to present it to the Member in ‘My Account’ and to provide the Services to them.

(iii) Necessary for Our legitimate interests: We may also use Your Personal Data to:

Investigate any suspected breaches of, and enforce Our House Rules and Terms, e.g., to help Us determine if a Member has registered more than once.

Process and deal with any complaints made by or about You.

Investigate usage of the Site or the Services that may be inappropriate.

Enforce the Member Terms.


Art. 9. Conditions for Processing

Article 9(2)(h) Health or social care

We process Member Content to the provide Our Services provide support or refer Members at risk to third parties through an escalation

To provide Members with the care and support they need or request (as applicable) and keep them or another person safe, including preventing trolling

(for further detail see below: (1) Risk or Crisis situations (Risk Management) (2) How We collect Special Category Data and why do We have it)

(a) Registration Data

(b) Background Data

(c) Technical / Location Data

(d) Member Content

(e) Membership Data

(f) Referral Data

Art. 6 Lawful Bases for processing:

(i) Necessary to comply with a legal obligation

(ii) protection of vital interests: In circumstances where We are concerned about Your safety or the safety of another person, and a Member is physically or legally incapable of giving consent (or if applicable, We need to comply with a legal duty of care), We may process their Personal Data to keep You or another person safe, for more information regarding this please view Our ‘Risk or crisis situations (Risk Management)’ section.


Art. 9. Conditions for processing:

Under Art. 9 (c) & (h) GDPR: To protect Vital Interests and Article 9(2)(h) for Health or social care – We process Member Content to the provide our Services involving health care.

To contact or survey Members or Admin Users to improve Our Services

(a1) to ask you to participate in any research projects.

(b2) to ask Members to partake / complete surveys: We may present a research survey to You and collect Personal Data from You if You agree to participate. We will inform You about why We wish to collect Your Personal Data and may ask You for Your consent before collecting it.

(a) Registration Data

(b) Admin Data

(c) Survey Data

Art.6. Lawful Bases for Processing

(a) Consent

(b) Necessary for Our legitimate interests (To improve Our Services or for medical or scientific research)


Art.9. Conditions for Processing

(a) Explicit Consent

(b) Archiving, research and statistics

To manage Our relationship with our Customers which will include:

(1) To Register a Customer and Interact with its Admin users for the purpose of the Services

(2) to Communicate with Admin Users: for instance, messages about the Site and Membership, and notifications about new content and activity on the Site pertinent to the relevant Customer

(a) Registration Data

(b) Technical Data

(c) Admin Data

(d) Marketing

Art.6.Lawful Bases for Processing

(i) Contract Performance

(ii) Necessary to comply with a legal obligation

(iii) Necessary for Our legitimate interests (to keep Our records updated and record of the services we provide, and to study how Customers use Our products/services).

To administer and protect Our business and Our Site:

including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

(a) Registration Data

(b) Admin Data

(c) Technical Data

(d) Marketing Data

(a) Necessary for Our legitimate interests (for running Our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

(b) Necessary to comply with a legal obligation

To use data analytics to improve Our Site, products/services, marketing, customer relationships and experiences

(a) Technical Data

(b) Admin Data

(e) Marketing Data

Necessary for Our legitimate interests (to define types of services, to keep Our Site updated and relevant, to develop and improve Our business and to inform Our marketing strategy)

Back to the top


Anonymised Data

We use Your Personal Data and Special Category data to create data sets and reports that contain anonymised data that cannot be used to identify You. Anonymised data could be derived from Your Personal Data but is not considered Personal Data (as You cannot be identified from this data). We use such reports and data, and may disclose them to external parties, such as funding sources or clients, for statistical, analytical and reporting purposes; research; and for evaluating and enhancing the Site or improving the service. For example, We may aggregate part of Your Site usage data to calculate the percentage of users accessing a specific Site feature. We may produce reports that identify how many Members live in different geographical areas by using Your postal code along with that of other Members.

Back to the top


Risk or crisis situations (Risk Management)

In the rare situation where We feel that You or someone else is at risk, We may use Your Personal Data and Special Category Data to escalate risk to the appropriate external support mechanisms. We have a duty of care to ensure that We provide a safe space to support You. If We cannot achieve Our mission and We believe there is a significant risk, Our legal obligation means We may have to escalate externally. Here Your Personal Data and Special Category Data will be required to provide You with the appropriate support. Of course, this decision will always be made with a considered approach by Our team of qualified Senior Clinicians.
The external support mechanism will need Your Data to provide You with the appropriate support. External support mechanisms may include the appropriate representative from Your commissioning body (such as Your university, college or employer), the organisation who referred You to Our service(s), Your GP, third party escalation services and/or the emergency services. After We have reached out to these organisations, We may ‘Pause’ Your Account in line with Our ‘Member Terms’.

Back to the top


How We may disclose Your Personal Data

We require all third parties We share Personal data with to respect the security of Your Personal Data and to treat it in accordance with the law. When this happens, We implement strict contractual agreements with such third parties. We do not allow Our third-party service providers to use Your Personal Data for their own purposes and only permit them to process Your Personal Data for specified purposes and in accordance with Our instructions.

We may disclose Your data to Our employees, and agents to administer Your membership and the services provided by Us now or in the future.

We will only disclose Your health data to third parties as specified above (see “How We collect Special Category Data and why do We have it” and “Risk or crisis situations (Risk Management)”).

We may also disclose Your Personal Data to third parties:

  1. in order to facilitate the running of the Site. For example, contractors associated with hosting Our servers. Details of the subcontractors that We share Your Personal Data with are set out in Our linked Page of Third Party sub-contractors;
  2. when this is necessary for the purpose of the services We provide to You (e.g., if applicable, with Your insurance provider to confirm Your eligibility where You request access to Our services through said provider);
  3. if We are required to do so by law or to comply with any legal obligation. This includes exchanging information with other companies and organisations such as the police, regulatory bodies or legal advisers for the purposes of security, risk reduction and fraud protection or criminal activity;
  4. in order to enforce or apply Our Terms and other agreements (e.g., if you are trolling on Our Site or disrupting the Community, we may share Your information to deal with this accordingly); or
  5. to protect the rights, property, or safety of Togetherall Limited, Our customers, or others.
    We may disclose Your Personal Data to any member of Our group, which means Our subsidiaries, Our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

We may disclose Your Personal Data to third parties to whom We may choose to sell, transfer or merge parts of Our business or Our assets, but this will always be on a “need to know basis” and in compliance with Data Protection Legislation. Alternatively, We may seek to acquire other businesses or merge with them. If a change happens to Our business, then the new owners may use Your Personal Data in the same way as set out in this Privacy Policy.

Back to the top


Retention and destruction of Personal Data

We only keep Your Personal Data for so long as it is necessary to fulfil the purpose for which it was collected and to comply with guidelines for the retention of health records and also for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, We consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Your Personal Data, the purposes for which We process Your Personal Data and whether We can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. We will keep Your Personal Data for a period of 8 years after You or We have closed Your Member Account, or if You have not logged into Your Member Account for more than 8 years. After that 8-year period We will delete all of Your information securely in accordance with Our data destruction policies unless You contact Us to reactivate Your Member Account in that period. We may retain Your Personal Data period in the event of a complaint and/or if We reasonably believe there is a prospect of litigation in respect to Our relationship with You.

Back to the top


Where We store Your Personal Data

If You are located in the EEA or in the UK, all Personal Data, including Member Content, You provide to Us is stored and processed on Our secure servers located in the UK or the European Economic Area (“EEA”). We may transfer Personal Data outside of the EEA or the UK (as applicable) to provide 24/7 care in urgent or risk situations, but We will implement adequate safeguarding controls where this is the case. We may store locally Personal Data of Members located outside the UK or the EEA.

Back to the top



Our Sites use certain cookies, pixels, beacons, log files and other technologies. Please see Our Cookies Policy to learn about the cookies We use and how to manage Your preferences. We use a third party Cookie Preference Manager which allows You to set and amend Your cookie Preferences. You can use the ‘Manage Consent’ shield in the bottom left of some pages to manage Your preferences. We do not include this shield on all pages as this can prevent You from using some Site features. We use ‘Cross Domain Consent’ so that You do not need to set Your preferences on every area of Our Site.

Back to the top


Your data protection rights

If You wish to make a data subject request, please contact Us by any of the means specified in the How to Contact Us section above.

Your right of access
You have the right to request copies of Your Personal Data which We hold, this is known as a subject access request. You can also view the latest Personal Data We hold on to Your Member Account by logging into Our platform and viewing the “Account Settings” section.

Your right to rectification
This enables You to have any incomplete or inaccurate Personal Data We hold about You corrected, though We may need to verify the accuracy of the new Personal Data You provide to Us. If You would like to do this, please contact Us and let Us know the information that is incorrect and the information You want it replaced.

Your right to restriction of processing
This enables You to ask Us to suspend the processing of Your Personal Data in the following scenarios: (a) If You want Us to establish the Personal Data’s accuracy; (b) Where Our use of the data is unlawful but You do not want Us to erase it; (c) Where You need Us to hold the data even if We no longer require it as You need it to establish, exercise or defend legal claims; and (d) You have objected to Our use of Your Personal Data but We need to verify whether We have overriding legitimate grounds to use it.

Your right to object to processing
You may object to Our processing of Your Personal Data where We are relying on a legitimate interest (or those of a third party) and there is something about Your situation which makes You want to object to processing on this ground as You feel it impacts on Your fundamental rights and freedoms. You also have the right to object where We are processing Your Personal Data for direct marketing purposes. In some cases, We may demonstrate that We have compelling legitimate grounds to process Your information which override Your rights and freedoms. Exercising this right may also result in closure of Your Member Account as We will not be able to continue to provide access if We cannot process Your Personal Data for the purpose of administering Your Member Account and providing You access to it and the log-in areas of the Site.

Your right to erasure
You may request for Us to erase all Your Personal Data (also known as the “right to be forgotten”) in the following circumstances:

  1. It is no longer necessary for Us to hold that Personal Data with respect to the purpose for which it was originally collected or processed;
  2. Consent is the lawful basis for Togetherall holding Your data and You withdraw Your consent;
  3. You object to Us holding and processing Your Personal Data (and there is no overriding legitimate interest to allow Us to continue doing so);
  4. We are processing Your Personal Data for direct marketing purposes and You object to Us processing for marking purposes;
  5. The Personal Data has been processed unlawfully; or
  6. The Personal data needs to be erased in order for Us to comply with a particular legal obligation.

Erasure of Your Personal Data may result in automatic closure of Your Member Account and access to the log-in areas of Our Site.

Right to data portability
We will provide to You, or a third party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You. You can get a copy of Your Member Account information and Your Member Content by logging into Your Member Account. You can also request a copy of Your information which We hold (this is known as a subject access request). You can transfer this to other organisations if You wish.

No Fee Usually Required
You will not have to pay a fee to access Your Personal Data (or to exercise any of the other rights). However, We may charge a reasonable fee if Your request is clearly unfounded, repetitive or excessive. Alternatively, We could refuse to comply with Your request in these circumstances. We will notify You if this is the case at the time.

Time Limit to Respond
We try to respond to all legitimate requests within one month. Occasionally it could take Us longer than a month if Your request is particularly complex or You have made several requests. In this case, We will notify You and keep You updated.

It may not be possible for Us to delete Your Personal Data if We are required to keep it by law or if We hold it in connection with a contract with You. Similarly, access to Your Personal Data may be refused if making the information available would reveal Personal Data about another person or if We are legally prevented from such disclosure.

Back to the top



If You have any complaints about the way in which We have used Your Personal Data and these have not been addressed by contacting Us first, You can contact the relevant supervisory authority which in the United Kingdom is, the UK Information Commissioner’s Office. We would, however, appreciate the chance to deal with Your concerns before You approach the ICO so please contact Us in the first instance.

Information Commissioner’s Office
Wycliffe House
Water Lane
Helpline number: +44(0)303 123 1113