Last updated 7th March 2023.
‘Account’ means a Members’ Site personal account;
‘Bricks’ means a way for Members to express creatively through drawing or by uploading their own images and adding text on Our platform.
‘Courses’ means a place where a Member can enroll and take part in interactive group courses on a variety of topics to help them feel more in control of their emotional health.
‘House rules’ means the House Rules applicable to Members accessing the Site.
‘Journal’ means a place a Member can use to note down what they have been up to and what they have been going through.
‘Member’ means an individual that has registered as such on the Site and has had a Member Account set up on the Site and ‘membership’ shall be interpreted accordingly.
‘Site’ means our website located at www.togetherall.com.
‘Talkabouts’ means the areas of the Site where Members can share their thoughts with fellow Members to share and discuss what’s on their mind, gain support and advice.
‘We’, ‘Us’ and ‘Our’ means Togetherall Limited, a company registered in England and Wales under company number 06227377, with a registered office at 36-38 Whitefriars Street, London, EC4Y 8BQ.
“You”, “Your”, “Yourself”, “You’ve” means the: (i) Members and other individual end users that access Our Site, requests or receive any of Our services and/or interact with Us by any means (email, phone, etc.); and (ii) the staff of Our customers (“Customers”) that interact with Us for the purpose of managing the services We provide to the Customer (“Customer’s Users)”.
“The Wall” means the areas of the Site where Members can post and interact with other users, including professionals.
“Wall Guides” means professionals assigned by Togetherall to provide guidance to Members.
For the purpose of the General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018 (“DPA 2018”), the data controller is Togetherall Limited, a company registered in England and Wales under company number 06227377, with a registered office at 36-38 Whitefriars Street, London, EC4Y 8BQ.
Email Our Data Protection Officer, Daniel Mortimore, at: firstname.lastname@example.org
Call Us on +44(0)203 405 6196
Or write to Us at:
71-73 Carter Lane
We have also appointed a representative in the EU. You can contact them by post at Taylor Vinters Europe Limited, Clifton House, Fitzwilliam Street Lower, Dublin, Dublin, D02 Xt91, Ireland, or by email at email@example.com.
Here at Togetherall We take Your privacy rights very seriously and We seek to ensure the highest standards of compliance. We fully comply with all applicable data protection laws, including: (i) the General Data Protection Regulation (“GDPR”) and other applicable European Union data protection laws; (ii) the UK Data Protection Act 2018 (“DPA 2018”) and other applicable UK data protection law (“Data Protection Legislation”).
Our services are available to individuals who are 16+ years old and are not intended for children. We do not knowingly collect data relating to children. You can report any knowledge of a child accessing Togetherall and providing personal data by using the ‘Report’ or ‘Ask a Wall Guide’ buttons.
Back to the top
Our main aim in providing The Wall is to provide a safe place for Members to share their thoughts, feelings and discussions with others in a confidential environment, where Your anonymity is respected.
If You are engaged with Live Therapy, Your Personal Data will be confidentially collected as described in Our Live Therapy and ‘Risk or crisis situations’ sections below.
We use appropriate administrative, physical and technical safeguards to protect Your Personal Data from loss or theft, unauthorised access, use or disclosure, or modification or destruction. For example, We train Our personnel to protect Your privacy and require them to comply with Our policies and procedures that protect Your Personal Data. In addition, We limit access to Your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process Your Personal Data on Our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach. We use computing systems in secure facilities to store Your Personal Data in an encrypted form. Data between our servers and a client browser is transferred via HTTPS/TLS. This means that Your Personal Data is encrypted between the device and Our external host storage.
We use best practice in the development of Togetherall to ensure that data minimisation principles are met. We only collect Personal Data We actually need for Our specified purposes. We ensure that Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We have controls and processes in place to challenge, assess and review current and proposed changes to data processing.
“Personal Data”, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
“Special Category Data” means Personal data that includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about Your health, and genetic and biometric data). We do not collect any information about criminal convictions and offences.
We may collect, use, store and transfer different types of Personal Data and non-Personal Data about You which We have grouped together as follows:
1. Registration Data: We process the following registration data;
2. Customer’s Users Data: Personal Data collected and generated when a Customer’s User opens a user account, manages the services We provide to the Customer and interacts with us including:
3. Technical and Location Data: We will collect and store Members time zone and country upon registration, then all relevant IP addresses to Members and other end users accessing the Site along with their login data, browser type and version, operating system and platform, and other technology on the devices they use to access Our Site.
4. Personal Information within Member Content:
Information posted whilst using Our Site for example within Bricks, Talkabouts, Journals or Courses (refer to Our definitions section at the start of this document) sessions, subject to Your privacy settings or when You interact with Us including by phone and email.
5. Membership Data: Personal Data You provide to us, when You request access to Our services through Your insurance provider, Your university, college or employer or the organisation who referred You to Our service, to ensure eligibility.
6. Patient Data:
7. Live Therapy Data: Where You are prescribed or referred and participate in Our Live Therapy
We may collect the following Personal Data and Special Category Data during the sessions, which could include:
Where We need to collect Personal Data by law, or under the terms of a contract We have with You, and You fail to provide that data when requested, We may not be able to perform the contract We have or are trying to enter into with You (for example, to provide You with Our services). In this case, We may have to cancel a service You have with Us, but We will notify You if this is the case at the time.
We will only use Your Personal Data when the law allows Us to. Most commonly, We will use Your Personal Data in the following circumstances:
Generally, We do not rely on consent as a legal basis for processing Your Personal data although We will seek Your consent, or give you the chance to opt-out in light of our latest communication, before sending third party direct marketing communications to You via email or text message. You have the right to withdraw consent to marketing at any time by contacting Us.
Support Network: During the registration process to access Our Platform We give You the option to provide Us with Your Ethnicity. When We do collect this special category data We do so to help ensure that We are meeting the needs of diverse population and serving Our populations appropriately, in line with Our charter to be inclusive for all.
Live Therapy: You may give Us Special Category Data such as biometric data for unique identification, health information and medical records, racial or ethnic origin, political orientation or beliefs, religious or philosophical beliefs, trade union membership, data concerning sex life or sexual orientation, genetic data.
Patient Data: We may also collect or receive Patient Data from You or from other parties (i.e. those who refer You) in the context of the health and care services We provide to you.
Any information provided by You during the course of Live Therapy sessions will be regarded as Special Category Data and treated as medically sensitive information and will only be used for the purposes of the therapist continuing to assist You under those sessions. Such information will not be disclosed to third parties without Your prior written consent in accordance with the provisions of the Access to Medical Reports Act, 1988 unless We need to do so to protection Your vital interests. See the Live Therapy section of Our Member Terms for more information on disclosure to protect You.
We will only use confidential information (including Special Category Data) about Your health and care, where this is allowed by law and there is a clear legal basis to use it. For instance, We process Special Category Data about You (e.g. patient records) when We provide a health or care service to You (such as You attending a Live Therapy session, to provide You with the care and treatment You need or request). Our overall aim is to help improve Your mental health, after all Our goal is to eradicate mental health globally.
We will generally request Your consent before We process Your confidential information relating to Your treatment or safeguarding and other Patient Data. However, In circumstances where We need to use this information to provide You with the care and treatment You need or request, or where We are concerned about Your safety or the safety of another person, We may process Your health related or safeguarding information using a legal basis, and a condition for processing, other than consent. This may include, substantial public interests or the substantial public interests of another, a legal obligation We hold as an organisation or for a public task in the area of public health.
Please note that We will only rely on Vital Interests as a lawful basis and condition for processing Your Personal Data (under Art. 6 and 9 GDPR) in situations of risk where You are physically or otherwise incapable of giving consent or when We need to comply with a duty of care towards You pursuant to applicable laws.
We have set out below, in a table format, a description of all the ways We plan to use Your Personal Data, and which of the legal bases We rely on to do so. We have also identified what Our legitimate interests are where appropriate. Should the purpose for which We will use Your Personal Data change, and consent is Our lawful basis for processing, You will be informed and consent re-obtained.
Note that We may process Your Personal Data for more than one lawful ground depending on the specific purpose for which We are using Your data. Please contact Us if You need details about the specific legal ground We are relying on to process Your Personal Data where more than one ground has been set out in the table below.
If You would like to opt out of any or all of the processing activities mentioned below please get in touch with Us using the information under the ‘Contacting Us’ section above. It may not be possible for opt out of a processing activity if We are required to keep it by law or if We hold it in connection with a contract with You.
|Purpose/Activity||Type of data||Lawful basis for processing including basis of legitimate interest and conditions for processing Special Category Data|
|To register You as a new Member or Customer’s User and maintain Your registration||
(a) Registration Data
(b) Membership Data
(c) Customer User’s Data
(a) Performance of a contract with You
(b) Necessary for Our legitimate interests
We collect Members’ date of birth and email address to register the new Members and other information necessary to create the Member account. More particularly, We use Your date of birth to confirm Your eligibility for Membership. If You have registered using Your postal code/eircode, We will also collect this information to confirm Your eligibility for Membership. If You have registered via Your insurance provider, We use Your membership data to verify Your eligibility through said provider.
(c) Consent: in relation to the optional “ethnicity” field included in the Members’ registration form, the lawful basis for processing, and Condition for processing under Art. 9 GDPR are consent.
|Administer the Site and Your Membership||
(a) Registration Data
(b) Membership Data
(d) Member Content
(e) Customer User’s Data
(a) Performance of a contract with You
(b) Necessary for Our legitimate interests
We use Your Personal data to present it to You in ‘My Account’. We may also use Your Personal Data to:
To manage Our relationship with You which will include:
(b) to Communicate with You: for instance, messages about the Site and Your Membership, and notifications about new content and activity on the Site pertinent to You
For further detail see below: How We collect Member Content and why do We have it
(a) Registration Data
(b) Technical Data
(c) Customer User’s Data
a) Performance of a contract with You
(b) Necessary to comply with a legal obligation
(c) Necessary for Our legitimate interests (to keep Our records updated and to study how customers use Our products/services)
To provide You with the care and treatment You need or request (as applicable) and Keep You or another person safe
(for further detail see below: (i) Live Therapy; (ii) Risk and Crisis situations (Risk Management); and (iii) How We collect Special Category Data and why do We have it)
(a) Registration Data
(b) Patient Data
(c) Member Content
(a) consent, substantial public interests
(b) Necessary to comply with a legal obligation, substantial public interests, vital interests
(c) protection of vital interests: In circumstances where We are concerned about Your safety or the safety of another person, and You are physically or legally incapable of giving consent (or if applicable, We need to comply with a legal duty of care), We may process Your Personal Data to keep You or another person safe, for more information regarding this please view Our ‘Risk or crisis situations (Risk Management)’ section.
Conditions for processing under Art. 9 GDPR: Consent, Vital Interests or health care (also pursuant to condition 2 of UK DPA 2018)
To contact You & To improve Our services
(a) including whether You’d be interested in participating in any research projects. You may also turn these emails off in Your ‘Account Settings’ section
(b) to ask You to partake / complete surveys: We may present a research survey to You and collect Personal Data from You if You agree to participate. We will inform You about why We wish to collect Your Personal Data and ask You for Your consent before collecting it.
(a) Member Content
(a) Necessary for Our legitimate interests (To improve Our services or for medical or scientific research)
To administer and protect Our business and Our Site:
including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a) Registration Data
(b) Technical Data
(a) Necessary for Our legitimate interests (for running Our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation
|To use data analytics to improve Our Site, products/services, marketing, customer relationships and experiences||
(a) Technical Data
(b) Member Content
(c) Customer User’s Data
|Necessary for Our legitimate interests (to define types of services, to keep Our Site updated and relevant, to develop Our business and to inform Our marketing strategy)|
We may use Your Personal Data to create data sets and reports that contain anonymised data that cannot be used to identify You. Anonymised data could be derived from Your Personal Data but is not considered Personal Data (as You cannot be identified from this data). We use such reports and data, and may disclose them to external parties, such as funding sources, for: statistical, analytical and reporting purposes; research; and for evaluating and enhancing the Site or improving the service. For example, We may aggregate part of Your Site usage data to calculate the percentage of users accessing a specific Site feature. We may produce reports that identify how many Members live in different geographical areas by using Your postal code/eircode along with that of other Members.
Therapists will keep short narrative factual record of each therapy session. These notes will be stored online on a secure server, for more information on this please view Our ‘Where We store Your data’ section. The notes will be stored in pseudonymised form using an identifier.
The purpose of the record is to act as an aide memoire of the key points of the session and to assist the preparation of update reports to referrers (for NHS client Members). It will not be a narrative account of the full session.
Members will have the opportunity to add their own comments to the session record but not to request a change of the therapist’s record. However any factual errors in the therapist’s record can be noted by the Member in the record they make. This does not affect Your rights to have Your Personal Data updated, corrected or erased. See the ‘Your data protection rights’ section below. The therapist will have been informed by Togetherall of their obligations under the Data Protection Legislation, the Access to Medical Reports Act 1988 and any other applicable legislation.
The record of the session will be stored online on a secure server.
In the rare situation where We feel that You or someone else is at risk We may use Your Personal Data to escalate risk to the appropriate external support mechanisms. We have a duty of care to ensure that We provide a safe space to support You, if We cannot achieve Our mission and We believe there is a significant risk, Our legal obligation means We may have to escalate externally. Here Your Personal Data will be required to provide You with the appropriate support. Of course, this decision will always be made with a considered approach by Our team of qualified Senior Clinicians.
The external support mechanism will need Your Personal Data to provide You with the appropriate support. External support mechanisms may include; the appropriate representative from Your commissioning body (such as Your university, college or employer), the organisation who referred You to Our service(s), Your GP, third party escalation services and/or the emergency services.
Live Therapy (UK only)
Therapists assess risk in all assessment sessions and all follow up sessions with Togetherall Live Therapy Members. If the therapist identifies in the course of a therapy session that the Member or another person is identified (in the therapist’s opinion) as being at risk of harm then the therapist will take steps that they believe to be reasonable to reduce the risk of harm. Due to the remote nature of the service We will:
We require all third parties We share Personal data with, to respect the security of Your Personal Data and to treat it in accordance with the law.
Often We may need to share Your Personal Data with other service providers in order to facilitate the running of the Site. For example, third parties associated with hosting server co-locations. When this happens, We implement strict contractual agreements with such third parties. We do not allow Our third-party service providers to use Your Personal Data for their own purposes and only permit them to process Your Personal Data for specified purposes and in accordance with Our instructions. We will only disclose your health data to third parties as specified above (see “How We collect Special Category Data and why do We have it”, “Live Therapy” and “Risk or crisis situations (Risk Management)”).
Details of third parties that We share Your Personal Data with are set out in Our linked Page of Third Party sub-contractors.
We may disclose Your data to Our employees, and agents to administer Your membership and the services provided by Us now or in the future.
We may also disclose Your Personal Data to third parties:
This includes exchanging information with other companies and organisations such as the police, regulatory bodies or legal advisers for the purposes of security, risk reduction and fraud protection. For example, We may disclose Your Personal Data to the police in connection with any alleged criminal offence.
We may disclose Your Personal Data to any member of Our group, which means Our subsidiaries, Our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
This section does not apply to Members and only applies to the representatives of our business customers.
We may also use Your Personal Data to send You and keep You updated with information by e-mail or message through the Site about existing and new services from Us and to send You information by e-mail or message through the Site about related products or services of selected third parties that may be of interest to You.
If at any time you wish to no longer receive our marketing emails, or no longer consent to our use of the tracking pixel, an unsubscribe link is found at the bottom of every email where you can opt out.
You have the right at any time to stop Togetherall from contacting you. If you no longer wish to be contacted for marketing purposes, please email firstname.lastname@example.org.
This section applies to Members of the Togetherall platform.
To opt-out of receiving these messages as a Member or as an Account holder, You can also use the facility contained in any such communication or change Your ‘Account settings’ through Your Togetherall profile on the Site. You may also contact Us to opt out using the information under the ‘Contacting Us’ section above: please state Your member name, and from whom You do not wish to receive further communications.
Also see the ‘Your Rights’ section below, for information about how to withdraw Your consent to receive these messages.
We only keep Your Personal Data for so long as it is necessary to fulfil the purpose for which it was collected and to comply with guidelines for the retention of health records and also for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, We consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Your Personal Data, the purposes for which We process Your Personal Data and whether We can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. We will keep Your Personal Data for a period of 8 years after You or We have closed Your Member Account, or if You have not logged into Your Member Account for more than 8 years. After that 8-year period We will delete all of Your information securely in accordance with Our data destruction policies unless You contact Us to reactivate Your Member Account in that period. We may retain Your Personal Data for a longer period in the event of a complaint or if We reasonably believe there is a prospect of litigation in respect to Our relationship with You.
We may retain some information in anonymised form, for example for statistical analysis and research purposes, but We do not retain any Personal Data after the expiry of the 8-year period from the date of closure or expiry of Your Member Account.
If You are located in the EEA or in the UK, all Personal Data, including Member Content, You provide to Us is stored and processed on Our secure servers located in the UK or the European Economic Area (“EEA”). This data may be processed by our staff internationally, but only on a “need to know” basis, and always under a duty of confidentiality. We may transfer Personal Data outside of the EEA or the UK (as applicable) to: (i) provide 24/7 care in urgent or risk situations; or (ii) seek specialist support and advice from specialist consultants located outside the EEA or the UK, but We will implement adequate safeguarding controls where this is the case. We may store locally Personal Data of Members located outside the UK or the EEA.
When Your Member Account is still active (i.e. You have logged-in within the previous 8 years, You may login to Your Member Account on the Site at any time to view Your Personal Data. If Your Member Account has expired, You may reactivate it by contacting Us using the contact form or +44(0)203 405 6196. We will generally be able to reactivate Your account for a period of two weeks in order for You to access and copy Your Personal Data and Member Content. You may update Your email address at any time by logging in and accessing ‘Account Settings’.
Tip: You may click on Your My Profile picture and see all the Member Content You have posted in one place. You may also see all Your Bricks, Talkabouts and Course content by visiting those sections of the Site.
You have other rights to access, correct and erase Your Personal Data under Data Protection Legislation. See the ‘Your Rights’ section below.
If you opt-in to receiving our emails, you are consenting to our use of a tracking pixel.
A tracking pixel operates in a similar way as cookies are used in web browsers. A tracking pixel is usually part of electronic mail marketing. We use the tracking pixel to gather data on how our email activity is received such as, but not limited to, device, IP address, open time, link activity and website activity if a user clicks through to our website from our marketing emails. We use this information to create a better site experience for you and our customers, help personalise emails and tailor the site experience for all who opt in to hear from us.
Our Sites use certain cookies, pixels, beacons, log files and other technologies. Please see our Cookies Policy to learn about the cookies we use and how to manage your preferences.
Our Site may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about You. Please note Our Privacy Notice only applies to Our Site, if You click on a link to an external website You should read their privacy statements. We do not accept any responsibility or liability from the actions or omissions of any third-party websites which You may access.
Such third-party websites are not investigated, monitored or checked for accuracy, appropriateness, or completeness by Us, and We are not responsible for any websites You may access via a recommendation or suggestion on the Site. Inclusion of, linking to or permitting the use or installation of any third-party website or any third-party applications, software or content does not imply approval or endorsement by Us. If You decide to leave the Site and access a third-party website or to use or install any third-party applications, software or content, You do so at Your own risk.
We are not responsible for the policies, content or security of these linked websites, including how they protect Your privacy and collect, use and disclose Personal Data. We strongly encourage You to review the privacy policies applicable to any linked websites You visit.
We do not have any control over the use to which third parties may put Your data where You choose to purchase products or services or otherwise to contact them via the Site and We take no responsibility or liability for such use by third parties. Please check any policies on such websites before You submit any Personal Data to them.
If You wish to make a data subject request, please contact Us by any of the means specified in the How to Contact Us section above.
Your right of access
You have the right to request copies of Your Personal Data which We hold, this is known as a subject access request. You can also view the latest Personal Data We hold on Your Member Account by logging into Our platform and viewing the “Account Settings” section.
Your right to rectification
This enables You to have any incomplete or inaccurate Personal Data We hold about You corrected, though We may need to verify the accuracy of the new Personal Data You provide to Us. If You would like to do this, please contact Us and let Us know the information that is incorrect and the information You want it replaced.
Your right to restriction of processing
This enables You to ask Us to suspend the processing of Your Personal Data in the following scenarios: (a) If You want Us to establish the Personal Data’s accuracy; (b) Where Our use of the data is unlawful but You do not want Us to erase it; (c) Where You need Us to hold the data even if We no longer require it as You need it to establish, exercise or defend legal claims; and (d) You have objected to Our use of Your Personal Data but We need to verify whether We have overriding legitimate grounds to use it.
Your right to object to processing
You may object to Our processing of Your Personal Data where We are relying on a legitimate interest (or those of a third party) and there is something about Your situation which makes You want to object to processing on this ground as You feel it impacts on Your fundamental rights and freedoms. You also have the right to object where We are processing Your Personal Data for direct marketing purposes. In some cases, We may demonstrate that We have compelling legitimate grounds to process Your information which override Your rights and freedoms. Exercising this right may also result in closure of Your Member Account as We will not be able to continue to provide access if We cannot process Your Personal Data for the purpose of administering Your Member Account and providing You access to it and the log-in areas of the Site.
Your right to erasure
You request for Us to erase all Your Personal Data (also known as the “right to be forgotten”) in the following circumstances:
Erasure of Your Personal Data may result in automatic closure of Your Member Account and access to the log-in areas of Our Site.
Right to data portability
We will provide to You, or a third party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You. You can get a copy of Your Member Account information and Your Member Content by logging into Your Member Account. You can also request a copy of Your information which We hold (this is known as a subject access request). You can transfer this to other organisations if You wish.
No Fee Usually Required
You will not have to pay a fee to access Your Personal Data (or to exercise any of the other rights). However, We may charge a reasonable fee if Your request is clearly unfounded, repetitive or excessive. Alternatively, We could refuse to comply with Your request in these circumstances. We will notify You if this is the case at the time
Time Limit to Respond
We try to respond to all legitimate requests within one month. Occasionally it could take Us longer than a month if Your request is particularly complex or You have made several requests. In this case, We will notify You and keep You updated.
It may not be possible for Us to delete Your Personal Data if We are required to keep it by law or if We hold it in connection with a contract with You. Similarly, access to Your Personal Data may be refused if making the information available would reveal Personal Data about another person or if We are legally prevented from such disclosure.
If You have any complaints about the way in which We have used Your Personal Data and these have not been addressed by contacting Us first, You can contact the relevant supervisory authority which in the United Kingdom is, the UK Information Commissioner’s Office. We would, however, appreciate the chance to deal with Your concerns before You approach the ICO so please contact Us in the first instance.
Information Commissioner’s Office
Helpline number: +44(0)303 123 1113
In the Republic of Ireland, this is the Data Protection Commission: www.dataprotection.ie
Data Protection Commission
21 Fitzwilliam Square South
Helpline number: +353(0)1 7650100 / 1800437 737