Last updated February 2024.
Please click the link below to see key definitions we use in relation to our Services and Our Community.
We offer an online mental health self-support platform and related services (the “Services”). The platform is located at www.togetherall.com (our “Site”).
Our customers are universities, public and private organisations (“Customers”) that wish their individual users that register with Us to benefit from the Services (“Members” and collectively the “Community”).
The controller responsible for your personal data is Togetherall Limited, a company registered in England and Wales under company number 06227377, with a registered office at 27 Old Gloucester Street, London, England, WC1N 3AX (“We”, “Us” “Our”).
“You”, “Your”, “Yourself”, means the: (i) the Members and other individuals that access Our Site, requests or receive any of Our services and/or interact with Us by any means (email, phone, etc.); and (ii) the admin users and representatives of our Customers (“Admin Users”).
Email Our Data Protection Officer at: firstname.lastname@example.org
Call Us on +44(0)203 405 6196
Our Services are available to individuals who are 16+ years old. We do not knowingly collect data relating to people under the age of 16.
It is important that the Personal Data We hold about You is accurate and current. Please keep Us informed if Your Personal Data changes during Your relationship with Us.
Our main goal is to enable a safe Community for Members to give and receive support while being able to share their thoughts, feelings and discussions with others in a confidential environment.
We use appropriate administrative, physical and technical safeguards to protect Your Personal Data from loss or theft, unauthorised access, use or disclosure, or modification or destruction. For example, We train Our personnel to protect Your privacy and require them to comply with Our policies and procedures that protect Your Personal Data. In addition, We limit access to Your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process Your Personal Data on Our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach. We use computing systems in secure facilities to store Your Personal Data in an encrypted form. The Personal Data is also encrypted whenever it is transferred between Our servers and Your device. This is because Our website uses https, which means the data is protected by ‘transport layer security’ when it is transferred.
We use good industry practice in the development of Togetherall’s systems to ensure that data minimisation principles are met. We only collect Personal Data We need for Our specified purposes. We ensure that Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We include role-based permissions for users of Our platform to ensure they can only access information required for their role. We have controls and processes in place to challenge, assess and review current and proposed changes to data processing.
We may collect, use, store and transfer different types of Personal Data about You which We have grouped together as follows:
1. Registration Data: We collect the following data when You register for Togetherall:
2. Background Data: We may collect the following data when You activate Your Togetherall Account (all optional):
3. Admin Data: we process information generated by the Admin Users when they registered with us, access their Togetherall accounts, manage the service we provide to the Customers and interact with us.
4. Technical Data: We will collect and store Members’ time zone and country upon registration, then all relevant IP addresses to Members and other end users accessing the Site along with their login data, browser type and version, operating system and platform, and other technology on the devices they use to access Our Site.
5. Member Content Data: We process Personal data posted whilst using Our Site for example within Bricks, Talkabouts, Journals, Courses or Self Assessments (refer to Our definitions section at the end of this document).
6. Membership Data: this means Personal Data You provide to Us or is provided to Us when You request access or agree to use Our services through Your insurance provider, Your university, college or employer, health care professional or the organisation who put you in touch with Us or referred You to Our service to ensure eligibility or to be used as a reference.
7. Referral Data: this means:
8. Survey/Research Data: means Personal Data We may collect from You if You agree to participate in a Survey or a research project.
9. Marketing Data: includes your preferences in receiving marketing from Us and Our third parties and Your communication preferences.
Where We need to collect Personal Data by law, or under the terms of Our contract with You, or to provide the Services, and You fail to provide that data when requested, We may not be able to perform the contract We have or are trying to enter into with You or the Services. In this case, We may have to cancel or suspend a Service. We will notify You if this is the case at the time.
We will only use Your Personal Data when the law allows Us to. Most commonly, We will use Your Personal Data in the following circumstances:
Generally, We do not rely on consent as a legal basis for processing Your Personal data although We will ask you to opt-in and/or give You the chance to opt-out before sending third party direct marketing communications to You via email or text message.
You have the right to withdraw consent to marketing at any time by contacting Us or clicking unsubscribe in the direct marketing communications.
We have set out below, in a table format, a description of all the ways We plan to use Your Personal Data, and which of the legal bases We rely on to do so. We have also identified what Our legitimate interests are, where appropriate. Should the purpose for which We will use Your Personal Data change, We will inform you.
Note that We may process Your Personal Data for more than one lawful basis depending on the specific purpose for which We are using Your Personal Data. Please contact Us if You need details about the specific legal basis We are relying on to process Your Personal Data where more than one basis has been set out in the table below.
|Type of data
|Lawful basis for processing including basis of legitimate interest and Conditions for processing Special Category Data
|(1) To register You as a new Member or to (2) offer You access to our Services as per Customer’s request or a referral
(a) Registration Data
(b) Background Data
(c) Membership Data
Art. 6 – Lawful Bases for processing:
Necessary to comply with a legal obligation
Necessary for Our legitimate interests:
(i) We collect date of birth to confirm Your eligibility for Togetherall. You should be 16+ to register for the Services. We also collect email address so that We can verify Your account. In some case We also collect email address to ensure that You are eligible for Togetherall, through Your university for example. In some cases, We collect post code to ensure Your eligibility, for example when Togetherall is available within a specific post code area. Where provided, We use Membership Data to ensure eligibility, such as through an insurance provider where the Services have been made available to You.
(ii) We use Your email address to send You an invitation where You have been referred to Togetherall. Here We will email You to register for Togetherall.
Article 9 – Conditions For Processing:
Health or social care (with a basis in law);
(i) We use Background Data to collect Special Category Data from You, which enables Our clinical team to provide You with appropriate support or information when You request or need this support.
Article 9 – Archiving, research and statistics (with a basis in law)
(i) We use Background Data to ensure that We are serving a diverse population, for example gender and ethnicity, and to understand Our population and their mental health presentations, which is why We ask about Your mental health. All of these questions are optional, and You can respond with ‘i’d rather not say’ if You do not wish to provide this information.
|Administer the Site, the Services and Your Membership
a) Registration Data
(b) Membership Data
(c) Technical Data
(d) Member Content Data
(e) Admin Data
Art.6. Lawful Bases for processing:
(i) Necessary to comply with a legal obligation
(ii) Contract Performance: We may use Membership Data and Member Content Data to present it to the Member in ‘My Account’ and to provide the Services to them.
(iii) Necessary for Our legitimate interests: We may also use Your Personal Data to:
Investigate any suspected breaches of, and enforce Our House Rules and Terms, e.g., to help Us determine if a Member has registered more than once.
Process and deal with any complaints made by or about You.
Investigate usage of the Site or the Services that may be inappropriate.
Enforce the Member Terms.
Art. 9. Conditions for Processing
Article 9(2)(h) Health or social care
We process Member Content to the provide Our Services provide support or refer Members at risk to third parties through an escalation
To provide Members with the care and support they need or request (as applicable) and keep them or another person safe, including preventing trolling
(for further detail see below: (1) Risk or Crisis situations (Risk Management) (2) How We collect Special Category Data and why do We have it)
(a) Registration Data
(b) Background Data
(c) Technical / Location Data
(d) Member Content
(e) Membership Data
(f) Referral Data
Art. 6 Lawful Bases for processing:
(i) Necessary to comply with a legal obligation
(ii) protection of vital interests: In circumstances where We are concerned about Your safety or the safety of another person, and a Member is physically or legally incapable of giving consent (or if applicable, We need to comply with a legal duty of care), We may process their Personal Data to keep You or another person safe, for more information regarding this please view Our ‘Risk or crisis situations (Risk Management)’ section.
Art. 9. Conditions for processing:
Under Art. 9 (c) & (h) GDPR: To protect Vital Interests and Article 9(2)(h) for Health or social care – We process Member Content to the provide our Services involving health care.
To contact or survey Members or Admin Users to improve Our Services
(a1) to ask you to participate in any research projects.
(b2) to ask Members to partake / complete surveys: We may present a research survey to You and collect Personal Data from You if You agree to participate. We will inform You about why We wish to collect Your Personal Data and may ask You for Your consent before collecting it.
(a) Registration Data
(b) Admin Data
(c) Survey Data
Art.6. Lawful Bases for Processing
(b) Necessary for Our legitimate interests (To improve Our Services or for medical or scientific research)
Art.9. Conditions for Processing
(a) Explicit Consent
(b) Archiving, research and statistics
To manage Our relationship with our Customers which will include:
(1) To Register a Customer and Interact with its Admin users for the purpose of the Services
(2) to Communicate with Admin Users: for instance, messages about the Site and Membership, and notifications about new content and activity on the Site pertinent to the relevant Customer
(a) Registration Data
(b) Technical Data
(c) Admin Data
Art.6.Lawful Bases for Processing
(i) Contract Performance
(ii) Necessary to comply with a legal obligation
(iii) Necessary for Our legitimate interests (to keep Our records updated and record of the services we provide, and to study how Customers use Our products/services).
To administer and protect Our business and Our Site:
including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a) Registration Data
(b) Admin Data
(c) Technical Data
(d) Marketing Data
(a) Necessary for Our legitimate interests (for running Our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation
|To use data analytics to improve Our Site, products/services, marketing, customer relationships and experiences
(a) Technical Data
(b) Admin Data
(e) Marketing Data
|Necessary for Our legitimate interests (to define types of services, to keep Our Site updated and relevant, to develop and improve Our business and to inform Our marketing strategy)
We use Your Personal Data and Special Category data to create data sets and reports that contain anonymised data that cannot be used to identify You. Anonymised data could be derived from Your Personal Data but is not considered Personal Data (as You cannot be identified from this data). We use such reports and data, and may disclose them to external parties, such as funding sources or clients, for statistical, analytical and reporting purposes; research; and for evaluating and enhancing the Site or improving the service. For example, We may aggregate part of Your Site usage data to calculate the percentage of users accessing a specific Site feature. We may produce reports that identify how many Members live in different geographical areas by using Your postal code along with that of other Members.
In the rare situation where We feel that You or someone else is at risk, We may use Your Personal Data and Special Category Data to escalate risk to the appropriate external support mechanisms. We have a duty of care to ensure that We provide a safe space to support You. If We cannot achieve Our mission and We believe there is a significant risk, Our legal obligation means We may have to escalate externally. Here Your Personal Data and Special Category Data will be required to provide You with the appropriate support. Of course, this decision will always be made with a considered approach by Our team of qualified Senior Clinicians.
The external support mechanism will need Your Data to provide You with the appropriate support. External support mechanisms may include the appropriate representative from Your commissioning body (such as Your university, college or employer), the organisation who referred You to Our service(s), Your GP, third party escalation services and/or the emergency services. After We have reached out to these organisations, We may ‘Pause’ Your Account in line with Our ‘Member Terms’.
We require all third parties We share Personal data with to respect the security of Your Personal Data and to treat it in accordance with the law. When this happens, We implement strict contractual agreements with such third parties. We do not allow Our third-party service providers to use Your Personal Data for their own purposes and only permit them to process Your Personal Data for specified purposes and in accordance with Our instructions.
We may disclose Your data to Our employees, and agents to administer Your membership and the services provided by Us now or in the future.
We will only disclose Your health data to third parties as specified above (see “How We collect Special Category Data and why do We have it” and “Risk or crisis situations (Risk Management)”).
We may also disclose Your Personal Data to third parties:
We only keep Your Personal Data for so long as it is necessary to fulfil the purpose for which it was collected and to comply with guidelines for the retention of health records and also for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, We consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Your Personal Data, the purposes for which We process Your Personal Data and whether We can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. We will keep Your Personal Data for a period of 8 years after You or We have closed Your Member Account, or if You have not logged into Your Member Account for more than 8 years. After that 8-year period We will delete all of Your information securely in accordance with Our data destruction policies unless You contact Us to reactivate Your Member Account in that period. We may retain Your Personal Data period in the event of a complaint and/or if We reasonably believe there is a prospect of litigation in respect to Our relationship with You.
If You are located in the EEA or in the UK, all Personal Data, including Member Content, You provide to Us is stored and processed on Our secure servers located in the UK or the European Economic Area (“EEA”). We may transfer Personal Data outside of the EEA or the UK (as applicable) to provide 24/7 care in urgent or risk situations, but We will implement adequate safeguarding controls where this is the case. We may store locally Personal Data of Members located outside the UK or the EEA.
Our Sites use certain cookies, pixels, beacons, log files and other technologies. Please see Our Cookies Policy to learn about the cookies We use and how to manage Your preferences. We use a third party Cookie Preference Manager which allows You to set and amend Your cookie Preferences. You can use the ‘Manage Consent’ shield in the bottom left of some pages to manage Your preferences. We do not include this shield on all pages as this can prevent You from using some Site features. We use ‘Cross Domain Consent’ so that You do not need to set Your preferences on every area of Our Site.
If You wish to make a data subject request, please contact Us by any of the means specified in the How to Contact Us section above.
Your right of access
You have the right to request copies of Your Personal Data which We hold, this is known as a subject access request. You can also view the latest Personal Data We hold on to Your Member Account by logging into Our platform and viewing the “Account Settings” section.
Your right to rectification
This enables You to have any incomplete or inaccurate Personal Data We hold about You corrected, though We may need to verify the accuracy of the new Personal Data You provide to Us. If You would like to do this, please contact Us and let Us know the information that is incorrect and the information You want it replaced.
Your right to restriction of processing
This enables You to ask Us to suspend the processing of Your Personal Data in the following scenarios: (a) If You want Us to establish the Personal Data’s accuracy; (b) Where Our use of the data is unlawful but You do not want Us to erase it; (c) Where You need Us to hold the data even if We no longer require it as You need it to establish, exercise or defend legal claims; and (d) You have objected to Our use of Your Personal Data but We need to verify whether We have overriding legitimate grounds to use it.
Your right to object to processing
You may object to Our processing of Your Personal Data where We are relying on a legitimate interest (or those of a third party) and there is something about Your situation which makes You want to object to processing on this ground as You feel it impacts on Your fundamental rights and freedoms. You also have the right to object where We are processing Your Personal Data for direct marketing purposes. In some cases, We may demonstrate that We have compelling legitimate grounds to process Your information which override Your rights and freedoms. Exercising this right may also result in closure of Your Member Account as We will not be able to continue to provide access if We cannot process Your Personal Data for the purpose of administering Your Member Account and providing You access to it and the log-in areas of the Site.
Your right to erasure
You may request for Us to erase all Your Personal Data (also known as the “right to be forgotten”) in the following circumstances:
Erasure of Your Personal Data may result in automatic closure of Your Member Account and access to the log-in areas of Our Site.
Right to data portability
We will provide to You, or a third party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You. You can get a copy of Your Member Account information and Your Member Content by logging into Your Member Account. You can also request a copy of Your information which We hold (this is known as a subject access request). You can transfer this to other organisations if You wish.
No Fee Usually Required
You will not have to pay a fee to access Your Personal Data (or to exercise any of the other rights). However, We may charge a reasonable fee if Your request is clearly unfounded, repetitive or excessive. Alternatively, We could refuse to comply with Your request in these circumstances. We will notify You if this is the case at the time.
Time Limit to Respond
We try to respond to all legitimate requests within one month. Occasionally it could take Us longer than a month if Your request is particularly complex or You have made several requests. In this case, We will notify You and keep You updated.
It may not be possible for Us to delete Your Personal Data if We are required to keep it by law or if We hold it in connection with a contract with You. Similarly, access to Your Personal Data may be refused if making the information available would reveal Personal Data about another person or if We are legally prevented from such disclosure.
If You have any complaints about the way in which We have used Your Personal Data and these have not been addressed by contacting Us first, You can contact the relevant supervisory authority which in the United Kingdom is, the UK Information Commissioner’s Office. We would, however, appreciate the chance to deal with Your concerns before You approach the ICO so please contact Us in the first instance.
Information Commissioner’s Office
Helpline number: +44(0)303 123 1113