Policies

Privacy Policy

PLEASE READ THIS POLICY CAREFULLY. IF YOU DO NOT ACCEPT THESE TERMS, YOU ARE ADVISED NOT TO USE THE WEBSITE OR APP

This Privacy Policy is subject to regular review in order to ensure we remain compliant with data protection guidance and applicable legislation. You are encouraged to refer to this page on each visit to the website or App to ensure that you are up-to-date with our policies and practices in relation to the handling of personal data.

We also have a practice Confidentiality Policy which is available on our website, upon request and which will also be verbally summarised at your first Self Space session.

This Privacy Policy is effective from 1^stSeptember 2019

1. POLICY ACCEPTANCE

This Privacy Policy applies to the website https://www.selfspace.com (“website”) and our App, operated by The Self Space Limited (“Self Space”) and shall include all personal data processed by us through direct mail, telephone or social media channels. Any reference to “you” or “your” means you, the user.

Your acceptance of this Privacy Policy is deemed to occur upon your first use of the website. You are required to read and accept this Privacy Policy when you engage with us.

2. POLICY STATEMENT

Self Space recognises the trust you place in us when you share personal data with us. We are committed to being open, honest and transparent with our use of personal data.

This Privacy Policy provides you with details of the personal data we collect when we engage with you, how we will use and look after your personal data, your privacy rights and how the law protects you. We will take all reasonable steps to ensure that personal data is safeguarded and kept in accordance with applicable data protection law.

3. ABOUT US

Self Space launched in February 2018 as a contemporary, proactive and forward-thinking mental wellbeing service. All bookings are made directly via our Branded App, Website or the MINDBODY bookings app.

Self Space is registered in England and Wales under company registration number 10996170. Our registered office address is 4th Floor 4 Tabernacle Street, London, United Kingdom, EC2A 4LU

Where we manage personal data, we identify as a Data Controller and recognise and act on our obligations under applicable data protection law, including but not limited to the EU General Data Protection Regulation and the Data Protection Act 2018. We are registered with the Information Commissioner’s Office (ICO), registration number ZA491860.

For any issues relating to data protection the person responsible is Michele Brown. You can contact us in relation to data protection matters by email to hr@theselfspace.com or hey@theselfspace.com

4. WHAT PERSONAL DATA DO WE COLLECT?

Personal data is any information relating to an identified or identifiable individual. It does not include data where the identity has been removed (i.e. anonymous data). We may collect, use, store and transfer different kinds of personal data about you when we engage with you. This may include:

(a) Identity Data – title, first name, last name, date of birth or similar identifiers. If you interact with us through social media, this may include your social media username;

(b) Contact Data – billing address, email address and telephone numbers;

(d) Transaction Data – details about services we have provided to you;

(e) Technical Data – includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the website;

(f) Profile Data – your username and password, your preferences, feedback and

survey responses;

(g) Geographical Data – information setting out your primary address to control the

use of location services in most mobile devices and desktop settings;

(h) Usage Data – information about how you use our website and services;

(i) Marketing and Communications Data – includes your preferences in receiving marketing from us and our third parties and your communication preferences.

5. HOW DO WE COLLECT PERSONAL DATA?

We use different methods to collect data from and about you, through:

Using ‘Contact Us’ on the website and booking Apps
Registration
- We collect details of a user’s name, email and phone number as well as subject and content of any message when using our online contact form to get in touch. This information enables us to communicate with our clients, suppliers and third parties and facilitates our service provision. We may process personal data on the basis of being legitimate to our business or in order to fulfil a contractual obligation in relation to our services.

Applying to work at Self Space
- Self Space has access to and processes personal data for applicants who express an interest in joining our team in order to conduct our business. We process this data in line with the consent of those supplying the detail and for future reference should our employment requirements change in the future.
- We use Monday.com to process this information and have ensured that they as data controllers comply with their legal requirements. Their privacy notice can be found here Privacy Policy – monday.com Legal Portal
Registration
- Personal details provided during registration on our website and booking apps are processed so that we can register you and respond to your communications with details of vacancies and our job application procedure. Data is held in preparation for entering into an agreement with you and with your consent.
Bookings
- Personal details provided during the booking process, either directly or through the MindBody App, may be processed by us on the basis of being legitimate to our business or in order to fulfil a contractual obligation in relation to our services.
Emails
- We retain copies of emails sent to us and any personal data will be held in accordance with this Privacy Policy on the basis of being legitimate to our business interests.
Telephone Calls
- Calls to us may be recorded and any data relating to the call may be retained by us. Personal data will be held on the basis of being for our legitimate business needs or in order to fulfil our contractual obligations if you are a client of ours.
Other direct interactions
- You may give us your data by filling in forms or by corresponding with us face-to-face, by post, when attending any events, training, talks or workshops we hold, or through our social media channels. This includes personal data you provide when you: register to receive our services; make enquiries or request information be sent to you; use our services; ask for information to be sent to you; engage with us on social media; contact us directly; or leave comments or reviews on our services.
Social Media
- We use social media to engage with users and link to our Facebook, Instagram, LinkedIn and Twitter pages. We do not keep any specific data that identifies you as an individual user but hold details of our followers on these platforms. You should refer to the Privacy Policy of these channels to understand how they treat your data in relation to linking to our site.
- Facebook: https://www.facebook.com/privacy/explanation Instagram: https://wellbeing.instagram.com/safety LinkedIn: https://www.linkedin.com/legal/privacy-policy Twitter: https://twitter.com/en/privacy
- If you send us a direct message via social media, the details may be retained by us only as relevant to any ongoing contract or to further our legitimate business interests or as required for legal purposes. The third-party provider may also retain details in accordance with their Privacy Policy.
Visits to our website
- When you visit our website, we do not attempt to identify you as an individual user, and we will not collect personal data about you unless you specifically provide this to us.
- As you interact with our website, technical data may be automatically processed through the use of Cookies, details of which are explained in our Cookie Policy.

3.1 Special categories of data

We collect some special category data that is relevant to the issues you present in the course of our counselling services. Examples of some of the sensitive information our Therapists may gather is:

Gender, ethnicity and marital status;
Religious or other cultural beliefs;
Physical or mental health or condition;
Sexual orientation and or data related to your sex life.

We will ask you some personal details about yourself – why you wish to attend Self Space sessions, whether you have a medical diagnosis, if you are currently on medication, whether you are receiving clinical mental health treatment and whether you have had any suicidal thoughts in the last 6 months. These notes enable us to provide a safe and informed space for you with the therapist that you choose. It also ensures that some basic information about you can be made available to other therapists should you decide to change your therapist. Such information is only provided on a need to know basis.

3.1.1 Children

We do not market this website at those under 18 years old. Consistent with the GDPR we will never knowingly request personally identifiable information from anyone under the age of 18 years old. We will take appropriate steps to delete any personal data of individuals less than 18 years of age that has been collected on our website upon learning of the existence of such data.

6. INFORMATION WE GET FROM OTHER SOURCES

From time to time, we may need to obtain information from third parties about you. This will only apply where it is necessary to provide our services and as permitted by law.

We may receive personal data relating to your identity and contact data from data partners and data from any third parties who are permitted by law or have your permission to share your personal data with us, such as via social media.

7. HOW WE USE YOUR DATA

UK data protection law requires us to have a “legal basis” for processing personal data. The legal bases we rely on are:

Performance of a contract we are about to enter into or have entered into with you;
Compliance with a legal or regulatory obligation;
Carrying out activities that are legitimate to our business interests;
Consent. However, generally, we shall not rely on consent as a legal basis for processing your personal data other than where the law requires it. Where our legal basis is consent, you have the right to withdraw consent any time.

Detailed list of the reasons for us using personal data.

Use of personal data Type of data Legal basis Online registration:

(a) Identity

(b) Contact

Use of personal data Type of data Legal basis Application processing:

(a) Identity

(b) Contact

Performance of a contract or to take steps to enter into a contract To provide, manage and personalise our services to you, respond to communications

(a) Identity (b) Contact

Where necessary for the perform of our agreement or to take steps to enter into an agreement:

It is in our legitimate interests to make sure that our customer accounts are well-managed, and to provide a high standard of service

To process payments

(a) Identity

(b) Contact

(d) Transaction

Performance of a contract

Necessary to comply with a legal obligation to administer and improve the website

(e) Technical (h) Usage

It is in our legitimate interests to develop and improve our products and services, so that we can continue to provide products and services that our customers want to use, and to make sure we continue to be competitive To send email notifications which have been specifically requested

(a) Identity (b) Contact

It is in our legitimate interests to give you information about our products and services that you may be interested in To send marketing communications, where expressly agreed eg newsletters;

(a) Identity (b) Contact (i) Marketing and

Communications

In the case of electronic marketing when we have your consent to do so.

To provide third parties with statistical information about our users

(e) Technical (h) Usage

It is in our legitimate interests to better understand how our customers use our products and what changes we could make to improve them To ask for feedback or review

(a) Identity

(b) Contact

It is in our legitimate interests to better understand how our customers use our products and what changes we could make to improve them To deal with enquiries and complaints

(a) Identity (b) Contact (e) Technical (h) Usage

It is in our legitimate interests to make sure that our customer accounts are well-managed, so that our customers are provided with a high standard of service To recover debt and exercise other rights we have under any agreement with you, as well as to protect ourselves against harm to our rights and interests in property

(a) Identity (b) Contact (c) Financial (d) Transaction

Where necessary to perform a contract or to take steps to enter into an agreement with you where the law requires this.

It is in our legitimate interests to ensure that we can recover debts owed to us, as well as making sure our assets are protected

Users contacting this website and/or its owners do so at their own discretion and provide any such personal data requested at their own risk. Your personal data is kept private and stored securely until a time it is no longer required or has no use.

Our legitimate interests

When we use our legitimate interests as the legal basis for processing your personal data, we will consider and balance any potential impact on you and your rights before we process your personal data. We will only then proceed where we believe our interests are not overridden by the impact on you. Our legitimate interests include the management of our business operations.

8. SHARING INFORMATION

Disclosure

We don’t share, sell, or distribute your data to third parties, except as contractually agreed with you or as explained in this Privacy Policy. We may disclose your personal data if we are required to do so by law, in connection with any legal proceedings, and in order to establish, exercise or defend our legal rights, or if otherwise legally permitted.

We may need to use your information and personal data to contact your GP or emergency contact. This will be in exceptional circumstances such as when we have a duty of care or are required by law to provide information about you.

If you are a staff member of a Company purchasing our services we will not share your data or any other information with that Company except with your permission (extending service provision etc).

We may disclose personal data to a third party to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change such as this happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.

Counselling Notes and use of Zoom/Google meet

Therapists may keep brief handwritten notes of the counselling sessions for their own records and must ensure that measures are taken to protect the confidentiality of clients at all times. Notes should not identify any individual client.

Records must comply with the Regulations and Codes of Practice determined by a counsellor’s accreditation body. Therapists are also required to adhere to the Self Space Documentation Management Policy.

No recordings are kept of sessions conducted by Zoom or Google Meet, but you are recommended to refer to the Privacy Policy or the relevant platform provider for details of how this third party use data.

See Privacy | Zoom

Google Meet security and privacy for users – Google Meet Help

Supervisions

Therapists are required to have regular supervision with another professional therapist as part of their professional accreditation. Therapists do not disclose any personally identifying information about clients within supervision.

Data Processors

We use Data Processors who act on our instruction in relation to the management of your personal data and where this applies, all data processors are required to confirm that they adhere to data protection law and regulations. We will ensure that any Data Processors used only operate on our written instructions and comply with their obligations under the GDPR. Data Processors who provide services to Self Space include those providing therapy sessions, or other services such as workshops, groups or training events. Personal data is only collected and/or provided on a need to know basis.

You will be informed of any other Data Controllers who have access to your data and who may determine processing activities separately to us, or as a Joint Data Controller.

MINDBODY

Our client data is stored by MINDBODY (https://www.mindbodyonline.com) who are a third party Data Processor with whom we have a contractual agreement to provide booking services. We have taken appropriate steps to ensure that MINDBODY is compliant with data protection law and regulations. MINDBODY acts on our instructions and will process your data in accordance with their Privacy Policy. Please refer to their policy at https://company.mindbodyonline.com/legal/privacy-policy

MONDAY

The details of those expressing a wish to work with us is retained by Monday.com who are a third party Data Processor with whom we have a contractual agreement to provide booking services. We have taken appropriate steps to ensure that MONDAY is compliant with data protection law and regulations. MONDAY acts on our instructions and will process your data in accordance with their Privacy Policy. Please refer to their policy at Privacy Policy – monday.com Legal Portal

Google Drives

Self Space use google docs and other cloud based google products for day to day document storage. Google are a third party Data Processor.

We have taken appropriate steps to ensure that MINDBODY is compliant with data protection law and regulations. MINDBODY acts on our instructions and will process your data in accordance with their Privacy Policy. Please refer to their policy at Privacy Policy – Privacy & Terms – Google

Marketing

We may carry out direct marketing by email, phone, text or post. We will ask for your consent to receiving marketing communications (including newsletters) when you register on the website and you have the option not to give consent and to withdraw consent given at any time. You may withdraw your consent for us to contact you by email to hr@theselfspace.com or hey@theselfspace.com. We may continue to contact you for non-marketing purposes if there is another lawful basis to do so. Non-personally identifiable information may be provided to other third parties for marketing, advertising or other uses.

External links

Users of the website are advised to adopt a policy of caution before clicking on any external web links. Clicking an external link will take the user away from our website. Once you leave our website or are redirected to a third-party website, plug-in or application, you are no longer governed by this Privacy Policy or our website’s terms and conditions. We cannot guarantee or verify the contents of any externally linked website and users click on external links at their own risk. Self Space and its owners cannot be held liable for any damages, or the consequences of visiting any external links.

Social media platforms

Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are subject to our terms and conditions as well as the privacy policies held with each social media platform respectively.

Users are advised to use social media platforms wisely and communicate and/or engage with them with due care and caution in regard to their own privacy and personal details. This website nor its owners will not ask for personal or sensitive information through social media platforms and encourage users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email. Self Space uses social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised that before using such social sharing buttons, that they do so at their own discretion, and should consider that the social media platform may track and save requests to share a web page, through the users’ social media platform account.

Payment processing

In order to process your account and take payment for your Self Space sessions we will take your Debit/Credit card details. We are monitored and require annual compliance with the PCI (Payment Card Industry), which means we must follow their technical and operational standards to ensure that credit card data provided by cardholders is safeguarded and that all payment transactions are carried out securely.

Reviews/Evaluation of our service

We may ask for a review of our services and these may be published on our website or social media, if you give your consent for us to do so. You may withdraw your consent at any time.

9. DATA RETENTION

We keep your personal data in accordance with our Data Retention Policy which reflects our needs to provide services to you as contracted and also as required to meet legal, statutory and regulatory obligations. The need to hold information is regularly reviewed and data will be disposed of when no longer required.

10.DATA SECURITY

We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, personal data is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential. We take appropriate steps to ensure a safe processing of personal data, however, we cannot guarantee the security of data transmitted through our website or by email. Any such transmission is at the sender’s own risk.

11.DATA STORAGE AND TRANSFERS

Any information including personal data that you supply to us may be stored and processed by MINDBODY, www.mindbodyonline.com or Monday.com. Your data may be transferred in accordance with their policies and under relevant data protection law. You can refer to the Privacy Policy at https://company.mindbodyonline.com/legal/privacy-policy.

We may transfer some or all of your data to countries outside of the EEA where such countries provide adequate safeguards, namely the use of standard data protection clauses adopted or approved by the European Commission (EC).

Where data is to be transferred to a country outside of the EEA which does not offer the same level of protection as the GDPR with respect to the processing of personal data, we will ensure that the company agrees to similar levels of protection.

Where we transfer data to any organisation based in the US, we may transfer data to them where they provide similar protection to personal data shared between the Europe and the US.

Our website is hosted by WPEngine.com and storage of the website and any transfers do not include personal data.

12.RIGHTS OF DATA SUBJECTS

Self Space recognises a data subject’s rights and will uphold these in accordance with data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within one month from either (i) the date that we have confirmed your

identity or (ii) where we do not need to do this because we already have this information, from the date we received your request.

You should note that the following rights may not be absolute and may not be upheld where there is valid justification not to do so.

Subject access requests

You have the right to ask for a copy of the information that we hold about you by email to hr@theselfspace.com or hey@theselfspace.com. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information. In limited circumstances a fee may apply.

Right to rectification

Data subjects have the right to request that personal data is amended or changed if it is inaccurate or incorrect. We act on any such request without delay.

Right to erasure

Data subjects have the right to ask us to delete personal data from our systems without giving any reason and at any time. We act on any such request without delay.

Right to restrict processing

Data subjects have the right to rectification or erasure of personal data in the following circumstances:

Personal data is not accurate; – The processing of data is unlawful; – Data is required to exercise legal rights or defend legal claims; – Data is unlawful, although there may be lawful grounds for processing, which

override this right.

Right to data portability

Data subjects have the right to obtain and request the transfer of their data to a different service provider.

Right to object

Data subjects have the right to object to the processing of personal data at any time based on their circumstances. This includes objecting to profiling unless it is in the ‘public interest’ or exercised lawfully by an official authority. We will only process personal data upon a legal basis.

Right not to be subject to decisions based on automated processing

Self Space do not use any automated processing that results in any automated decision based on personal data.

Exercising your rights

If you wish to invoke any of your rights as a data subject, you should contact us by email to hr@theselfspace.com or hey@theselfspace.com

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. We may refuse to comply with your request in limited circumstances.

13.DATA BREACHES

We will report any unlawful breach of data as required by the GDPR within 72 hours of the breach occurring, if it is considered that data within our control including the control of our data processors, has been compromised, or potentially compromised. If the breach is classified as ‘high risk’ we will notify all data subjects concerned using an appropriate means of communication. We will report relevant breaches as required to the ICO, see below.

14.CHANGES TO OUR PRIVACY POLICY

We reserve the right to change this Privacy Policy at any time and users are recommended to review it frequently. Changes will take effect immediately upon their posting on the website. You will be deemed to have accepted any changes to the terms of the privacy policy on your next visit of the website following the amendment.

15.REPORTING COMPLAINTS

If you wish to raise a concern about the use of your personal data, you can contact us by email to hr@theselfspace.com or hey@theselfspace.com Alternatively, you can formally raise a concern or complaint to the Information Commissioner’s Office (ICO), the UK regulatory authority for data protection: Address: Information Commissioner’s Office

Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Telephone: 0303 123 1113 Website: https://ico.org.uk/concerns

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	1 year	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gat_UA-112764771-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
attribution_user_id	1 year	This cookie is set by Typeform for usage statistics and is used in context with the website's pop-up questionnaires and messengering.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
rl_anonymous_id	never	RudderStack set this cookie to store statistical data of users' behaviour on the website, which can be used for internal analytics by the website operator.
rl_group_id	never	RudderStack sets this cookie to collect user activity on the web.
rl_group_trait	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_page_init_referrer	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_page_init_referring_domain	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_trait	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_user_id	never	RudderStack set this cookie to store a unique user ID for the Marketing/Tracking purpose.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_healcode_v3.0.1_session	session	No description
AWSALBTG	7 days	No description available.
AWSALBTGCORS	7 days	No description available.
DEVICE_INFO	5 months 27 days	No description
intercom-device-id-ll7yqek1	8 months 26 days 1 hour	No description
intercom-id-ll7yqek1	8 months 26 days 1 hour	No description
intercom-session-ll7yqek1	7 days	No description
tf_respondent_cc	6 months	No description