Privacy Policy
Thalamos provides Mental Health Act (MHA) clinical administration systems and other products relating to digital mental healthcare (the “Services”) from its website at https://thalamos.co.uk/ (“Website”). Thalamos Limited is registered with the Information Commissioner’s Office (“ICO”) under ZA528790. Thalamos Limited is registered in England and Wales under 10814088 at Arch 31 Old Union Yard, Union Street, London, Southwark, England, SE1 0LR.
We provide our Services to NHS Trusts, Local Authorities, Police Forces, and any other public or private body that discharges Mental Health Act functions (an “Authority”).
Welcome to our Privacy Policy. We respect your privacy and are committed to protecting your personal data. If you are a user of our Services, this Privacy Policy should be read alongside the Terms of Use and Information Governance Statement available when you authenticate to our service.
The purpose of this Privacy Policy is to explain how we use and protect any personal information that you make available to us (or we collect) when you access our Website or Services as a user or in another professional capacity. This is covered by Part A.
In addition, in Part B we set out an explanation of our role when processing personal data (including health data) of people who are assessed or treated under the Mental Health Act by Authorities using our Service under an agreement (or other relationship) we have in place with that Authority.
Part A – Users of our Services
Thalamos is a data controller for your personal information if you use our Website or Services, whether independently or as an employee of an Authority. We are also a data controller if we process your data because we are engaging in another professional capacity, such as careers, events, online content or getting in touch with us.
What we collect from users
- Name
- Profession
- Contact information including email address
- Professional registration details
- Signature for signing MHA Forms
- Other profile data required for maintaining an account with us, such as passwords
- Details of third-party services as outlined in the Terms of Use for audit purposes – specifically details of where and with whom data is being shared within the service
- Details of website or service features which are being used to improve experience and resolve issues
- IP address and other session data
We may collect the following information for other services offered through our website such as careers, events, online content or getting in touch with Thalamos:
- Demographic information such as postcode and preferences for booking events.
- Details of website or service features which are being used to improve experience
- Name and Contact details if getting in touch
- Any additional data required for careers, such as employment history. We may also ask for demographic information for diversity and inclusion monitoring; this information is optional and anonymous if provided.
If you provide us with your contact details, we may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using an email address you provided. We may also use this information for market research purposes. You can opt out of this at any time by replying to an email or selecting ‘unsubscribe’ at the bottom of email campaign messages.
We may aggregate anonymous data collected from our Website and Services for certain purposes, such as administration and analytics, and share it with third parties. This data might be based on personal data but it does not identify you personally. If it does identify you personally – we will treat it as personal data in line with this Privacy Policy and will not share it.
Lawful basis for Processing
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into for the provision of services to an authority
- Where we need to comply with a legal or regulatory obligation
- Where we have a legitimate interest in doing so
“Legitimate Interest” means the interest of our business in conducting and managing our business to enable us to give you the best service/product, the best and most secure experience and to promote our product and services. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.
Generally, we do not rely on consent as a legal basis for processing your personal data.
Use of your information
Processing of your personal data is required for the following purposes:
- Providing the Services
- Ensuring the functionality and security of the Services
- Identifying you as a user of the Service including to authenticate you, enable you to use the Services and enable us to communicate with you
- Handling your request / queries when contacting us
- Detecting and correcting errors and problems with the Services
- Populating your user account in connection with the Services and to support the operation of such account
- Combating fraudulent behaviour on or use of our services
- Market research, statistical evaluation and business development
- Ensuring compliance with our legal and regulatory obligations
- Safeguarding our prevailing interests, including in defending and enforcing our legal claims
- Creating aggregated data for commercial and analytics purposes
- Other purposes to which explicit reference is made at the point of data collection
For each Authority we work with to provide Services, a Data Protection Impact Assessment (DPIA) is undertaken by or in collaboration with the Authority to ensure processing activities are appropriate on behalf of the Authority as data controller.
Information Storage
Personal data is held in secure electronic databases. All data we process as part of our Services is encrypted in transit and at rest and only ever stored on servers based in the UK. We use some service providers who aren’t based in the EEA to provide some other business functions. Service providers which handle personal data and are located outside of the EEA are based in countries deemed to have adequate levels of protection in place by the European Commission. For the few service providers located outside the EEA where the Privacy Shield was previously relied upon, there are appropriate safeguards in place in the form of Standard Contract Clauses approved by the European Commission and/or the ICO to protect data in line with Article 46 of GDPR.
We are committed to ensuring that the information we process is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for different types of personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Sharing your information
We may have to share your personal data with the parties set out below for the purposes set out under “Use of Your Information” above:
- Technology providers such as hosting providers, CRM providers and other professional cloud services which allow us to provide our services
- Other third-party service providers such as lawyers and accountants who support us in provision of the Services
- To comply with any legal or regulatory obligation on request
How we use cookies
A cookie is a small file which asks permission to be placed on your electronic device. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual.
We use traffic log cookies to identify which pages are being used on our website. This helps us analyse data about web page traffic and improve our Website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
We also use cookies in order to provide our Services. If you use one of our Services we use Cookies for Authentication and session management. We also use Cookies to log activity so we understand how our Services are being used and for offering Support Services. We cannot provide our service without these essential cookies. More information can be found in our Cookie Policy.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A Cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Your Rights
You have certain rights relating to your personal data under data protection law. These rights will depend on our reason for processing your information. You have the right to:
- Request access to copies of your personal data
- Request we correct any information you believe to be inaccurate
- Request we erase your personal data under certain conditions
- Object to or request we restrict processing of your personal data under certain conditions
- Request we transfer the data we have collected to you or another organisation under certain conditions
- Lodge a complaint with the ICO, but where possible we would prefer to discuss the issue first to see if we can remedy the situation
If you wish to exercise your rights (including a Subject Access Request), contact our Data Protection Officer (DPO), ask a question or lodge a complaint, please contact dpo@thalamos.co.uk. You can also contact the Information Commissioner’s Office (“ICO”), the UK’s independent regulatory office in charge of upholding information rights, for further information or to make a complaint.
Part B – People assessed or treated under the Mental Health Act
Thalamos provides Services to Authorities to enable them to efficiently and effectively meet the requirements of Mental Health Act legislation and wider mental health assessment, detention, treatment and discharge when providing care and support to patients. This will include Special Category Data in relation to assessment and treatment under the Mental Health Act including:
- Name, Address and Date of Birth
- NHS Number
- Mental Health Assessment, Detention, Treatment and Discharge Information
If your personal data (including health data) is held within our MHA clinical administration system, we process this information as a data processor on behalf of the Authority as data controller. The Authority as data controller is responsible for making sure it has the correct authority to collect, store or share the information. This means we can only process your personal data as instructed by the Authority and the legal basis for processing your personal data is determined by them. We can only use or disclose this information as directed by the Authority or if legally obliged to do so.
Retention of data within the MHA clinical administration system is determined by the Authority, usually as part of our contract with them. The length of the retention period may vary depending on the nature of the personal data and legal basis for processing.
As a business, we cannot and do not routinely access identifiable personal data which we process on behalf of Authorities in order to provide our service. This can only be accessed by the relevant Authority.
You have certain rights relating to your personal data under data protection law, including the right to request access to your personal data (commonly known as a “data subject access request”). Because we are acting as data processor on behalf of an Authority and do not access your data, the obligation to respond lies with the Authority as data controller. We are unable to deal with any requests but will help where we can to direct you to make an enquiry to the correct Authority.