Privacy Policy


Thalamos is a website and service that provides Mental Health Act (MHA) administration systems and other features relating to digital mental healthcare. This privacy policy applies to the services offered through the website at, our employees, our wider Mental Health Act administration systems and any other personal data we may handle. If you use one of our Mental Health Act administration systems, this Privacy Policy should be read alongside the Terms of Use you agreed to when signing up. The Terms of Use contain some different and unique terms relating to use of our clinical administration systems.

This website is owned, and the service provided, by Thalamos Limited (we, us, our). Thalamos Limited is registered with the Information Commissioner's Office under ZA528790. Thalamos Limited is registered in England and Wales under 10814088 at 1 Royal Street, London, England, SE1 7LL.

The purpose of this policy is to explain how we use and protect any personal information that you give to us when you use our website or service. Thalamos is committed to ensuring that your privacy is protected. Personal information you provide to us will only be used in accordance with this policy. Thalamos may change this policy by updating this page, so you should check back from time to time to make sure you’re happy.


We may collect the following information and personal data from you if you use one of our MHA administration services. We need this information to provide our service:

  • Name
  • Profession
  • Contact information including email address.
  • Professional registration details
  • Other profile data required for maintaining an account with us, such as passwords.
  • Details on sub processors as outlined in the Terms of Use for audit purposes.
  • Details of website or service features which are being used to improve experience and resolve issues
  • IP Address

We may collect the following information for other services offered through our website such as events, online content or getting in touch with Thalamos:

  • Demographic information such as postcode and preferences for booking events.
  • Details of website or service features which are being used to improve experience
  • Name and Contact details if getting in touch

If you provide us with your contact details, we may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using an email address you provided. We may also use this information for market research purposes. You can opt out of this at any time by replying to an email.

We may aggregate anonymous data collected from our website and MHA administration system for certain purposes, such as administration and analytics, and share it with third parties. This data might be based on personal data but it does not identify you personally. If it does identify you personally, we will treat it as personal data in line with this privacy policy and will not share it.


We will only use personal data as outlined above and as the law allows.

Thalamos provides a service to its customers which enables them to efficiently and effectively meet the requirements of Mental Health legislation when providing care and support to patients/service users. Thalamos acts as a data processor, i.e. we only process patient/service user information as instructed by our customers and the legal basis for our processing this data is therefore determined by them. In addition, we process limited data about our customers and their staff to deliver and advertise our services. We act as a data controller, rather than a data processor, for this data and such processing is considered to be a legitimate interest of our business and in most cases is required to fulfil our contractual obligations.

For each organisation we work with to provide MHA administration services, a Data Protection Impact Assessment (DPIA) is completed to ensure processing activities are appropriate on behalf of the controller.


We will only retain personal data for as long as necessary to fulfil the purpose we collected it for. Personal data is held in secure electronic databases. To be clear, all data we process as part of our MHA administration system is encrypted using AES256 or greater and only ever stored on servers based in the UK. We use some service providers who aren’t based in the EEA to provide some other business functions. Service providers which handle personal data and are located outside of the EEA are based in countries deemed to have adequate levels of protection in place by the European Commission. For the few service providers located outside the EEA where the Privacy Shield was previously relied upon, there are appropriate safeguards in place in the form of Standard Contract Clauses approved by the European Commission to protect data in line with Article 46 of GDPR.

Thalamos is a data controller for your personal information if you use our website or services. If you use our MHA administration system, we process the information you store and share there as a Data Processor on behalf of the Data Controller. The Data Controller is responsible for making sure it has the correct authority to store or share the information. If we store, process or share individually identifiable health data on our MHA administration system for a Data Controller, we can only use or disclose this information as directed by the Data Controller or where legally obliged to do so.

We are committed to ensuring that the information we process is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

Retention of data on the MHA administrative system is either the responsibility of the account owner, who should not keep data for longer than is necessary, or is pre-agreed with the Data Controller as part of contracts. The retention period will depend on the reason for using the clinical administrative system.


Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

We may share your data with subcontractors in order to fulfil contractual obligations. We will only do this if necessary and only for the purpose for which we disclose it to them. We may share your non-personal data with third parties for certain purposes, such as to enable the data aggregation described above.

If you share information on our MHA administration system, data in transit is encrypted using Transport Layer Security (TLS).


A cookie is a small file which asks permission to be placed on your electronic device. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system. We also use cookies in order to provide our MHA Administration system, such as for authentication. We cannot provide our service without these essential cookies.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.


You have certain rights relating to your personal data under data protection law. These rights will depend on our reason for processing your information. You have the right to:

  • Request access to copies of your personal data.
  • Request we correct any information you believe to be inaccurate.
  • Request we erase your personal data under certain conditions.
  • Object to or request we restrict processing of your personal data under certain conditions.
  • Request we transfer the data we have collected to you or another organisation under certain conditions.
  • Lodge a complaint with the Information Commissioner, but where possible we would prefer to discuss the issue first to see if we can remedy the situation.

If you wish to exercise your rights (including a Subject Access Request), contact our Data Protection Officer (DPO), ask a question or lodge a complaint, please contact