GET STARTED
GET STARTED

Privacy Policy

TherapyCloud (“We”, “Our”, “Us”) takes your privacy seriously, and We want “You” to know how We collect, utilise, impart and protect “Your” information as visitors to the site.

This Privacy Policy has been drafted in line with Article 12 of the General Data Protection Regulation which states that the controller shall take appropriate measures to provide information where ‘personal data’ is to be collected (defined below).[1]

1.       Who we are?

Our proprietary technology platform uses advanced data-driven tools to personalize and enhance your care. We connect you  with mental health professionals (the “Therapists”) based on information you supplied on Our TherapyCloud platform (hereinafter referred to as “Our Website” or “Our Platform” as applicable in context) When you apply or enquire about applying with Us, we keep a record of the “Personal Data” that You provide to Us as well as any medical or mental health related information, which shall herein be referred to as “Sensitive Personal Data”, in accordance with the terms of the General Data Protection Regulation, its principles and this Privacy Policy.

2.       Scope and Applicable Laws

Our Website, together with the provision of Our Services (as defined below), is established in Malta and therefore the principle privacy laws applicable are the following:

  • Data Protection Act (Chapter 586 of the Laws of Malta) and the subsidiary legislation issued thereunder;
  • General Data Protection Regulation or ‘GDPR’ (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC).

Our Website and Our Services shall only be accessible for individuals residing in an EU or EEA country. The Scope of applicable data protection law shall hence be considered limited to the above, hereinafter collectively referred to as the applicable “Data Protection Law”.

3.       What data do We collect?

In accordance with the EU General Data Protection Regulation 2016/679  (hereinafter referred to as “GDPR”),[2] ‘personal data’ is any information which is related to an identified or identifiable natural person, whether directly or indirectly, in particular by reference to an identifier such as a name and any location information, and to an online identifier, such as for instance, name, an identification number, and e-mail address, where applicable (hereinafter “Personal Data”).

We collect the following Personal Data:

  • Personal Data that You might provide to Us when You:
  • contact Us to ask a question or inquire about our services,
  • send Us a request for information,
  • apply on Our Website for a suitable, optimised, mental health professional,
  • make a complaint, or leave any feedback,
  • enquire in terms of vacancy regarding collaborating mental health professionals.

  • Personal Data We collect:
    • When applying on Our Website to get matched with a mental health professional such as a therapist, the following would be required to enable us to assign the suitable professional:
      • Name and surname
      • Country residing from
      • Date of birth
      • Email Address
      • Contact Number
      • Notification Preferences
      • Gender and any background preferences connected with the mental health professional
      • Mental health related Information in connection with reasons concerning why You are accessing Our Platform for Our Services including what You are hoping to get from therapy
      • Mental health related information, where appliable
      • Generally any other pertinent information which may be necessary to be processed in order to give effect to Our Contract with You, where entered into, as may be stipulated or required in the latter

Whereby the above information constitutes Personal Data as defined above, in terms of the GDPR and notably, Personal Data concerning ‘Gender’, ‘Reasons for seeking mental health support’ and ‘Pertinent health related information’ would constitute “Sensitive Personal Data” in terms of the processing of special categories of Personal Data under Article 9 of the GDPR. For all intents and purposes herein, reference to Personal Data shall be considered to include also Sensitive Personal Data, without any prejudice whatsoever in relation thereto.

We will collect and process the Personal Data, including Sensitive Personal Data subject to due informed and/or explicit consent, as applicable, in order to enable us to evaluate and assign accordingly the suitable professional for You.

  • When making use of Our Website, We may collect and utilise certain cookies, which are small files placed on the hard drive of Your computer or mobile device, in the following circumstances:
    • We automatically collect strictly necessary cookies. Strictly necessary cookies are purely functional in purpose, without which the website would not work properly, and hence are exempt from requiring specific consent. This includes cookies obtained to activate the core functionality of the website, in ensuring the intended and optimal website experience, as well as cookies obtained to comply with the GDPR’s security principle.
    • We may process certain cookies in the case required to protect our legitimate interests.
    • Subject to due informed consent obtained from You, We may collect certain cookies such as web beacons, as you navigate through Our Website, to collect information about your equipment, browsing patterns and actions. Data collected from such cookies and web beacons might include information on a web browser, details of your visits to Our Website, including inter alia, traffic data and logs, page views and an internet protocol address. 
  • Personal Data we may collect from third-party sources:
  • In order to provide the optimum service to You, We have contracted with third-party suppliers and service providers. We may obtain Personal Data about You from third parties, provided that consent has been duly obtained, including but not limited to:
  • Google Analytics: This is a third-party tool by Google Inc that helps gather data. Provided You have given Us consent, this tool allows Us to understand more about Our visitor; for example, information such as the website visitor’s location and device used, including information on the visitor’s demographic.
  • Google Ads: This third-party tool carries out similar functionalities to Google Analytics however it is limited to the tracking of ads shown to You as the user – provided You have given Us consent.

We require that any third parties processing information will have done so lawfully, having obtained the appropriate consent to process such, first. We work hard to ensure that any Personal Data collected by third parties is lawfully collected and stored, however We are not in a position to ascertain this fully, and therefore, We shall not be deemed responsible for any breach carried out by third parties, whether listed above or otherwise, including in case of unlawful repurposing of the personal data by such third parties, in terms of and in breach of Article 5 (1) (b) of the GDPR.

4.       How do We use your data?

In line with the principle of data minimization and data economy, We only collect Personal Data and process it for the following purposes and/or legal bases, as applicable:

  • To contact You, to respond to your queries, complaints or questions, to troubleshoot and diagnose problems, complaints or questions.
  • To operate Our Platform, including in duly ensuring security and integrity, and to enforce our agreements and policies.
  • To carry out and give effect to Our contractual obligations with You, notably by connecting you with therapists through Our Platform (“Our Services”), as governed by Our Terms of Use (“Terms of Use”) and the Intermediary Services Agreement which incorporates our Data Protection Agreement (Our Terms of Use, together with Intermediary Services Agreement and the Data Protection Agreement constituting “Our Contract”).
  • For legitimate interest, primarily to protect Us from legal action or claims from third parties, including You and/or to protect our legal rights and/or those of our employees, including to ensure apt performance of the website for the desired end-user experience.

We endeavour not to collect additional Personal Data nor use the Personal Data We have collected for materially different, unrelated or incompatible purposes without asking for Your consent.

We ensure the maximum level of safety and adopt high security measures to prevent unauthorized access, disclosure, modification or unauthorized distribution of data. The data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes/legal bases indicated, in the following manner:

  • In terms of high level security storage of the Personal Data, this processing will primarily be carried out by the contracted “Service Provider” as Data Processor under the auspices and direction of Us as Data Controller and Processor, which may be entrusted to, in whole or in part, to a Service Provider’s sub-processor, the “Sub-Processor”.
  • Whereas processing of the Personal Data in order to give effect to Our Contract obligations shall be undertaken solely by Us.
  • Whilst the Service Provider, or Sub-Processor, as the case may be, shall be processing Personal Data as Data Processor or sub-processor accordingly, for the purposes of security and storage thereof within the pertinent server, they are however duly excluded from processing of such data for whatever means of manipulation of data which is not for storage or security thereof. The Service Provider is therefore only authorised to process Personal Data on the platform for the purpose of security & storage, unless otherwise required in terms of this privacy Policy or Our Contract (“Service Provider Scope” or “SP Scope”).

5.       Legal Basis

When processing your Personal Data, We rely solely on the following legal basis:

Consent – As per Article 6 (1) (a) of the GDPR, processing of personal data is lawful when the data subject gives consent to the processing for a specific purpose. We will process your personal data when You consent. By acceding to prompts conveying ‘I accept’ or ‘I agree’, whether in relation to cookies, or in relation to providing You with Our Services, as per Our Contract terms with You, You consent for Us to process Your Personal Data:

  • In terms of collection of Personal Data for cookies, Your consent is utilised to understand the appropriateness of Our Website and to accordingly improve the website and platform for You. Such consent can be easily withdrawn at any time.
  • Consent for the collection of Personal Data for the purposes of Our Services, albeit falling also under a contractual domain, is requested due to the sensitivity of the Services and relationship rendering such basis the most suitable in this respect.

Explicit Consent – in terms of Article 9 (2) (a) of the GDPR, processing of special categories of personal data, or the defined Sensitive Personal Data in this case, shall only be lawful when the data subject provides explicit consent to the processing for a specific purpose, for which subject matter a particular Member State’s law does not explicitly prohibit such derogation to processing in being allowed.

  • Explicit consent, for the collection and processing of Sensitive Personal Data shall be procured accordingly for the purposes of Our Services via Our Platform, including via Our Contract.

Necessary/Contract – As per Article 6 (1)  (b) of the GDPR, We shall lawfully process personal data if it is necessary for the performance of a contract to which You are a party, or in order to conclude the required legal and customary steps to enter into a contract with You.

  • In terms of collection of Personal Data for the provision of Our Services, the prior steps of entering into a contract concerning Our Services and eventual execution of Our Contract would also fall under the contractual legal basis. This legal basis would therefore come into existence with the execution of Our Contract being entered into with You.
  • Whilst lawfulness of processing is activated in terms of both lawful bases of ‘consent’ and ‘contract’, the ‘contract’ basis will thereby function in relation to Our Contract being entered into between You and Us, in covering, inter alia, Our Services T&Cs with accompanying Services DPA.
  • Moreover, whilst both lawful purposes may be construed as applying in parallel to processing of Your Personal Data in accordance with purposes underlying this privacy policy, the existence of the contract legal basis shall not be utilised so as to potentially prejudice or otherwise the remit of the consent legal basis which may be withdrawn at any time by You. As per Our Contract terms with You, should You withdraw Your consent at any time for Our Services or the processing of Your Personal Data, the contract legal basis shall not be considered available to be utilised for processing of Your Personal Data to the prejudice of consent of processing which has been withdrawn – provided We are not compelled in terms of law, or no other basis applies giving us reasonable cause to continue carrying out the processing of such as per above – unless You yourself reinstate Your consent and reaffirm Your commitment to be bound under contractual terms with You.
  • The above in regard to consent shall apply to explicit consent mutatis mutandis.

Moreover, We may legally process data if it is necessary for compliance and adherence to legal obligations to which We are subject [3] or if required to protect your vital interest or that of any other natural person[4] or it is necessary for the performance of any task carried out in the public interest or in the exercise of an official authority vested to Us[5].

Legitimate Interest – As per Article 6(1)(f) of the GDPR, We process certain data in order to troubleshoot and eliminate certain technical problems and to develop and enhance new website features, to ensure a high standard of user experience. We also undertake in processing the IP address concerned, for the purposes of legitimate interests as defined in Data Protection Law, which include cybersecurity and fulfilment of vetting and due diligence-related duties.

6.       Who has access to your data?

We do not share Your Personal Data with third parties, except as strictly in the below circumstances. In line with the consent or otherwise which You have or may have provided us, We may share data in the following ways:

Our Service Provider: In order to store Your Personal Data securely in line with Data Protection Law, we entrust Your Personal Data with a vetted Service Provider. Hence, the processing carried out by the Service Provider will be limited to the Service Provider Scope of security & storage.

The Therapist – In order to provide You with Our Services and in order for the Therapist to be able to get in touch with You to set up a preliminary meeting assessment with You, We will simply relay Your Name and Contact Number or Email Address, depending on Your Notification Preferences, for this purpose.

Legal Requirements: We might be asked by law enforcement agencies to disclose your Personal Data for the establishing of any legal or litigious right by the competent authorities, in cases of evident prima facie mala fides from your end.

Your request: As per Data Protection Law – in the event that You decide to access your right to data portability as per below, We have no option but to transfer your Personal Data accordingly.

7.       How We store Your data

We use commercially available physical and technical safeguards which have been designed to secure your Personal Data from loss, or unauthorized access or use. Additionally, We do not share Personal Data which We collect unless in line with this Policy; therefore only disclosed upon your request or legitimate law enforcement or judicial request, or in order to provide You Our Services.

This notwithstanding, We are aware that despite We take all the measures which are feasibly available to Us, there might be rare instances of data loss or damage due to accidents which are beyond our control. No method of transmitting data over digital mediums can be classified as without risk.

Any transmission of Personal Data is done at Your own risk and We cannot guarantee that such Personal Data may not be accessed, disclosed or altered by unauthorized persons.

Additionally, We herein outline programmes and systems We use in Our collection, processing and storing of Personal Data:

  • We use Our online Platform in collaboration with Our Service Provider to manage and operate the necessary storing and processing of information, data and details;
  • We use reCAPTCHA to detect any improper use of Our Website by automated mechanical processing. Certain Personal Data, which is necessary in relation to such processing, such as an IP address, is thus transmitted to “Google”. This is primarily done in order to comply with the necessary appropriate technical and organisation safeguards required to be implemented in terms of Data Protection Law;
  • When someone visits Our Website and consents for the collection and processing of analytical and/or other non-necessary data, a third party service, Google Analytics, is utilised to collect data such as standard internet log information and details of visitor behaviour patterns. This information is processed in such a manner that it does not identify the user nor render them identifiable.[6]

8.       Data Retention

In light of Data Protection Law provisions[7], We keep Personal Data as long as is necessary in order to keep up with Our legal and/or Contractual obligations, as applicable. Therefore, unless You explicitly request to have Your Personal Data deleted as per the below, We will retain your Personal Data in Our secure database for as long as is needed to commence and complete the supply of Our Services to You, including to rectify any concern or enquiry for which Personal Data was relayed to Us.       

Notwithstanding the previous provision, Personal Data collected might be kept for an additional period as may be required for legal or tax reasons, or for legitimate and lawful business purposes. In such case, and balancing the data protection competing interests involved, such as in light of a Data Protection Impact Assessment, or ‘DPIA’, such data will be in a manner which aims to mask the identifiability of the Personal Data, such as by encryption whereby the Personal Data is pseudonymised, or via anonymisation of such, whereby the data involved would not technically be considered Personal Data and consequently subject to Data Protection Law.

9.       Your Rights 

We would like to make sure You are fully aware of all of Your data protection rights. Every user is entitled to the following:

The Right to Access Your Persona Data[8] – You have the right to request for copies of Personal Data which have been collected concerning yourself. You can access this right at reasonable intervals. This right should not adversely affect the rights or freedoms of others, including intellectual property rights, trade secrets or software copyright held by Us.

The Right to Rectification[9] – You have the right to request that without unjust delay We correct any information You relayed to Us, which You believe is inaccurate. You also have the right to request to complete information which You have relayed to Us which You believe is incomplete, by providing a supplementary statement.

The Right to Erasure[10] – You have the right to request the erasure of Your Personal Data without undue delay and We shall erase such Personal Data as considerably soon as possible when one of the following grounds apply:

  • The Personal Data is no longer necessary in relation to the purpose for which it was collected or processed;
  • You withdraw consent on which processing is based or there is no longer a legal ground for the processing;
  • You object to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing; or
  • The processing was unlawful.

The above right shall not apply to the extent that processing is necessary for the establishment, exercise or defence of legal claims. 

The Right to lodge a complaint with a supervisory authority – You have the right to lodge a complaint with the pertinent supervisory authority where You consider that the processing of Your Personal Data infringes any point contained in this Privacy Policy or any provision under Data Protection Law such as the GDPR. In terms of Article 12(4) GDPR, further to a notification from Us, that We will not be taking action as per the request made by Yourself pursuant to one of the rights contained herein or to any other right which may be invoked by Yourself under Data Protection Law, You have the right to lodge a complaint with a supervisory authority for the possibility of seeking a judicial remedy thereto on the basis of such decision.

The Right to Restrict Processing[11] – You have the right to request that We restrict the processing of Your personal data, under certain conditions:

  • The accuracy of the Personal Data is contested by Yourself, for a period, to enable Us to verify the accuracy of such Personal Data.
  • The processing is unlawful and You oppose to the erasure of the Personal Data and restrict use instead.
  • We no longer need to process your Personal Data, but such Personal Data is required by yourself for the establishment, exercise or defence of legal claims.
  • You have objected to the processing in line with Article 21(1) of the GDPR, pending verification whether Our legitimate grounds override those of the data subject.

When Personal Data is restricted in line with the above, such data may only be processed with your consent.

The Right to withdrawal – You have the right to withdraw the consent You gave Us to process Your Personal Data for the purposes herein mentioned, if either point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR have been utilized as a lawful basis to process the Personal Data. 

Exception to Abovementioned Rights

In line with Article 12(2) of the GDPR, the effective exercise of the data subject’s rights under Articles 15 to 22 of the GDPR inter alia, may be refused to be effected, if We deem that We are unable to identify the data subject concerned tied to the personal data which is the subject of the data subject right/s invoked.

10.   Cross-Border Transfer of Data

We take well into consideration any cross-border relay of data which may be deemed strictly necessary in the course of providing Our Services, in terms of the below.

Intra-Group Transfers of Data Within the EU/EEA

The free exchange of personal data between Member States is a fundamental aspect of the EU’s basic principles. This principle is also reflected in Data Protection Law, which excludes the restriction or prohibition of the free movement of personal data within the EU or EEA.

Data Protection Law therefore allows for the transfer between EU/EEA entities subject to the existence and/or fulfilment of a legal basis as per section 5 of this privacy policy.

Transfers Outside the EU/EEA

Personal Data We collect from You is collected, stored or processed within the EU/EEA. Our Service Provider, in carrying out their SP Scope to further Our Services, may require to pass or store temporarily some or all of the Personal Data outside of the EU/EEA. However, We, together with Our Service Provider endeavour to transfer data to such providers following adoption of the adequate safeguards. Such appropriate safeguards include contractual arrangements, particularly standard contractual clauses approved by the European Commission.

11.   Changes

We keep this Privacy Policy under regular review and place any updates on this web page. This Privacy Policy was last updated on 21 August 2023.

12.   Contact Us

If You have any comments, concerns or questions about this Privacy Policy or our privacy practice, please send an email to [email protected].

[1] Article 13, General Data Protection Regulation.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

[3] Article 6 (c), General Data Protection Regulation.

[4] Article 6 (d), General Data Protection Regulation.

[5] Article 6 (e), General Data Protection Regulation.

[6] Ref to ‘personal data’ under Article 4 (1), General Data Protection Regulation

[7] Article 5 (e), General Data Protection Regulation

[8] Recital 63 & Article 15, General Data Protection Regulation. 

[9] Article 16, General Data Protection Regulation.

[10] Article 17, General Data Protection Regulation.

[11] Article 18, General Data Protection Regulation.

Want to stay in touch?

Register for our newsletter to receive periodical updates from TherapyCloud. You may unsubscribe anytime.

Services

Legal

Disclaimer

This website is not intended as an Emergency line. If you are in immediate danger, please contact 112 for general emergencies or 1579 for the mental health support line.

© TherapyCloud - All Rights Reserved

Website designed and developed by Storm (Malta)

If you are in crisis or someone you know may be in danger, please do not use this site. Instead, reach out to one of the following resources for immediate help: