Towards App Privacy Policy

Effective Date: 12th May 2025

Last Updated: 12th May 2025

1. Introduction

Welcome to the Towards app (the "App"), provided by Towards ("Towards," "we," "us," or "our"). We are a mental health therapy clinic committed to protecting your privacy and handling your personal data with care and respect.

This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our App. It also tells you about your rights and how you can exercise them. Your privacy is critically important to us, especially given the sensitive nature of the services we provide.

This App is intended for individuals aged 12 and over. Specific rules apply to users under the age of 18, as detailed in Section 6.

2. Who We Are and How to Contact Us

Towards is the 'data controller' for the personal data processed through this App. This means we decide how and why your personal data is used.

If you have any questions about this Privacy Policy, how we handle your data, or wish to exercise any of your rights, please contact our Head of Operations:

  • Email: magda.shah@wearetowards.com

For more general information about our privacy practices, you can view our general privacy notice on our website: www.wearetowards.co.uk.

3. What Personal Data We Collect About You

When you use our App, we may collect the following types of personal data:

  • Identity and Contact Data: This includes your name, email address, telephone number, date of birth, and other information you provide during registration or when updating your profile.

  • Health Data (Special Category Data): As a mental health therapy app, we will collect information about your physical or mental health conditions, therapy session notes (if applicable and entered by you or your therapist with your knowledge), information about your use of the App related to your health conditions, self-reported symptoms, mood tracking, journal entries, and responses to assessments or questionnaires. This is considered "special category data" and is handled with additional safeguards.

  • Usage Data: Information about how you use our App, such as features accessed, time spent on the App, interaction patterns, and performance data.

  • Technical Data: This may include your IP address, device type, operating system, app version, and other technical information necessary for the App to function and for us to provide support.

  • Communications Data: If you contact us or we communicate with you, we will collect records of those communications.

We aim to collect only the minimum amount of personal data necessary for the purposes outlined below.

4. How We Use Your Personal Data (Purposes and Lawful Bases)

We use your personal data for specific purposes and only when we have a lawful basis to do so. The UK General Data Protection Regulation (UK GDPR) requires us to identify these bases.

| Purpose of Processing | Type of Data Used | Lawful Basis for Processing |
| --- | --- | --- |
| To register you as a new user and manage your account. | Identity, Contact, Technical | Performance of a contract with you. |
| To provide you with our mental health therapy services through the App, including facilitating communication with therapists (if applicable), providing tools for self-management, and delivering relevant content. | Identity, Contact, Health Data, Usage, Communications | For Health Data: Processing necessary for the provision of health or social care or treatment, or the management of health or social care systems and services; OR your explicit consent. For other data: Performance of a contract with you. |
| To manage our relationship with you, including notifying you about changes to our terms or privacy policy, and responding to your queries. | Identity, Contact, Communications, Technical | Performance of a contract with you; Legal obligation; Legitimate interests (to keep our records updated and to study how customers use our products/services). |
| To improve our App, services, user relationships, and experiences. | Usage, Technical | Legitimate interests (to define types of customers for our products and services, to keep our App updated and relevant, to develop our business). |
| To ensure the security of our App and your data. | Identity, Contact, Technical, Usage | Legal obligation; Legitimate interests (for running our business, provision of administration and IT services, network security). |
| To comply with legal or regulatory obligations. | Identity, Contact, Health Data, Technical | Legal obligation. |
| To send you marketing communications (where you have agreed). | Identity, Contact | Consent (or legitimate interest for existing customers under specific conditions, always with an opt-out). |

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

5. Special Category Data (Health Data)

As mentioned, much of the data processed through our App is health-related and is treated as "special category data" under data protection law. We process this data:

  • Where it is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in Article 9(3) of the UK GDPR (i.e., processed by or under the responsibility of a professional subject to the obligation of professional secrecy).

  • Where you have given your explicit consent to the processing of this data for one or more specified purposes.

We have implemented additional security controls and measures for storing and using your special category data.

6. Children's Data

Our App and services are available to individuals aged 12 and over.

  • In the UK, individuals aged 13 or over can generally provide their own consent for the processing of their personal data in the context of online services.

  • For users who are 12 years old, we require parental or guardian consent before they can use our App and for us to process their personal data, unless our services are deemed to be online counselling or other preventive services directly offered to a child, where different rules may apply.

  • We are mindful of the UK's Age Appropriate Design Code (AADC) and strive to ensure our App is designed in a way that is suitable for younger users within our target age range, particularly if our services are not exempt from the Code. We handle children's data with enhanced sensitivity and care.

If you are a parent or guardian and believe your child under 13 (or a 12-year-old without your consent where required) has provided us with personal data, please contact us at magda.shah@wearetowards.com.

7. How We Share Your Personal Data

We may share your personal data with the following parties for the purposes set out in Section 4:

  • Service Providers (Processors): Third-party vendors who provide services on our behalf, such as cloud hosting, data analytics, IT support, and marketing providers. We have contracts in place with these processors to ensure they protect your data and only process it on our instructions.

  • Healthcare Professionals: If you are using the App in connection with therapy provided by Towards, relevant information may be shared with your designated therapist(s) and their clinical supervisors (supervision discussions will use anonymised data unless your explicit consent is obtained to share identifiable information).

  • Legal and Regulatory Authorities: If required by law, a court order, or to comply with a legal obligation (e.g., safeguarding concerns where there is a risk of harm to you or others, we may be legally obliged to share information with authorities like social services or the police).

  • Other Third Parties:

      • In the event of a sale or purchase of any business or assets, we may disclose your personal data to the prospective seller or buyer.

      • To protect our rights, property, or safety, or that of our employees, clients, or others (e.g., exchanging information for fraud protection).

      • With your explicit consent (e.g., sharing information with your GP).

We will not sell your personal data to third parties.

8. International Data Transfers

Some of our external third-party service providers may be based outside the UK or the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside these regions.

Whenever we transfer your personal data out of the UK/EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.

  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK (such as the EU Standard Contractual Clauses with the UK Addendum).

  • We may also need to carry out a transfer impact assessment to consider the laws and practices in the recipient country.

Please note that allowing access to personal data hosted in the UK/EEA from a country outside these regions (e.g., for IT support) also constitutes a data transfer.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK/EEA.

9. Data Security

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed. This includes:

  • Encryption of client data both in transit and at rest.

  • Access controls implemented through password protection, role-based permissions, and secure authentication methods.

  • Regular review of our security practices.

In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.


To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.


Details of retention periods for different aspects of your personal data are available in our Data Retention Policy (which can be requested by contacting us).

11. Your Data Protection Rights

Under data protection law, you have rights including:


  • Right of access: You have the right to ask us for copies of your personal information.

  • Right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

  • Right to erasure (right to be forgotten): You have the right to ask us to erase your personal information in certain circumstances (e.g., if it's no longer needed for the purposes for which it was collected, or you withdraw consent).

  • Right to restriction of processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.

  • Right to object to processing: You have the right to object to the processing of your personal information in certain circumstances (e.g., where we are relying on legitimate interests, or for direct marketing).

  • Right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances, in a machine-readable format.

  • Right to withdraw consent: Where we are relying on consent to process your personal data, you have the right to withdraw that consent at any time.

  • Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. (We do not currently carry out such automated processing using personal data from the App).


You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.


We have 30 days from receipt of your request to respond. This period may be extended in certain circumstances. We may need to request specific information from you to help us confirm your identity.


To exercise any of these rights, please contact the Head of Operations at magda.shah@wearetowards.com.

12. Cookies and Tracking Technologies

Our App may use cookies or similar tracking technologies (e.g., within the App itself or if it links to our website). Cookies are small text files placed on your device.


  • Essential Cookies/Trackers: Some are necessary for the App to function correctly.

  • Non-Essential Cookies/Trackers: Others (e.g., for analytics or preferences) will only be used if you provide your prior consent.


We will provide clear information about any cookies/trackers used (e.g., via an in-app banner or settings page, or a cookie policy on our website if the App links to it) and how you can manage your preferences.

13. Marketing Communications

We will only send you direct marketing communications (e.g., emails or text messages about new services or offers) if you have actively consented to receive them, or if you are an existing customer and the marketing relates to similar services, and you have not opted out.


You can ask us to stop sending you marketing messages at any time by following the opt-out or unsubscribe links on any marketing message sent to you or by contacting us.

Please note that opting out of marketing communications will not affect service communications (e.g., updates to terms, appointment reminders if applicable).

14. Changes to This Privacy Policy

We keep this Privacy Policy under regular review and may update it from time to time. We will notify you of any significant changes, for example, by posting a notice within the App or by sending you an email. The "Last Updated" date at the top of this policy indicates when it was last revised.

15. Complaints

If you have any concerns about our use of your personal information, you can make a complaint to us by contacting the Head of Operations at magda.shah@wearetowards.com.


You also have the right to lodge a complaint with the UK's data protection regulator, the Information Commissioner's Office (ICO). Their contact details are:


  • Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

  • Helpline number: 0303 123 1113

  • ICO website: https://www.ico.org.uk