Privacy Policy

Solas Mind Privacy Policy 
This Privacy Policy explains what personal and other information is collected by Solas Mind Ltd., a company registered in the United Kingdom with number 12196100 and its registered office at UHY Hacker Young (Birmingham), 9-11 Vittoria Street,Birmingham, England, B1 3ND, as well as Solas Mind International Ltd company number 14451457, and any other affiliates or subsidiaries (collectively, “Solas Mind”, “we”, “us”, or “our”) aspart of our activities, and how we use that information. Any reference to “you” or “your”means you, the user. Solas Mind recognizes the trust you place in us when you share personal data with us. We are committed to being open and transparent and to protecting your privacy and personal information. This Privacy Policy also explains how we may use personal information that we obtain about you, and your rights in relation to that information. This policy explains your choices surrounding how we use your personal information, which includes how you can object to certain uses of the information and how you can access and update certain information. 
Depending on where you reside, the EU’s General Data Protection Regulation (GDPR), the California Privacy Protection Act (for residents of the state of California,USA), the United States’ Health Insurance Portability and Accountability Act(HIPAA), as well as United Kingdom’s Data Protection Act of 2018 (collectively, the “Data Protection Laws”) may give you various rights regarding the way in which we store and use your personal information.
You may get further information about data protection and privacy laws by contacting your local data protection authority. 
OurTerms of Service govern all use of our services and together with this Privacy Policy, which constitutes youragreement with us. Ifyou have any questions about this Privacy Policy, our practices, or yourdealings with Solas Mind, please send us an email at hello@solasmind.com.
 1.POLICY ACCEPTANCE
This Privacy Policy applies to the website https://www.solasmind.com, our hubs, and any related websites or mobile applications(collectively, the “Website”) and shall include all personal data processed by us through direct mail, email, telephone,or social media channels.  
This policy applies to information we collect:
-through our Website;   
- in emails, text message, phone conversations, audio and video interactions and other electronic messages between you and our Website;
- when you interact with our advertising and applications on third party websites and services if those applications or advertising include links to this policy.
It does not apply to information collected by:
- us offline or through any other means,including on any other website operated by any third party; 
- any third party, including through any application or content (including advertising) that may link to or be accessible from or on the Website. 
Note,Solas Mind is not a medical group or practice. Any 1:1 online wellbeing sessions obtained through our Website are provided by independent practitioners (each, a “Provider”). Each Provider is responsible for providing you with a notice of privacy practices (as applicable)describing their collection and use of your health information, not Solas Mind.
If you do not agree to be bound by these terms, you are not authorized to access or use our Website, and you must promptly exit our Website. 
Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, you should elect not to use our Website. Your acceptance of this Privacy Policy is deemed to occur upon your first use of the Website. Your continued use of our Website after we make changes is deemed to be acceptance of those changes, so please check this Privacy Policy periodically for updates. 

2. ABOUT US 
Solas Mind launched in September 2019 as a wellbeing service specialising in working in the creative industries.  Our legal status under UK Data Protection Laws is that of a ‘data controller’ and in this capacity we will securely store and process your personal information which you have provided to us.
‘Data controller’ is a legal term used in the United Kingdom’s Data Protection Act 2018 (the “Act”)to signify the person who controls what to do with any given personal information. As data controller we have registered with the UK Information Commissioner’s Office and our registration number is ZA741303. 

3. WHAT PERSONAL DATA DO WE COLLECT? 
“Personal data” is any information relating to an identified or identifiable individual. It does not include data where the identity has been removed (i.e., anonymous data). We may collect, use, store and transfer different kinds of personal data about you when we engage with you.
This may include:
- Identity Data - title, first name,last name, date of birth or similar identifiers. If you interact with us through social media, this may include your social media username.
- Contact Data - billing address,email address, and telephone numbers.
- Financial Data – bank account and payment card details.
- Transaction Data - details about services we have provided to you.
- Technical Data - includes your internet protocol (IP) address, your login data, browser type and version, timezone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Website.
- Geographical Data - information setting out your primary address to control the use of location services in most mobile devices and desktop settings.
- Usage Data - information about how you use our Website and services.
- Marketing and Communications Data - includes your preferences in receiving marketing from us and your communication preferences.
At first contact, we will collect the following information in order to establish if we can provide you with counseling or coaching services:
- Your name
- Contact information, including your email address
- Geographic information, such as your postcode
- Other information relevant to you engaging in counseling/coaching with us, e.g., emergency contact, next of kin,the name of your medical practice, etc.
- Information about any disability or communication difficulty you may have At first contact, you may also choose whether or not to share with us a brief description of why you have booked
 
Health Information (for United States residents only)
Some information Solas Mind collects may constitute protected health information (“PHI”)under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”). However, Solas Mind is a“business associate” (as that term is used under HIPAA) that provides service sto and for Providers. In the US, business associates are not “covered entities”under HIPAA (as that term is used under HIPAA). Additionally, while some of our Providers may be licensed therapists and psychologists and therefore may need to comply with HIPAA within their own practices, when working though Solas Mind,our Providers function only as coaches. When coaching is not provided within a formal healthcare setting (such as when using our services), HIPAA typically does not apply.
Even if your PHI or other personal data is not protected by HIPAA, you still have the other rights described in this Privacy Policy. Further, we may de-identify your PHI and other personal data so that it no longer reasonably identifies you. In this case, we may use this de-identified data without restriction and for any purpose, including to improve our Website, and products and services. 

4. HOW DO WE COLLECT PERSONAL DATA? 
We use different methods to collect data from and about you and you may give us your data by filling in online forms, by corresponding with us face-to-face, when attending any events, training, talks or workshops we hold, or through our social media posts and channels.  
Contact Us Form
We collect your name,email, and phone number as well as the subject and content of any message when you use our online contact form to get in touch. This information enables us to communicate with our clients, suppliers and third parties and facilitates the provision of services to you. We may process personal data for the purpose of providing the services you have requested or in order to fulfill a contractual obligation in relation to our services.
Service Registration & Bookings
Personal details provided during registration on our Website and booking system are processed so that we can register you, respond to your communications and send details of appointments. Data is held in preparation for entering into an agreement with a Provider and with your consent. 
When you book a session, we collect various personal information which may include your name and contact details (such as youraddress, email address, telephone numbers, and emergency contact).  
Note: We use third-party services for payment processing (e.g.,payment processors). 
We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their privacy policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa,Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information. 
The payment processors we work with are: 
Stripe: Their Privacy Policy can be viewed at: https://stripe.com/us/privacy
PayPal: Their Privacy Policy can be viewed at: ​​https://www.paypal.com/myaccount/privacy/privacyhub  

Emails
We retain copies of emails sent to us and any personal data will be held in accordance with this Privacy Policy.
Social media
We use social media to engage with users. Our Website links to our Facebook, Instagram, LinkedIn, and Twitter pages. We do not keep any specific data that identifies you as an individual user when you interact with us on social media, but we hold details of our followers on each platform. You should refer to the individual privacy policies of each channel to understand how they treat your data in relation to linking to our Website. If you send us a direct message via social media, the details of such message may be retained by us only as relevant to any ongoing contract, to further our legitimate business interests or as required for legal purposes. The third-party provider may also retain details in accordance with their own privacy policy.
Visits to our Website
When you visit our Website, we do not attempt to identify you as an individual user, and we will not collect personal data about you unless you specifically provide this to us. As you interact with our Website, technical data may be automatically processed through the use of Cookies, details of which are explained in our Cookie Policy below in section 13.
Special Categories of Data
We collect some special categories of data that are relevant to the issues you share with us in the course of our services. Examples of some of the special data we may gather includes: some personal details about yourself, details of your GP, doctor, or other healthcare providers, your emergency contact, and why you have booked services. This special data enables us to provide a safe space for you with the Provider you choose to work with.
Such information is only provided on a need-to-know basis.
Children
We do not market this Website at those under 18 years old. Consistent with the GDPR, we will never knowingly request personally identifiable information from anyone under the age of 16 years old. We will take appropriate steps to delete any personal data of individuals less than 16 years of age that has been collected on our Website upon learning of the existence of such data.

5. INFORMATION WE GET FROM OTHER SOURCES 
From time to time, we may need to obtain information from third parties about you. This will only apply where it is necessary to provide our services and as permitted by law.  We may receive personal data relating to your identity and contact data from data partners and data from any third parties who are permitted by law or have your permission to share your personal data with us, such as via social media.

6. HOW WE USE YOUR DATA 
Our Legal Basis
UK Data Protection Laws require us to have a “legal basis” for processing personal data. The legal bases we rely on are:
- Performance of a contract we are about to enter into or have entered into with you;
- Compliance with a legal or regulatory obligation;
- Carrying out activities that are legitimate to our business interests; and
- Your consent.
Note that where our legal basis is consent, you have the right to withdraw consent any time.  
What We Do With the Information We Gather]
The lawful basis and purpose of holding this data is to ensure we can meet the terms for providing a contract for counseling or coaching to you. We will also use your personal data to meet any legal obligations placed upon us – for instance when you exercise your rights to see what data we hold under applicable Data Protection Laws orin order to meet any legal compliance placed on us; or occasions where we may be obliged to disclose information related to safeguarding children, young people and adults at risk.​  
Our Legitimate Interests
When we use our legitimate interests as the legal basis for processing your personal data, we will consider and balance any potential impact on you and your rights before we process your personal data. We will only then proceed where we believe our interests are not overridden by the impact on you. Our legitimate interests include the management of our business operations.

7. SHARING INFORMATION 
Disclosure
We don’t share, sell,or distribute your data to third parties, except as contractually agreed with you or as explained in this Privacy Policy.
We may disclose your personal data if we are required to do so by law, in connection with any legal proceedings,and in order to establish, exercise or defend our legal rights, or if otherwise legally permitted. 
We may need to use your information and personal data to contact your GP, doctor, other health care provider, or emergency contact. This will only be done in exceptional circumstances such as when we have a duty of care or are required by law to provide information about you. 
If you are a staff member of a company purchasing our services, we will not share your data or any other information with that company except in the case of an emergency, to safeguard you, where we think you are in immediate risk in the workplace.   
Sale or Transfer of Our Business
We may expand,reduce, sell, or transfer all or part of our business. Any personal data you have provided may then be transferred to the new owner or new controlling party. Any such new owner will, depending on the legal basis, be permitted to use that data only for the same purposes for which it was originally collected by us.
In the event that any of your data is to be transferred in such a manner, you will be notified in advance of the changes.’ 
Counselling / Coaching Notes and Use of Online Service Providers (e.g., Zoom, Skype)
Therapists, counselors,or coaches may keep brief handwritten notes of the sessions for their own records and must ensure that measures are taken to always protect the confidentiality of clients.  Records must comply with any Regulations and Codes of Practice determined by a Provider’s accreditation body.  
No recordings are kept of sessions conducted online, but you are recommended to refer to the online service provider’s privacy policies for details of how these third parties use data. 
Supervision
Solas Mind Providers are required to have regular supervision with another professional as part of their accreditation.
Providers do not disclose any personally identifying information about clients to their supervisors. 
Data Processors
We use third-party Data Processors who act on our instruction in relation to the management of your personal data and where this applies, all data processors are required to confirm that they adhere to Data Protection Laws and regulations. We will ensure that any Data Processors used only operate on our written instructions and comply with their obligations under applicable Data Protection Laws.  
Data Processors who provide services to Solas Mind include those providing support sessions, or other services such as workshops, groups, or training events. Personal data is only collected and/or provided on a need-to-know basis. You will be informed of any other Data Controllers who have access to your data and who may determine processing activities separately to us, or as a Joint Data Controller. 
Acuity
Our client data is stored by Acuity (https://www.acuityscheduling.com/), a SquareSpace company, who is a third-party Data Processor with whom we have a contractual agreement to provide booking services.
We have taken appropriate steps to ensure that they are compliant with applicable Data Protection Laws and regulations.
Please refer to their policy here.  
Other Data Processing Services
These services are used for specific data processing tasks. Only data required to complete the task is shared with them.  
SignRequest and Esignatures.io:
Manage contracts with our practitioners and third parties.
Zapier: Used to connect ourservices with other third-party apps.
They are GDPR compliant.
Appsmith: Our provider of user, customer, and provider surveys and forms.
Appsmith does not store data,they act as a proxy layer. Details may be found here.  
Typeform: Provides our feedback survey forms for users
Marketing
We may carry out direct marketing by email. We will ask for your consent to receive marketing communications (including newsletters) when you register on the Website, and you have the option not to give consent and to withdraw consent at any time.
You may withdraw your consent for us to contact you by email to hello@solasmind.com.  
External links
Users of the Website are advised to adopt a policy of caution before clicking on any external weblinks. Clicking an external link will take the user away from our Website. Once you leave our Website or are redirected to a third-party website, plug-in, orapplication, you are no longer governed by this Privacy Policy or our Website’sTerms of Service. We cannot guarantee or verify the contents of any externally linked website and users click on external links at their own risk. Solas Mind cannot be held liable for any damages, or the consequences of visiting any external links. 
Social Media Platforms
Communication, engagement,and actions taken through external social media platforms that this Website and its owners participate on are subject to our Terms of Service as well as the privacy policies held with each social media platform respectively. Users are advised to use social media platforms wisely and communicate and/or engage with them with due care and caution in regard to their own privacy and personal details.
This Website, nor its owners, will not ask for personal or sensitive information through social media platforms and encourages users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email. 
Reviews/Evaluation of our Services
We may ask for a review of our services, and these may be published anonymously on our Website or on social media platforms, if you give your consent for us to do so. You may withdraw your consent at any time.

8. DATA RETENTION 
We keep your personaldata in accordance with our internal data retention policy which reflects our needs to provide services to you as contracted and also as required to meet legal, statutory and regulatory obligations. The need to hold information is regularly reviewed and data will be disposed of when no longer required.

9. DATA SECURITY 
We have put in place appropriate security measures to prevent personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, personal data is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential. 
We take appropriate steps to ensure a safe processing of personal data. However, we cannot guarantee the security of data transmitted through our Website or by email. Any such transmission is at the sender’s own risk.

10. DATA STORAGE AND TRANSFERS 
Any information,including personal data, that you supply to us may be stored and processed by Acuity Scheduling. Your data may be transferred in accordance with their policies and under relevant Data Protection Laws.  Because we are a UK-based business, if you are a resident of the EU/EEA, we may transfer some or all of your data to countries outside of the EU/EEA.
For residents of the EU/EEA, where data is to be transferred to a country outside of the EU/EEA which does not offer the same level of protection as the GDPR with respect to the processing of personal data, we will ensure that the company agrees to similar levels of protection. 
When we transfer data to any organization based in the US, we may transfer data to them where they provide similar protection to personal data shared between the EU/EEA and theUS. 

11. RIGHTS OF DATA SUBJECTS (GDPR)
For residents of the EU/EEA, Solas Mind recognizes a data subject’s rights and will uphold these in accordance with applicable Data Protection Laws.
In relation to certain rights,we may ask you for information to confirm your identity and, where applicable,to help us to search for your personal information. You should note that the following rights may not be absolute and may not be upheld where there is valid justification not to do so. 
Subject Access Requests
You have the right to ask for a copy of the information that we hold about you by sending an email to hello@solasmind.com. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information. A fee may apply. 
Right to Rectification
Data subjects have the right to request that personal data is amended or changed if it is inaccurate or incorrect. We act on any such request without delay. 
Right to Erasure
Data subjects have the right to ask us to delete personal data from our systems without giving any reason and at any time. We will act on any such request without delay. 
Right to Restrict
Processing Data subjects have the right to rectification or erasure of personal data in the following circumstances:
-Personal data is not accurate;
- The processing of data is unlawful;
- Data is required to exercise legal rights or defend legal claims; and
- Data is unlawful, although there may be lawful grounds for processing, which override this right. 
Right to Data Portability
Data subjects have the right to obtain and request the transfer of their data to a different service provider. 
Right to Object
Data subjects have the right to object to the processing of personal data at any time based on their circumstances. This includes objecting to profiling unless it is in the ‘public interest’ or exercised lawfully by an official authority. We will only process personal data upon a legal basis. You also have the right not to be subject to decisions based on automated processing. 
Using Your Rights
If you wish to invoke any of your rights as a data subject, you should contact us by sending an email to hello@solasmind.com.  You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. 1

2. US PRIVACY RIGHTS (for residents of the USA only) 
While the CCPA only applies to California residents, all personal data we collect from US residents will be governed by the standards required by the CCPA. Please note that laws in Europe typically refer to the information we collect from you as ‘personal data’, whereas laws in the US typically refer to this information as ‘personal information’. As used in this Privacy Policy, there is no difference between the terms ‘personal data’ and‘personal information’. California Privacy Rights.
These privacy rights supplement the other information contained in our Privacy Policy and apply solely to visitors, users, and others who reside in the United States. This section is intended to comply with the California Consumer Privacy Act of 2018 (“CCPA”)and any terms defined in the CCPA have the same meaning when used in this notice. We may update this section as necessary and in the event of changes in the CCPA.
These terms apply only to US residents.
Please note that the CCPA expressly excludes personal information regulated under the California Confidentiality of Medical Information Act(CMIA) and protected health information (PHI) collected by a “covered entity”(e.g., a health care provider or insurance plan) or “business associate” (e.g.,Solas Mind) that provides services to a covered entity governed by HIPAA. 
Categories of Personal Information SolasMind Collects
As described in more detail in other areas of our Privacy Policy, we collect and/or disclose personal information about you when you visit or use our Website, including information about you that you provide to us, and information that we automatically collect from you or your computer or device as you use our Website.  Personal information does not include information that is: (i) publicly available information from government records; (ii) de-identified or aggregated consumer information; or(iii) certain information excluded from the scope of CCPA (e.g., PHI covered under HIPAA and medical information covered under the CMIA as discussed above). 
Categories of Sources from which Solas Mind has Collected Personal Information
As described in more detail in other areas of our Privacy Policy, we collect personal information directly from you, for example when you provide it to us when you contact us through our Website, book services through our Website, indirectly from you automatically through your computer or device as you use our Website, and from our service providers. 
Use of Personal Information
We do not sell your personal information. We may use or disclose the personal information wecollect for our business purposes described elsewhere in this Privacy Policy. 
Sharing Personal Information
As described in more detail in other areas of our Privacy Policy, Solas Mind may disclose your personal information to a third party for one or more business purposes such as to provide you with services or to contact your emergency contacts when appropriate. 
Access Request Rights
You have the right to request that SolasMind disclose certain information to you about our collection and use of your personal information over the past 12 months for the above business and commercial purposes.
To submit an access request, see Exercising Access and Deletion Rights below. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you
- Our business or commercial purpose for collecting that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you.
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
-sales, identifying the personal information categories that each category of recipient purchased; and
-disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained. 
Deletion Request Rights
You have the right to request that Solas Mind delete your personal information that we collected from you and retained,subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete)your personal information from our records, unless certain exceptions apply. 
Exercising Access and Deletion Rights
To exercise the access and deletion rights described above, please submit a verifiable consumer request to us by: Emailing us at hello@solasmind.com Only you, or for California residents, a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information.
You may only make a verifiable consumer request for access twice within a 12-month period.
The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. 
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights.
Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services. 
Our Policy on “Do Not Track” Signals
We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place. Do Not Track is a preference you can set in your web browser to inform websites that you do not want to b etracked. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser. 

13.ABOUT COOKIES 
A cookie is a small text file with an identifier sent by us to your computer or mobile device and stored in your browser. “Session-based” cookies last only while your browser is open and are then deleted. “Persistent” cookies last until you or your browser deletes them, or they expire. Cookies do not typically contain any personally identifiable information but may be linked to personal information we store about you. 
We use cookies to help us analyze our usage data and performance of our Website and services.
We use Google Analytics for this purpose. We use cookies to enable easy payment processing and to detect fraud through our payment processors
Stripe Payments Europe, Ltd. (“Stripe”) and PayPal. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer.  

14. DATA BREACHES 
We will report any unlawful breach of data governed by the GDPR as required by the GDPR within 72 hours of the breach occurring if it is considered that data within our control(including the control of our data processors) has been compromised or potentially compromised. If the breach is classified as ‘high risk’ we will notify all data subjects concerned using an appropriate means of communication.
We will report relevant breaches as required to the ICO.

15. CHANGES TO OUR PRIVACY POLICY 
We reserve the right to change this Privacy Policy at any time and users are recommended to review it frequently. Changes will take effect immediately upon their posting on the Website. You will be deemed to have accepted any changes to the terms of this Privacy Policy when you visit the Website.

16. REPORTING COMPLAINTS
 If you wish to raise a concern about the use of your personal data, you can contact us by sending anemail to hello@solasmind.com.
Alternatively, users located in the UK can formally raise a concern or complaint to the Information Commissioner’s Office (ICO), the UK regulatory authority for data protection. 
Information Commissioner’s Office Telephone: 0303 123 1113
Website:https://ico.org.uk/make-a-complaint/  

17. CONTACT INFORMATION
If you have any questions, concerns, complaints, or suggestions regarding our Privacy Policy or otherwise need to contact us, you may contact us through the “Contact Us' page on our Website
This Privacy Policy is subject to regular review in order to ensure we remain compliant with data protection guidance and applicable legislation.