We may change this policy from time to time by updating this page.
You should check this page from time to time to ensure that you are happy with any changes.
Your individual rights
Under the GDPR (General Data Protection Regulation), your rights are as follows:
• The right to be informed
• The right of access
• The right of rectification
• The right to erasure
• The right to data portability
• The right to withdraw consent
We handle subject access requests in accordance with the GDPR.
How we collect personal information
We collect personal information from you and from third parties (anyone acting on your behalf, for example, a solicitor, personal injury services, insurers, etc.). Please see below for more information.
We collect personal information from you:
• Through your contact with us via phone (we may record or monitor phone calls for security and training purposes), email, our website or by post.
We also collect information from other people and organisations.
For all our customers, we may collect information from:
• A family member or someone acting on your behalf
• Doctors, clinicians, health care professionals, hospitals, clinics and other health care providers
• Any service providers who work with us in relation to your product or service
• Organisations and professional bodies such as, but not limited to, NMC, GMC, BABCP or HCPC, who provide us with correct and up-to-date accreditation information
If we provide you with health care, we may collect information from:
• Your employer
• Your parent or guardian (if you’re under 18 years old)
• Those paying for the products or services we provide to you including other insurers.
Categories of personal information
We process two categories of information about you and (where this applies) your dependants:
• Standard personal information which helps us to contact, identify or manage our relationship with you; and
• Special Categories of information, which helps us to tailor your care.
Standard personal information includes:
• Contact information such as name, address, phone numbers and email address
• The country you live in, age, date of birth and national identifiers such as passport document or National Insurance number
• Employment details
• Details of any contact we had with you such as any complaints or incidents
• Financial details: if required, we store your card details on our secure Sage Pay service for 90 days, after which they are deleted
• Information about how you use our website, apps, or other technology, including IP addresses or other device information.
Special Category information includes:
• Information about your physical or mental health, including genetic information or biometric information (we may get this information from application forms you have filled in, from notes and reports about your health and any treatment and care you have received or need, or it may be recorded in details of contact we have had with you such as information about complaints or incidents, and referrals from your existing insurance provider, quotes and records of medical services you have received);
• Information about your race, ethnic origin and religion (we may get this information from your medical preferences to allow us to provide care that is tailored to your needs); and
• Information about any criminal convictions and offences (we may get this information when carrying out anti-fraud or anti-money-laundering checks, or other background screening activity).
What we use your personal information for
We use your personal information for the purposes set out in this privacy notice.
We process standard personal information about you if this is:
• Necessary to provide the services set out in a contract
• In our or a third party’s legitimate interest
• Required or allowed by law
We process special category information about you because:
• It is necessary for the purposes of health prevention, assessment and treatment services
• It is necessary for insurance purposes
• It is necessary to establish, make or defend legal claims
• It is preventing or detecting an unlawful act, malpractice, dishonesty or other serious improper behaviour
• It is in the public interest, in line with any laws that apply
• It is information that you have made public
• We have your permission
CBT Clinics process your personal information for a number of legitimate interests including:
• To help manage our relationship with you, our business and third parties who provide products or services for us.
• To provide health care services on behalf of a third party
• To investigate complaints and incidents
• To develop and carry out marketing activities.
• For statistical research and analysis so that we can monitor and improve our products and services.
• To monitor our clinical and non-clinical performance expectations.
• To exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with
• To take part in, or be the subject of, any sale, purchase, merger or takeover of all or part of the CBT Clinics business
Sharing your information
We share your information within CBT Clinics, with relevant policyholders, with funders or people arranging services on your behalf and with others who help provide services to you, for example, medical experts. We also share information in line with the law.
For all our customers, we share information with:
• Doctors, clinicians and other health-care professionals, hospitals, clinics and other health-care providers
• Suppliers who help deliver products or services on our behalf
• People or organisations we have to, or are allowed to, share your personal information with by law (for example, for fraud-prevention or safeguarding purposes)
• The police and other law-enforcement agencies to help them perform their duties, or with others if we have to do this by law or under a court order
• If CBT Clinics sell or buy any business or assets, the potential buyer or seller of that business or those assets
• A third party who takes over any or all of CBT Clinics’ assets (in which case personal information we hold about our customers or visitors to the website may be one of the assets the third party takes over)
If we provide you with health care, we share information with:
• Your employer, if your employer is paying for the services we are providing
• Our insurance partners, for example, solicitors and interpreters
• Those paying for the products or services we provide to you
• Those providing your treatment
If CBT Clinics share your personal information, we will make sure suitable protection is in place to protect your personal information in line with data-protection laws.
Clinical Research and statistical purposes
We may use anonymised information or information that is combined with other people’s information for clinical research and statistical purposes. You cannot be identified from this information.
How long we keep your personal information
Personal Identifiable Data is stored within CBT Clinics’ case management system and will enter our archiving system 7 years from the date of closure of the case.
• To provide a better user experience
• Identify yourself to us by filling out a web form (“Join our Expanding Network”, “Request a call back”)
• Allow you to share pages via social network widgets like Facebook and Twitter
• Track your visit for statistical analysis, allowing us to improve the usability, speed and security of our website.
The cookies that we use are:
• WordPress: Our website, either in full or in part, is built on the popular open-source CMS framework WordPress. WordPress utilises cookies to allow visitors to register, login and comment on our website’s content.
• Google Analytics: CBT Clinics uses an analytics tracking service called Google Analytics, which is a web analytics service that provides statistics and basic analytical tools for search engine optimization (SEO) and marketing purposes. Google Analytics uses web beacons from your web browser and IP address to collect information and monitor the actions you take on the company’s website such as the web pages viewed and links clicked. Google Analytics collects no personal information.
• Gravity Forms: CBT Clinics currently uses two web forms on our website: “Joining our Expanding Network” and “Request a call back”. We use a WordPress plugin called Gravity Forms, which is designed to create forms to collect information. In order to prevent spam enquiries, we protect our forms with a “CAPTCHA” challenge to ensure the submission is from a living person rather than a computer bot. This CAPTCHA challenge creates a cookie that is used only to check that the input response from the user is correct. The CAPTCHA cookie does not store any other information from your enquiry.
Data Security and protection
We ensure the security of any personal information we hold by using secure data storage technologies and precise procedures in how we store, access and manage that information. Our methods meet the GDPR compliance requirement.
Under the GDPR, we use the consent lawful basis for anyone subscribing to our newsletter. We use third-party email marketing software called Campaign Monitor that holds the following information within their system:
• Email address
• IP address
• Subscription time & date
Hosting and Data
The website is hosted on a third-party hosting solution called TSO hosting and is designed and maintained by Blow Media, who do not export or use any data stored on client websites.