Privacy Policy

Effective Date: March 2026

MoodEaser (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, share, and protect your personal information when you use our services, including the MoodEaser web and mobile application and related features (collectively referred to as “Service”).

How do we get information and why do we have it?

The personal information we collect is provided directly from you for the following reasons:

• To seek care: You provide your details to register, complete clinical assessments (e.g., GAD-7/PHQ-9), and book sessions with therapists.
• To manage funding: You provide payment details (for private-pay) or referral details (for NHS-commissioned care).
• To improve services: You may provide feedback or make a complaint regarding your experience.
• Newsletter: You have signed up for updates or mental health resources.

We also receive personal information about you indirectly from others in the following scenarios:

• From Independent Therapists: Providers on our platform share information regarding your attendance, session summaries, and clinical progress to ensure the service is meeting safety standards.
• From the NHS: If you are referred to MoodEaser via an NHS commissioning body, they may provide your name and contact details to facilitate your account setup.

What information do we collect?

Personal information is any information that can be used to identify a living person.

We currently collect and use the following personal information:

• Personal identifiers and contacts: Name, email address, telephone number, and date of birth.
• Account Authentication Data: Google Firebase UID and login timestamps.
• Financial Information: For private-pay users, we collect billing addresses and partial payment card details (processed securely via Stripe). No financial data is collected for NHS-commissioned users.
• Professional Details: For therapists on our platform, we collect professional registration numbers (e.g., HCPC/BACP), qualifications, and proof of identity.

More sensitive information

We process the following more sensitive data (including special category data) to ensure safe and effective clinical care:

• Data concerning mental health: Details about your appointments, clinical assessments (e.g., PHQ-9 or GAD-7 scores), diagnosis (where applicable), and session notes recorded by your therapist.
• Data revealing racial or ethnic origin: Where provided by you to help tailor your care or for mandatory NHS equality monitoring.
• Data concerning sexual orientation: Where relevant to your clinical treatment and disclosed during therapy sessions.
• Data relating to criminal or suspected criminal offences: Only where disclosed during clinical sessions if relevant to mandatory risk assessments or safeguarding.

Who do we share information with?

We may share information with the following types of organisations:

• Independent Healthcare Providers: The specific therapist or clinical practice you have chosen to engage with via our marketplace.
• Third-party data processors: Our essential infrastructure providers including Google Firebase (Authentication), Amazon Web Services (AWS) (Encrypted Data Storage), and Render (Application Hosting).
• Payment Processors: Stripe (only for users paying for sessions directly).
• NHS Commissioning Bodies: (e.g., Integrated Care Boards) for the purpose of verifying service delivery and billing for NHS-funded care.

In some circumstances we are legally obliged to share information. This includes:

• When required by NHS England to develop national IT and data services.
• When a court orders us to do so.
• Where a public inquiry requires the information.

We will also share information if the public good outweighs your right to confidentiality. This could include:

• Where a serious crime has been committed.
• Where there are serious risks to the public or staff.
• Safeguarding: To protect children or vulnerable adults in accordance with local authority requirements.

Is information transferred outside the UK?

While our primary clinical databases (AWS DynamoDB) and application hosting (Render) are located strictly in the United Kingdom (London), we utilise Google Firebase for secure user authentication for mobile app users. Some non-clinical authentication metadata (such as your email address and UID) may be processed in Google’s global data centres, including the United States.

To protect this data, we have entered into Data Processing Terms with Google that include Standard Contractual Clauses (SCCs) and the UK Addendum. This ensures your data receives a level of protection equivalent to the UK GDPR. No clinical notes, therapy session data, or mental health records are ever stored in Firebase or transferred outside of the UK.

What is our lawful basis for using information?

Personal information

• (a) We have your consent: We rely on your clear affirmative consent for the use of non-essential website cookies and for sending you marketing communications or newsletters, which you can withdraw at any time.
• (b) We have a contractual obligation: We process your account details, billing information, and contact data because it is necessary to perform the contract between you and MoodEaser (governed by our Terms and Conditions) to provide the marketplace platform and facilitate your connection with a therapist.
• (f) We have a legitimate interest: We process technical data (IP addresses and device info) and service usage patterns to maintain the security of our platform, prevent fraud, and improve the performance of the MoodEaser service.

More sensitive data (Special Category)

• (h) To provide and manage health or social care (with a basis in law): This is our primary basis for processing.

Common law duty of confidentiality

• You have provided us with your consent.
• We have a legal requirement to collect, share and use the data.
• Public Interest.

How do we store your personal information?

Your information is stored securely using industry-standard encryption.

• Data in Transit: TLS 1.3
• Data at Rest: AES-256

We utilise Render for our application hosting and Amazon Web Services (AWS) DynamoDB for our managed database service, as well as Google Firebase for authenticating mobile app users. Access to your data is strictly controlled via Multi-Factor Authentication (MFA) and is limited to authorised personnel only.

Retention and Disposal

Retention and Disposal: Your information is securely stored for the time periods specified in the NHS Records Management Code of Practice.

• Mental Health Records: 20 years after last contact (or 8 years after death).
• Administrative Data: Retained while account is active.

We will then dispose of the information as recommended by the Records Management Code. We will:

• Securely dispose of your information: We will perform a permanent digital deletion (cryptographic erasure) of your records from our live databases and backup systems. All hardware used by our sub-processors (AWS) is decommissioned using industry-standard physical destruction or data-wiping protocols that meet legal standards of destruction.

What are your data protection rights?

• Your right of access - You have the right to ask us for copies of your personal information (known as a subject access request).
• our right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
• Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
• Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

Email: support@moodeaser.com

Automated decision making

We do not currently use automated decision-making or profiling that produces legal effects or similarly significantly affects our users.

National data opt-out

We are not applying the national data opt-out because we are not using confidential patient information for planning or research purposes.

How do I complain?

If you have any concerns, contact support@moodeaser.com

ICO:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline: 0303 123 1113
https://www.ico.org.uk