Start sleeping better

Privacy Notice

This privacy notice tells you how we collect, use and share your personal information, what your rights are and how to exercise them.

If you have any queries regarding this or any other of our policies, please contact us by emailing data.protection@sleepstation.org.uk.

There are a couple of technical definitions to get out of the way first.

By “personal information” we mean personal data as defined in UK data protection law. In general, it means any information relating to you, which identifies you or allows you to be identified. That may be your name, an ID number, location, an online identifier or factors specific to you (e.g. physical, physiology (thoughts, feelings), genetic, mental, economic, cultural or social factors).

By “sensitive” personal information we mean what’s technically known as “special categories”, that is personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.

We’re committed to protecting your privacy and will only use your personal information in compliance with the EU General Data Protection Regulation (GDPR 2018), the Data Protection Act 2018 and, where applicable, other laws such as the Health and Social Care Act 2012 and the Health and Social Care (Quality & Safety) Act 2015.

We aim to keep accurate records and to hold information for no longer than necessary.

The main purpose for which we hold and process your information is to allow us to provide services to you. We continually monitor our website services (including our sleep therapy) to ensure that the information that we provide is accurate and our programme remains effective. If you register for sleep therapy, we will include information that you provide to us about your sleep problem and your results within anonymised or pseudonymised reports for research purposes.

Our identity and contact details

Sleepstation is a digital healthcare organisation which provides information and delivers services to private individuals, services to individuals via their employers or funders and NHS services — registered as a data controller with the Information Commissioner’s Office (ZA725436).

Our NHS services are delivered in partnership with Newcastle upon Tyne Hospitals NHS Foundation Trust (NuTH) and all data processing for NHS services is jointly delivered with NuTH — registered as a data controller with the Information Commissioner’s Office (Z6173332).

Our private services are delivered directly. We’re registered independently as a data controller with the Information Commissioner’s Office.

Data protection queries should be directed to:

Sleepstation Data Protection
The Schoolhouse
12 Trinity Chare
Newcastle upon Tyne
NE1 3DF

Telephone: 0333 800 9404
Email: data.protection@sleepstation.org.uk

Our data protection officer is Alison Gardiner.

Our clinical safety officer is Prof. Joe Mcdonald B.M., B.S., B.Med.Sci., M.R.C.Psych., M.B.C.S.

Under the GDPR, we must always have a legal basis for using your personal information. We hold and process your personal information for the main purpose of providing services to you and also to comply with various legal obligations, including those relating to health and social care, as explained at the beginning of this document.

For your reference, we’ve outlined key information about the different types of legal basis below.

Consent: your consent to one or more specific purposes.

Contract: entering into a contract with you or performing a contract with you.

Legal obligation: we’re required by law to do this.

Vital interests: to protect your own or another individual’s vital interests (e.g. life or death situation)

Legitimate interests: we’ve identified this as a legitimate interest of ours or a third party; we consider that use of your personal information is necessary to achieve that legitimate interest; and we’ve balanced all that against your interests, rights and freedoms.

Where we’re dealing with sensitive personal information we need not one legal basis but two, from a different list (and the list is a lot longer). The main ones are:

Explicit consent: your explicit consent to one or more specific purposes

Health or social care: provision of healthcare or management of healthcare systems

Legal claims: to establish, exercise or defend a legal claim

Vital interests: that’s the same as above except it has to be where the individual is incapable (physically or legally) of giving consent

Archiving, research and statistics: this must be in the public interest; data must be minimised, and anonymised or at least pseudonymised; the activity mustn’t cause substantial distress or damage to individuals and mustn’t relate to a particular individual except for approved research

You can find more details on the ICO website at ico.org.uk.

Our main uses of your personal information

Our legal obligations are specific to the way in which you access Sleepstation and the extent to which you engage with the services we offer.

Access type: You may, for example, hold a private account with us or you may have been referred by your GP or been provided access by your employer, a funder or a charitable organisation.

Registration type: You may, for example, register only for access to information or to be enrolled on one of our sleep improvement programmes.

Extent of engagement: You may, for example, browse information, complete quizzes, undertake an assessment or complete a full course of therapy with us. You could commence a course of therapy and then decide not to proceed.

What we hold about you, and why we hold it will be dependent on your access type, registration type and extent of engagement.

A summary of the main uses of personal information for specific access types is provided below.

Private individuals

  • To enter into a contract with you and to provide agreed services to you.
  • To keep accounts and records.

NHS patients

  • To provide agreed services to you.
  • To share relevant information with people involved in your healthcare.
  • To keep accounts and records.

Employees

  • If your employer is entering into a contract with us, for the legitimate purpose of providing services to you, as agreed with your employer.
  • To keep accounts and records.

Funded persons

  • If a charitable organisation or other funder has entered into a contract with us, for the legitimate purpose of providing healthcare services to you, as agreed with your funder.
  • To keep accounts and records.

A website visitor or interested person

Unless you fill in a form, complete a questionnaire or contact us in some other way, we probably can’t identify you. Where we can, we use this information in the following ways:

  • to answer any queries you may have
  • to keep accounts and records.

Please note if you are simply browsing our website, and not specifically using our services, the information provided at the bottom of this notice in the “website privacy” section may be more relevant to you.

The personal data we collect

Private individuals

We collect this personal information in order to provide services to you. We collect the following data about private individuals:

  • The personal information provided by you in order to create your Sleepstation account (name, email address, telephone number/s and answers to security questions).
  • The information supplied by you in response to the initial assessment questionnaires.
  • The information submitted by you in your sleep diaries, including any notes you add.
  • Assessments and plans relating to your therapy course.
  • A log of your activity on your online account, including details about when you login, what sessions you complete and what content you view.
  • A log of any communication between you and our support team from within your online account (including messages and replies to alerts).
  • Copies of any text messages, letters or emails sent to you or received from you.
  • Details of any telephone conversations with you.

NHS patients

We collect this personal information in order to provide services to you (including communicating with you, your GP, your NHS referrer and other medical advisors as appropriate). We collect the following data about NHS patients:

  • The reasons for referral and information supplied by your GP, medical advisor, NHS referrer or other referrer. This will include your name, date of birth, address, contact telephone number/s, email address and certain health information.
  • The personal information provided by you in order to create your Sleepstation account (name, email address, telephone number/s and answers to security questions).
  • The information supplied by you in response to the initial assessment questionnaires.
  • The information submitted by you in your sleep diaries, including any notes you add.
  • Assessments and plans relating to your therapy course.
  • A log of your activity on your online account, including details about when you login, what sessions you complete and what content you view.
  • A log of any communication between you and our support team from within your online account (including messages and replies to alerts).
  • Copies of any text messages, letters or emails sent to you or received from you.
  • Details of any telephone conversations with you.

Employees

We collect this personal information in order to provide services to you and to report on employee access rates and anonymised group outcomes to your employer.

We do not and will never share any personal or sensitive information through which you could be identified with your employer. We do share information with your employer for the purpose of reporting on anonymised group data including outcomes and access rates and further information about data which may be shared with your employer is listed below under the heading “Who do we share your information with?”.

Depending on your registration type, you may only access a sub-set of services available to employees and therefore some of the items listed below may not apply to you. The full list of information we collect about employees includes:

  • The personal information provided by you in order to create your Sleepstation account (name, email address, telephone number/s and answers to security questions).
  • Your employer identification information (e.g. the access code you provided, who you work for, your work email address or payroll number).
  • The information supplied by you in response to questionnaires.
  • The information submitted by you in your sleep diaries, including any notes you add.
  • Assessments and plans relating to your therapy course.
  • A log of your activity on your online account, including details about when you login, what sessions you complete and what content you view.
  • A log of any communication between you and our support team from within your online account (including messages and replies to alerts).
  • Copies of any text messages, letters or emails sent to you or received from you.
  • Details of any telephone conversations with you.

Funded persons

We collect this personal information in order to provide services to you, to obtain funding on your behalf and to report on access rates and anonymised group outcomes to your funder.

We will share identifiable information with your funder for the purpose of obtaining your funding. We will obtain your explicit consent to share this identifiable information when we collect it and we will share it with your funder for this purpose only.

We do not and will never share any personal or sensitive health information through which you could be identified with your funder. We will share information for the purposes of reporting on anonymised group data including group outcomes and access rates. Further information about data which may be shared with your funder is listed below under the heading “Who do we share your information with?”.

The information we collect about funded persons is as follows:

  • The personal information provided by you in order to create your Sleepstation account (name, email address, telephone number/s and answers to security questions).
  • Your qualifying identification information (e.g. your membership number, who you work for, your work email address or payroll number).
  • The information supplied by you in response to the initial assessment questionnaires.
  • The information submitted by you in your sleep diaries, including any notes you add.
  • Assessments and plans relating to your therapy course.
  • A log of your activity on your online account, including details about when you login, what sessions you complete and what content you view.
  • A log of any communication between you and our support team from within your online account (including messages and replies to alerts).
  • Copies of any text messages, letters or emails sent to you or received from you.
  • Details of any telephone conversations with you.

A website visitor or interested person

Please note if you are simply browsing our website, and not specifically using our services, then it is unlikely that we will be able to identify you.

We only collect information which you submit via a form on our website. We collect this information to answer any queries you may have. The information we collect is listed below.

Information collected via contact forms

Information is collected via contact and enquiry forms on our website to allow us to contact you to answer questions and discuss queries you may have.

We collect the following information via these forms:

  • Your name, email address, postcode (if provided), telephone number (if provided), your questions/comments.

Information collected via NHS access forms

Information is collected via these forms to allow us to determine which NHS services you may be eligible for.

We collect the following information via these forms:

  • Your full name, date of birth, email address, first line of address, postcode, GP practice details, GP details (if provided), NHS number (if provided) and information about your sleep problem.

Who do we share your information with?

We have a data protection policy which means that relevant information is only shared with people involved in your healthcare where applicable. The obligations which we have with regard to sharing of your personal information are specific to the way in which you access Sleepstation, your registration type and the extent to which you engage in the services we offer.

In some circumstances we may share relevant pieces of your information with the following third parties for the purposes of communication, marketing and requesting feedback about our service:

  • Mailchimp
  • Trustpilot

Details about how we share data for each access type are provided below.

Private individuals

We will not pass on your personal information to third parties without first obtaining your consent, however, there are times when information, legally, has to be given even without your consent, these would include; child protection, prevention of harm to yourself or others, the investigation or prevention of serious crime including terrorism, or a Court Order.

We only share information with your doctor, family, friends or advocates with your explicit consent.

NHS patients

If you access Sleepstation as an NHS patient, we are required to share your personal information with people involved in your healthcare. These will include:

  • practitioners engaged by us to carry out our services to you, your GP and any other NHS referrer
  • the Department of Health and other statutory bodies to whom we are required to submit data.

Apart from these people, we will not pass on your personal data to third parties without first obtaining your consent. However, there are times when information, legally, has to be given even without your consent, these would include; child protection, prevention of harm to yourself or others, the investigation or prevention of serious crime including terrorism, or a Court Order.

We only share information with your family, friends or advocates with your explicit consent.

Employees

We will not pass on your sensitive personal information to third parties, including your employer, without first obtaining your consent. However, there are times when information, legally, has to be given even without your consent, these would include; child protection, prevention of harm to yourself or others, the investigation or prevention of serious crime including terrorism, or a Court Order.

We only share information with your doctor, family, friends or advocates with your explicit consent.

Any information that we report back to your employer in relation to prevalence of certain conditions (such as sleep deprivation, anxiety, depression etc.) among the workforce will be presented in the form of grouped, anonymised or pseudonymised data and will never include details about your personal results or contain any information by which your results or outcomes of your therapy could be linked directly to you or could identify you.

Funded persons

We will not pass on your sensitive personal information to third parties, including your funder, without first obtaining your consent, however, there are times when information legally, has to be given even without your consent, these would include; child protection, prevention of harm to yourself or others, the investigation or prevention of serious crime including terrorism, or a Court Order.

Consent to share your information for the purposes of obtaining your funding will be collected at the time we collect your information.

We only share your information with your doctor, family, friends or advocates with your explicit consent.

Any information that we report back to your funder in relation to prevalence of certain conditions (such as sleep deprivation, anxiety, depression etc.) for a given population will be presented in the form of grouped, anonymised or pseudonymised data and will never include details about your personal results or contain any information by which your results or outcomes of your therapy could be linked directly to you or could identify you.

Transfers outside of the European Economic Area (EU member states, Norway, Iceland and Liechtenstein) (EEA)

We do not transfer any personal information to third countries or international organisations. All personal information is stored in the UK and/or in the European Economic Area.

Storage period

The period for which we store records is based on guidelines provided by our insurers and on the NHS records management code of practice for health and social care.

For NHS patients, records will be retained for the duration specified by national guidance from the Department of Health.

For private individuals and employees, records will be retained for a period of eight years beginning on the date of the last entry in the service user records.

After which, the record will be reviewed and destroyed if no longer needed. All confidential information is destroyed in line with the NHS Records Management Code of Practice.

Your rights

Where you’ve given us explicit consent to use your sensitive personal information, you may withdraw it at any time.

To withdraw your consent, please contact us.

We will rely on your browser settings to indicate your consent to the use of cookies on our website. To withdraw your consent, please adjust your browser settings. Please see “Cookies and similar technologies” below for instructions.

Your right to object to our use of the “legitimate interests” basis for processing.

You may, at any time, object to our use of your personal information which is based on our legitimate interests, as summarised below.

We consider that our use of your personal information for the following is in our legitimate interests:

  • business operation and improvement
  • service user relationship management
  • employee relationship management
  • supplier relationship management
  • network and information security
  • reporting possible criminal acts/threats to competent authorities.

You may object to our use on that basis. To exercise your right, please contact us.

Your rights as a data subject

In compliance with the GDPR 2018, at any point while we are in possession of or processing your personal information, you have rights to make a request to us:

  • for access to your personal information
  • for rectification or erasure of your personal information
  • for restriction of processing concerning you
  • to object to our processing which is based on legitimate interests
  • to object to direct marketing
  • to object to archiving in the public interest, research and statistics
  • to object to automated processing, including profiling — you also have the right to be subject to the legal effects of automated processing or profiling
  • to port (transfer) personal information you have provided to us, either to you or to another provider.

These rights are more complicated than the simple summary above. To find out more about them, please visit the Information Commissioner’s website. To exercise your rights, please contact us. Most requests will be actioned within 30 days.

Our contact details are in the “Identity and contact details” section above. Please make it clear which right(s) you want to exercise, for example by putting the name of the right in the subject line of the email.

Right to erasure

In certain circumstances you can ask for the personal information that we hold about you to be erased from our records. This right will apply only if the processing has been undertaken on the basis of consent which is withdrawn, the processing of your personal information is determined not to be lawful or the information is no longer required. There are exceptions to the right to erasure and we are legally required to maintain your records in accordance to comply with health and social care laws.

You have a right to withdraw any explicit consent you give us at any time.

This will not affect the legality of our consent-based use before you withdrew consent.

To withdraw consent to cookies, please adjust your browser settings (please see our cookie policy for further details).

To exercise your right to withdraw in any other case, please contact us. Our contact details are in the “Identity and contact details” section above.

Complaints

You have a right to complain to the Information Commissioner, whose contact details are:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
England

Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate).
Website: ico.org.uk, which sets out email addresses and an email form.

There are no statutory requirements to provide us with personal information.

For private individuals, it is a contract requirement that you complete the registration forms and any healthcare questionnaires, fully and accurately.

If you are a website visitor who makes an enquiry, we’ll normally need your personal details (name and contact details) to answer your query.

Changes to this privacy notice

This notice is effective from 24th April 2024. Any future changes to this notice will be reflected in updates to this page. To ensure you are happy with any changes that come into effect, we recommend checking this page from time to time.

Website Privacy

This privacy policy sets out how we use and protect any information that you give us when you use this website. We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified (personal information) when using this website, for example to complete an online form, then you can be assured that it will only be used in accordance with this privacy statement. We may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 20th May 2020.

What we collect

Contact/enquiry forms

Information is collected via contact and enquiry forms on our website to allow us to contact you to answer questions and discuss queries you may have. We collect the following information via these forms:

  • your name, email address, postcode (if provided), telephone number (if provided), your questions/comments.

NHS access forms

Information is collected via these forms to allow us to determine which NHS services you may be eligible for. We collect the following information via this form:

  • your full name, date of birth, email address, first line of address, postcode, GP practice details, GP details (if provided), NHS number (if provided) and information about your sleep problem.

Other forms/questionnaires/surveys

From time to time, information is collected via additional forms. The purpose for the information being collected will be clearly set out on these forms. Information collected may include your name, your contact information, your demographic information such as postcode, your preferences and interests or other information relevant to customer surveys and/or offers.

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • to answer any queries you may have
  • to keep accounts and records
  • to improve our products and services.

If you have subscribed to any of our mailing lists, we may periodically send emails containing information about sleep science, new services and products we offer, special offers or other information which we think you may find interesting using the email address which you have subscribed with. You can unsubscribe from these mailing lists at any time.

If you are a registered Sleepstation account holder, we may also, from time to time, use your information to contact you for market research purposes. We may contact you by email, phone or text. We may use the information you provide to customise the website according to your interests.

If you have registered for a Sleepstation account we may contact you to discuss your needs to allow us to onboard you into the relevant service. If you do not intend to use our services, and you are not an NHS referred service user, you may terminate your account and request that your information is erased.

Children

Sleepstation is intended for use only by individuals who have been identified as suitable by the system. If you believe a person under the age of 18 has entered personal information upon using the service;, please contact us by emailing data.protection@sleepstation.org.uk.

Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

Storage mechanism

Data is stored securely using recognised secure data storage technologies on one of our cloud servers.

Disclosure of personal data

In order to maintain the confidentiality and integrity of Personal Data, we have a range of safeguards, policies and procedures in place to help protect any improper use or accidental disclosure. We are required to give all Participants notice of our legal duties and privacy practices in relation to Protected Health Information (PHI), as well as notifying any individuals affected in the event of a breach of unsecured PHI.

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

You may choose to restrict the collection or use of your personal information. If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at marketing@sleepstation.org.uk.

We do not store credit card details nor do we share financial details with third parties.

We will not sell or lease your personal information to third parties for any purpose other than providing the services to you. We may disclose your personal information to third parties if we are under a duty to disclose or share your data in order to comply with any legal obligation.

We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen by opting in to receive such information.

At any point while we are in possession of or processing your personal information, you have the right to make a request to us for access to your personal information.

You also have a number of other rights. To find out more about them, please visit the Information Commissioner’s website.

To exercise your rights, please contact us. Our contact details are in the “Identity and contact details” section above. Please make it clear which right(s) you want to exercise, for example by putting the name of the right in the subject line of the email. Thank you.