[Reviewed: 22 July 2020]

1. Introduction

1.1 This policy describes what information we collect when you use Spill’s sites, services, therapy, and content (“Services”). It also provides information about how we store, transfer, use, and delete that information, and what choices you have with respect to the information. This policy is designed to ensure that we safely handle your personal data in accordance with relevant regulations and legislation such as the EU General Data Protection Regulations 2018 (“GDPR”). These privacy rules explain what data we may collect from you and what we will do with that data.

1.2 This policy applies to Spill’s main website, Spill’s content portals, and other Spill websites (collectively “the Websites”), as well as other interactions you may have with Spill (e.g. customer support conversations).

1.4 This policy applies where we are acting as a Data Controller with respect to the personal data of users of our Services; in other words, where we determine the purposes and means of the processing of that personal data. For content and data that you upload to or make available through the Service (“User Content”), you are responsible for ensuring this content is in accordance with our Terms of Service, and that the content is not violating other users’ privacy.

1.5 In this policy, "we", "us" and "our" refer to Spill App Limited. Further details about us can be found below, in section 10 of this Privacy Policy.

2. How we collect, process and store information

2.1 We at Spill are committed to safeguarding the privacy of our users. Our business model is to provide a service to users who need to access mental health support that is paid for by their employer. Therefore, our business model does not rely on widespread collection of general user data. We will only collect and process information that we need to deliver the service to you, and to continue to maintain and develop the service.

2.2 We may collect, store and process various kinds of data, with different legal grounds, as listed below. For the categories of data that require your consent, we will actively ask you for consent before collecting any data. In the rest of this section, we will set out: the general categories of personal data that we may process; the purposes for which we may process personal data; and the legal basis of the processing in each case.

2.3 The following is a list of data we collect, process or store, with the purpose and legal ground listed for each item or group of items having the same purpose and legal ground:

  1. User account information. If you choose to book therapy on Spill, you will have to provide your name and pronoun, a valid email address and phone number, your age, your business role, and (optionally) your post code or the area where you live. During the process of booking a therapy session, we also ask for a bit of information about you, such as what brought you to Spill, what you expect from your therapist, what you think your Counsellor needs to know about you or your past that would allow them to help you most effectively and whether you have any experience of therapy. This information helps our Counsellors prepare for the session, so as to make the session as helpful to you as possible. Thus, we require this information in order to deliver the Service to you as a user. Processing this information is required for fulfilling the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) item b.
  2. User transaction data. This is the information we collect when you book a therapy session that you pay for yourself. The transaction data may include your contact details, your credit or debit card details, your billing email, your billing address, and the transaction details. The transaction data may be processed for the purpose of supplying therapy sessions and keeping proper records of those transactions. Processing this information is required for fulfilling the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) item b. Additionally, this information needs to be retained in order to comply with accounting and tax regulation cf. GDPR art. 6 (1) item c.
  3. User analytics. Like most digital services, our systems automatically collect information about how you use the Spill Platform. This may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use of the Spill Platform. The source of the usage data is our analytics tracking system or the technical log data. We require this information in order to analyse the way people use the Spill Platform and in order to build aggregate quantitative usage reports for the company that paid for your access to the service (e.g. “15 people have used Spill this month”). You cannot be identified from this information. The legal basis for this processing is our legitimate interests cf. GDPR art. 6 (1) item f, namely using this data for the purpose of ensuring the proper administration of our website and business, analyzing the use of the website and services, monitoring and improving our website and services, improving the user experience, preventing abuse, and assisting users with support inquiries.
  4. User enquiry data. This is information you give us when you submit an enquiry or other customer support request at hi@spill.chat regarding the Spill Platform. Processing this information is required for performing the contract we entered into with you, at your request (our Terms of Service), as well as our legitimate interest of handling your requests cf. GDPR art. 6 (1) item f.
  5. User personal information. This is information you give us during your use of the Spill Platform. Personal Information may include Ask a Therapist questions, personal details, the details of your employment, relationships, health or personal matters, or the search queries you use on the Spill Platform. We do not store any of your personal information. Our Counsellors have been told not to record or take notes of your personal information, except with your express permission (which you do not have to give). Even if you choose to give permission to record personal information, you have a right to ask for it to be erased at any time (except where such information must be retained for legal reasons). All of our Counsellors are bound by UK law and work in compliance with GDPR and the BACP Ethical Guidelines regarding client confidentiality. Processing this information is required for performing the contract we entered into with you, at your request (our Terms of Service), as well as our legitimate interest of handling your requests cf. GDPR art. 6 (1) item f.
  6. User service and transactional notifications. Sometimes we’ll send you emails about your account, service changes, or new policies. For example, we will send you a confirmation email containing the details of your therapy session. You can’t opt out of these “service or transactional” emails (unless you delete your account) as they are necessary information for the Services. The legal ground for processing this information is that it is required for performing our commitment about communicating changes in plans and pricing to you in the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) item b, and our legitimate interest of communicating important information about your account to you, cf. GDPR art. 6 (1) item f.

2.4 We may process any of your personal data identified in this policy where necessary for administrative purposes including in the exercise or defence of legal claims. The legal basis for this processing is our legitimate interests, namely for administrative record keeping, processing transactions and maintaining business records or for the protection and assertion of our legal rights.

2.5 If you supply any other person's personal data to us, you must do so only if you have the authority of such person to do so and you must comply with any obligations imposed upon you under the Data Protection Regulations.

3. Providing your personal data to others