
Adult Privacy Policy

Our adult privacy policy

Your privacy is important to us at ProblemShared. We respect your privacy regarding any information we may collect from you across our website.


This Privacy Notice (this “Notice”) explains how we collect, use, store, and protect your personal data.  

Please read this Notice together with our User Terms & Conditions. They set out the types of data we process, how we handle that data, and your rights over it.  

This Notice is intended for adults; if you are the parent or guardian of a child who uses our services, please share our Children’s Privacy Notice with them and make sure they understand the information it contains.

This Notice is divided into clear sections. You can use the index to go straight to any section. You can also download a full copy here: [link]  

1. About us

We are ProblemShared, which is the trading name of Teledoctor Limited, a company registered in England with company number 10410380. Our registered address is 16 High Holborn, London, England, WC1V 6BX. In this Notice, “ProblemShared”, “we”, “us” or “our” all refer to ProblemShared.

We provide mind and mental health (including neurodiversity) assessment and post-diagnostic services and support (the “Services”). These Services are delivered by qualified healthcare professionals (our “Practitioners”). Most Services are delivered through our digital platform, which includes components provided by third-party partners (together the “Platform”). These partners also process your personal data on our behalf and in line with this Notice. Some elements of our Services may also be delivered in-person.  

This Notice explains how we collect, use, and protect your personal data when you use our Platform or access our Services. This may include special category data, such as information about your mental or physical health.

ProblemShared is the data controller of the personal data covered by this Notice. This means we are responsible for making sure that your personal data is handled safely, lawfully, and transparently, in line with applicable data protection laws (“Data Protection Legislation”). This legislation sets out the rules for how we collect, use, store, and share your personal data. It includes, without limitation:

  1. the Data Protection Act 2018 (“DPA”);
  2. the UK General Data Protection Regulation (“UK GDPR”); and
  3. guidance and codes of practice issued by the UK’s supervisory data protection authority, the Information Commissioner’s Office (“ICO”).

We have appointed a Data Protection Officer (“DPO”) who is responsible for answering questions in relation to this Notice. If you have any questions about this Notice or wish to exercise your legal rights under the Data Protection Legislation, please contact our DPO (dpo@problemshared.net).  

2. The types of personal data we collect about you

Personal data is any information that can identify you, either directly or indirectly. We may collect this information when you sign up or enrol on our Platform, when a referring partner organisation or another third party provides it for you under their own privacy notice, or automatically when you use the Platform.

We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:

  • Identity data: Full name, date of birth, gender (if provided as part of therapy preferences).
  • Contact data: Email address, mobile phone number, address, informant contact details, emergency contact details, GP name and GP practice contact details.
  • Financial data: Billing and payment information (including credit card details).
  • Transaction data: Session/appointment bookings and payment status, transaction history related to therapy or assessments, booking confirmation and reminder details.
  • Medical data: Clinical history, presenting concerns and symptoms, diagnoses, risk assessments, safeguarding information, recommendations, treatment plans and summaries, medication details (including dosage and side effects), practitioner notes and observations, MDT discussion points, clinical rationale, referral details, third-party or informant information, results of structured assessments or questionnaires (e.g., ADHD, Autism, SpLD), educational history and feedback, monitoring data (blood pressure, pulse, height, weight, lab results), and any other health-related documentation shared with us or uploaded to the Platform.
  • Technical data: Device type, unique device identifiers (UDIDs), IP address, operating system, browser type and version, screen size, language settings, geographic location (country only).
  • Profile data: Therapy preferences (Practitioner type, language, cultural background), feedback submitted via surveys or questionnaires, history of booked sessions, participation in assessments, notes/records stored on your health record (if applicable).
  • Usage data: Page visits and navigation patterns, clickstream data (URLs clicked before/after using the site), menu items or features accessed, length of session or visit, frequency of visits and sessions, page interaction data (scrolling, clicks, mouse hovers), video consultation duration.
  • Marketing and communications data: Records of consent to receive updates about the Platform, our Services and any other promotional, educational and research content (where you have opted in), communication preferences, copies of emails exchanged between you and ProblemShared.  
  • Engagement data: ProblemShared may collect engagement data based on your interactions with our emails, events, webinars, downloads, and surveys as well as your social media engagement and patient panel registrations.
  • Employment data: We may collect information such as your job title and employer details from corporate contacts for the purposes of marketing and client communication.

Where our Services involve face-to-face interaction and/or live video sessions, we may process additional personal data such as audio data, visual data, behavioural data, and any special category information disclosed or visible during the session. However, we only record or store video or audio from our sessions if you have agreed to this.

It is important that the information we hold about you is accurate, current, and complete. Please let us know if any of your information changes or needs updating.

3. How is your personal data collected?

We use different methods to collect data from and about you including through: 

  • Your interactions with us: You may give us your personal data when registering, completing referral or assessment forms, using the client dashboard, or otherwise interacting with our Services. You may also give us your personal data when you communicate with ProblemShared, and we may keep records of this (including metadata). Our Practitioners may use AI-based tools to help with document management, report writing, notetaking or administrative tasks. These tools are not used to diagnose you or make automatic decisions about your care.
  • Partner organisations: ProblemShared receives personal data about you when referrals are made by the NHS, insurers, occupational health providers, universities, or other partner organisations.  
  • Practitioners: As part of your care and treatment, Practitioners will create and record notes or reports relating to your sessions with them containing personal data.
  • Third parties for assessments: For some services, like ADHD or Autism assessments, we may get information from parents, teachers, or others connected to you.
  • Automated technologies or interactions: When you use our website or platform, we collect technical information about your device and how you use our services. We do this using cookies and similar tools. You can read more in our Cookie Policy.

4. How we use your personal data

Legal basis

The law requires us to have a legal basis for collecting, using, and sharing your personal data. Before you receive any Services from us, you will be asked to accept our User Terms and Conditions and this Notice. These explain the legal bases on which we rely when processing your data. These are:

  • Provision of health and social care: We may use your special category health data where it is necessary to provide healthcare, diagnosis, and treatment as part of our Services (Article 9(2)(h) UK GDPR and Schedule 1 Part 1 Paragraph 1 of the DPA 2018).
  • Performance of a contract: Where we need to perform the contract we are about to enter into or have entered into with you or the organisation that referred you to us (Article 6(1)(b) UK GDPR).  
  • Legitimate interests: We may process your personal data where it is necessary for our legitimate interests, including providing the Services, improving our Platform or analysing usage. Before doing so, we assess and balance our interests against any potential impact on your rights. We do not use your data where your rights override our interests, unless you consent or the law allows it (Article 6(1)(f) UK GDPR).  
  • Legal obligation: We may use your personal data where it is necessary to comply with a legal duty. We will identify the relevant legal obligation when we rely on this legal basis (Article 6(1)(c) UK GDPR and Schedule 1 Part 1 Paragraph 1 of the DPA 2018).
  • Necessary or in the vital interests of the data subject: We may also use your data to protect your life or in an emergency to safeguard your vital interests or those of another person (Article 6(1)(d) UK GDPR & Article 9(2)(c)).
  • Consent: We rely on consent only where you actively agree to a specified purpose, for example if you consent to receive marketing communications from us. Our Practitioners will also ask for your consent before recording your sessions or using any AI-based tools (Article 6(1)(a) UK GDPR).

Purposes for which we will use your personal data

We will use your information only where the law allows. Below, we explain how we may use each type of your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose of processing: Providing healthcare to patients

Types of individuals: Patients

Types of personal data:
  • Identity data
  • Contact data
  • Financial data
  • Transaction data
  • Medical data
  • Profile data

Legal basis: Performance of a contract; Provision of health and social care

Retention period: Personal data retained for seven (7) years after care has ceased. Health and clinical records (medical data) typically retained for 20 years after the last contact, or until a child’s 25th birthday, whichever is later.

Purpose of processing: Training and improving our services: Using session recordings to support staff training and enhance the quality of our care

Types of individuals: Patients who have provided consent

Types of personal data:
  • Identity data
  • Contact data
  • Medical data
  • Audio data
  • Video data
  • Behavioural data
  • Special category data

Legal basis: Consent; Provision of health and social care

Retention period: Health and clinical records (medical data) typically retained for 20 years after the last contact, or until a child’s 25th birthday, whichever is later.

Purpose of processing: Processing and delivering your payments including:
  • (a) manage payments, fees and charges; or
  • (b) collect and recover money owed to us.

Types of individuals: Private/self-pay patients

Types of personal data:
  • Identity data
  • Contact data
  • Financial data
  • Transaction data

Legal basis: Performance of a contract

Retention period: Personal data – seven (7) years

Purpose of processing: Managing our relationship with you, which will include:
  • (a) notifying you about changes to our terms or Notice; or
  • (b) dealing with your requests, complaints and queries.

Types of individuals: All patients

Types of personal data:
  • Identity data
  • Contact data

Legal basis: Performance of a contract

Retention period: Personal data – seven (7) years

Purpose of processing: Developing and maintaining client relationships: Carrying out direct marketing activities

Types of individuals: All patients, business partners

Types of personal data:
  • Identity data
  • Contact data
  • Communication data
  • Engagement data
  • Employment data

Legal basis: Consent; Legitimate interest (to develop and maintain relationships with clients and stakeholders, including promoting and improving our services and supporting business growth)

Retention period: Retention periods for data collected for marketing purposes may vary. Records of patients’ opt-ins and consents will be retained indefinitely, unless consent is withdrawn. Other marketing data will be kept for up to 36 months.

Purpose of processing: Looking after your wellbeing in emergencies: Using information from emergency contacts to support you if an urgent situation arises

Types of individuals: Emergency contacts of patients

Types of personal data:
  • Identity data
  • Contact data

Legal basis: Legitimate interest (ensuring client safety and wellbeing during care delivery, including the ability to respond appropriately in emergency or safeguarding situations)

Retention period: Personal data – seven (7) years

Purpose of processing: Supporting safe and accurate assessments: Using information from informants (e.g., parents, teachers, or carers) to give Practitioners a fuller picture

Types of individuals: Informant identified by the patient (e.g. family members, carers, teachers, or other third parties) who provides information to support the patient’s assessment or care.

Types of personal data:
  • Identity data
  • Contact data
  • Medical data shared about the patient to support assessment or care (e.g., observations, concerns, context)

Legal basis: Legitimate interest (to record who provided input and ensure accountability and context in the assessment process)

Retention period: Kept for the same duration as the patient’s record if it forms part of that record. Seven (7) years if stored separately for admin/legal purposes.

Purpose of processing: Running and protecting our business: Administering our platform and website, including troubleshooting, testing, maintenance, support, reporting, and hosting data

Types of individuals: All platform users

Types of personal data:
  • Technical data

Legal basis: Legitimate interest (to operate, manage, and secure our digital infrastructure and ensure the integrity, availability, and performance of our website and services)

Retention period: Retention periods vary per cookie. Most data is retained for 4 months, but analytical cookies (used to understand how visitors interact with the website) are retained for 1 year 1 month 4 days.

Purpose of processing: Improving our services: Using information about how services are used to generate insights, monitor quality, and develop improvements to patient care

Types of individuals: Patients, website users

Types of personal data: All categories of data as outlined in section 2.

Legal basis: Legitimate interest (to help us understand and improve our services for patients)

Retention period: Personal data retained for seven (7) years after care has ceased. Health and clinical records (medical data) typically retained for 20 years after the last contact, or until a child’s 25th birthday, whichever is later.

Purpose of processing: Complying with laws and regulations: Meeting legal obligations, defending or exercising our rights, or acting in the vital interests of a patient

Types of individuals: All patients

Types of personal data: All categories of data collected (where necessary)

Legal basis: Legal obligation (Article 6(1)(c) and 9(2)(f)); Vital interests (Article 6(1)(d) and 9(2)(c))

Retention period: Personal data retained for seven (7) years after care has ceased. Health and clinical records (medical data) typically retained for 20 years after the last contact, or until a child’s 25th birthday, whichever is later.


Marketing

If you have signed up or opted in to receive marketing communications from us, we may:

  • send promotional messages, updates, and invitations;
  • provide personalised content and communications; and
  • analyse how you interact with our services and follow up on events or activities to keep you informed about relevant offerings.

Cookies

To find out more about the cookies we use and how to change your preferences, click on the 'Consent Preferences' widget at the bottom left of your screen. You can also view our full Cookie Policy here (link).  

Practitioners’ obligations

The Practitioner you see in your session or who is involved in your care or assessment must follow and comply with all Data Protection Legislation.

All Practitioners are trained on data privacy and are contractually required to follow our internal data handling, information governance, and privacy policies.

5. Disclosures of your personal data

We may share your personal data where necessary with the parties set out below.  

  • Internal staff: Data is shared with treating Practitioners and authorised staff involved in client care, administration, and governance. Staff from our Clinical management and Quality and Improvement teams may also access data to deal with complaints and undertake audits, to make sure the Services are safe and working well.
  • Partner organisations: If you were referred by the NHS, insurers, occupational health providers or universities, we may share relevant information with them such as how your assessment is going or when sessions happen. These are shared according to our contracts with them. 
  • Your GPs or other medical practitioners: Information may be shared where necessary for your care or to prescribe medication. In emergencies or safety situations, we may share information without asking you first.
  • Third party data providers: We work with trusted companies to help run our services. This includes video sessions, technology, data storage, payments, platform checks, and marketing. Payment details are handled safely by secure providers, and we do not keep your payment information ourselves.
  • Regulators and authorities: Sometimes we must share information with the law, regulators, or other authorities. For example, this could include healthcare regulators like the Care Quality Commission (“CQC”) or data protection authorities like the ICO.  

When we share any information with them, we always make sure it is allowed by law. All third-party companies we use must follow data protection rules. They can only use your personal information to help us and cannot use it for their own purposes.

International transfers

Most of your information is stored and used in the UK on secure servers, including NHS-approved systems. Some companies that help us are based in the EU. When this happens, we make sure your information is fully protected according to the Data Protection Legislation.

6. Data Security

We take care to keep your personal information safe. We have strong security measures to stop your information from being lost, seen by the wrong people, changed, or shared without permission. These include:

  • using multi-factor authentication to check who is logging in;
  • encrypting your data when it is sent over the internet;
  • storing your data on secure servers in the UK or EU with strong protection;
  • regular checks of our systems for weaknesses, including tests and audits;
  • a clear plan for responding to problems or disasters;
  • regular training for all staff and contractors on keeping data safe; and
  • only collecting the personal data we need and keeping it for as long as necessary.

We also limit access to your personal information. Only employees, contractors, or other trusted people who need to see it can use it. They must follow our instructions and keep your information confidential.

Our systems meet the NHS Data Security and Protection Toolkit standards (with an “exceed” rating). Our web application is also tested every year by independent security experts.

No internet system is completely safe, but we have strong procedures to deal with any suspected data breaches. If the law requires it, we will tell you and the ICO about any breach.

7. Data retention

Health and clinical records (special category data) are kept in line with the NHS Records Management Code of Practice: typically for 20 years after the last contact, or until a child’s 25th birthday, whichever is later. This ensures you get the right care and we meet our medico-legal obligations. 

We keep administrative, engagement, financial, and technical records for seven (7) years after care or treatment has ended. This aligns with the Limitation Act 1980 and helps us meet our legal, contractual, and audit requirements. Retention periods for the data we collect for marketing purposes may vary. Records of patients’ opt-ins and consent will be kept indefinitely, unless consent is withdrawn. Other marketing data will be retained for up to 36 months.

We regularly check our retention schedules to make sure they follow current guidance. When your information is no longer needed, we make sure it is securely deleted.

8. Your legal rights/your access to and rights over your personal data

You have several rights about the information we hold about you. To exercise any of these rights, or to withdraw your consent to us using your information in ways you previously agreed to, please email our DPO (DPO@problemshared.net).

You have the right to:

Access (Article 15 UK GDPR): You can ask for a copy of the information we hold about you.

Rectification (Article 16 UK GDPR): If any of your information is wrong, you can ask us to fix it. We may check the new information to make sure it is correct.

Erasure (Article 17 UK GDPR): You can ask us to delete your information if we do not need it anymore, if you have objected to how we use it, or if we have used it wrongly. Sometimes, we must keep information for legal reasons. If this happens, we will explain when you make your request.

Restriction (Article 18 UK GDPR): You can ask us to stop using your information in some situations, but we might need to keep it. This can happen if:
  • You are checking that your information is correct
  • We are using your information wrongly, but you want us to stop using it instead of deleting it
  • You need the information for a legal claim
  • You have objected to our use, and we are checking if we have stronger reasons to continue

Portability (Article 19 UK GDPR): You can ask for your information in a format that can be easily transferred to another company.

Objection (Article 20 UK GDPR): You can object to how we use your information when we rely on a legal duty or our legitimate interests.


No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, if your request is clearly unreasonable, repeated a lot, or too difficult, we may charge a small fee or, in some cases, refuse your request.

What we may need from you

We may ask for some information to make sure you are who you say you are. This helps us keep your personal information safe and make sure it is not given to the wrong person. Sometimes we may also ask you for more information to help us respond more quickly to your request.

Time limit to respond

We try to answer all requests within one month. If your request is very complicated or you have made many requests, it might take longer. If this happens, we will tell you and keep you updated.

9. DSAR Process

Under Article 15 of the UK GDPR, you have the right to submit a Data Subject Access Request (“DSAR”) to get confirmation as to whether we process personal data relating to you. If we do, you can ask for a copy of it together with information required by law.

How to make a request

You can ask us by using the following link RADAR or by post addressed to: ProblemShared, 16 High Holborn, London, WC1V 6BX.

To help us find your information quickly, please state that you are making a “Data Subject Access Request” and, if you can, say exactly what information you want.

Verification of identity

To keep your information safe, we may need to check who you are. If someone else is asking for your information, we may ask for proof that they have your permission, such as written consent or a power of attorney.

Timeframe

We will acknowledge your request quickly and try to respond within one calendar month of receipt. If your request is very complicated or you have made many requests, this period may be extended by up to two additional months. If this is necessary, we will tell you within the first month.

Exemptions

Sometimes, we cannot give all the information. This could happen if giving it would:

  • Affect someone else’s rights or privacy;
  • Break the law or legal rules; or
  • Be restricted under regulations.

If we do not give you some information, we will explain why whenever we can.

Fees

You will not usually be charged for making a DSAR. If your request is clearly unreasonable, repeated many times, or too difficult, we may charge a small fee or refuse your request.

How we will provide the data

Information will normally be provided in a secure electronic format unless you request otherwise. If we cannot provide your data electronically, we will agree another method with you.

10. Complaints

You have the right to make a complaint to the ICO (www.ico.org.uk). They can be contacted at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone: 0303 123 1113.

Before doing so, please make sure you have first made your complaint to us or asked us for clarification if there is something you do not understand. You can find more guidance on our complaints procedure here [Complaints & concerns | ProblemShared], and our complaints form here [Complaints Form].

11. Personal data in respect of job applications

If you apply for a job with us, we collect and process personal data (including, but not limited to, your name, contact details, address details, CV, and employment history) based on our legitimate interest in managing the recruitment process. None of this data will comprise sensitive category data unless you choose to share it with us as part of your job application.

This data is stored securely on the Platform and retained for up to 6 months if you are not hired, after which only minimal information (e.g. your name, role applied for) is kept for HR and legal purposes.  

For your rights in relation to your personal data, please see section 8 of this Notice.  

12. Children’s Privacy Notice

This Notice serves to inform adults who use our services (or are responsible for children who use our services) about how we handle their personal data. If you are the parent or guardian of a child who uses our services, please share our Children’s Privacy Notice with them.

13. Changes to the Privacy Notice and your duty to inform us of changes

We keep this Notice under regular review. This version was last updated on 24 November 2025. Historic versions can be obtained by contacting us at help@problemshared.net.

It is important that your information is correct and up to date. Please tell us if anything changes, like your address or email, while you are using our services.

14. Third-party links

Our website may have links to other websites, apps, or plug-ins. If you click on these links, the other websites may collect or share information about you. We do not control these websites and are not responsible for their privacy rules. When you leave our website, we recommend that you read the privacy notice of the website you visit.
