Digital CBTe Patient Privacy Notice (UK)
Effective Date: 2025-12-15
Version: v1.0
This notice explains how information is handled when you use Digital CBTe through an NHS Trust, clinic, or other care organization (“Care Organization”).
1. Roles: who controls your information
Your Care Organization is the data controller for the personal information and health information processed in Digital CBTe for your care. Credo is a data processor that processes information on behalf of your Care Organization to provide Digital CBTe. The UK Information Commissioner’s Office (ICO) explains these roles and responsibilities.
2. What information is processed
Depending on what you and your care team enter or enable, Digital CBTe may process:
- Account and contact details (for example, name, email, phone)
- Program usage and engagement data
- Questionnaire and assessment responses
- Symptom, outcome, and progress measures
- Messages or notes exchanged with your care team if enabled by your Care Organization
- Technical data such as device type and log data (for security and troubleshooting)
3. Why the information is used
Your Care Organization uses your information to:
- Provide and manage your care
- Monitor progress and support clinical decision-making
- Operate and administer the service it provides to you
Credo uses your information only to:
- Provide Digital CBTe to your Care Organization and to you
- Maintain security, prevent fraud, and troubleshoot
- Provide support to your Care Organization
- Meet legal obligations
Credo does not sell your health information.
4. Who your information is shared with
- Your Care Organization and its care team
- Credo’s service providers (subprocessors) who help operate Digital CBTe (for example, hosting and support), under contract and confidentiality
- Regulators or law enforcement where required by law
Your Care Organization may share your information in additional ways for your care. Refer to its privacy materials.
5. How long information is kept
Retention is determined by your Care Organization and applicable law. Credo retains information on behalf of the Care Organization for the duration of its contract and then returns or deletes information as instructed, subject to legal retention requirements.
6. Your rights
You have rights under UK data protection law, including the rights of access and correction, and other rights depending on the circumstances. Because your Care Organization is the controller, you should direct requests to your Care Organization. Credo will assist the Care Organization as required.
7. Security
Credo uses technical and organizational measures designed to protect information. No system can be 100% secure.
8. International transfers
Your Care Organization may choose service configurations that involve processing outside the UK. Where applicable, transfers are protected by lawful mechanisms under UK GDPR.
9. Contact
For privacy questions or to exercise rights, contact your Care Organization. Credo privacy contact: privacy@credotherapies.com.
Change log
- v1.0 (2025-12-15): Initial release.
