Privacy Notice
This Privacy Notice ("Notice") sets out how we at PsyScale Ltd ("PsyScale", "we", "our" or "us") use, protect and share the personal information that we collect from you when you use our website, our payment service, or when you interact with us or contact us in any other way.
Our activities regarding the collection, use, sharing, and processing of your personal information are set out in this Notice.
Who are we?
PsyScale Ltd is the data controller responsible for your personal information. This means that we are responsible under Data Protection Laws for ensuring that your personal information is protected and properly processed.
Our full company details are:
- Legal entity name: PsyScale Ltd.
- Company registration: Registered in England and Wales (Company number: 16235233).
- Registered office: 86-90 Paul Street, London, England, EC2A 4NE.
- Email address: privacy@psyscale.ai.
You can contact us at the above address should you have any questions about this Notice, or if you would like to exercise any of your rights under Data Protection Laws, which we set out below.
Clinical Trial Context
If you are participating in the clinical trial:
- Lindus Health (the CRO) collects your trial consent and acts as a separate data controller for research data.
- PsyScale processes your data to deliver treatment and clinical oversight, not for research analysis.
- PsyScale shares required treatment and outcome data with the CRO for study analysis.
- PsyScale may create anonymised datasets for research and product development.
What types of information do we collect from you?
We may collect, use, store and transfer different kinds of personal information (including personal data as defined under applicable laws such as the UK GDPR and the UK Data Protection Act) about you such as:
- Identity and Contact Information about you including full name, date of birth and age, email address, phone number, home address, parent/guardian details (under 18s), emergency contact name and number, GP/doctor's surgery details.
- Account and Authentication Information about you including login credentials, authentication identifiers, account status and membership history.
- Screening and Eligibility Information about you including questionnaire responses, historical and present mental health conditions, health information including self-harm/suicide attempts, current therapies and treatments, conditions, pregnancy status and cognitive/language barriers.
- Treatment Interaction Information including free text conversation content from sessions, exercise outputs, keeping well plans and in-app clinician interactions.
- Clinical Oversight Information including clinician notes and suitability assessments, safety signal review outcomes, post-session reviews, notes, audit trail of actions.
- Safeguarding Information including indicators of poor mental and physical health experiences and conditions, e.g. distress, destabilisation, self-harm/suicide, abuse and substance misuse.
- Technical and Usage Information including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, technical logs related to processing, device ID and other technology on the devices you use to access our websites and apps, and information about how you interact with and use our websites, apps and services.
- Communications and Interactions Information including emails for support, in-app support messages, records of clinician calls, crisis support interactions.
- Marketing and Communications Information including your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share Aggregated Information such as statistical or demographic data for any purpose. Aggregated Information could be derived from your personal information but is not considered personal information in law as this data will not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Information with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this Notice.
How and why do we use your personal information?
How your information is collected
- When you interact with us: you may share your personal information with us when you provide information using any online form on our website or our apps, or when you correspond with us by email, post, telephone or any other means, including when you complete onboarding/screening questionnaires, participate in clinician suitability review, engage in treatment and sessions, or send messages, check-ins etc.
- Automated Technologies and Cookies: as you interact with our website, we will automatically collect Technical and Usage Information about your equipment, browsing actions and patterns. We collect this personal information by using cookies and other similar technologies.
- From third parties: we may obtain your personal information from available third parties (which, when combined with other personal information we may have of yours, may also constitute personal information). These may include clinical trial partners, CROs, referral partners and clinicians involved in your care (such as your GP, any Community Mental Health Team you have been involved with, emergency services or other medical professionals).
How your information is used
Data Protection Laws require us to have a legal basis, falling under one of the following categories, for everything that we do with your personal information:
- Performance of a contract with you: Where we need to perform a contract we are about to enter into or have entered into with you.
- Legitimate interests: We may use your personal information where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and/or enable us to give you the best user experience.
- Legal obligation: We may use your personal information where it is necessary for compliance with a legal obligation that we are subject to.
- Consent: We rely on consent only where we have obtained your active agreement to use your personal information for a specified purpose, in relation to receiving marketing emails from us.
- Vital Interests: We may process your personal information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.
We use your personal information in a number of different ways and for different reasons – the tables below set out what we do and why:
Identity and Contact Information
| What do we do? | Why do we do it? | What is the Legal Basis? |
|---|---|---|
| Collect and store your name, email, phone number, date of birth, and address details. | To create and manage your account, verify your identity, and communicate with you. | Performance of a contract with you. |
| Verify your age and eligibility | To ensure you meet the criteria for treatment and the clinical trial | Performance of a contract with you. Legal obligation. |
| Use GP and emergency contact details | To contact appropriate parties where safety concerns arise | Performance of a contract with you. Legal obligation. Vital interests. |
| Use parent/guardian details (under 18s) | To meet safeguarding and consent requirements | Legal obligation. Vital interests. Performance of a contract with you. |
| Record identity information in your clinical record | To meet clinical governance and regulatory requirements | Legal obligation. |
| Use your contact details to send service-related communications. | To notify you about transactions, account activity, and security events. | Performance of a contract with you. Legitimate interests: to ensure users receive essential service and security notifications. |
| Use your contact details for customer support interactions. | To respond to queries, resolve issues, and provide assistance. | Performance of a contract with you. Legitimate interests: to maintain high-quality customer support. |
| Identify you when you visit our website or you contact us for any reason. | So we can identify you. | Legitimate interests: necessary for us to be able to communicate with you. |
| To send you information about our company. | So we can let you know about new products and services that we offer that you might be interested in. | Consent. Legitimate interests: necessary to promote our business. |
| To send you surveys and to ask for feedback. | To offer you the opportunity to let us know how we are doing, or to let us know your views on another subject. | Legitimate interests: necessary to ensure we are providing the best service and to identify any areas of potential improvement. |
| Retain contact records for compliance and support. | To meet regulatory and operational requirements. | Legal obligation. |
Account and Authentication Information
| What do we do? | Why do we do it? | What is the Legal Basis? |
|---|---|---|
| Process login credentials. | To authenticate you and secure your account. | Performance of a contract with you. |
| Process authentication identifiers. | To prevent unauthorised access and maintain security. | Legitimate interests: to ensure platform security and prevent fraud. |
| Maintain account status and history. | To manage your access to treatment and clinical messaging. | Performance of a contract with you. |
| Log authentication events. | To maintain audit trails and detect suspicious activity. | Legitimate interests: to monitor security and ensure audit integrity. Legal obligation. |
Screening and Eligibility Information
| What do we do? | Why do we do it? | What is the Legal Basis? |
|---|---|---|
| Collect screening questionnaire responses. | To assess clinical suitability for treatment. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Collect mental health history. | To determine inclusion/exclusion for the clinical trial. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Collect self-harm/suicide history. | To identify risk and ensure safe treatment. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. Vital interests. |
| Collect information on current therapies. | To avoid contraindicated or duplicate treatment. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Collect contraindicated conditions. | To ensure safe delivery of a regulated medical device. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Collect pregnancy status. | To ensure suitability and safety. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Collect cognitive/language barriers. | To determine whether the programme is appropriate. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Record screening outcomes. | To maintain clinical records and regulatory compliance. | Performance of a contract with you. Legal obligation. Art. 9(2)(h) UK GDPR. |
Treatment Interaction Information
| What do we do? | Why do we do it? | What is the Legal Basis? |
|---|---|---|
| Process free-text conversation content. | To deliver and personalise the PsyScale treatment. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Process exercise outputs. | To support therapeutic progress and personalise sessions. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Process session progress markers. | To monitor engagement and adherence. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Process "keeping well" plans. | To support relapse prevention and discharge planning. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Process in-app clinician interactions. | To support clinical oversight and treatment delivery. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Use treatment data for the end of treatment review. | To review progress and determine discharge. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
Clinical Oversight Information
| What do we do? | Why do we do it? | What is the Legal Basis? |
|---|---|---|
| Process clinician notes. | To provide clinical supervision. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Process suitability assessments. | To determine ongoing suitability for treatment. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Process safety review outcomes. | To detect and respond to safety concerns. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. Vital interests. |
| Process post-session review outcomes. | To monitor progress and identify concerns. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Process check-in notes. | To review engagement and progress. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Process escalation decisions. | To safeguard users and escalate risk. | Performance of a contract with you. Vital interests. Legal obligation. |
| Maintain audit logs. | To meet clinical governance and regulatory requirements. | Legal obligation. Art. 9(2)(h) UK GDPR. |
Safeguarding Information
| What do we do? | Why do we do it? | What is the Legal Basis? |
|---|---|---|
| Process indicators of distress or destabilisation. | To detect emerging risk. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Process indicators of self-harm or suicide. | To trigger safety review and escalate risk. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. Vital interests. |
| Process indicators of abuse or exploitation. | To fulfil safeguarding duties. | Legal obligation. Art. 9(2)(h) UK GDPR. |
| Process indicators of substance misuse. | To assess suitability and risk. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Process indicators of contraindicated conditions. | To ensure safe treatment. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Trigger a clinician review for safety concerns. | To conduct off-schedule clinical reviews. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Trigger emergency services contact. | To protect life in imminent risk. | Vital interests (Art. 6(1)(d) and Art. 9(2)(c) UK GDPR). |
| Maintain safeguarding records. | To comply with safeguarding and clinical governance requirements. | Legal obligation. Art. 9(2)(h) UK GDPR. |
Technical and Usage Information
| What do we do? | Why do we do it? | What is the Legal Basis? |
|---|---|---|
| Identify you when you visit our websites, apps and services. | To provide you with the best possible user experience. | Legitimate interests: necessary to provide the best user experience. |
| Monitor visitors to our websites and analyse their use. | To protect our websites, apps and our IT systems from fraud or cyberattacks and to improve our services and IT security. | Legitimate interests: necessary to ensure our systems are secure. Legal obligation. |
| Administer and protect our business, apps and our website. | For running our business, provision of administration and IT services, network security, to prevent fraud. | Legitimate interests: necessary to run our business. Legal obligation. |
| Use data analytics to improve our services. | To define types of customers, keep our services updated and relevant, develop our business and inform our marketing strategy. | Legitimate interests: necessary to enhance our business strategies. |
| Collect IP address, device type, browser information. | To secure the apps and website, detect suspicious activity, and troubleshoot issues. | Legitimate interests: ensuring platform security and preventing fraudulent or abusive use. |
| Log login activity and technical events. | To protect user accounts and maintain system integrity. | Legitimate interests: detecting unauthorised access and maintaining service reliability. |
Communications and Interactions Information
| What do we do? | Why do we do it? | What is the Legal Basis? |
|---|---|---|
| Process support emails. | To provide technical support. | Performance of a contract with you. |
| Process in-app support messages. | To provide clinical and technical support. | Performance of a contract with you. Art. 9(2)(h) UK GDPR. |
| Record clinician call metadata. | To maintain clinical records and audit trails. | Performance of a contract with you. Legal obligation. |
| Process crisis support interactions. | To safeguard users and escalate risk. | Performance of a contract with you. Vital interests. Art. 9(2)(h) UK GDPR. |
| Maintain communication logs. | To investigate incidents and improve service quality. | Legitimate interests: quality assurance and service improvement. |
Marketing and Communications Information
| What do we do? | Why do we do it? | What is the Legal Basis? |
|---|---|---|
| We keep a record of your communication preferences. | So we can make sure that you only receive the communications from us that you would like to receive. | Legitimate interests: necessary to promote our business. Legal obligation. |
| Send you electronic and text marketing. | To inform you about offers, events, and updates that may interest you. | Consent. Legitimate interests: soft opt-in where applicable. |
All Personal Information
| What do we do? | Why do we do it? | What is the Legal Basis? |
|---|---|---|
| We may transfer your personal information in connection with any merger, sale, transfer of our assets, restructure, investment, acquisition, bankruptcy, or similar event. | So we can ensure continued service and function, and so we can protect and grow our business. | Legitimate interests: to ensure we can protect and grow our business. |
| Comply with legal and regulatory obligations. | So we can meet our legal responsibilities. | Legal obligation. |
| Retain your personal information to establish, exercise, or defend legal claims. | So we can protect our, or third parties', interests. | Legitimate interests: to seek legal advice, protect ourselves, or others in legal proceedings. |
In limited circumstances we may process any of the personal information we hold to the extent necessary to defend, establish and exercise legal claims or to comply with legal or regulatory obligations.
Where we need to collect personal information due to a legal or regulatory obligation, or for performance of a contract, and you do not provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. We will notify you of this at the time.
What about automated decision making?
PsyScale uses artificial intelligence (AI) to support the delivery of structured cognitive behavioural therapy (CBT). However, the system does not make decisions about your clinical care, safety, or access to treatment, and it does not make any decisions that produce legal or similarly significant effects about you.
How our AI supports your treatment
We use some automated processes to deliver our structured treatment programme consistently and safely. These processes are based on clinician-designed treatment protocols and are used to guide the programme content.
We also use AI-enabled features to support parts of the programme, such as generating or adapting in-app content based on the information you provide during sessions.
What the AI does not do
The AI does not:
- decide whether you are suitable for treatment
- decide whether you can access or continue the programme
- determine your risk level
- decide whether to escalate concerns
- contact emergency services
- make safeguarding decisions
- discharge you from treatment
- make any decisions that have legal or similarly significant effects
All of these decisions are made by qualified clinicians. Humans are involved in all significant decisions. Every decision that could affect your health, safety, access to treatment, or clinical outcome is made by a qualified clinician. This includes:
- suitability assessments
- safety reviews and risk assessments
- escalation decisions
- safeguarding actions
- treatment continuation or discharge
Automation may assist clinicians by surfacing information, but clinicians always review and decide.
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects about you under Article 22 of the UK GDPR.
How can you manage your marketing preferences?
We will provide you with the opportunity to "unsubscribe" via a link at the bottom of any marketing communication that we send to you, or you can contact us at unsubscribe@psyscale.ai.
Please note that if you "unsubscribe" from receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes.
What about cookies?
We use Google Analytics 4 to understand how visitors interact with our website. Google Analytics uses cookies (_ga, _gid) to distinguish unique users and throttle request rates. These cookies are only set if you give consent via our cookie banner.
We use Google's Consent Mode v2, which means:
- Before you consent: Google receives anonymous, cookieless pings. No cookies are set and no personal data is transmitted. This helps us understand basic traffic patterns.
- After you consent: Google Analytics cookies are activated, enabling richer analytics such as return-visit tracking and session duration.
You can change your cookie preferences at any time using the "Cookie settings" link in the footer. You can also block cookies in your browser settings.
For more information about how Google processes data, see Google's privacy policy.
Who do we share your personal information with?
We do not sell your personal information, nor share it with third parties outside of the reasons outlined below, except as permitted or required by applicable law.
We may share your personal information with third parties who provide services to us, for example, our IT, communications, CRM, email and marketing automation and hosting providers. We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
We may share your personal information with third parties in the following circumstances:
- Internally between PsyScale and our Board of Directors for administrative and business purposes;
- With third party service providers (e.g. AWS, WorkOS, Sentry, Zoom, Google Meet, Opper AI, Google Analytics);
- With clinicians/other healthcare professionals as required;
- With parents/guardians of participants in accordance with this Notice;
- With clinical trial partners;
- With regulators;
- With our partners;
- With emergency services and safeguarding agencies/bodies;
- With professional advisors such as tax or legal advisors;
- With consultants, insurance companies/claim managers and accountants;
- With agents, suppliers or sub-contractors engaged by us;
- In order to operate the website, including hosting, maintenance, and analytics;
- If disclosure is required by law or in the context of an investigation or legal process;
- To protect against our liability and ensure safety;
- With third parties in case of a corporate transaction;
- To fulfil the purpose for which you provide it;
- With your consent.
Required by law. We may be required to disclose personal information as part of a legal process. We will comply with such requests only to the extent required by law and will seek to limit disclosure where possible.
We may provide anonymous information to analytics and search engine providers to help us improve and optimise our services. We will only share this information in a form that does not directly identify you.
What happens if we share your information with organisations outside of the UK?
Whenever we transfer your personal information out of the UK to service providers or any other third party, we ensure a similar degree of protection is afforded to it by ensuring that the necessary safeguards are in place, for example:
- We will only transfer your personal information to countries that have been deemed by regulators in the UK to provide an adequate level of protection for personal information; or
- We may use specific standard contractual terms approved for use in the UK which give the transferred personal information the same protection as it has in the UK.
For more information about these safeguards, please contact us at privacy@psyscale.ai.
How do we protect your personal information?
We are committed to protecting individuals' personal information. We put in place appropriate technical and organisational measures to help protect the security of your personal information. However, be aware that no system is ever completely secure.
We have put various safeguards in place to guard against unauthorised access and unnecessary retention of personal information in our systems. These include pseudonymisation, encryption, access, and retention policies.
How long do we keep your personal information for?
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you. For further information about specific retention periods, please contact us at privacy@psyscale.ai.
What are your rights in relation to the personal information we hold?
You have a number of rights under data protection laws in relation to your personal information. You have the right to:
- Request access to your personal information (commonly known as a "subject access request").
- Request correction of the personal information that we hold about you.
- Request erasure of your personal information in certain circumstances.
- Object to processing of your personal information where we are relying on a legitimate interest. You also have the absolute right to object at any time to the processing of your personal information for direct marketing purposes.
- Request the transfer of your personal information to you or to a third party.
- Withdraw consent at any time where we are relying on consent to process your personal information.
- Request restriction of processing of your personal information.
If you wish to exercise any of the rights set out above, please contact us at privacy@psyscale.ai.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Contact us if you have a question or a complaint
You have the right to make a complaint at any time to the relevant data protection regulator. We would, however, appreciate the chance to deal with your concerns before you approach any regulator, so in the first instance please contact us at privacy@psyscale.ai.
Updates to this privacy notice
We may update this Privacy Notice from time to time, and we keep it under regular review. This version was last updated on 5 June 2026.
Third-party links
Our websites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.