
Privacy and Cookies Policy 

At The Sandbox we take the privacy and safety of our users very seriously. We have written this document to tell you:

1. about how we protect your personal data

2. and how we work to keep you safe

What is Data Protection?
There is a law called the Data Protection Law which is there to ensure that we use your personal data lawfully, in order to protect it.

The Sandbox is called a data controller. Our registered office is at:

Mindler
25 Wilton Road,
London
SW1V 1LW
Telephone: 020 4574 6366
Email: nhs.operations@mindler.co.uk

Mindler has appointed Bird & Bird DPO Services SRL as our Data Protection Officer (DPO). If you have any questions or complaints about our compliance with this Privacy Policy or how we process your personal data, please contact our DPO via email at: dpo@mindler.se.

Our DPO may also be contacted at the following address: Bird & Bird DPO Services SRL, Avenue Louise 235 b 1, 1050 Brussels, Belgium.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

What information do we need to collect and why?
When you use The Sandbox we need to collect some personal information from you - this is known as Personal Data.

When you sign up to The Sandbox we ask for:

  • The area that you live in

  • Your GP practice

  • Your date of birth

We need this data to be able to provide a service to you. Our legal basis for processing this data is to provide healthcare services to you.

We also collect additional data, which is called ‘special category data’:

  • Your gender identity

  • Your ethnicity
     

This data is collected under the legal basis ‘legitimate interest’.  It helps us to measure how we are performing as a service and to improve our service. This data is provided to the organisations who make our services available to you. Any data shared in this way is fully anonymous, non-identifiable data and is used to help inform the organisations about usage of the service, including, but not limited to:

  • Number of registrations

  • Sandbox Site usage

  • Issues faced by service users

  • Outcomes achieved
     

Although this is personal data, it will NOT:

  • Identify an individual user or

  • Allow us to trace or find an individual
     

We do not ask you for any information that may identify you when you sign up.

The use of cookies in The Sandbox
Our website uses cookies to distinguish you from other users of our website.  This helps us to provide you with a good experience when you browse our website and also allows us to improve our website.

We use the following cookies:

Strictly necessary cookies:

These are cookies that are required for the operation of our website.  They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services. These are always used.

Analytical or performance cookies:

These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it.  This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. You can choose whether or not to opt in.

Functionality cookies:

These are used to recognise you when you return to our website.  This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region). You can choose whether or not to opt in.

Targeting cookies:

These cookies record your visit to our website, the pages you have visited and the links you have followed.  We will use this information to make our website more relevant to your interests.  You can choose whether or not to opt in.

Your Data - Your Rights
As the owner (aka ‘Data Subject’) of your personal data, you have certain rights under the General Data Protection Regulation (GDPR) to find out about our use of your personal data.

You have:

The Right to be informed - by providing you with this document, we are giving you the information about your data that is collected and held by us,

The Right of access - you can ask about your personal data that we hold - this is called a “data subject access request”,

The Right to rectification - you can tell us if the data we hold is wrong or incomplete and ask us to put it right,

The Right to erasure - you can request erasure of your personal data. This enables you to ask* us to delete or stop processing your data. (*There may be times when we can’t do this though because we are required by law to hold it for a certain time),

The Right to restrict processing - you can object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing,

The Right to data portability - you can ask us to securely transfer your personal data to another data controller,

The Right to object - you can ask us to stop the processing of your personal data for a period of time if data is inaccurate or there is a dispute about its accuracy or the reason for processing it.

If you wish to do any of these things, log in to your Sandbox account and message a member of The Sandbox team and they will help you. By contacting us through your account, rather than by direct email, you are protecting your anonymity.

If you think that we have failed to handle your data properly or have not allowed your rights listed above, you have the right to make a complaint to the Information Commissioner’s Office.

Your right to withdraw your consent
You have the right to withdraw consent if you have shared any personal data with us. You can withdraw your consent to share information at any time. You can request to withdraw your consent by sending a message to The Sandbox team when you are logged in.

Additional Information on how we improve our services
We may use the data we collect to measure how we are performing as a service and to improve our service. This information is always anonymised, therefore it could not be used to identify you.

We continuously try to improve our service, which may involve introducing new processes. In these circumstances we carry out a risk assessment into the impact of this on your data.

Case studies
We may be asked by the organisations who pay for the service to provide them with anonymous case studies of our work with service users. This is so they can see how well The Sandbox is performing in our role in supporting you.

Our team at The Sandbox also have to take part in ongoing training and development so that they can be best placed and trained to support you. This means that they sometimes also have to write case studies for their courses or training.

Whenever a case study is written, we never use any of your personal data. It will never be possible to identify you from these case studies.
 

Consent & Privacy Policy for Users in Hertfordshire

Initial screen (for CYP who are signing up for therapeutic treatment rather than anonymous chat):

How we use what we know about you

We record how you are getting on in the Sandbox and we use that to help us to help you. This is called your personal information, and we will keep it confidential and secure. 

Keeping you safe

If you start therapy with the Sandbox, we will tell your Doctor (NHS GP) so your records are kept up to date. 

If we are really worried about you (including if you are having thoughts of harming yourself) we may need to share your personal information with someone else to keep you safe. We will ask for your permission before doing so, and you may wish to talk to that person yourself before we speak to them. However, if the situation is very serious, such as an emergency, we may need to act without talking to you first. 

What age is The Sandbox suitable for?

The Sandbox is open to anybody aged between 10 and 25. If you’re younger than 12, you’ll need a parent or guardian in the room with you during therapy sessions.

Creating an account on the Mindler Sandbox website

Mindler’s services are provided to you by Hertfordshire County Council. Depending on your symptoms and assessment, and the referral pathway you are on, you may access a range of different services as part of our “Stepped Care Model” including:  

  • Getting Advice - access to the Sandbox website, downloads, games, livestreams, forums and live chat

  • Getting Help – an online course of iCBT called the “Sandbox Academy”

  • Getting More Help -  1x1 CBT therapy delivered via video
     

What personal information we will receive about you

Our services involve the collection of personal information about you to help us ensure we can provide you with the right help and advice.

We will receive information about you from Hertfordshire County Council, or from another organisation that works with them, such as the NHS, your GP, or your school. You, or your parent or guardian, will have given that organisation consent to share your information with us. This initial information normally includes –

  • your name;

  • age;

  • date of birth;

  • NHS Number;

  • home address,

  • the name of your GP,

  • your school,

  • the diagnosis (if you have one) and

  • the reasons you are seeking the advice.
     

We may also receive from the more detailed information about your health as you progress through our services. This will all be kept confidential and only used strictly in connection with providing you with health care services or ensuring your wellbeing.
 

We will receive and use your personal information for the purposes of providing you with healthcare services in the form of web-based advice and help from therapists. The advice is designed and provided under the responsibility of professional therapists who will use your information strictly in accordance with professional rules of confidentiality. 
 

How we will use your information

Getting Advice 

Our Sandbox website allows you to read or watch helpful content; to follow our social media accounts and to join our Live Chat service.

Getting Help and Getting More Help

How you will consent to receive healthcare services

If you are under 12 years of age we need the explicit consent of your parent or guardian to give you access to these services.

If you are 12 years of age or older, or if you have been assessed as able to provide this consent (this is called being “Gillick Competent”), we will seek your explicit consent before giving you access to these services. Your therapist will ask you if your parents or guardian are aware of the treatment that you are receiving. It can be helpful to involve them in your care journey, and your therapist will give you the option of involving them in your care. However, no-one at Mindler will contact your parents or guardian, without you providing explicit consent for us to do so. 

Sharing your data with your GP

If you are receiving therapy with Mindler, we will share your information with your NHS GP and with the organisation that referred you to us. In some circumstances, we may need to share your information with the Children and Adults Mental Health Services (CAMHS). This is so that we can ensure your NHS medical records are up-to-date and that your ongoing NHS care is coordinated properly. 

Emergency use of data and safeguarding 

We do not share your personal information with any third parties for any reason other than strictly in connection with your healthcare or well-being. If we believe that there are reasons for taking urgent action to protect you from harm we may need to share your personal information.

 

This could be your parent/guardian, your NHS GP, other health or social care organisations, or exceptionally the emergency services. We will usually seek your consent before doing so, but if the situation is serious we may need to take action without speaking to you first. Where applicable, we will do this in line with Hertfordshire Safeguarding Children Board guidance.

Transferring your information outside the UK

We will not transfer your personal information outside the UK (this is known as a “Restricted Transfer” under the Data Protection Act).

Storage of your personal information

The personal information is kept only for as long as it is needed to ensure we can provide the service to you effectively and keep our own records for healthcare reasons and in order to inform the NHS about your referral and progress and help with managing health services. At any time, you can ask to see what data we hold about you. 
