Privacy Policy
Last updated: 26/03/2023
This policy is in two parts. The short version explains what we do with your data in plain English. As most readers are service users, it's mostly written for them. The legal details cover our formal obligations under UK GDPR, and also cover staff, coaches, and trainees and how we handle their data.
The short version
Who we are
Overcome is a UK-registered charity (number 1191308) that provides free online mental health coaching. We help people with building healthy habits, as well as managing mild to moderate low mood, worries, or fears through a 6-session programme of one-to-one video calls with trained coaches.
We have a defined scope. We are not a crisis service, and we cannot provide specialist support for conditions like OCD, PTSD, personality disorders, or psychosis. We cannot make diagnoses or prescribe medication. This matters for how we handle data, because it means we need to know whether the people arriving at our site are people we can actually help.
Why we track how people found us
We run advertising campaigns to reach people who could benefit from our service. But because we have a defined scope, it's important that those campaigns are reaching the right people. If an ad campaign or a partner referral is consistently sending people who need crisis support or specialist psychiatric care, we need to fix this as quickly as humanly possible.
The same applies to volunteer recruitment. If a campaign is consistently sending applicants who are not suitable to be coaches, we need to know so we stop running it!
We use the minimum amount of tracking needed to achieve these goals. We do not run targeted ads, we do not build profiles of users across the web, and we do not share this data with advertising networks for any other reason.
What we collect when people visit the site
We use PostHog (hosted in the EU) for website analytics. This tells us things like which pages people visit, how long they stay, what browser they use, and where they came from. This data is anonymised; it is never tied to any specific person.
What we collect when users sign up
To sign up, users fill out a short questionnaire via Typeform. You can see the latest version of the form on our homepage. We assess eligibility before we ask for contact details. If a user falls outside our scope, we direct them to more appropriate services.
If a user is eligible, we also record the referral data attached to their visit (UTM parameters) so we can connect the sign-up to the campaign that caused it. This is how we measure whether our outreach is reaching the right people, as described above.
What we collect during coaching
From clients, coaches collect:
Booking details
Sessions are scheduled via Google Calendar. Your name, email address, and session times are visible to your coach through their calendar.
Session notes
Your coach writes brief summaries after each session to track your progress. These are stored in an encrypted database and are only visible to your coach and their line manager. Senior management can access them only if there is a concern about someone's safety (e.g., if a client shares a plan to attack someone).
Email read receipts
We monitor whether clients read emails about their coaching programme. If a client suddenly stops reading emails, this can be a signal that something is wrong, and we would want to follow up via an alternative contact method if they provided one.
Wellbeing questionnaires
We send routine surveys to track how clients are doing. These help coaches adjust when something is not working. We use this data to calculate things like how much happier clients are before and after. We show statistics like that to donors. Without this information, we cannot keep the service free to use.
Testimonials
At the end of the programme, we may ask if you would like to share a testimonial. This is always optional.
Who sees your data
- Sign-up form responses: your coach and their line manager. Currently also processed by Typeform (GDPR and HIPAA compliant); we're moving off their service by March 2026 so there is one fewer third party with access to your data.
- Website visits (anonymised): processed by PostHog (EU-hosted). No personal details are included.
- Outcome data (anonymised): shared with partner organisations if you signed up through one, as summaries of client retention and outcomes only. Never your personal details.
- Booking details: visible to your coach and their managers via Google Calendar.
- Session notes: your coach and their line manager. Senior management can see them but will only do so if there is an urgent safety concern (e.g. if you threaten to harm someone).
Artificial intelligence
Coaches are never authorised to use AI tools during sessions without your explicit consent.
Coaches and other Overcome staff are never authorised to enter any personally identifiable information into any AI model, under any circumstances. We do not permit third parties to process client data with AI.
If you have specific requests around AI, email clients@overcome.org.uk before signing up. If you've already signed up, email both your coach and clients@overcome.org.uk to let us know.
How long we keep it
We keep all personally identifiable information in an encrypted database.
For applicants and prospective trainees, we store applications for 6 years for those we accept (in line with UK government guidance on learner data retention for training providers) and 3 years for unsuccessful applicants (as applicants may reapply within this period). After this period, we anonymise the data by removing all identifiable information (e.g., email, CV, name), but keep scores and rankings. Applications are stored for 10 years where dishonesty or misconduct is strongly suspected (e.g., apparent lies on CV).
We keep disciplinary records for coaches, trainees, and staff (e.g., formal warnings) for as long as is necessary to protect clients and prevent those individuals from rejoining the organisation, assessed on a case-by-case basis.
We store all coaching data, including session notes, wellbeing questionnaires, and communication records, in an encrypted database. 7 years after the programme ends (as recommended by the Association for Coaching), we anonymise this by removing all identifiable information, retaining only outcomes, age group, and country. You can request earlier anonymisation by emailing us. Anonymising this information helps us understand who our service works well for and where we need to improve.
We keep all evidence of grossly unacceptable client behaviour (e.g., stalking) for as long as is needed to protect our staff and coaches. What exactly we store would depend on the nature of the incident. At the time of writing, we have had to do this approximately 5 times, affecting less than 0.1% of clients.
How to get in touch
- Questions about this policy: enquiries@overcome.org.uk
- Questions about your data during coaching: clients@overcome.org.uk
The long legal version
This section covers our formal obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data controller
Overcome (Charity Number 1191308), registered in England and Wales, is the data controller for the personal data described in this policy.
Legal basis for processing
We process personal data under the following UK GDPR lawful bases:
Legitimate interest (Article 6(1)(f))
Tracking referral sources (UTMs, Google Click ID) to evaluate whether campaigns and partnerships are directing appropriate referrals to a mental health service with a defined clinical scope. This applies to both client and trainee recruitment. Our legitimate interest is preventing unsuitable referrals, whether people who need crisis or specialist support, or applicants who are not suitable to be coaches (e.g. dishonest, unreliable).
Contract (Article 6(1)(b))
Processing names, email, and session data as necessary to deliver the coaching programme users signed up for, including scheduling sessions via Google Calendar, sending session summaries, and tracking user progress.
Consent (Article 6(1)(a))
Optional marketing communications. Optional cookies beyond essential (redirect cookies, session recording). Testimonials.
Legal obligation (Article 6(1)(c))
Where we are required to process or retain data to comply with UK law, including safeguarding duties where we have reason to believe a client is at risk of harm or harming others.
Explicit consent (Article 9(2)(a))
For any data entered into any form.
Your rights under UK GDPR
You have the following rights. To exercise any of them, email enquiries@overcome.org.uk.
| Right | What it means |
|---|---|
| Access | You can ask us for a copy of all the personal data we hold about you. We will respond within 30 days. |
| Rectification | If any of your data is inaccurate, you can ask us to correct it. |
| Erasure | You can ask us to delete your personal data. We will do so unless we have a legal obligation to keep it (e.g. safeguarding). |
| Restriction | You can ask us to stop processing your data in certain circumstances while we resolve a dispute or verify accuracy. |
| Portability | You can ask for your data in a structured, machine-readable format so you can transfer it to another service. |
| Objection | You can object to processing based on legitimate interest. We will stop unless we can demonstrate compelling grounds. |
| Withdraw consent | Where processing is based on consent (e.g., marketing, optional cookies), you can withdraw that consent at any time. |
All clients also have the right to stop using our service at any time and to choose what they disclose during coaching sessions.
Data retention schedule
| Data type | Retention period |
|---|---|
| Application data for coaches and prospective trainees (e.g., CVs, quiz responses, rankings) | 6 years if accepted, 3 years if unsuccessful. 10 years if dishonesty or misconduct is strongly suspected (e.g., apparent lies on CV). |
| Coach training data (e.g., quiz scores, roleplay feedback, assessment results) | 6 years, in line with UK government guidance on learner data retention for training providers. |
| Disciplinary records for coaches, trainees, and staff (e.g., formal warnings) | Retained as long as necessary, judged on a case-by-case basis. Kept to protect clients and prevent those individuals from rejoining the organisation. |
| Coaching data (e.g., session notes, wellbeing questionnaires, communication records) | 7 years after the programme ends (as recommended by the Association for Coaching), then anonymised. You can request earlier anonymisation by emailing us. Anonymising this information helps us understand who our service works well for and where we need to improve. |
| Sign-up data (e.g., name, email, questionnaire responses) | 7 years after the programme ends, then anonymised. |
| Evidence of grossly unacceptable client behaviour (e.g., stalking) | Retained as long as necessary, judged on a case-by-case basis. Kept to protect staff and coaches. |
| Website analytics | No personal data is retained. |
| Cookie consent preferences | One year or until you clear your browser storage. |
Data security
- Forms: Sign-up forms (currently Typeform, being phased out by Q3 2026) are GDPR and HIPAA-compliant, rated A by UpGuard (July 2025).
- Scheduling: Sessions are booked via Google Calendar. Your name, email, and session times are stored within Google Workspace.
- Database: Password-protected with two-factor authentication, also rated A by UpGuard.
- Access control: Your data is accessible only to your coach, their line manager, and, when there is concern about someone's safety, senior management.
- Encryption: Session data is stored in an encrypted database.
Data sharing and processors
We share personal data with the following third-party processors:
| Processor | Purpose | Location |
|---|---|---|
| PostHog | Website analytics, cookie consent, session recording | EU |
| Typeform | Sign-up questionnaire (being phased out by April 2026) | EU |
| Google Calendar | Session scheduling | UK/EU |
| Google Meet | Video calls for coaching sessions | UK/EU |
| Zoom | Video calls for coaching sessions | US (adequacy safeguards) |
| Airtable | Some database functions (being phased out in Q3 2026) | EU |
We may also share data in the following circumstances:
- Partner organisations: If you signed up via a partner, we share anonymised summaries of client retention and outcomes to evaluate the partnership. We do not share anything specific to one user (e.g. name, emails, session notes).
- Legal authorities: Where required by UK law, including safeguarding obligations where we believe a client is at risk of harm.
We do not share data with advertising networks, data brokers, or any other third parties.
Third-party links
Our website and coaches may link to or recommend third-party websites and resources. We are not responsible for the privacy practices of those sites, and we encourage you to read their privacy policies.
International transfers
PostHog is hosted in the EU. Typeform is based in the EU (being phased out by May 2026). Session scheduling uses Google Calendar (Google Workspace). Coaching sessions take place over Google Meet or Zoom; their privacy policies apply to the video call infrastructure. We do not transfer personal data outside the UK/EU except as necessary for these services, all of which provide adequate safeguards under UK GDPR.
Changes to this policy
We will update this page when the policy changes and note the date at the top. If we make significant changes that affect how we handle your data, we will email active clients directly.
Contact
For any questions or requests regarding this policy:
- General Email: enquiries@overcome.org.uk
- For active clients: clients@overcome.org.uk
Overcome, Charity Number 1191308, registered in England and Wales.