Limbic Access
Privacy Policy, UK

Version 3 | Last Updated: 5 June 2025

OUR PRIVACY PROMISE

We take your privacy seriously. We only collect the information we need to help connect you with mental health services. We’ll always protect your data, explain what we’re doing with it, and respect your rights.

If you have any questions, you can reach us at:

data.enquiries@limbic.ai
Address: FAO Data Protection Enquiries, CTO/Director,
Kemp House, 160 City Road, London, EC1V 2NX
Who We Are

We’re Limbic Limited, a UK company helping people get access to mental health support through our chatbot, Limbic Access.

Company number: 11093861

Data protection registration: ZA779212

We follow data protection laws to make sure your data is handled safely and fairly.

What This Policy Covers

This privacy policy explains:

  • What data we collect and why
  • How we use and store your data
  • Who we share it with
  • Your rights over your data
What Data We Collect

Depending on how you use our chatbot, we might collect:

  • Identity info: Name, date of birth, NHS number
  • Contact info: Email, phone number
  • Messages: Anything you tell us in the chatbot or by email
  • Usage info: For example, how long you use the chatbot, where you click in the chatbot
  • Health info: Info about your mental health, symptoms, medication, and sensitive things like ethnicity or sexuality if needed by your care provider

We don’t collect info about criminal records or anyone under age 13. Please don’t share that.

How We Collect Your Data

We collect information:

  • When you use our chatbot
  • When you contact us
  • If you give feedback or fill out a survey
  • When you give us permission to use your data

Sometimes we may get your info from health services or platforms that help us provide the chatbot.

Why We Use Your Data

We use your data to:

  • Help you get referred to mental health services
  • Keep our chatbot running smoothly and fix bugs
  • Improve our services and do research (only with anonymised data)
  • Respond to questions or feedback
  • Meet our legal and safety obligations

We only use the data when we have a good reason - either:

  • You’ve given us permission
  • We need it to provide our service
  • It’s required by law
  • It helps us run our service properly and fairly
Special Health Data

Health info is sensitive, so we only use it:

  • With your permission
  • To support you to get care
  • To improve healthcare (in anonymised form only), and only if you agree for your data to be used in this way.

You can choose not to share health info, but this may limit how much we can help you.

Who We Share Data With

We only share your data when it’s necessary — either to provide our service, meet legal duties, or support your care. We never sell your data.

We may share your data with:

  • Health professionals or organisations involved in your care
  • People working at Limbic who need it to provide support
  • Companies that help us run the chatbot and keep it safe (“third parties”)
  • Regulators, legal advisers or law enforcement (only if required by law)
  • Another organisation if our company is ever sold or merged

Who We Share Your Data With (Third Parties):

  • Amazon Web Services (AWS): Cloud hosting for our chatbot and systems
  • MongoDB Atlas: Stores chatbot data securely (hosted on AWS)
  • Sentry: Tracks errors and technical problems
  • Mixpanel: Helps us understand how people use the chatbot
  • Professional advisers (e.g. regulators, auditors, security experts we use to help us): Help us comply with the law and protect our business
  • Health partners: If you’re referred, we may share info with your care team or local mental health service provider

We make sure all these services meet strict security and privacy standards and only use your data for the tasks we’ve asked them to do.

Transferring Data Abroad

Sometimes, your data may be stored or accessed outside the UK or EU. We only allow this when:

  • The country has strong privacy protections
  • There are proper safeguards like contracts in place
  • It’s necessary for legal reasons

We make sure your data is protected no matter where it is.

How Long We Keep Your Data

We only keep your data as long as needed to:

  • Provide you with our services
  • Meet legal or regulatory rules
  • Defend legal claims

Once it’s no longer needed, we delete it - usually within 30 days.

How We Keep Your Data Safe

We protect your data using strong security measures. We follow standards like:

  • NHS Data Security and Protection Toolkit
  • ISO 27001
  • Cyber Essentials
  • DCB0129
  • Medical device safety regulations

If there’s ever a data breach that puts you at risk, we’ll let you know as soon as possible.

Your Rights

You have the right to:

  1. Ask for a copy of your data
  2. Ask us to correct wrong data
  3. Ask us to delete your data
  4. Limit how we use your data
  5. Ask us to send your data to someone else
  6. Say no to how we use your data

To do this, just email us at data.enquiries@limbic.ai. We’ll send your data in a format that’s easy to read and can be used by another service.

We don’t currently use automated decisions that affect your care or legal rights. If this ever changes, we’ll tell you first and explain how it works.

How to Complain

If you have any concerns, contact us first:

data.enquiries@limbic.ai

You can also contact the UK’s data protection regulator:

Information Commissioner’s Office (ICO)

www.ico.org.uk
Changes to This Notice

We’ll update this notice when needed, the table below shows any changes made.

Summary of Changes
Document VersionDateWhat Changed
1.001/07/2022First published
1.006/08/2023Update to data sharing info
1.005/06/2025Language simplified for readability and layout