MOAI Clinical policies document

Cancellation

MOAI cancellation policy - At MOAI Health Ltd, we recognize that clients may sometimes need to make changes to their appointments. If you are unable to keep your appointment, we kindly request that you inform us as soon as possible through our contact telephone number 02080898007 or via email at contact-us@moaihealth.app.

We offer our clients the option to cancel or reschedule their appointments at no additional cost, provided that we receive notice at least 48 hours in advance of the scheduled appointment time. 

In the event that less than 48 hours' notice is given, the following terms and conditions will apply:

Appointments that are cancelled or rescheduled with less than 48 hours' notice will be charged at 100% of the full fee.

For any inquiries or concerns regarding our appointment cancellation and rescheduling policy, please contact us through our email address provided above.

Complaints 

Raising a Complaint

Patients, their family or carer can raise a complaint with MOAI Health Ltd in writing, by phone, email, or in person. Details of how to make a complaint will be prominently displayed on webpages and in clinical staff signatures.

Upon receipt of the client's complaint, we will promptly acknowledge it in writing and provide a copy of our complaints policy, usually within five working days. 

We will then proceed to investigate the matter and provide a response within a reasonable timeframe, keeping the patient informed of the estimated timescales. The investigation will follow the steps below:

Step 1 - In-house

Investigation

Upon receiving your complaint, it will be reviewed by our head of Administration. If deemed necessary, they will discuss the matter with the consultant in question before providing you with a response. 

Response

The response will include a summary of the investigation, the decision made regarding your complaint, the reasons for this decision, and any redress that can be offered, such as a verbal or written apology, a refund or deduction in fees, or other suitable measures. 

Furthermore, the response will also summarise any actions that will be taken as a result of your complaint. In the event that the investigation requires additional time, we will send you a letter explaining the rationale for the extension and proposing a date for the response. 

Please note that we keep proper and comprehensive records of all complaints received. 

Further Review Requested

If the complainant is not satisfied with the response, they can request a review of the decision as per Step 2.

Step 2 - In-house Independent Director Review

Director Review

A review will then be carried out by one of the MOAI Health directors who has not been involved in the initial investigation. They will gather input from both the complainant and the clinician in question.

Step 3 - Third Party Independent Review

Independent Review

If the complainant is still not satisfied with the response after the review, they can request an independent review. 

The Care Quality Commission (CQC) encourages (as a matter of good practice) all independent healthcare providers to offer an independent external review stage that can provide patients with a route to resolve a complaint if it is not resolved via the providers’ in-house complaints process.

Complainants dissatisfied with the earlier stages of review can request an independent review with the Independent Sector Complaints Adjudication Service (ISCAS), which is hosted within the Centre for Effective Dispute Resolution. This scheme provides independent mediation between subscribing organisations and their patients if they are unable to resolve their complaints directly through the organisation's own complaints procedure.

Learning

MOAI Health will use the information gathered from complaints to improve the quality of care that we provide. Complaints are important feedback and form part of the information gathered by MOAI Health’s Feedback Lead as part of our Clinical Feedback Policy.


Confidentiality

MOAI Health recognizes the importance of protecting clients' personal and health information, and is committed to ensuring that all personal and health information is kept secure and confidential. This policy is based on the legal and regulatory frameworks in the UK, including the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Caldicott Principles, the Care Quality Commission (CQC) regulations, and the NHS Digital Records Management Code of Practice for Health and Social Care 2016.

The General Data Protection Regulation (GDPR) is a European Union regulation that sets out rules for how personal data should be processed and protected. The GDPR applies to all EU member states and provides a framework for data protection across the region. The Data Protection Act 2018, on the other hand, is the UK’s implementation of the GDPR and sets out rules for how personal data should be processed and protected in the UK.

The Caldicott Principles provide a framework for ensuring the confidentiality and security of personal and health information. The principles are a set of guidelines that were developed in the UK in response to concerns about the confidentiality of patient information. The principles set out the responsibilities of health and social care organisations when handling personal and health information.

The Care Quality Commission (CQC) is an independent regulator of health and social care services in England. The CQC sets standards for care and regulates health and social care providers to ensure that they meet these standards. The CQC also ensures that providers comply with relevant legislation, including the Data Protection Act 2018 and the Caldicott Principles.

The NHS Digital Records Management Code of Practice for Health and Social Care 2016 provides guidance on the management of health and social care records in England. The code of practice sets out the legal and regulatory requirements for managing records, including requirements for confidentiality, security, and retention.

By complying with these legal and regulatory frameworks, MOAI Health ensures that clients' personal and health information is kept secure and confidential. This includes implementing appropriate technical and organisational measures to protect personal and health information from unauthorised access, disclosure, alteration, or destruction. Additionally, MOAI Health ensures that all employees and contractors are trained on their responsibilities for protecting personal and health information and are required to sign confidentiality agreements.

Privacy notice

We are MOAI Health® Limited, operating as MOAI (“we”, “us”). Our registered office is at 112, Scylla Road, Nunhead Scylla Road, London, England, SE15 3RZ and our company number is 12924603.

Our privacy notice is designed to tell you about our practices regarding the collection, use and disclosure of personal information which may be provided to us via our website, associated apps and other digital products we provide or collected through other means such as email, an online form, or telephone communication.

In this notice “you” refers to any individual whose personal information we hold or process (other than our staff), and in most circumstances, this will be the individual undertaking our wellbeing assessments. However, it may also relate to our client, the organisation who has engaged us for our services, or a visitor to our website.

This notice is prepared in compliance with applicable data protection legislation including the EU General Data Protection Regulation (the “GDPR”), the Data Protection Act 2018 and UK GDPR. For the purposes of this notice, “UK GDPR” means the GDPR as such regulation is adopted into the law of the United Kingdom pursuant to the European Union (Withdrawal) Act 2018 and as amended by the Data Protection Act 2018 and any successor regulation or law.

The type of personal information we collect

We currently collect and process at least some if not all of the information set out below from you:

Questionnaire Information: Most of the data you provide to us is in the form of questionnaire answers. These are answers to questions such as ‘Other people in this organisation take my opinions seriously’ and are normally in the form ‘Sometimes/always’ etc., or a number 1-11. These answers are generally considered ‘non-identifiable’. That is, it would be very difficult for anyone to identify you specifically from these answers alone. We are interested in looking for correlations between these questionnaire answers and demographic information. To facilitate this enquiry, we ask you for personal information, including certain sensitive personal information. Specifically, we collect personal data revealing age, gender, weight, height, address, current postcode, prior postcode, ethnicity, religious beliefs, area of employment, type of employment, relationship status, sexual orientation, disability, salary, and years in service.

Client Information: This means information which we hold because you are a client of ours (e.g. as the organisation who has engaged us for our services) and which we process during the course of providing our services to you and your members/employees.

Communication Information: This means a record of any correspondence or communication between you and us.

How we get the personal information and why we have it

Most of the personal information we process is provided to us directly by you for one of the following reasons:

Your organisation is interested in assessing their members’ wellbeing through our services. The questionnaire answers you provide are summarised in statistical reports and analyses that aim to give a snapshot of a group of people and what their answers to these specific questions may mean with regards to the wellbeing of the group.

We are interested in researching how people answer these questionnaires, what groups of people answer them perhaps differently from other groups and what it means in terms of their overall wellbeing.

We can also receive personal information indirectly, from the following sources in the following scenarios:

Our survey platform provider. When you respond to one of our assessments, they provide the type of device (Mobile vs Web) and the time at which the response was registered. Your organisation may provide us with your email address initially to deliver our assessments. This information is used only to deliver the assessment via email while your organisation retains our services. We will keep your email address (stored separately from all of your other information as described above) until your organisation or you no longer wish to be contacted for ongoing assessment.

Our authentication provider such as Google Identity Platform or Microsoft Azure Active Directory provides us with your email address if you explicitly consent and you choose to use one of these platforms to sign into the MOAI Health app.

We use the information that you have given us in order to:

Produce summary reports for your organisation to understand the wellbeing of their employees/members.

Research and understand how we can measure ‘wellbeing’ as a concept, what it might mean in day-to-day terms and how we can help companies and individuals improve their wellbeing.

Allow you to log on to our platform securely using your Google or Microsoft account.

We may share anonymised information with:

As noted above, your organisation, in the form of summary reports. Again, only in anonymised form.

Members of the MOAI Health Ltd team for internal operations and research purposes.

Legal basis for processing your personal information

Under applicable data protection legislation, we must rely on a legal basis in order to lawfully process your personal information. In most circumstances, we will process personal information we hold about you because you have specifically consented to this – for instance as part of completing a wellbeing assessment/questionnaire. Please note you are able to withdraw your consent at any time if you wish to; however, this will not affect the lawfulness of consent prior to withdrawal.

We may also process your personal information because:

It is necessary in order for us to comply with our obligations under a contract between you and us – for instance if you are an organisation and have engaged us for the provision of our services;

The processing is necessary in pursuit of a “legitimate interest” - a legitimate interest in this context means a valid interest we have or a third party has in processing your personal information which is not overridden by your interests in data privacy and security; or

The processing is necessary to comply with a legal obligation.

How we store your personal information & data retention periods

We will take all reasonable steps to ensure that appropriate technical and organisational measures are carried out in order to safeguard the information we collect from you and protect against unlawful access and accidental loss or damage.

These measures may include (as necessary):

protecting our servers by both hardware and software firewalls;

locating our data processing storage facilities in secure locations;

encrypting all data stored on our server with an industry standard encryption method. By way of example, your information is securely stored in an encrypted form in servers run by GOOGLE LLC in many regions across the world, details of which can be found here. Google’s cloud platform privacy policy can be found here;

when necessary, disposing of or deleting your data securely;

regularly backing up and encrypting all data we hold.

We keep different types of information for different periods of time as outlined below:

Personal Information:

We will retain this information for as long as our users wish to undergo wellbeing assessments or interventions, and up to a maximum of 5 years thereafter, after which time the information will be securely deleted.

Questionnaire Information:

We will retain this information for as long as our users wish to undergo wellbeing assessments or interventions, and up to a maximum of 5 years thereafter, after which time the information will be securely deleted.

Anonymised information will be kept for ongoing research efforts into wellbeing for a maximum of up to 30 years after which time it will be permanently deleted.

Client Information:

We will retain this information for as long as the relevant organisation continues to engage us for our services and remains a client of MOAI, and up to a maximum of 5 years thereafter, after which time the information will be securely deleted.

Communication Information:

We will retain this information for as long as is deemed reasonably relevant given the particular circumstances at the time.

Marketing Information and Technical Information:

We will retain this information for a period of 3 years from the last date on which the user interacted with us.

Please note that any information which is anonymised falls out of scope in relation to applicable data protection law. However, in any event, once the above timeframes have elapsed we will then dispose of your information securely (such as by way of permanent deletion from Google’s Cloud servers, further information about which can be found here).

For any category of personal information not specifically defined in this notice, and unless otherwise specified by applicable law, the required retention period for any personal information will be deemed to be 7 years from the date of receipt by us of that data.

The retention periods stated in this notice can be prolonged or shortened as may be required (for example, in the event that legal proceedings apply to the data or if there is an on-going investigation into the data).

We review the personal information (and the categories of personal information) we are holding on a regular basis to ensure the data we are holding is still relevant to our business and is accurate. If we discover that certain data we are holding is no longer necessary or accurate, we will take reasonable steps to correct or delete this data as may be required.

Who we share your information with

We may disclose information to third parties in the following circumstances:

We may work with other professionals and providers in providing and delivering our services to you or your organisation, such as service technology provider Google Cloud.

In order to enforce any terms and conditions or agreements for our services that may apply.

If we are sub-contracting services to a third party we may provide information to that third party in order to provide the relevant services. See a full list of our sub processors detailed below.

We may disclose information to our group companies (as the case may be).

If we are under a duty to disclose or share your personal information in order to comply with any legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime).

As part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation.

To protect our rights, property and safety, or the rights, property and safety of our users or other third parties. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

If we do supply your personal information to a third party we will take steps to ensure that your privacy rights are protected and that such third party complies with the terms of this notice.

List of sub processors

| Subprocessor | Purpose of transfer | Personal data transferred | Sensitive data? | Country | Subprocessor Privacy Notice |
| --- | --- | --- | --- | --- | --- |
| Google LLC | Data storage and management | E-mail, DOB, gender, sex, sexuality, height, weight, employment parameters including salary, job title, employer team, psychological wellbeing data, loneliness data, organisational culture data. | Yes | UK | |
| Typeform LLC | Data gathering and storage | E-mail, DOB, gender, sex, sexuality, height, weight, employment parameters including salary, job title, employer team, psychological wellbeing data, loneliness data, organisational culture data. | Yes | US | |
| MongoDB Inc. | Data storage | E-mail, DOB, gender, sex, sexuality, height, weight, employment parameters including salary, job title, employer team, psychological wellbeing data, loneliness data, organisational culture data. | Yes | Belgium | |
| Twilio SendGrid | Email notifications and application communication | Email Address | No | Global | |
| Stripe Inc. | Payment processing | Email Address | No | US | |

Transferring your information outside of the UK or EEA

We will not transfer your personal information in a systematic way outside of the UK or European Economic Area (“EEA”) but there may be circumstances in which certain personal information is transferred outside of the UK or EEA, in particular:

From time to time, some of our data processors (such as hosting server providers), may be based outside of the UK or EEA. In that case, we will ensure we have an agreement in place with such processors to provide adequate safeguards and a copy of such safeguards will be available on request.

If you or your organisation uses our services while you are outside the UK or EEA, your information may be transferred outside the UK or EEA in order for us to provide our services or to communicate with you or your organisation (as the case may be).

We may communicate with individuals or organisations outside of the UK or EEA in providing our services. Those communications may include personal information (such as contact information).

From time to time your information may be stored in devices which are used by our staff outside of the UK or EEA (but staff will be subject to our cyber-security policies).

If we transfer your information outside of the UK or EEA, and the third country or international organisation in question has not been deemed by the EU Commission or Secretary of State (as the case may be) to have adequate data protection laws, we will provide appropriate safeguards and we will be responsible for ensuring your privacy rights continue to be protected as outlined in this notice.

Data breaches

If personal information we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to our data protection manager or officer (if an officer has been appointed) and/or the Information Commissioner’s Office (ICO) (as necessary).

If a breach is likely to result in a high risk to your data rights and freedoms, we will notify you as soon as possible.

Cookies

Like most websites and applications, we use cookies to help provide you with the best experience whilst using our service. Please note the information in a cookie does not contain any personally identifiable information you submit yourself to our website.

The cookies we use are split between the following categories:

Strictly Necessary Cookies - which are an essential part of our service and affect the way you can use our website (e.g. security & authentication);

Performance / analytics Cookies - which are used for analytics (e.g. understanding usage on our website);

Functionality Cookies - which collect information about your device to help you customise our service (e.g. remembering your timezone settings or accessing inline help); and

Targeting / advertising Cookies - these cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests.

Other than in relation to Strictly Necessary Cookies, we are generally required to obtain your consent prior to using cookies. On this basis and on your first visit to our website from your browser, we will display a cookie consent banner. We will only load the Strictly Necessary Cookies until you have clicked the “Accept” button on our cookies banner. If you click the “Accept” button our Functionality, Performance/Analytics Cookies will be loaded depending on your stated preferences.

For more information, please see our up-to-date cookie policy here.

Your data protection rights

Under applicable data protection law, you have rights including:

Your right to be informed - You have the right to know about our personal information protection and data processing activities, details of which are contained in this notice.

Your right of access - You have the right to ask us for copies of your personal information.

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

Your right to withdraw consent - You have the right to withdraw any permission you have given us to process your personal information.

Your rights in relation to automated decision making and profiling - You have the right not to be subject to automated decision-making (including profiling) when those decisions have a legal (or similarly significant) effect on you.

Please contact us at legal@moaihealth.app if you wish to make a request in respect of your rights. We will endeavour to comply with such requests as soon as possible but in any event we will respond to a data subject access request within one month of receipt (unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests).

Notification of changes to the contents of this notice

We will post details of any changes to our notice on our website to help ensure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties.

Contact us

If you have any enquiry or concerns about our use of your personal information, you can contact us at:

Address: 112 Scylla Road, Nunhead Scylla Road, London, England, SE15 3RZ

Email: legal@moaihealth.app

Complaints

If we are unable to resolve any issues you may have or you would like to make a further complaint, you can contact the Information Commissioner’s Office (“ICO”).

The ICO’s address:

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk