In most software companies, security and privacy are engineering concerns. In a clinical platform, they are ethical ones. The same duty of care that governs how a psychologist handles patient information governs how Aureum handles platform data.
UK GDPR & DPA 2018
All data handling is architected to meet UK GDPR and Data Protection Act 2018 requirements from day one. Individual psychological data is never sold, never shared with advertisers, never used for profiling. Users retain full access, rectification, and erasure rights at all times.
As a registered data controller with the Information Commissioner's Office, Aureum operates under legal obligations that go beyond policy commitments.
NHS DIGITAL STANDARDS
Platform architecture is being developed in alignment with NHS Digital Data Security and Protection Toolkit (DSPT) requirements and the Digital Technology Assessment Criteria (DTAC) for digital health tools.
Clinical records handled to the standard appropriate for therapeutic data, consistent with the confidentiality obligations of registered health practitioners.
DATA ENCRYPTION
All data is encrypted in transit using TLS 1.3. Data at rest is encrypted using AES-256. Session notes and clinical records are encrypted at the record level, meaning individual records cannot be accessed in bulk even in the event of a breach.
Platform infrastructure is hosted exclusively within the UK and EU. No personal data is transferred outside GDPR jurisdiction without explicit user consent.
DATA PARTITIONING
Individual, clinical, and corporate data are held in separate logical partitions with independent access controls. Employers cannot access individual employee psychological data under any circumstance.
Executive tier data is categorically isolated from standard employee data within the same organisation. Clinicians can only access records of consented clients within their own caseload.
We collect the minimum data necessary to deliver a personalised, clinical-grade experience. Nothing is collected for advertising or profiling purposes. Ever.
ACCOUNT DATA
Identity and access
Name, email address, and authentication credentials. Required to operate your account. Never shared with third parties without consent.
CLINICAL DATA
Psychological and health information
Assessment responses, programme progress, session notes, and outcome measures. Held as special category data under UK GDPR. Encrypted at record level. Your rights apply in full.
USAGE DATA
Engagement and platform behaviour
Which tools you use, when, and for how long. Used solely to personalise your programme and surface progress insights. Anonymised before any aggregate analysis.
CORPORATE DATA
Aggregate workforce intelligence
Employers receive only anonymised, aggregate data. No individual employee data is accessible to HR teams or managers under any configuration of the platform.
CLINICAL RECORDS
Practitioner session data
Session notes and clinical records are accessible only to the treating practitioner and the consented client. Aureum does not access or process clinical session content.
WHAT WE DON'T DO
Never, under any circumstances
We do not sell data. We do not serve advertising. We do not profile users for commercial purposes. We do not share individual psychological data with employers. We do not transfer data outside GDPR jurisdiction.
RIGHT OF ACCESS
You can request a full copy of all data Aureum holds about you at any time. We will provide it within 30 days, in a portable, machine-readable format.
RIGHT OF ERASURE
You can request deletion of your account and all associated data at any time. Deletion is permanent and completed within 30 days of request.
RIGHT OF RECTIFICATION
You can correct inaccurate data held about you at any time through your account settings or by contacting us directly.
DATA PORTABILITY
You can request export of your data in a standard format for transfer to another service at any time. Your progress data belongs to you.
CONSENT WITHDRAWAL
Where processing is based on consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of prior processing.
COMPLAINTS
If you believe your data rights have been breached, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk.
DOCUMENT 01
Privacy Policy
Full detail on what data we collect, how we use it, who we share it with, and your rights. Governing document for all personal data processing.
View document →
DOCUMENT 02
Terms of Use
The terms governing your use of the Aureum platform, including acceptable use, intellectual property, and limitations of liability.
View document →
DOCUMENT 03
Cookie Policy
What cookies and tracking technologies we use, why, and how to manage or disable them. Minimal cookies, clear purpose.
View document →
DOCUMENT 04
Clinical Disclaimer
Clarification of the nature of the platform, the clinical status of its tools, and the scope of practitioner relationships within Aureum.
View document →
Contact our data team directly at admin@aureumglobal.co.uk, or use the form below. We aim to respond to all data enquiries within 5 business days.