top of page

Privacy and Cookies Policy 

Privacy and Cookies Policy 

At The Sandbox we take the privacy and safety of our users very seriously. We have written this document to tell you:

1. about how we protect your personal data

2. and how we work to keep you safe​

What is Data Protection?
There is a law called the Data Protection Law which is there to ensure that we use your personal data lawfully, in order to protect it.

The Sandbox is called a data controller, our registered office is at:
Mindler Ltd
25 Wilton Road,
Telephone: 020 4574 6366

What information do we need to collect and why?

When you use The Sandbox we need to collect some personal information from you - this is known as Personal Data.

When you sign up to The Sandbox we ask for:

  • The area that you live in

  • Your GP practice

  • Your date of birth

We need this data to be able to provide a service to you. Our legal basis for processing this data is to provide healthcare services to you.

We also collect additional data, which is called ‘special category data’:

  • Your gender identity

  • Your ethnicity

This data is collected under the legal basis ‘legitimate interest’.  It helps us to measure how we are performing as a service and to improve our service. This data is provided to the organisations who make our services available to you. Any data shared in this way is fully anonymous, non-identifiable data and is used to help inform the organisations about usage of the service, including, but not limited to:

  • Number of registrations

  • Sandbox Site usage

  • Issues faced by service users

  • Outcomes achieved

Although this is personal data, it will NOT:

  • Identify an individual user or

  • Allow us to trace or find an individual

We do not ask you for any information that may identify you when you sign up.

The use of cookies in The Sandbox:
Our website uses cookies to distinguish you from other users of our website.  This helps us to provide you with a good experience when you browse our website and also allows us to improve our website.

We use the following cookies:

Strictly necessary cookies:

These are cookies that are required for the operation of our website.  They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services. These are always used.

Analytical or performance cookies:

These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. You can choose whether or not to opt in.

Functionality cookies:

These are used to recognise you when you return to our website.  This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region). You can choose whether or not to opt in.

Targeting cookies:

These cookies record your visit to our website, the pages you have visited and the links you have followed.  We will use this information to make our website more relevant to your interests.  You can choose whether or not to opt in.

Your Data - Your Rights
As the owner (aka ‘Data Subject’) of your personal data, you have certain rights under the General Data Protection Regulations (GDPR) to find out about our use of your personal data.

You have:

The Right to be informed - by providing you with this document, we are giving you the information about your data that is collected and held by us,

The Right of access - you can ask about your personal data that we hold - this is called a “data subject access request”,

The Right to rectification - you can tell us if the data we hold is wrong or incomplete and ask us to put it right,

The Right to erasure - you can request erasure of your personal data. This enables you to ask* us to delete or stop processing your data. (*There may be times when we can’t do this though because we are required by law to hold it for a certain time),

The Right to restrict processing - you can object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing,

The Right to data portability - you can ask us to securely transfer your personal data to another data controller,

The Right to object - you can ask us to stop the processing of your personal data for a period of time if data is inaccurate or there is a dispute about its accuracy or the reason for processing it.

If you wish to do any of these things, log in to your Sandbox account and message a member of The Sandbox team and they will help you.

If you think that we have failed to handle your data properly or have not allowed your rights listed above, you have the right to make a complaint to the Information Commissioner’s Office.

Your right to withdraw your consent
You have the right to withdraw consent if you have shared any personal data with us. You can withdraw your consent to share information at any time. You can request to withdraw your consent by sending a message to The Sandbox team when you are logged in.

Additional Information on how we improve our services
We may use the data we collect to measure how we are performing as a service and to improve our service. This information is always anonymised, therefore it could not be used to identify you.

We continuously try to improve our service, which may involve introducing new processes. In these circumstances, we carry out a risk assessment into the impact of this on your data.

Case studies
We may be asked by the organisations who pay for the service, to provide them with anonymous case studies of our work with service users. This is so they can see how well The Sandbox is performing in our role in supporting you.

Our team at The Sandbox also have to take part in ongoing training and development so that they can be best placed and trained to support you. This means that they sometimes also have to write case studies for their courses or training.

Whenever a case study is written, we never use any of your personal data. It will never be possible to identify you from these case studies.

Consent & Privacy Policy For Users Who Sign Up To Our Service

How we use what we know about you:

We record how you are getting on in The Sandbox and we use that to help us to help you. This is called your personal information, and we will keep it confidential and secure. 

Keeping you safe

If you start therapy with the Sandbox, we will tell your Doctor (NHS GP) so your records are kept up to date. 

If we are really worried about you (including if you are having thoughts of harming yourself) we may need to share your personal information with someone else to keep you safe. We will ask for your permission before doing so, and you may wish to talk to that person yourself before we speak to them. However, if the situation is very serious, such as an emergency, we may need to act without talking to you first. 

What age is The Sandbox suitable for?

The Sandbox is open to anybody aged between 5 to 25. If you’re younger than 12, you’ll need a parent or guardian in the room with you during therapy sessions.  ​

Creating an account on The Sandbox 

Mindler’s services are provided to you by Hertfordshire County Council and South Staffordshire Councl. Depending on your symptoms and assessment, and the referral pathway you are on, you may access a range of different services as part of our “Stepped Care Model” including:  

  • Getting Advice - access to The Sandbox website, downloads, games, livestreams, forums and live chat

  • Getting Help – an online course of iCBT called "The Sandbox Academy”

  • Getting More Help -  1x1 CBT therapy delivered via video sessions

What personal information we receive about you

Our services involve the collection of personal information about you to help us ensure we can provide you with the right help and advice.

We will receive information about you from your local council, or from another organisation that works with them, such as the NHS, your GP, or your school. You, or your parent or guardian, will have given consent to that organisation to them sharing your information with us. This initial information normally includes –

  • your name;

  • age;

  • date of birth;

  • NHS Number;

  • home address,

  • the name of your GP,

  • your school,

  • the diagnosis (if you have one) and

  • the reasons you are seeking the advice.

We may also receive more detailed information about your health as you progress through our services. This will all be kept confidential and only used strictly in connection with providing you with health care services or ensuring your wellbeing.

We will receive and use your personal information for the purposes of providing you with healthcare services in the form of web-based advice and help from therapists. The advice is designed and provided under the responsibility of professional therapists who will use your information strictly in accordance with professional rules of confidentiality. 

How we will use your information

Getting Advice 

The Sandbox website allows you to read or watch helpful content; to follow our social media accounts and to join our Live Chat service.


Getting Help and Getting More Help


How you will consent to receive healthcare services

If you are under 12 years of age we need the explicit consent of your parent or guardian to give you access to these services.

If you are 12 years of age or older, or if you have been assessed as able to provide this consent (this is called being “Gillick Competent”), we will seek your explicit consent before giving you access to these services. Your therapist will ask you if your parents or guardian are aware of the treatment that you are receiving. It can be helpful to involve them in your care journey, and your therapist will give you the option of involving them in your care. However, no one at Mindler will contact your parents or guardian, without you providing explicit consent for us to do so.


Sharing your data with your GP

If you are receiving therapy with Mindler, we will share your information with your NHS GP and with the organisation that referred you to us. In some circumstances, we may need to share your information with the Children and Adults Mental Health Services (CAMHS). This is so that we can ensure your NHS medical records are up-to-date and that your ongoing NHS care is coordinated properly. 

Emergency use of data and safeguarding 

We do not share your personal information with any third parties for any reason other than strictly in connection with your healthcare or well-being. If we believe that there are reasons for taking urgent action to protect you from harm we may need to share your personal information.

This could be your parent/guardian, your NHS GP, other health or social care organisations, or exceptionally the emergency services. We will usually seek your consent before doing so, but if the situation is serious we may need to take action without speaking to you first. 

Transferring your information outside the UK

Sometimes, we may need to send your personal data to a country outside the EU, EEA, or the UK. If we do this and the country doesn't have the same strong data protection rules, we will take special steps to keep your data safe and protected, just like it is within the EU, EEA, or the UK. This means we use proper legal and security measures to protect your data when it's sent to another country and to comply with the requirements set out in the Data Protection Act Chapter V. 

Storage of your personal information

The personal information is kept only for as long as it is needed to ensure we can provide the service to you effectively and keep our own records for healthcare reasons and in order to inform the NHS about your referral and progress and help with managing health services. At any time, you can ask to see what data we hold about you. 

Data Protection Officer

Mindler has a special person called a Data Protection Officer (DPO) to help with questions about your personal data. Our DPO is Bird & Bird DPO Services SRL. If you have any worries or complaints about how we use your personal data, the DPO can be contacted via email at


You can also write a letter to our DPO at this address: Bird & Bird DPO Services SRL, Avenue Louise 235 b 1, 1050 Brussels, Belgium. 

If you are still not happy after talking to our DPO, you have the right to complain to the Information Commissioner’s Office (ICO), which is like a referee for data protection in the UK. Their website is However, we would really like to help you first, so please talk to us before going to the ICO.

This document was last updated on 2024-06-13. 

bottom of page