Privacy Notice.

Understanding how we handle your personal information under Bermuda PIPA

This Privacy Notice explains how Tuteca Ltd, trading as Solstice ("Solstice", "we", "us", or "our"), collects, uses, discloses, and protects your personal information, including sensitive healthcare information, when you engage with our services. We are committed to safeguarding your privacy and handling your personal information responsibly and in compliance with the Bermuda Personal Information Protection Act 2016 ("PIPA").

We encourage you to read this notice carefully to understand our practices regarding your personal information and how we will treat it.

1. About Tuteca Ltd, trading as Solstice

Tuteca Ltd, trading as Solstice, is a Bermuda-based mental health and wellness company dedicated to offering high-quality, confidential services to our clients. Our registered office is located at 18 Parliament Street, City of Hamilton, HM12, Bermuda.

2. Our Commitment to Your Privacy

Your privacy is paramount to us. We are committed to protecting the personal information we collect and process about you. This commitment extends to ensuring transparency about our data handling practices, providing you with control over your information, and maintaining robust security measures. We act as a 'Controller' of your personal information under PIPA, meaning we determine the purposes and means of processing your data.

Our Responsibilities

Solstice is a Data Controller of your information. This means we are responsible for collecting, storing, and handling your personal and healthcare information when you register with us as a client or enquire about our services and give us verbal consent to store your basic information.

There may be times when we also process your information. That means we use it for a particular purpose and, therefore, on those occasions, we may also be Data Processors. The purposes for which we use your information are set out in this Privacy Notice.

Your Responsibilities

Please read this Privacy Notice carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

3. What Types of Information We Collect

We collect various types of personal information to provide our services effectively and meet our legal and professional obligations. This includes both general personal information and special category personal information, particularly healthcare information.

3.1 General Personal Information

This may include, but is not limited to:

  • Identification Data: Your name, date of birth, gender, ethnicity, nationality, and contact details including work contact details (address, email address, telephone number).

  • Contact Information: Emergency contact details, next of kin.

  • Children's information: Date of birth, gender identity, ethnicity; your medical history; health insurance policy information; and parental consent.

  • Financial Information: Billing address, payment details (e.g., credit card information, bank account details for invoicing), insurance policy details.

  • Service Interaction Data: Records of appointments, communications with us (emails, phone calls, messages), feedback, and survey responses.

  • Technical Data: IP address, browser type and version, time zone setting, operating system and platform, and other technology on the devices you use to access our website or services.

3.2 Special Category Personal Information (Healthcare Information)

Due to the nature of our services, we routinely collect and process sensitive personal information, specifically healthcare information. This may include:

  • Medical History: Past and present physical and mental health conditions, diagnoses, treatments, medications, and family medical history relevant to your care.

  • Therapeutic Records: Session notes, treatment plans, progress reports, and assessments.

  • Lifestyle Information: Information about your lifestyle, social circumstances, and habits that are relevant to your health and treatment.

  • Referral Information: Details from referring healthcare professionals or organisations.

We only collect healthcare information that is directly relevant and necessary for the provision of our services to you.

4. How and When We Collect Your Information

We collect personal information from you through various channels and at different stages of your engagement with us:

  • Directly from You: When you enquire about our services, register as a client, complete forms, attend appointments, communicate with us via phone, email, or our website, or provide feedback.

  • From Third Parties: With your consent, we may receive information from other healthcare providers, referrers, insurance companies, or family members (e.g., emergency contacts).

  • Automatically: Through our website, via cookies and similar technologies, to understand how you interact with our online services and improve your experience.

5. Why We Collect Your Information (Purposes)

All information we collect is the minimum necessary to provide you with the best care possible, to comply with local regulations, or for insurance purposes.

  • To Provide Our Services: To deliver the specific mental health or wellness services you have requested, including assessment, diagnosis, treatment planning, and ongoing therapeutic support.

  • Client Management: To manage your client account, schedule appointments, send reminders, and communicate with you about your care.

  • Billing and Payments: To process payments for services rendered, manage insurance claims, and handle financial administration.

  • Legal and Regulatory Compliance: To comply with our legal obligations, including those under PIPA, and professional standards set by bodies such as the Bermuda Medical Council.

  • Internal Operations: For internal record-keeping, administrative purposes, service improvement, and quality assurance.

  • Safety and Emergency: To contact emergency contacts in urgent situations or to ensure your safety and the safety of others.

  • Communication: To respond to your enquiries, provide information about our services, and send important updates.

6. Lawful Bases for Processing

Under PIPA, we must have a lawful basis to process your personal information. Our primary lawful bases include:

  • Consent: Where you have given clear consent for us to process your personal information for a specific purpose (e.g., for certain marketing communications or sharing information with specific third parties). You have the right to withdraw your consent at any time.

  • Contractual Necessity: Where processing is necessary for the performance of a contract with you (e.g., to provide the therapeutic services you have requested) or to take steps at your request before entering into such a contract.

  • Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject (e.g., maintaining clinical records as required by the Bermuda Medical Council or other regulatory bodies).

  • Vital Interests: Where processing is necessary to protect your vital interests or the vital interests of another person (e.g., in a life-threatening emergency).

  • Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided your fundamental rights and freedoms do not override those interests (e.g., for administrative purposes, service improvement, or fraud prevention).

For special category personal information (such as healthcare information), we rely on specific additional conditions under PIPA, including:

  • Explicit Consent: Where you have given explicit consent.

  • Medical Purposes: Where processing is necessary for medical purposes, including the provision of healthcare or treatment, and is carried out by a healthcare professional or by a person subject to an equivalent duty of confidentiality.

  • Vital Interests: To protect your vital interests or those of another person where you are physically or legally incapable of giving consent.

  • Legal Claims: For the establishment, exercise, or defence of legal claims if we need your information to defend a legal claim against us by you, or by another party.

7. How We Share Your Information

We treat your personal information with the utmost confidentiality. We will only share your information in specific circumstances and with appropriate safeguards. For example, we will share it when we are required by law to hand over your information to any other organisation, such as the police, by court order, solicitors, or immigration enforcement.

We will never pass on your personal information to anyone else who does not need it or has no right to it unless you give us clear consent to do so.

7.1 Third-Party Processors

We may engage trusted third-party service providers (data processors) to perform functions on our behalf, such as IT support, payment processing, clinical record management systems, or administrative services. These providers are contractually bound to protect your information, use it only for the purposes for which it was shared, and comply with PIPA. They do not have permission to use your personal information for their own purposes.

7.2 Regulatory Bodies and Legal Requirements

We may disclose your personal information to regulatory bodies, such as the Bermuda Medical Council, or other governmental authorities, where required by law or professional ethical guidelines. This includes situations where we have a legal obligation to report certain information or to respond to a valid legal request.

7.3 Other Healthcare Professionals

With your explicit consent, we may share relevant healthcare information with other healthcare professionals involved in your care (e.g., your GP, specialists, or other therapists) to ensure coordinated and effective treatment.

7.4 Emergency Situations

In rare circumstances, where there is a serious risk of harm to yourself or others, we may be legally or ethically obliged to disclose information without your consent to relevant authorities or emergency contacts.

We may also share your information with anyone you have given your consent to view or receive your record, or part of your record. Please note, if you give another person or organisation consent in writing to access your record, we will not necessarily need to contact you to verify your consent before we release that record. It is important that you are clear about, and understand, how much and what aspects of your record you give consent to be disclosed.

Occasionally, your data may be handled by a select number of employees who are part of our Referrals Team or Child and Adolescent Programmes for support services. These employees are under strict duties of confidentiality. We may also share your data with financial recovery organisations in case of payment defaults.

8. International Transfers of Personal Information

As a Bermuda-based organisation, we primarily process your personal information within Bermuda. However, some of our third-party service providers or IT systems may be located outside Bermuda. When we transfer your personal information outside Bermuda, we ensure that appropriate safeguards are in place to protect your privacy rights, as required by PIPA. These safeguards may include:

  • Transferring to countries deemed to have an adequate level of data protection by the Bermuda Privacy Commissioner.

  • Implementing standard contractual clauses or other PIPA-approved mechanisms that legally bind the recipient to protect the personal information.

  • Obtaining your explicit consent for the transfer after informing you of the potential risks.

We will always strive to ensure that any international transfer is conducted securely and in a manner that upholds your data protection rights.

9. How We Protect Your Information (Security)

We are committed to ensuring the security of your personal information. We implement robust technical and organisational measures to protect your data from unauthorised access, alteration, disclosure, destruction, or loss. These measures include:

  • Encryption or password protection: Using encryption for data in transit and at rest where appropriate.

  • Access Controls: Restricting access to your personal information to authorised personnel on a need-to-know basis.

  • Physical Security: Protecting our premises and data storage facilities.

  • Cybersecurity Measures: Implementing firewalls, anti-virus software, and intrusion detection systems.

  • Staff Training: Regularly training our staff on data protection best practices and confidentiality obligations.

  • Secure Systems: Utilising secure electronic health record systems and communication platforms.

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems, and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.

10. How Long We Retain Your Information

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The specific retention periods vary depending on the type of information and the purpose of processing. For healthcare records, we adhere to professional guidelines and legal requirements, which typically mandate retention for a significant period after your last interaction; for example, your medical records are retained for at least 7 years, according to the Bermuda Medical Council.

Once your information is no longer required, we will securely delete or anonymise it.

11. Your Rights Under PIPA

Under PIPA, you have several important rights regarding your personal information:

11.1 Right to Access

You have the right to request access to the personal information we hold about you. This is often referred to as a 'Subject Access Request' (SARS). We will provide you with a copy of your personal information, subject to certain exemptions (e.g., information relating to another individual). The SARS request has a fee schedule that will depend on the amount of information that will need to be redacted and the clinician that will redact it. We have 45 days to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing, and it is made clear to us what and how much information you require.

11.2 Right to Correction

You have the right to request that any inaccurate or incomplete personal information we hold about you is corrected or updated. If you wish to make a change to your information, the contact at Solstice is the administration department at info@solstice.bm.

11.3 Right to Deletion/Erasure

In certain circumstances, you have the right to request the deletion or erasure of your personal information. This right is not absolute and may be subject to legal or professional obligations (e.g., retention of medical records).

11.4 Right to Object to Processing

You have the right to object to the processing of your personal information in certain situations, particularly where we are relying on legitimate interests as our lawful basis.

11.5 Right to Data Portability

Where technically feasible, you have the right to request that we transfer your personal information to another organisation in a structured, commonly used, and machine-readable format. This is done via a SARS request; we will require your clear consent to be able to do this, and a charge may be applicable in case we need to redact any information from your records.

11.6 Right to Withdraw Consent

Where we rely on your consent as the lawful basis for processing, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

These rights are not absolute. We have the right to refuse to provide access to personal information if we consider the information may cause “serious physical or mental harm,” and we are not able to redact that information from your records. To exercise any of these rights, please contact our Privacy Officer using the details provided in Section 15.

12. Making a Complaint

If you have concerns about how we handle your personal information, we encourage you to contact our Privacy Officer in the first instance. We will do our best to resolve any issues you may have.

You also have the right to lodge a complaint with the Bermuda Privacy Commissioner if you believe your rights under PIPA have been infringed. The contact details for the Privacy Commissioner are:

Office of the Privacy Commissioner

Maxwell Roberts Building

6th Floor, 22 Church Street

Hamilton HM 11, Bermuda

Telephone: +1 441 543 7742

Email: info@privacy.bm

Website: https://www.privacy.bm/

13. Cookies and Other Technologies

Our website may use cookies and similar technologies to enhance your browsing experience, analyse website traffic, and understand user behaviour. Cookies are small text files placed on your device. We take no responsibility (legal or otherwise) for the content of other websites. For more detailed information, please refer to our separate Cookie Policy.

14. How to Contact Us

Solstice has appointed a Privacy Officer who is responsible for overseeing questions in relation to this privacy notice and other queries or issues relating to your Personal Information held by Solstice. If you have any questions related to this Privacy Notice, including access to, rectifying, blocking, erasing, or destroying your personal information, you can contact the Privacy Officer.

The Privacy Officer is the Operations Manager, who can be contacted on (441) 292-3456 or privacy@solstice.bm if:

We reserve the right to update this policy whenever deemed necessary without prior notice.