Information about Joy

Privacy policy

Joy Privacy Policy


We take data protection very seriously and want to be market leader when it comes to privacy and being compliant with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

This policy explains how we use your personal data.

We invite you to spend a few moments understanding this policy. We may update this policy from time to time and, if we make any material changes, we will notify you when we do so. We will provide you with the opportunity to review such changes. By continuing to use our products and services after the changes have been made and we have notified you of them, the way we use your personal data will be subject to the terms of the updated policy.

This notice applies across all websites and apps that we own and operate and all services we provide, including our online referral systems and self-referral pages. For the purpose of this notice, we’ll just call them our ‘services’.

This policy covers:

  1. Who we are
  2. Data we hold about you that we collect from you directly
  3. Data we hold about you which is provided to us by another person or entity
  4. Purposes for holding your data
  5. Sharing your personal data with others
  6. Legal grounds for holding and using data
  7. Retention periods
  8. Data storage, security and transfers
  9. Your rights

 If you have any further questions about how we process your information, please don't hesitate to get in touch by sending an email titled ‘Data Protection’ to or writing to us at:

Address: Data Protection Officer, Pungo, City Launch Lab, 124 Goswell Road, London, EC1V 7DP, UK

1.   Who we are

When we refer to ‘we’ (or ‘our’ or ‘us’), that means Pungo Ltd trading as ‘Joy’, company number 11914576. We are based at City Launch Lab, 124 Goswell Road, London, EC1V 7DP. We will be acting as “data controller” and "data processor" of personal data. You can contact us with regard to any matter contained within this Privacy Policy by writing to us at the address above.

Your relationship is with Pungo Limited. If for example, you would like to access your data, Pungo Limited is the entity to which you would make such a request.

2.   Data we hold about you that we collect from you directly

We hold the following categories of personal data about you which you provide us directly:

Personal details

When you register with us or makes a booking, personal details are collected containing identifiable information about you, such as your name, date of birth, email address and NHS number. In addition, you may disclose information on your gender or ethnicity. 

Health and medical information

You may choose to provide us with health and medical information for example you may wish to store information on your Joy profile about a health condition so that we can improve the service we provide to you. This may contain information about health, symptoms, treatments, medications, referrals and allergies.

Service information

You may list a service on the Joy platform such as an activity or class, details of that information such as contact details for the service are stored on in our database. 

Financial information

If you make any payments on our services, their credit/debit card details are processed directly by a third-party processor that will store all payment information and transaction details. We will only retain details of transactions on secure servers and we will not retain credit or debit card information.

Technical information and analytics

When you use our app or visit our website, we may automatically collect the following information where this is permitted by your device or browser settings:

  • technical information, including the address used to connect your device to the Internet, your login information, system and operating system platform type and version, device model, browser or app version, time zone setting, language and location preferences, wireless carrier and your location (based on IP address); and
  • information about your visit (such as when you first used our app/website and when you last used it, and the total number of sessions you have had on our app/website), including products and services you viewed or used, app/website response times and updates, interaction information (such as button presses or the times and frequency of your interactions with the communications we deliver to you in the app/device or otherwise) and any phone number used to call our customer service number.
  • We work with partners who provide us with analytics and advertising services (for our services only and not for third party advertising). This includes helping us understand how users interact with our services, providing our advertisements on the internet, and measuring performance of our services and our adverts. Cookies and similar technologies may be used to collect this information, such as users’ interactions with our services. You can prevent the setting of cookies by adjusting the settings on your browser or your mobile phone.

Information obtained from third party services

You may choose to connect your existing accounts with other providers (such as a social media provider), for example, when signing up to make it easier to create an account with us. If you choose to do this, we will receive limited information about you from that provider, such as your email address and name. Provided we are acting in accordance with data protection laws, we may also use information from other sources, such as specialist companies that supply information, online media channels, our commercial partners and public registers. This information can for example, help us to improve and measure the effectiveness of our services.

3.   Data we hold about you which is provided to us by another person or entity

When another person uses our services on your behalf, we need to collect some personal data. For example, three common use cases include:

  1. When a family member or loved one makes a referral on your behalf to a community group
  2. When a Social Prescriber uses Joy to make referrals for you and record notes of appointments, referrals and health information where relevant
  3. When a GP refers you into a Social Prescribing scheme using their GP system

We hold the following categories of personal data about you

Personal details

For example, identifiable information such as your name, date of birth, email address and NHS number. In addition, diversity information may be provided for reporting purposes such as client gender or ethnicity. 

Health and medical information
It may be necessary to hold some of your health and medical information for example when signing up to a community group it may be necessary to enter information about a disability so that you can be better supported.

Other relevant data can include information on your health, wellbeing, symptoms, treatments, medications, referrals, bookings, allergies as well as details of appointments such as notes from an appointment with a Social Prescriber.

Financial information

If someone makes a payment on the app or website on behalf of you using your details, then your credit/debit card details are processed directly by a third-party processor that will store all payment information and transaction details. We will only retain details of transactions on secure servers and we will not retain credit or debit card information.

4.    Purposes for holding your personal data

The purposes for which we use your personal data are as follows:

Providing a service

  • We obtain and use your information in order to establish and provide a service and (if applicable) deliver a contract to an organisation which you are associated with.
  • We obtain and use your health and medical information because this is necessary for health purposes, including case management, the provision of care or treatment and the measuring of outcomes.

Improving the service, we deliver

  • We will use your information to improve our services, so that we can deliver a better service. For instance,
    • we may identify gaps in service provision for people with a health need in a specific location
    • we may identify the services that have the greatest impact on wellbeing and share best practice across the wider health community
    • we may research the impact of community referrals on health and social care resources in order to understand the link between community referrals and health
    • we may contact you for research and development purposes 

Keeping you up to date 

  • We may use your email addresses, phone numbers and/or details to contact you or present you with occasional updates and marketing messages where you have not opted out, based on our legitimate interest in marketing our services to you and subject to your right to opt out at any time

Other uses

  • Where necessary, we may need to share personal and financial details for the purposes of fraud prevention and detection.
  • We may need to review your information and, where necessary, make disclosures in compliance with reasonable requests by regulatory bodies including the General Medical Council, MHRA, and Care Quality Commission, or as otherwise required by law or regulation.
  • Strict confidentiality and data security provisions will apply at all times to any such audit and access.

 5.  Sharing your personal data with others

  • We may share your personal data with health and social care providers you are part of such as the NHS and Local Authority where we have a contract to do so. For instance, notes and referrals stored in a Joy record may be shared with a GP or your Social Worker.
  • We may share your personal data with service providers which you are referred to in order to enable a successful referral
  • We may share your personal data with companies we have hired to provide services on our behalf, including those who act as data processors on our behalf, acting strictly under contract in accordance with Article 28 GDPR. Those data processors are bound by strict confidentiality and data security provisions, and they can only use your data in the ways specified by us.

 Anonymised information

  • We may display on our website or share with our commercial partners aggregated and anonymised data that does not personally identify you, but which shows general trends, for example, the number of users of our service.
  • We may preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of our services or the physical safety of any person.

Except as described above, we will never share your personal information with any other party without your consent.

6.  Legal grounds for holding and using data

We collect, use and share the data that we have in the ways described above:

  • as necessary to fulfil our terms of services
  • in accordance with your consent which you may provide to others when they make referrals on your behalf
  • in order to fulfil a contract obligation with a Local Authority, NHS organisation or other Public Organisation you are a part of e.g. with the NHS or Local Authority
  • in order to comply with our legal obligations
  • as necessary for our (or others') legitimate interests, including your interests in providing an innovative, personalised and safe service to our users and partners, unless those interests are overridden by your interests or fundamental rights and freedoms that require protection of personal data.
  • Your data will not be sold to third parties for advertising

 7.  Retention periods

We will retain your data for a maximum of ten years of inactivity or account closure

8.  Data storage, security and transfers

All information is stored on our (or Our third party service providers’) secure servers located in the United Kingdom. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our services, you are responsible for keeping this password confidential.

We do not store any credit or debit card information.

Your data may be processed or stored via destinations outside of the UK and the European Economic Area (EEA), but always in accordance with data protection law, including mechanisms to lawfully transfer data across borders, and subject to strict safeguards. For example, we work with third parties who help deliver our services to you, whose servers may be located outside the UK or EEA.

9.  Your rights

As indicated above, whenever we rely on your consent to process your personal data, you have the right to withdraw your consent at any time

You also have specific rights under the GDPR and DPA to:

  • wherever we process data based on your consent, withdraw that consent at any time.
  • understand and request a copy of information we hold about you. Subject to our retention periods. For other information, you can make a request by email we will return this to you within 14 working days;
  • ask us to rectify or erase information we hold about you, subject to limitations relating to our obligation to store medical or health records
  • ask us to restrict our processing of your personal data or object to our processing; and
  • ask for your data to be provided on a portable basis.

You may also contact the Information Commissioners Office (the data protection regulator in the UK): Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone: 0303 123 1113 (local rate).

Contact us

For any questions or concerns, you can contact us by sending an email to