Privacy Policy

My-Therapy-Suite Ltd

Contact details

If you have any questions about this notice, contact us:

  • Company name: My-Therapy-Suite Ltd
  • Company number: 15892346
  • ICO registration: ZB738497
  • Registered address: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
  • Email: info@mytherapysuite.com

Our role (controller / processor)

Data protection law distinguishes between organisations that decide why and how personal data is processed ("controllers") and organisations that process personal data on behalf of controllers ("processors").

  • When we act as a controller: We act as controller for personal data relating to individuals who create and manage My-Therapy-Suite accounts (for example therapists, clinic administrators, staff users, billing contacts, and website enquiries).
  • When we act as a processor: We act as processor for client/patient data uploaded to the platform by therapists/practices as part of providing therapy services (for example appointment details, clinical notes, session recordings, transcriptions, communications, documents, assessment data, and treatment-related information). In this context the therapist or practice is the controller. The terms on which we process this data are set out in our Data Processing Agreement.

If your data has been entered by a therapist or practice, please contact them directly to exercise your data protection rights.

What information we collect, use, and why

Personal information for platform functionality

We collect or use the following information to provide platform and portal functionality:

  • Names and contact details
  • Addresses (where entered into the platform)
  • Account information, including registration details
  • Information used for security purposes (e.g. login metadata, audit logs)
  • Marketing preferences
  • Payment and billing information (excluding full payment card details, which are processed by Stripe)

Special category personal data (health data)

The Service may process special category personal data, such as health information, if a therapist/practice enters this information for the purpose of providing care. This information is processed under strict access controls and security safeguards. The therapist/practice as controller is responsible for establishing the appropriate lawful basis and condition for processing special category data.

Video, audio, and AI-assisted processing

Where therapists use the platform's video or audio session features, we may process session metadata (date, time, duration, participants) and, where recording is enabled by the therapist, session recordings stored on servers in the United Kingdom.

The Service includes AI-assisted features such as session transcription, clinical summarisation, pre-session briefing, and risk signal analysis. Where these features are used, data may be sent to third-party AI providers acting as sub-processors (see "Who we share information with" below).

The therapist/practice as controller is responsible for obtaining appropriate consent for recording and for informing clients about how recordings will be used. We provide template consent agreements to assist with this.

Personal information for legal and compliance purposes

We collect or use personal information for legal compliance purposes, including names, contact information, and audit logs and security records (where necessary).

Information updates, marketing, or market research

We collect or use the following for information updates, marketing, or market research: names and contact details, marketing preferences, and IP addresses and usage analytics (where enabled).

Lawful bases and your data protection rights

Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. You can find out more about lawful bases on the ICO's website.

Our lawful bases

Platform functionality

  • Contract - we process personal information to provide the Service and fulfil our contract with users.
  • Consent - where we rely on consent for certain optional features or communications, you can withdraw consent at any time.
  • Legitimate interests - where necessary to operate, secure, and improve the Service (without overriding your rights).

Legal requirements

  • Legal obligation - we process personal information where required to comply with law.

Marketing

  • Consent - for direct marketing where required.
  • Legitimate interests - limited analytics and service improvement activities.

If you are a client/patient whose data is processed by a therapist/practice using the Service, the therapist/practice is typically the controller and determines the lawful basis for processing your therapy record.

Your rights

You have the following rights over your personal information:

  • Access to the personal information we hold about you
  • Rectification of inaccurate or incomplete data
  • Erasure (in certain circumstances)
  • Restriction of processing
  • Data portability
  • Objection to processing based on legitimate interests
  • Withdrawal of consent at any time, where consent is the lawful basis
  • Not to be subject to solely automated decisions with legal or similarly significant effects

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Where we get personal information from

We may get personal information from:

  • Directly from you
  • Therapists/practices using the Service
  • Other health and care providers (where added by the therapist/practice)
  • Insurance companies (where relevant and added by the therapist/practice)

How long we keep information

We keep personal information only for as long as necessary for the purposes it was collected for, including legal, accounting, regulatory, and security requirements.

Client/patient records: The controller (therapist/practice) determines the retention period. We retain that information according to the controller's instructions.

Account records: Retained for the duration of the account and for up to 6 months after closure, unless a longer period is required by law.

Billing and financial records: Retained for 6 years from the end of the relevant financial year, in accordance with HMRC requirements and the Companies Act 2006.

Security and audit logs: Retained for up to 24 months for security monitoring, incident investigation, and legal compliance.

Session recordings and transcriptions: Retention is determined by the therapist/practice as controller. We provide tools for therapists to manage and delete recordings.

Who we share information with

Sub-processors

We use third-party service providers ("sub-processors") to help us deliver the Service. These providers process personal information only on our documented instructions and are bound by contractual data protection obligations that flow down the commitments in our Data Processing Agreement. Our current sub-processors are:

  • Microsoft Azure - cloud hosting, database, and compute infrastructure
  • Google Cloud Platform - file storage including session recordings
  • Anthropic - AI-assisted clinical summarisation, transcription, and risk analysis
  • OpenAI - AI-assisted clinical summarisation, fallback provider
  • Stripe - payment processing
  • Cloudflare - bot protection and security verification (Turnstile), and video session infrastructure (RealtimeKit)
  • Zoom Video Communications - video session infrastructure
  • Mailgun - transactional and marketing email delivery (account notifications, appointment reminders, password resets, newsletter)
  • Sentry - error monitoring and application observability

Others we share personal information with

  • Insurance companies, brokers, and intermediaries (where applicable and instructed by the controller)
  • Organisations we are legally obliged to share personal information with

Duty of confidentiality

Where applicable, therapists/practices may be subject to a common law duty of confidentiality. There are circumstances where health and care information may be shared: where consent has been provided; where there is a legal requirement; or where public interest overrides the duty of confidentiality.

In the context of the Service, this section generally applies to therapists/practices as controllers of client/patient data.

International transfers

Our primary infrastructure (Microsoft Azure and Google Cloud Platform) is hosted in the United Kingdom. Some sub-processors are located outside the UK. Where personal information is transferred outside the United Kingdom, we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR (such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses).

Cookies and similar technologies

Strictly necessary cookies: Required for the Service to function (e.g. authentication, session management). These cannot be switched off.

Analytics cookies: Where enabled, we may use analytics cookies to understand how the Service is used. We will ask for your consent before setting these.

We do not use advertising or tracking cookies.

You can manage cookie preferences through your browser settings. Note that blocking the strictly necessary cookies described above will prevent you from signing in and using the Service.

Security

We use appropriate technical and organisational measures to protect personal information, including encryption in transit and at rest, role-based access controls, audit logging, and secure infrastructure hosted in UK data centres.

No method of transmission or storage is completely secure, but we take reasonable steps to protect personal information.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy after raising a complaint with us, you can also complain to the ICO.

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Tel: 0303 123 1113

Website: ico.org.uk