Privacy Policy

Therapy Connect ("we", "us", "our") operates the website and platform at therapyconnect.uk. We act as the data controller for the personal information described in this policy.

If you have any questions about how we handle your data, please contact us at privacy@therapyconnect.uk.

We collect different information depending on whether you are a client, a therapist, or an admin.

Account information (all users)

• Name, email address, and password (stored salted and securely hashed)
• Account role (client, therapist, or admin) and verification status
• Email verification codes and password-reset codes (short-lived, with expiry)
• Authentication and refresh tokens used to keep you signed in

Client profile

• Date of birth, gender, and sexual orientation (optional — used to match you with a suitable therapist)
• Contact details (phone number, address) if you choose to provide them
• Areas of concern, preferred languages, preferred clinical approaches, and therapist preferences
• Profile and avatar images

Therapist profile

• Professional bio, qualifications, areas of focus, and clinical approaches
• Contact details, practice address, and location coordinates (for search)
• Professional body memberships, registration details, and uploaded credential documents
• Education history and continuing professional development (CPD) entries
• Profile and cover images, and any external profile links you choose to publish
• Availability windows and exceptions, session modalities offered, session rates, course packages, and cancellation policy
• Verified, supervisor, and Pro subscription status flags

Session and booking data

• Session requests, scheduled sessions, dates, times, modality, and status
• Reschedule and cancellation requests, and the resulting decisions
• Session notes written by your therapist (visible only to them unless explicitly shared)
• Supervision sessions and supervision notes between therapists and their supervisors
• Workshop registrations, where applicable

Communications

• One-to-one messages between connected users (clients ↔ therapists, therapists ↔ supervisors), including any files you attach
• Forum threads and replies, community feed posts and replies, and likes
• In-app notifications and the events that triggered them
• Real-time delivery metadata required to route messages and notifications via Azure Web PubSub

Journal, mood, and wellbeing data

• Personal journal entries, mood ratings, sleep quality and hours, anxiety and stress scores, gratitude, accomplishments, challenges, activities, goals, and thoughts
• Clinical assessment responses and scores (for example, in-session questionnaires)
• This is sensitive personal data and is treated with the highest level of protection. You can choose whether to share specific journal entries or assessment results with a therapist you are connected to.

Relationships and connections

• Connections (therapist ↔ client), supervision connections, follower / followed-therapist relationships, and bookmarks
• External client invitations issued by therapists, including the recipient's email and any allocated pro bono session tokens

Financial data

• Session prices, payment status, refunds, and pro bono token usage
• Therapist earnings, transaction history, and payout records
• Pro subscription identifiers and billing status (managed by Mollie — we never see or store your full card details)

Safety and moderation data

• Content reports you submit about other users or about specific posts, replies, or threads
• Reports submitted about you or your Content, and any moderation decisions taken
• Audit logs of data exports, account deletions, and other significant account actions

Preferences and settings

• Notification settings (which events trigger an email or in-app alert)
• Theme settings (light / dark mode and other UI preferences)

Technical data

• Cookies and local storage entries (see Section 9)
• Video session room identifiers and short-lived participant tokens (we do not record video or audio)
• Server logs containing IP address, request metadata, and error diagnostics, retained for security and debugging

We process your personal information for the following purposes:

• Providing our service — creating your account, matching you with therapists, managing sessions and bookings, enabling messaging, video calls, journals, supervision, workshops, and the community
• Safety and security — authenticating your identity, protecting against fraud, content moderation, enforcing our terms of use, and investigating reports
• Communications — sending verification emails, password resets, session reminders, notification emails, data export notifications, and important service updates
• Payment processing — calculating therapist earnings, managing pro bono allocations, and processing subscriptions and session payments via Mollie
• Compliance — meeting tax, accounting, and other legal record-keeping obligations
• Platform improvement — understanding usage patterns to improve features (we do not use third-party analytics or advertising)

We do not use your personal data to train any machine-learning or generative-AI model, and we do not share it with third parties for that purpose.

Under UK GDPR, we rely on the following lawful bases:

• Contract — processing necessary to provide the services you signed up for (account management, sessions, messaging, payments, subscriptions)
• Legitimate interest — platform security, fraud prevention, content moderation, defending legal claims, and service improvement
• Consent — for optional data such as demographic preferences, journal entries shared with therapists, and non-essential cookies
• Legal obligation — where we are required to retain or disclose data by law (for example, financial record-keeping or responses to lawful requests)

Where we process special category data (health, sexual orientation, gender identity, journal and assessment data), we do so on the basis of your explicit consent given when you provide that information, and because it is necessary for the provision of health-related services.

We do not sell your personal data. We never share it for advertising purposes, and we do not provide it to data brokers. We share data only with:

Your therapist, supervisor, or client

Profile information, messages, session details, supervision notes, and any journal entries or assessment results you choose to share are visible to the other party in your therapeutic, supervisory, or peer relationship. Reports you submit about another user are visible to our moderation team only.

Third-party service providers (data processors)

• Microsoft Azure — hosts our platform, database, file storage (profile images, credential documents, message attachments), and real-time messaging infrastructure (Azure Web PubSub). Data is stored in Azure's UK South region.
• Azure Communication Services — sends transactional email (verification codes, password resets, session reminders, and other notifications). Receives the recipient's email address and the email content.
• LiveKit — provides video call infrastructure for sessions and supervision sessions. Receives short-lived room identifiers and participant tokens during a call. Video and audio are transmitted in real time and are not recorded or stored by us or by LiveKit.
• Mollie — processes payments and Pro subscriptions. Receives payment amounts, subscription metadata, and billing information. Your card details are handled entirely by Mollie and never touch our servers.

Legal and safety disclosures

We may disclose data if required by law, regulation, or legal process, or where necessary to protect the safety of users or the public (for example, in response to a credible threat of serious harm).

Our primary infrastructure is hosted in the United Kingdom (Azure UK South). Some third-party services may process data outside the UK:

• LiveKit — video sessions connect to the nearest LiveKit Cloud region (typically London). Signalling and media routing may pass through other regions.
• Mollie — payment data is processed in the Netherlands (EU), subject to Mollie's data processing agreement and standard contractual clauses.

Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

• Account data — retained for as long as your account is active. If you delete your account, your personal information is removed within 30 days, except where retention is required by law.
• Anonymised records — when you delete your account, certain operational records (for example, anonymised session and earnings history, content moderation logs, and audit trails) may be retained in anonymised or pseudonymised form for legal, audit, and safety purposes. These records cannot be used to identify you.
• Session records and clinical / supervision notes — retained for the duration of your account plus any period required for professional record-keeping obligations, after which they are deleted or anonymised.
• Messages, forum posts, and community Content — retained for the duration of your account. Posts you delete are removed from public view immediately and purged from backups in line with our backup rotation.
• Journal and wellbeing data — retained for the duration of your account; you can delete entries at any time.
• Payment records — retained for 7 years to comply with UK tax and financial regulations.
• Content reports and moderation actions — retained for as long as necessary to enforce our Terms, defend legal claims, and identify repeat offenders.
• Authentication and refresh tokens — automatically expire and are deleted on a rolling basis.
• Server and security logs — retained for up to 12 months for security monitoring and incident investigation.

Under UK GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you. You can use the data export feature in your account settings.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your data (subject to legal retention requirements).
• Restriction — ask us to limit how we use your data in certain circumstances.
• Portability — receive your data in a structured, commonly used format.
• Objection — object to processing based on legitimate interest.
• Withdraw consent — where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at privacy@therapyconnect.uk. We will respond within one month.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

We use a small number of cookies and browser storage entries:

Strictly necessary

• Authentication tokens — keep you signed in during your session
• Cookie consent preferences (cc_cookie) — remember your cookie choices for 6 months

Functionality

• Theme preference — remembers whether you prefer light or dark mode
• UI state — small entries that remember which page or tab you were last on

We do not use any analytics, advertising, or third-party tracking cookies. You can manage your cookie preferences at any time using the cookie settings on our site.

We take appropriate technical and organisational measures to protect your data, including:

• Passwords are salted and securely hashed — we never store them in plain text
• All data in transit is encrypted via HTTPS / TLS
• Authentication uses short-lived JWT tokens with secure refresh mechanisms
• Video sessions use end-to-end encrypted WebRTC connections; we do not record or store video or audio
• File uploads are stored in access-controlled cloud storage with private URLs
• Database access is restricted to authorised personnel and is logged and monitored
• Real-time messaging connections require an authenticated, short-lived access token bound to your identity

No system can be guaranteed to be 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO in line with our legal obligations.

The Platform is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us at privacy@therapyconnect.uk and we will delete it promptly.

We may update this privacy policy from time to time. If we make significant changes, we will notify you through the platform or by email. The "last updated" date at the top of this page indicates when the policy was last revised.

If you have any questions or concerns about this privacy policy or our data practices, please contact us:

• Privacy and data: privacy@therapyconnect.uk
• General enquiries: hello@therapyconnect.uk