Privacy Policy
We are committed to protecting and respecting your privacy. This policy outlines how we collect, use, and safeguard your information.
Introduction
Therasee Limited (“Therasee”, “we”, “us”, “our”) is committed to protecting and respecting your privacy. This policy outlines our practices regarding the collection, use, and sharing of information about you through the use of our services. By using our platform, you agree to the collection and use of information in accordance with this policy.
Definitions
- Personal Data
- Any information relating to an identified or identifiable individual who can be directly or indirectly identified from that data. This may include, but is not limited to, names, email addresses, phone numbers, and location details.
- Special Category Data
- Personal data that is given specific protection under UK GDPR and EU GDPR, including data concerning health, mental health, racial or ethnic origin, and other categories defined in Article 9. Given the nature of our platform, health and mental health data is the most relevant category.
- Usage Data
- Information collected automatically through the use of our Service, which may include details such as your device's Internet Protocol (IP) address, browser type, browser version, the pages of our Service that you visit, the time spent on those pages, unique device identifiers, and other diagnostic data.
- Cookies
- Small files stored on your device (computer or mobile device) that help us to improve our Service and your experience.
- We, Us, Our or Company
- means Therasee Ltd.
- You or Your
- means you or, where you use the Service on behalf of an organisation, that organisation.
- Software, Services, or Therasee
- means the software and associated services provided and developed by the Company which may be supplied to you.
- UK GDPR
- The UK General Data Protection Regulation, being the retained EU law version of the General Data Protection Regulation (EU) 2016/679 as it forms part of UK law, together with the Data Protection Act 2018.
- EU GDPR
- The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council, as applicable to the processing of personal data within the European Union.
Who This Policy Applies To
Therasee serves mental health practitioners (therapists, counsellors, psychologists, and psychiatrists) and, through the platform, their clients. This policy covers two distinct categories of personal data:
Practitioner data: Information we collect directly from practitioners who use our platform, such as their name, email address, billing details, and professional profile. For this data, Therasee is the data controller.
Client data: Information about a practitioner's clients that is entered into or processed through the platform, such as client names, contact details, health and mental health information, session notes, and form responses. For this data, the practitioner is the data controller and Therasee acts as a data processor on their behalf.
This distinction is important because the practitioner, as the data controller for their client data, is responsible for having a lawful basis to collect and process that data, for providing appropriate privacy notices to their clients, and for ensuring that client data is handled in accordance with their professional and legal obligations. Therasee processes client data only on the practitioner's instructions and in accordance with our Data Processing Agreement.
Where this policy refers to “your data” in the context of practitioners, it means your practitioner data. Where it refers to client data, it will say so explicitly.
Information Collection and Use
We collect several types of information for various purposes to provide and improve our service to you.
Types of Data Collected
Personal Data
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. This may include, but is not limited to:
- Name
- Email address
- Phone number
- Address
Usage Data
We may also collect information on how the Service is accessed and used. This Usage Data may include details such as your device's Internet Protocol (IP) address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data.
Third-Party Services
To enhance the functionality, security and performance of our platform, Therasee partners with trusted third-party providers. Each is carefully selected based on their privacy standards, security credentials, and compliance with UK and EU GDPR.
We only share data with trusted third-party providers where it is essential to deliver platform features, such as payments, video sessions, transcription, or AI-assisted form generation. All data sharing is governed by strict contractual agreements and processed in full compliance with UK and EU GDPR. Where applicable, we also align with internationally recognised data protection frameworks and healthcare privacy standards to ensure the highest level of security and confidentiality for all users, wherever they are based.
Microsoft Azure (Infrastructure and Database)
Therasee's application servers and databases run on Microsoft Azure in data centres located in the United Kingdom, so all stored data, including client records, session information, messages, forms, and billing data, stays within the UK. Data is encrypted in transit and at rest using industry-standard protocols. Access is controlled through role-based permissions, audit logging, and multi-factor authentication. Microsoft Azure is independently assessed against ISO 27001, SOC 2 and other recognised security standards. These assessments support our UK and EU GDPR compliance but do not on their own establish it; that rests on the contractual and organisational controls described in this policy.
Intercom
We use Intercom to support customer communication, including live chat and helpdesk functionality. Intercom processes data such as your name, email address and chat history solely to assist with support requests. All interactions are encrypted and handled in accordance with UK and EU GDPR.
Jitsi as a Service (JaaS)
We use Jitsi as a Service to deliver real-time video sessions for telehealth. Audio, video and shared content are encrypted in transit. Sessions are not recorded and no identifiable session content is stored. We may retain limited, anonymised technical data (such as call quality metrics) strictly for performance monitoring and service improvement. Jitsi relays the media for the live call only and does not store session content. This service operates in compliance with UK and EU GDPR, supporting confidential therapeutic interactions.
Google Analytics
To improve our website and better understand how it is used, we use Google Analytics in anonymised mode, configured so that it does not collect personally identifiable information. We receive only aggregated metrics such as device type, browser version, and coarse location, in compliance with applicable privacy regulations.
Stripe
Stripe processes all financial transactions, including card and bank payments. Payment details are transmitted to Stripe over encrypted channels, and Therasee never stores full card numbers. Stripe is a PCI DSS Level 1 certified service provider and handles payment data in accordance with UK and EU GDPR.
Microsoft Azure (Speech-to-Text)
Our Speech-to-Text feature, used for example during live session note-taking and within the AI form assistant for voice input, is delivered via Microsoft Azure's secure cloud infrastructure, hosted on UK-based servers. This service uses advanced AI technology and machine learning models to convert spoken words into accurate, real-time text.
Audio is streamed over an encrypted connection, processed in memory, and never stored or recorded. We use the service with logging disabled, so Microsoft retains no audio content, transcribed text, or request metadata during or after processing. Once transcription is complete, the text is returned to Therasee over an encrypted channel and stored within our own UK-based infrastructure.
Microsoft acts solely as a sub-processor on our behalf and handles data exclusively for the purpose of delivering the transcription. No data is used to train or improve any AI models, and nothing is retained in Microsoft's systems beyond the live processing window. We treat spoken input with the same strict confidentiality as typed data. The entire process is conducted in full compliance with UK and EU GDPR, ensuring your privacy and data rights are protected at every step.
Google Cloud (AI-Assisted Form Generation)
We use Google Cloud to power our AI-assisted form generation feature, using enterprise-tier services within the Google Cloud platform. This feature allows practitioners to create and refine digital forms, either by describing what they need or by uploading existing documents for conversion.
It is important to understand that AI is only involved in the building and design of forms, not in the completion or editing of them. When practitioners or clients complete forms through Therasee, or when practitioners edit form responses, no information is exchanged with the AI service. That data remains entirely within our UK-based infrastructure.
During the form building process, no personally identifiable client information is shared with the AI service. The AI works with form structure and variables (such as placeholders for client name or date of birth), not with actual client data. Client data variables are masked before any content is sent to Google Cloud for processing. Even so, we have measures in place to ensure that any data processed by the AI is not retained by Google beyond the individual request.
The practitioner's professional profile (such as their title, specialisations, and practice details) may be used to personalise generated content. No client information is included in this context.
As a matter of best practice and in line with data minimisation principles, we recommend that practitioners use blank or template versions of documents when uploading for conversion, rather than documents containing completed client information.
Key safeguards:
- Client data is masked before processing. Variables such as client names, dates of birth, and contact details are replaced with placeholders before any content reaches Google Cloud.
- These are enterprise-tier services, distinct from consumer products. They operate under the Google Cloud Data Processing Addendum (CDPA), which governs how Google handles customer data.
- All processing takes place on European servers, in the EU (Netherlands). This is fully compliant with both UK GDPR and EU GDPR. The EU is recognised as an adequate jurisdiction under UK GDPR adequacy regulations, and processing within the EU is subject to EU GDPR.
- Data is not retained by Google. It is processed transiently and is not stored beyond the individual request.
- Google does not use any data submitted through these services to train, improve, or develop its AI models. This is contractually guaranteed under the Google Cloud CDPA.
- Google acts as a sub-processor on behalf of Therasee under the Google Cloud CDPA.
- All AI-generated content is presented to the practitioner for review and approval before being saved or used. No AI-generated content is applied without the practitioner’s explicit approval.
Google Calendar (Optional Integration)
We offer optional integration with Google Calendar to help practitioners synchronise appointments between Therasee and their Google Calendar account. This integration is entirely opt-in and can be enabled or disabled at any time.
We take a data minimisation approach to this integration. When session details are synchronised to your Google Calendar, we do not share any personally identifiable client information. Client names are not included; only the client's initials (the first letter of their first name and of their last name) are displayed. No client email addresses, phone numbers, or other identifying details are exchanged with Google Calendar.
The integration allows Therasee to read calendar details such as event times, and to write session details including the appointment time, type, and client initials back to your calendar. All data is transmitted over encrypted channels. Google acts as a sub-processor during this integration and processes data in line with both UK and EU GDPR. No calendar data is accessed without your authorisation, and you remain in full control of what is shared.
How We Use Your Data
Therasee Ltd uses the collected data for various purposes:
- To provide and maintain our service
- To notify you about changes to our service
- To allow you to participate in interactive features of our service when you choose to do so
- To provide customer support
- To gather analysis or valuable information so that we can improve the service
- To monitor the usage of the service
- To detect, prevent, and address technical issues
- To convert uploaded documents into structured digital forms and to generate forms using AI-assisted tools, where a practitioner chooses to use this feature (see "AI and Automated Processing" below for further details)
Transfer of Data
Your data is primarily stored and processed within the United Kingdom, on Microsoft Azure infrastructure hosted in UK data centres. All data storage, whether practitioner data or client data, remains within UK jurisdiction and is fully compliant with UK GDPR and EU GDPR.
A limited amount of processing occurs in the European Union. Our AI-assisted form generation feature uses Google Cloud, hosted in the EU (Netherlands). This processing is transient, meaning data is not stored by Google beyond the individual request, and client data is masked before it reaches Google Cloud. The EU is recognised as an adequate jurisdiction for data transfers under UK GDPR adequacy regulations, and processing within the EU is subject to EU GDPR. No additional safeguards such as Standard Contractual Clauses are required for UK-to-EU transfers.
Where we use third-party services that may process data outside the UK and the EU (for example, certain services provided by Intercom and Stripe), we ensure appropriate safeguards are in place, including ICO-approved transfer mechanisms (the International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses). All third-party processing, regardless of location, remains compliant with UK GDPR and EU GDPR.
Therasee will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. No transfer of your personal data will take place to an organisation or a country unless there are adequate controls in place.
Disclosure of Data
Legal Requirements: Therasee Ltd may disclose your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of Therasee Ltd
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users of the Service or the public
- Protect against legal liability
Security of Data
We understand the importance of protecting your personal information, and we recognise that no system is impenetrable. We implement security measures designed to protect your personal data against unauthorised access, use, or disclosure, including encryption in transit and at rest and hosting within UK-based data centres. While absolute security cannot be guaranteed, we continuously review and refine our security practices against UK GDPR, EU GDPR, and, where applicable, HIPAA guidance.
International Transfer of Data
Therasee is a United Kingdom-based service. All stored data, including both practitioner data and client data, is held on servers within the United Kingdom. All processing remains fully compliant with UK GDPR and EU GDPR, regardless of where it takes place.
To provide certain features, a limited amount of processing occurs outside the UK:
European Union
Our AI-assisted form generation feature uses Google Cloud, hosted in the EU (Netherlands). When a practitioner uses this feature, form content is sent to Google Cloud for processing. Client data is masked before it reaches Google Cloud, and the data is processed transiently and not retained by Google.
The EU is recognised as providing an adequate level of data protection under UK GDPR adequacy regulations (specifically, the UK's Data Protection (Adequacy) (EU and EEA EFTA States) Regulations). Transfers from the UK to the EU do not require additional safeguards such as Standard Contractual Clauses. Processing within the EU is subject to EU GDPR.
United States and Other Jurisdictions
Some of our third-party service providers may process data in, or transfer data to, the United States or other countries. Where such transfers occur, we ensure appropriate safeguards are in place:
- Intercom (customer communication): may process data in the EU and US. Transfers to the US are covered by Standard Contractual Clauses.
- Stripe (payment processing): may process data in the EU and US. Transfers to the US are covered by Standard Contractual Clauses.
- Google Analytics (anonymised web analytics): operates in anonymised mode. No personally identifiable data is transferred.
- Google Calendar (optional integration): where a practitioner connects their Google Calendar, only minimal scheduling data is shared, including appointment times and client initials only (no full names or email addresses). This integration is optional and initiated by the practitioner.
We regularly review the data transfer arrangements of all our third-party service providers to ensure they remain compliant with UK GDPR and EU GDPR requirements.
AI and Automated Processing
Overview
Therasee offers an AI-powered form assistant to help practitioners with administrative tasks such as creating and converting clinical and practice forms. This feature is fully compliant with both UK GDPR and EU GDPR. It is designed as an assistive tool only and is not used for automated decision-making about clients or their care.
How the AI Form Assistant Works
The AI form assistant allows practitioners to create new forms by describing what they need, upload existing documents for conversion into digital forms, and refine forms through conversational follow-up. Practitioners can also use voice input (via Microsoft Azure Speech-to-Text, hosted in the UK) to interact with the assistant.
AI is only involved in the building and design of forms. When practitioners or clients complete forms through Therasee, or when practitioners edit form responses, no information is exchanged with the AI service. That data remains entirely within our UK-based infrastructure.
During the form building process, the AI works with form structure and variables, not with actual client data. Client data variables (such as names, dates of birth, and contact details) are masked before any content is sent to Google Cloud for processing. No personally identifiable client information is exchanged with the AI service. Even so, we have measures in place to ensure that any data processed by the AI is not retained by Google beyond the individual request.
The practitioner's professional profile (including their title, specialisations, and practice details) may be used to personalise generated content. No client information is included in this context.
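The masking step described above (known client values replaced by placeholders before content leaves the platform, with the mapping kept locally) can be illustrated in code. The following is an added example written for this page, not Therasee's own implementation; the field names, placeholder format, regex patterns, and the sample intake form are all constructed for illustration.

```python
"""Client-data masking before an external AI call (illustrative, not Therasee's code).

Known client field values are replaced with stable placeholders such as
{{client_name_1}}; a regex sweep then catches PII the field list missed.
The placeholder-to-value mapping never leaves the local system, so the AI
service sees only form structure, and its output is re-hydrated locally.
"""
import re
from dataclasses import dataclass, field

# Generic PII patterns, assumed for illustration; a deployment would tune these
# to the document types it actually handles.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?:\+44\s?|0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}"),
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}


@dataclass
class MaskResult:
    masked_text: str  # the only part that may be sent to the AI service
    mapping: dict[str, str] = field(default_factory=dict)  # placeholder -> original, kept locally


def mask_client_data(text: str, known_fields: dict[str, str]) -> MaskResult:
    """Replace known client field values, then regex-matched PII, with placeholders."""
    mapping: dict[str, str] = {}
    counters: dict[str, int] = {}

    def placeholder(kind: str, value: str) -> str:
        # Reuse one placeholder per distinct value so repeated mentions stay linked.
        for ph, original in mapping.items():
            if original == value:
                return ph
        counters[kind] = counters.get(kind, 0) + 1
        ph = "{{" + f"{kind}_{counters[kind]}" + "}}"
        mapping[ph] = value
        return ph

    # 1. Known values first, longest first, so "Jane Doe" is masked before "Jane".
    for kind, value in sorted(known_fields.items(), key=lambda kv: -len(kv[1])):
        if value:
            text = text.replace(value, placeholder(kind, value))

    # 2. Pattern sweep for PII the structured field list did not cover.
    for kind, pattern in PII_PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: placeholder(k, m.group(0)), text)

    return MaskResult(masked_text=text, mapping=mapping)


def assert_no_leak(result: MaskResult) -> bool:
    """Gate before transmission: True only if no original value or raw PII remains."""
    if any(value in result.masked_text for value in result.mapping.values()):
        return False
    return not any(p.search(result.masked_text) for p in PII_PATTERNS.values())


def unmask(text: str, mapping: dict[str, str]) -> str:
    """Restore original values into the AI output, locally, after it returns."""
    for ph, value in mapping.items():
        text = text.replace(ph, value)
    return text


if __name__ == "__main__":
    # Constructed sample of a completed intake form, the case the policy warns about.
    uploaded = (
        "Client: Jane Doe\nDOB: 14/02/1985\nEmail: jane.doe@example.com\n"
        "Phone: 07700 900123\nPresenting issue: ...\nSigned: Jane Doe"
    )
    result = mask_client_data(uploaded, {"client_name": "Jane Doe", "date_of_birth": "14/02/1985"})
    assert assert_no_leak(result), "refusing to send: client data still present"
    print(result.masked_text)
```

The leak check runs as a hard gate before anything is transmitted: if a value from the mapping or a raw PII pattern survives masking, the request is refused rather than sent. The regex sweep is a backstop, not a substitute for structured field values, which is why the policy's advice to upload blank templates still matters.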
Practitioner Responsibilities
AI-generated content requires professional review. All forms and content produced by the AI are suggestions only and must be reviewed, verified, and approved by the practitioner before use with clients. Clinical judgement remains the practitioner's responsibility. The practitioner is also responsible for ensuring all forms comply with applicable regulations, professional standards, and their organisation's clinical governance requirements.
As a matter of best practice and in line with data minimisation principles, we recommend that practitioners use blank or template versions of documents when uploading for conversion, rather than documents containing completed client information.
Safeguards
- No client data is shared with the AI service. Client data variables are masked before processing.
- All AI processing takes place on European servers (EU, Netherlands) and is fully compliant with UK GDPR and EU GDPR.
- Data is not retained by Google beyond the individual request.
- No data is used to train or improve AI models. This is contractually guaranteed.
- No automated decisions are made by AI. All AI-generated content is advisory and administrative in nature.
- All AI output requires practitioner review and approval before being saved or used.
- AI does not profile clients or practitioners.
Your Rights
Under UK GDPR and EU GDPR, you have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. Our AI features do not make such decisions. They are tools used by practitioners under their professional judgement. If you have any questions about how AI features are used, please contact us at privacy@therasee.com.
Data Retention
We retain your personal data only as long as necessary to fulfil the specific purposes outlined in this Privacy Policy. Your data will be maintained to the extent required to comply with our legal obligations (such as those mandated by applicable laws), resolve disputes, and enforce our legal agreements and policies. This ensures that we handle your personal information responsibly and in accordance with legal and regulatory requirements.
Password and Security
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. You are responsible for keeping your password confidential and for notifying us if you believe your password or account has been compromised.
Links to Other Websites
Our Service may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
Data Processing Agreement
Therasee acts as a data processor on behalf of practitioners (who are data controllers) when processing client personal data through our platform. Under Article 28 of UK GDPR and EU GDPR, a Data Processing Agreement (DPA) is required between the controller and the processor.
A comprehensive DPA is available to all practitioners and is incorporated into our Terms of Service for all practitioner accounts. The DPA sets out the subject matter, duration, nature and purpose of processing, the types of personal data processed, the categories of data subjects, and the obligations and rights of both parties.
Practitioners may request a copy of the DPA at any time by contacting privacy@therasee.com.
Your Data Protection Rights
Under UK GDPR and EU GDPR, you have rights including:
Right of access — You have the right to request copies of your personal data from us.
Right to rectification — You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
Right to erasure — You have the right to request that we erase your personal data, under certain conditions.
Right to restrict processing — You have the right to request that we restrict the processing of your personal data, under certain conditions.
Right to object to processing — You have the right to object to our processing of your personal data, under certain conditions.
Right to data portability — You have the right to request that we transfer the data that we have collected to another organisation, or directly to you, under certain conditions.
Right not to be subject to automated decision-making — You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. Our AI features do not make such decisions (see "AI and Automated Processing" above).
Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page, and we will also let you know via email and/or a prominent notice on our website before the change becomes effective. You are advised to review this Privacy Policy periodically for any changes. Following that notice, changes to this Privacy Policy are effective when the updated version is posted on this page.
Contact Us
For questions or concerns about our privacy policy or the use of your personal information, please contact us at privacy@therasee.com or at our address:
Address
Therasee Ltd, 1 St. Andrews Road, Studio 8,
Montpelier, Bristol, BS6 5EH
ICO Registration: ZB610705