Privacy Policy
Last updated: June 11, 2025
Introduction
Therapyway ('we', 'us', 'our') is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your personal data when you visit our website (therapyway.co.uk), use our UI, or submit a form. As a platform connecting individuals with verified therapists, we handle sensitive information, including health data, with the utmost care and in strict compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
1. What We Collect
When you use our UI, interact with our services, or submit a form (including for a free trial), we may collect the following types of personal data. We only collect data that is strictly necessary for the specified purposes:
- Identity and Contact Data: Full name, email address, phone number (if you choose to provide it), company or organization name.
- Professional Data (for Therapists): Information required for HCPC verification, professional body registrations (e.g., BACP, UKCP), qualifications, and professional profiles.
- Health Data (Special Category Data): While our MVP currently focuses on connecting users, any information you provide that may be related to your mental or physical health, or that indicates your health status (e.g., through inquiries about specific therapy needs), will be treated as 'special category data' under UK GDPR. This may include details provided in free trial sign-ups or initial inquiry forms that hint at health conditions or therapy requirements.
- Technical Data: Internet Protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
- Usage Data: Information about how you use our website and services, such as pages viewed, duration of visit, and navigation paths. This data is primarily collected in aggregate for analytical purposes.
- Any other information you choose to provide voluntarily through forms, direct communication, or feedback.
We commit to the principles of data minimization and purpose limitation, ensuring we collect only data that is adequate, relevant, and limited to what is necessary for our stated purposes.
2. How We Use Your Information and Our Lawful Basis
We use your personal data only for specific, explicit, and legitimate purposes. Under UK GDPR, we must have a lawful basis for processing your personal data. For 'special category data' (such as health data), we require both a lawful basis under Article 6 and an additional condition under Article 9.
- To contact you regarding your request or inquiry: To respond to your questions, provide information about our services, or manage your free trial. *Lawful Basis: Legitimate Interests (responding to user inquiries) or Performance of a Contract (for trial services).*
- To facilitate connections with verified therapists: For therapists, this involves verifying your credentials (e.g., HCPC registration) to ensure professional quality and trust on our platform. For users seeking therapy, this involves understanding your needs to match you appropriately. *Lawful Basis (Article 6): Performance of a Contract (to provide platform services) or Legitimate Interests (to maintain a high-quality professional network).* *Condition for Special Category Data (Article 9): Article 9(2)(h) - processing is necessary for the provision of health or social care or treatment, provided it is carried out by or under the responsibility of a health professional or a person who in the circumstances owes a duty of confidentiality. This is supported by DPA 2018 Schedule 1 Part 1, Paragraph 2 (Health and Social Care Purposes).*
- To improve the usability and experience of our UI: We analyze usage patterns to enhance navigation, design, and functionality. *Lawful Basis: Legitimate Interests (to improve our service offerings).*
- To provide updates, service-related messages, or support: This includes important notifications about your account, service changes, or technical assistance. *Lawful Basis: Performance of a Contract or Legitimate Interests (for essential service communications).*
- To analyze interaction data (in aggregate) to improve product design: We use anonymized or aggregated data for statistical analysis and research to understand trends and improve our platform. This data does not identify you personally. *Lawful Basis: Legitimate Interests (to develop and improve our products and services).*
- For compliance with legal obligations: To meet regulatory requirements or respond to lawful requests from public authorities. *Lawful Basis: Legal Obligation.*
We do not use your personal information for unrelated advertising or share it with third parties for their independent marketing purposes without your explicit consent. Your data is processed in a transparent and secure manner.
3. Data Security
We are committed to ensuring the security of your personal information. We implement robust, industry-leading security measures to protect your data from unauthorised access, alteration, disclosure, or destruction. Our 'Secure by Design' approach means security is embedded into every stage of our platform's development, even as an MVP.
- Encrypted Transmission: All data exchanged between your browser and our servers is protected using Transport Layer Security (TLS 1.3) encryption, ensuring secure transmission via HTTPS.
- End-to-End Encryption (where applicable): For highly sensitive data, we aim to implement end-to-end encryption where technically feasible and appropriate, ensuring that only the intended recipient can access the information. This involves robust key management practices.
- Secure Data Storage: Your data is stored in secure data centres with strict access controls, adhering to industry best practices (e.g., ISO 27001 certified facilities). Data at rest is encrypted (e.g., AES-256).
- Restricted Internal Access: Access to your personal data is strictly limited to authorised personnel who require it to perform their job functions, and they are bound by confidentiality obligations.
- Regular Security Audits and Vulnerability Assessments: We conduct regular internal and external security assessments, penetration testing, and code reviews to identify and address potential vulnerabilities proactively.
- Staff Training: All staff handling personal data receive regular training on data protection, privacy, and security best practices.
- Data Protection Impact Assessments (DPIA): Given we process special category data (health data), we conduct DPIAs to identify and mitigate risks to your privacy, even in our early development stages, and on an ongoing basis as our platform evolves.
While no method of transmission over the Internet or method of electronic storage is 100% secure, we strive to use commercially acceptable means to protect your personal information and continuously review and enhance our security posture.
4. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as required by professional guidelines for health data. When data is no longer required, we securely delete or anonymize it.
- Inquiry Data: Data related to general inquiries or free trial sign-ups (where no ongoing service is established) is typically retained for up to 12 months from the last interaction, unless a longer period is legally required.
- Service-Related Data (including health data): For active users of our platform, personal data, especially any health-related information, will be retained for a period consistent with professional health record keeping standards in the UK, which often suggest a minimum of 12 years after the cessation of treatment or service, or after the last entry for minors.
- Anonymized Data: We may retain anonymized data for longer periods for analytical and product improvement purposes, as this data cannot be used to identify you.
In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
5. Your UK GDPR Rights
Under UK GDPR, you have significant rights regarding your personal data. We are committed to facilitating the exercise of these rights:
- The Right to Be Informed: To receive clear, transparent, and easily understandable information about how we use your data (as outlined in this Privacy Policy).
- The Right of Access: To request access to the personal data we hold about you. This enables you to receive a copy of the personal data we hold about you.
- The Right to Rectification: To request correction of the personal data that we hold about you if it is inaccurate or incomplete.
- The Right to Erasure ('Right to Be Forgotten'): To request the deletion or removal of your personal data where there is no compelling reason for its continued processing. This right is not absolute and applies in certain circumstances.
- The Right to Restrict Processing: To 'block' or suppress the processing of your personal data in certain circumstances (e.g., if you contest the accuracy of the data).
- The Right to Data Portability: To obtain and reuse your personal data for your own purposes across different services in a structured, commonly used, machine-readable format.
- The Right to Object: To object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
- Rights in relation to automated decision-making and profiling: To not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except in certain circumstances.
- The Right to Withdraw Consent: Where we are relying on consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please contact us at the details provided in Section 8. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We aim to respond to all legitimate requests within one month.
6. Cookies and Analytics
We use cookies and similar tracking technologies (e.g., Google Analytics) to enhance your experience, understand user behaviour, and improve our UI design. These tools do not collect personally identifiable information unless you explicitly provide it (e.g., through a form).
- Essential Cookies: These are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work.
- Analytics and Performance Cookies (e.g., Google Analytics): These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. We use IP anonymization for Google Analytics and similar features for Hotjar to reduce direct identification. We only use these cookies if you provide your explicit consent.
- Cookie Consent: We operate an explicit opt-in consent mechanism for all non-essential cookies. You will be presented with a clear choice to accept or reject these cookies when you first visit our site. You can change your cookie preferences at any time through our cookie consent banner or by managing your browser settings.
For more detailed information on the cookies we use and how to manage your preferences, please refer to our dedicated Cookie Policy (see Section 8).
7. Compliance, Professional Standards & Safeguarding
At Therapyway, our commitment extends beyond data privacy to upholding the highest standards of professional conduct and safeguarding. Even as an MVP, these principles are foundational.
- GDPR Compliance: Your data and client information are protected under strict UK GDPR and DPA 2018 standards. We never share your details without an appropriate lawful basis and, where required, your consent.
- Secure by Design: Our platform is built with security at its core. End-to-end encryption (where applicable) and regular audits ensure your data stays safe, allowing you to focus on therapy with peace of mind.
- HCPC Verification: To maintain professional quality and client trust, only verified HCPC-registered therapists can publish profiles or participate in our network. We rigorously review credentials, ensuring a safe and qualified environment for both clients and therapists.
- Confidentiality & Safeguarding: We understand the sensitive nature of therapy. While therapists on our platform are responsible for their clients' confidentiality and safeguarding duties, Therapyway aims to facilitate a secure environment for these interactions. We encourage all users to understand their respective professional and ethical obligations regarding confidentiality and safeguarding.
We are constantly evolving to build a safer, better experience for you, with a strong focus on professional integrity and user well-being.
8. Contact Us
If you have questions or concerns about this Privacy Policy, our Cookie Policy, or how your data is handled, please reach out to us. If you wish to exercise any of your UK GDPR rights, please contact us using the details below:
Please note that for security purposes, we may need to verify your identity before responding to requests related to your personal data.
Therapyway
Email: contact@therapyway.co.uk