Privacy policy
Last updated 14 May 2026.
This policy explains what personal data we collect from you, how we use it, who we share it with, and what rights you have under UK GDPR. We’ve tried to write it plainly. If anything isn’t clear, email privacy@practiva.io.
1. Who we are
Practiva is operated by [PRACTIVA LTD], a company registered in England and Wales (company number [COMPANY NUMBER]), with its registered office at [REGISTERED ADDRESS]. We are the data controller for the personal information described in this policy.
We are registered with the UK Information Commissioner’s Office (ICO) under registration number [ICO REGISTRATION NUMBER].
2. What data we collect
We collect the following categories of personal data:
2.1 From you, as a Practiva customer
- Account information: name, email address, password (encrypted), profile picture if you upload one.
- Practice information: your professional registration body (e.g. BACP), qualifications, specialisms, modalities, fees, location, business contact details, biography.
- Billing information: name, billing address, partial payment-card details. Full card details are held by Stripe, our payment processor — we never see or store the full number.
- Communication: messages you send us by email or in-app.
2.2 From your website visitors (your clients and prospects)
- Enquiry form submissions: name, email, phone number, and message that people send through the contact form on your Practiva-hosted website.
- Limited technical data: IP address, browser type, pages visited. Used for security and abuse prevention.
Where you upload information about your clients (session notes, contact records, documents) into Practiva, you remain the data controller for that information and we act as your data processor under our terms of service.
2.3 Automatically
- Cookies and similar technologies: see our cookie policy for the full list.
- Server logs: IP address, timestamp, URL requested, user agent. Kept for 30 days for security.
3. How we use your data
We use your personal data only for the following purposes:
- To provide and operate Practiva (delivering the website, dashboard, and tools you signed up for).
- To process payments and manage your subscription.
- To send you essential service communications (e.g. password resets, billing notices, security alerts).
- To send you product updates and tips — only if you’ve opted in.
- To respond to your support requests.
- To detect, prevent, and address fraud, abuse, security issues, and breaches of our terms.
- To comply with our legal obligations (e.g. tax record-keeping, lawful information requests).
- To improve Practiva — using aggregated, de-identified data wherever possible.
4. Legal basis for processing
Under UK GDPR we rely on the following lawful bases:
- Contract: to provide the service you signed up for.
- Legitimate interests: to keep our service secure, prevent fraud, improve our product, and operate our business. Where we rely on this, we have balanced our interests against your rights.
- Consent: for non-essential cookies and for marketing emails. You can withdraw consent at any time.
- Legal obligation: for tax records, lawful disclosures, and similar.
5. Who we share data with
We use the following processors to operate Practiva. Each one is bound by a data-processing agreement and processes your data only on our instructions.
- Supabase (database and authentication hosting, Ireland / EU region where available)
- Vercel (application hosting, EU region)
- Stripe (payment processing)
- Resend (transactional email)
- Anthropic (used to generate the initial draft of your website copy from the details you supply during onboarding)
- Cloudflare (security and network protection)
We do not sell your personal data. We never share your client information with third parties for marketing.
6. International transfers
Some of our processors (Stripe, Resend, Anthropic) are based in the United States. Where data is transferred outside the UK, we rely on the UK’s International Data Transfer Agreement or Standard Contractual Clauses with appropriate supplementary measures, in line with ICO guidance.
7. How long we keep data
- Account data: for as long as your account is active.
- After cancellation: we keep your data for 30 days in case you reactivate, then permanently delete it. Some records are kept longer where law requires (e.g. financial records for 7 years).
- Website enquiries: stored in your dashboard until you delete them. Deleted enquiries are removed from backups within 30 days.
- Marketing email list: until you unsubscribe.
- Server logs: 30 days.
8. Your rights
Under UK GDPR you have the right to:
- Access your personal data and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase your personal data (the ‘right to be forgotten’), subject to legal retention obligations.
- Restrict processing of your data in certain circumstances.
- Object to processing based on legitimate interests.
- Portability — receive your data in a portable format.
- Withdraw consent at any time, where consent was the basis for processing.
- Complain to the ICO: ico.org.uk or 0303 123 1113.
To exercise any of these rights, email privacy@practiva.io. We’ll respond within 30 days.
9. Security
We use industry-standard measures to protect your data: encryption in transit (TLS 1.2+) and at rest, role-based access controls, audit logging, regular security review, and the principle of least privilege. No system is perfect; if a breach affects your data we’ll notify you and the ICO within 72 hours where required.
10. Children
Practiva is for qualified therapists in independent practice. We do not knowingly collect data from anyone under 18.
11. Changes to this policy
We’ll update this policy from time to time. Material changes will be notified by email to your account address at least 14 days before they take effect.
12. Contact us
For any privacy-related question: privacy@practiva.io. For general support: hello@practiva.io.