TheraFlo — Privacy Policy (placeholder)

This is a placeholder privacy policy. The final version is being prepared by our solicitor and will replace this text before public launch.

1. Who we are

TheraFlo is a practice-management tool for UK-based therapists and counsellors. When you sign up as a therapist, TheraFlo is the data controller for your own account details, and a data processor for the client records you store on our platform — you remain the controller for those records under UK GDPR.

2. What we collect

  • Account details: your email, name, practice name, contact details, BACP number, and bank details (only used on invoices you generate).
  • Authentication data: hashed passwords, session tokens, optional 2FA secrets.
  • Client records you store: client contact details, session notes, appointment data, payments you record. These belong to you — TheraFlo only accesses them to operate the platform or as required by law.
  • Payment information: handled by Stripe. We don't see or store your clients' card details.
  • Technical logs: standard server logs (IP, timestamps, error reports). Errors are sent to Sentry with PII scrubbed.

3. How we use it

  • To run the service you signed up for (legal basis: contract).
  • To protect the platform from abuse, fraud, and security incidents (legal basis: legitimate interest).
  • To send you essential service emails (signup confirmations, billing receipts, security alerts).
  • To improve the product based on aggregated, anonymised usage patterns. We do not sell your data and we do not run advertising trackers.

4. Cookies and similar technologies

TheraFlo uses only strictly necessary cookies:

  • Authentication cookies that keep you signed in and verify two-factor authentication.
  • A short-lived security token to protect against cross-site request forgery.

We do not use advertising cookies, marketing trackers, or third-party analytics that profile individual users.

5. Who we share it with

We share data only with the providers we need to run the service:

  • Supabase — our database and authentication provider (EU region).
  • Stripe — payment processing (handles all card data).
  • MailPace — sends transactional emails on our behalf.
  • Cloudflare — hosts the app and handles network-layer protection.
  • Sentry — receives error reports with PII scrubbed.

We never sell your data and never share it with advertisers.

6. Where your data lives

Your data is stored in EU data centres (Frankfurt). Some processors (Stripe, Cloudflare, Sentry) may transfer limited data outside the EEA under appropriate safeguards (Standard Contractual Clauses).

7. How long we keep it

  • Active account data is kept while your account is open.
  • When you delete your account, we retain it for 30 days in case of accidental deletion, then permanently remove it.
  • Anonymised system logs are kept for up to 90 days.
  • Financial records may be kept for up to 7 years where required by UK tax law.

8. Your rights

Under UK GDPR you have the right to:

  • Access a copy of the data we hold about you.
  • Correct any inaccurate data.
  • Delete your data (subject to legal retention obligations above).
  • Export your data in a portable format.
  • Object to or restrict processing.
  • Complain to the ICO if you're unhappy with how we handle your data.

To exercise any of these rights, email hello@theraflo.co.uk.

9. Changes to this policy

We may update this policy from time to time. Material changes will be flagged on first login.

10. Contact

Questions or concerns? Email hello@theraflo.co.uk.

Last updated: May 2026