Privacy Policy

Your privacy and your clients' confidentiality are fundamental to everything we do.

Last updated: January 12, 2022

Our Privacy Commitment

Counselling Buddy is built on a simple principle: your data is yours. We never sell, share, or use your information for anything other than providing you with practice management software.

We understand the sensitive nature of mental health work. Our entire platform is designed with privacy and confidentiality as the foundation, not an afterthought.

1. Introduction

This Privacy Policy explains how Counselling Buddy ("we", "us", or "our") collects, uses, and protects your personal information when you use our practice management platform.

By using Counselling Buddy, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our service.

Contact Information:

Email: privacy@counsellingbuddy.com

Website: www.counsellingbuddy.com

2. Who We Are

Counselling Buddy provides practice management software designed specifically for mental health professionals in the United Kingdom and internationally.

Age Restriction: Our service is only available to individuals aged 18 and over. We do not knowingly collect information from anyone under 18 years of age.

3. Data Controller vs Data Processor

This is an important distinction:

  • For your account data (name, email, payment information): We are the data controller. We determine how this data is processed.
  • For your clients' data (client records, session notes, appointments): You are the data controller, and we are the data processor. We only process this data on your instructions to provide the service.

This means you remain in full control of your clients' information and are responsible for ensuring you have appropriate consent and legal basis to store their data.

4. Information We Collect

4.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (encrypted and never stored in plain text)
  • Professional credentials and practice information (optional)
  • Business address (if provided)

4.2 Client Data You Store

You may choose to store the following information about your clients:

  • Client names and contact information
  • Appointment schedules and history
  • Session notes and clinical records
  • Documents and files you upload
  • Any other information you choose to enter into the system

Important: We never access, read, or use your client data for any purpose other than providing you with the software service. This data is encrypted and protected at all times.

4.3 Payment Information

Payment processing is handled by Stripe, a PCI-compliant payment processor. We do not store your full credit card details on our servers. We only store:

  • Last 4 digits of your card (for your reference)
  • Card expiry date
  • Billing address
  • Payment history and invoices

4.4 Technical Information

For security and service delivery purposes, we automatically collect:

  • IP address (for security and fraud prevention)
  • Browser type and version
  • Device information
  • Login times and session data
  • Error logs and diagnostic information

We do not use third-party analytics, tracking cookies, or advertising technologies.

4.5 Communications

If you contact us for support or feedback, we store:

  • Your correspondence with our support team
  • Feedback and feature requests you submit

5. How We Use Your Information

We use your information solely for the following purposes:

5.1 Service Delivery

  • To create and manage your account
  • To provide practice management features (appointments, client records, etc.)
  • To process payments and send invoices
  • To send service-related notifications (appointment reminders, security alerts)
  • To provide customer support

5.2 Security & Legal Compliance

  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations (e.g., data protection laws, lawful requests)
  • To enforce our Terms of Service

5.3 Service Improvement

  • To fix bugs and improve platform performance
  • To understand feature usage and improve user experience (anonymized, aggregated data only)

5.4 Optional Marketing (Opt-In Only)

We will only send you marketing communications if you explicitly opt in. This includes:

  • Product updates and new feature announcements
  • Practice management tips and resources
  • Newsletter content

You can unsubscribe from marketing emails at any time via the link in each email or through your account settings.

6. How We Protect Your Data

6.1 Encryption

  • In Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
  • At Rest: All data stored on our servers is encrypted using AES-256 encryption
  • Backups: All backups are encrypted with the same standards

6.2 Infrastructure Security

  • Servers located in secure, UK-based data centres
  • Regular security audits and penetration testing
  • Automated daily backups with geographic redundancy
  • 24/7 monitoring for security threats
  • Firewall protection and intrusion detection systems

6.3 Access Controls

  • Multi-factor authentication available for all accounts
  • Role-based access control for team accounts
  • Strict internal access policies - only authorized personnel can access infrastructure
  • All access is logged and monitored

6.4 Staff Training

All team members undergo regular security and privacy training. We maintain strict policies about data access and confidentiality.

7. Data Sharing & Third Parties

We do not sell, rent, or share your personal data with third parties for their marketing purposes. We only share data in the following limited circumstances:

7.1 Essential Service Providers

We work with carefully vetted third-party service providers who help us deliver our service:

  • Stripe: Payment processing (PCI-DSS compliant). View Stripe's Privacy Policy
  • Cloud Infrastructure: UK-based hosting providers for secure data storage
  • Email Service: For sending appointment reminders and account notifications

All third-party providers are contractually bound to GDPR compliance and data protection standards. They may only process data on our instructions and for the purposes specified.

7.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, regulatory requirements). We will notify you of such requests unless prohibited by law.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

8. International Data Transfers

Your data is stored on servers located in the United Kingdom. We do not transfer your data outside of the UK/EEA except when necessary for payment processing through Stripe.

Any international transfers comply with GDPR requirements, including the use of Standard Contractual Clauses where applicable.

9. Data Retention

9.1 Active Accounts

We retain your account data and client data for as long as your account is active and as necessary to provide you with our services.

9.2 Account Deletion

When you delete your account:

  • All your data and client data is permanently deleted from our servers
  • We do not retain backups of deleted accounts
  • Deletion is typically completed within 48 hours
  • Some metadata may be retained for legal compliance (e.g., payment records for tax purposes) but is anonymized where possible

9.3 Legal Obligations

We may retain certain information where required by law (e.g., financial records for 7 years for tax purposes), but this data is kept to the minimum necessary and securely stored.

10. Cookies & Tracking

10.1 Essential Cookies Only

We use only essential cookies required for authentication and security purposes:

  • Session cookies: To keep you logged in securely
  • Security cookies: To protect against cross-site request forgery (CSRF)
  • Preference cookies: To remember your account settings

10.2 No Tracking or Analytics

We do not use:

  • Google Analytics or similar tracking tools
  • Advertising cookies or pixels
  • Third-party tracking scripts
  • Social media tracking buttons

11. Your Rights (GDPR)

Under GDPR and UK data protection law, you have the following rights:

11.1 Right to Access

You do not need to contact us to access your information. All of the information we hold about you can be found in your account settings. You can email us at privacy@counsellingbuddy.com if you have any questions.

11.2 Right to Rectification

You can update incorrect or incomplete data at any time through your account settings.

11.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your account and all associated data at any time from your account settings. Deletion is permanent and immediate.

11.4 Right to Data Portability

You can export all your data in standard formats (CSV, PDF, JSON) at any time from your account dashboard.

11.5 Right to Restrict Processing

You can request that we limit how we process your data in certain circumstances.

11.6 Right to Object

You can object to certain types of processing, including marketing (though we only market to you if you've opted in).

11.7 Right to Withdraw Consent

Where we process data based on your consent, you can withdraw that consent at any time.

To exercise any of these rights, contact us at privacy@counsellingbuddy.com. We will respond within 30 days.

12. Your Responsibilities as a Practitioner

As a mental health professional using our platform, you are responsible for:

  • Obtaining appropriate consent from your clients to store their data
  • Ensuring you have a lawful basis for processing client data under GDPR
  • Maintaining your own privacy policy for your practice
  • Responding to data subject requests from your clients
  • Keeping your account credentials secure
  • Complying with your professional body's data protection requirements

We provide tools to help you meet these obligations, including data export functionality and security features, but ultimate responsibility for client data remains with you as the data controller.

13. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected users without undue delay
  • Provide information about the nature of the breach and steps being taken
  • Offer guidance on protective measures you can take

14. Children's Privacy

Our service is not intended for anyone under the age of 18. We do not knowingly collect personal information from children under 18.

If you believe we have inadvertently collected information from someone under 18, please contact us immediately at privacy@counsellingbuddy.com and we will delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational needs.

When we make material changes:

  • We will update the "Last Updated" date at the top of this policy
  • We will notify you via email at least 30 days before changes take effect
  • We will provide a summary of the key changes
  • You will have the opportunity to review and accept the new policy

Continued use of the service after changes become effective constitutes acceptance of the updated policy.

16. Complaints & Supervisory Authority

If you have concerns about how we handle your data, please contact us first at privacy@counsellingbuddy.com. We take all complaints seriously and will investigate promptly.

You also have the right to lodge a complaint with your local data protection supervisory authority:

UK Supervisory Authority:

Information Commissioner's Office (ICO)

Website: www.ico.org.uk

Phone: 0303 123 1113

Email: casework@ico.org.uk

17. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Privacy Enquiries:

Email: privacy@counsellingbuddy.com

General Support:

Email: support@counsellingbuddy.com

We aim to respond to all privacy enquiries within 48 hours.


© 2025 Counselling Buddy. All rights reserved.