1. Introduction
PracticeGrow ("we", "our", "us") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our practice management platform.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller vs Data Processor
For practitioner account data: PracticeGrow is the data controller. This includes your account information, billing details, and usage data.
For client data you store: You (the therapist/practitioner) are the data controller. PracticeGrow acts as a data processor, processing client data on your behalf according to your instructions.
3. What Data We Collect
Account Information
- Name and email address
- Practice name and profession
- Password (securely hashed)
- Billing information (processed by Stripe)
Client Data (Stored on Your Behalf)
- Client names and contact details
- Appointment information
- Intake form responses
- Session notes
- Safeguarding records
- Payment history
Technical Data
- IP address and browser type
- Device information
- Usage analytics (anonymised)
4. How We Use Your Data
- To provide our service: Managing your account, processing bookings, sending reminders
- To improve our product: Analysing usage patterns (anonymised) to improve features
- To communicate with you: Service updates, support responses, important notices
- To process payments: Via our payment processor, Stripe
- To comply with legal obligations: Tax records, legal requests
5. Legal Basis for Processing
- Contract: Processing necessary to provide our service to you
- Legitimate interests: Improving our service, preventing fraud
- Legal obligation: Compliance with laws and regulations
- Consent: For marketing communications (you can opt out anytime)
6. Data Sharing
We do not sell your data. We only share data with:
- Stripe: For payment processing (PCI-DSS compliant)
- Supabase: Our database provider (data stored in EU)
- Vercel: Our hosting provider
- Email providers: For sending transactional emails
All third-party providers are bound by data processing agreements and process data only as instructed.
7. Data Storage & Security
- All data is stored on servers within the UK/EU
- Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- We conduct regular security assessments
- Access to production systems is strictly limited and logged
See our Security page for more details.
8. Data Retention
- Active accounts: Data retained while your account is active
- Closed accounts: Account data deleted within 30 days of closure
- Client data: Deleted when you delete it, or when you close your account
- Backups: Removed from backups within 90 days
- Legal requirements: Some financial records retained for 7 years as required by law
9. Your Rights
Under UK GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data
- Portability: Export your data in a common format
- Object: Object to certain processing
- Restriction: Request limited processing
To exercise these rights, contact us at privacy@practicegrow.co.uk.
10. Cookies
We use essential cookies to keep you logged in and remember your preferences. We do not use third-party advertising or tracking cookies.
11. Children's Privacy
PracticeGrow is designed for professional therapists and counsellors. We do not knowingly collect data from children under 16. If you work with young clients, you are responsible for obtaining appropriate parental consent.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email or a notice in our application. Continued use after changes constitutes acceptance.
13. Contact Us
For privacy-related questions or to exercise your rights:
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.