Therapists handle some of the most sensitive information that exists. Security isn't an afterthought here — it's built into the foundation.
How we protect your data
All data between your browser and our servers is encrypted with TLS 1.3 — the latest transport layer security standard.
Client data is encrypted at rest with AES-256. Even if the servers themselves were accessed, the stored data would be unreadable without the encryption keys.
Two-factor authentication is enforced platform-wide. Every account requires a second verification step — no exceptions.
Only you can see your client data. Our support team cannot access your practice without your explicit permission, and every such access is logged.
Your data is backed up automatically every day to geographically separate locations, ensuring full business continuity.
We have documented incident response procedures. In the unlikely event of a breach, you'll be notified within 72 hours as required by UK GDPR.
Compliance
We process data in accordance with UK GDPR. You remain the data controller — we are the data processor. Our Data Processing Agreement is available on request.
We only collect and store data necessary for providing the service. No unnecessary tracking, profiling, or advertising.
You and your clients can request access to or deletion of personal data at any time. We provide built-in export and deletion tools.
All data is stored on servers within the UK and EU. Your client data never leaves Europe.
Your role
As a therapist, you're responsible for how client data is collected and used. Here's what that means in practice.
Inform your clients how their data is collected, stored, and processed. PracticeGrow generates a starter policy for your website.
Ensure clients consent to digital data storage. Our intake forms include a consent and data processing signature field.
Use a strong, unique password. 2FA is mandatory on PracticeGrow, but never share your login credentials with anyone.
Know where your client data lives. With PracticeGrow, everything stays in the UK/EU on Supabase's secure infrastructure.