Who we are
Theramie Ltd (company number 17044207) provides the Theramie practice-management service for therapists and their clients.
Privacy contact: admin@theramie.co.uk
Postal address: 86-90 Paul Street, 3rd Floor, London EC2A 4NE
Theramie does not currently appoint a data protection officer or UK or EU representative.
When this notice applies and who controls what
This notice covers people who visit Theramie websites, create therapist or client accounts, receive our emails, join sessions, pay invoices, or whose personal data is otherwise processed through the service.
Each therapist should also provide their own privacy information for the therapy records and special-category health data they control. This notice explains Theramie's role in those workflows and Theramie-controlled processing. It does not replace the therapist's own clinical privacy notice.
In most day-to-day clinical workflows, the therapist using Theramie is the data controller for client records and Theramie acts as a data processor on that therapist's behalf. That includes client records, session metadata, notes, messages, invoice data and video-session metadata stored in the product.
Theramie is its own data controller for website and product operations, account creation and authentication, subscription billing, support, fraud prevention, operational emails and legal compliance.
If you are a client and want a copy, correction or deletion of therapy records, the therapist is usually the first person who must decide on that request. Theramie assists them as processor.
If a therapist creates or updates a client record before that client has their own Theramie login, Theramie usually makes this notice available in the first portal invite, payment request, session link or other direct contact that brings the client into the service.
What personal data we process
- Website and account data: names, email addresses, sign-in and verification records, password-vault setup data, referral codes, public profile details, subscription tier and connected-account status.
- Practice and client data: client names, dates of birth, contact details, and clinical notes are stored after being encrypted by the therapist (meaning Theramie cannot read them). Availability, session schedules, messages, and consent flags entered into the platform are stored with standard encryption.
- Billing and payment data: invoices, ledger entries, cash payments and refunds, Stripe customer, subscription and connected-account identifiers, and payment or refund references.
- Video and service data: room identifiers, session join tokens, call participation events, timestamps, webhook payloads, cron execution logs and request metadata.
- Browser-side data: cookies, session storage, local storage and IndexedDB data used for sign-in, referral attribution, UI preferences, device preferences and encrypted vault keys stored locally in your browser.
Where personal data comes from
- Directly from you when you create an account, sign in, edit your profile, send messages, pay invoices, join sessions or contact us.
- From a therapist using Theramie when they create or update a client record before that client has their own account or when they manage therapy administration on the client's behalf.
- From service providers such as Supabase, Stripe, Resend, Daily and Vercel when they send delivery events, billing status, session events or operational logs back to Theramie.
- From your browser or device when pages load, settings are saved locally or security logs are created.
How and why Theramie uses personal data
- Provide the service: we use account, profile, session, messaging and billing data to run Theramie, authenticate users, manage subscriptions, provide client-hub access and deliver session, invoice and sign-in emails. For Theramie-controlled processing, the main lawful basis is contract or taking steps before a contract.
- Run therapist-controlled records: where therapists use Theramie to manage therapy records, Theramie acts as processor on the therapist's instructions. The therapist is responsible for the relevant Article 6 lawful basis and any Article 9 condition for special-category data.
- Payments and platform administration: we use billing and payout data to manage Theramie subscriptions, connected-account onboarding, charge handling, refunds, bookkeeping and support. The main lawful bases are contract, legitimate interests and legal obligation. Stripe may also use payment data as an independent controller for the parts of payment processing it must run under its own regulatory obligations.
- Security, operations and support: we use service data and logs to secure the platform, prevent abuse, diagnose incidents and improve reliability. The main lawful basis is legitimate interests.
- Legal and compliance duties: we keep and use some personal data to meet tax, accounting, anti-fraud and regulatory obligations. The main lawful basis is legal obligation.
Where Theramie relies on legitimate interests, those interests are running a secure therapy-practice platform, preventing fraud and misuse, recovering fees due, maintaining accurate business records, supporting users and improving reliability without using more personal data than necessary.
Therapy records may include health and other special-category data. In normal clinical workflows, the therapist is responsible for choosing and documenting the relevant Article 6 lawful basis and Article 9 condition, and for giving any clinician-facing privacy information required for that processing. Theramie does not determine that lawful basis or condition for the therapist; it processes that data on the therapist's instructions. The most sensitive note content is encrypted in the browser before storage.
Theramie does not currently offer AI summary or session-audio processing. If that changes, we will update this notice, the DPA and the product controls before making that feature available.
When you must provide certain data
Some personal data is needed so Theramie can enter into or perform a contract with you or the therapist account you are using. For example, without account credentials, session details, billing details or payment information, Theramie may not be able to create an account, authenticate you, send security messages, run a booked session, issue an invoice or take payment.
Other fields may be optional. Where a therapist decides what client information to collect for clinical administration or record keeping, the therapist decides what is necessary for that purpose and must explain the consequences of not providing it.
Who we share personal data with
We share personal data with service providers where needed to host the service, send emails, run payments and support video sessions. Some providers act only on our instructions. Others, most notably Stripe for regulated payment activity, may also act as independent controllers for the parts they run under their own obligations.
- Supabase: Database, authentication, storage and background data services. Data involved: Account records, client records, session metadata, encrypted notes, billing ledgers and operational logs. Theramie uses Supabase for core application storage and access control, including row-level security policies.
- Stripe: Payment processor and Stripe Connect payout infrastructure. Data involved: Therapist billing details, Stripe customer IDs, subscription data, payment intents, refunds and connected account onboarding data. Stripe handles card processing and therapist payout onboarding; Theramie stores references and billing outcomes.
- Resend: Transactional email delivery provider. Data involved: Email addresses, email content, billing notices, session reminders and sign-in links. Theramie sends account, session and billing emails from noreply@theramie.co.uk via Resend.
- Daily: Video session infrastructure provider. Data involved: Session room identifiers, access tokens, timing metadata and call participation events. Theramie creates private video rooms and issues therapist/client meeting tokens through Daily APIs.
- Vercel: Application hosting and scheduled job platform. Data involved: Application traffic, request metadata, scheduled email and Stripe reconciliation job execution and deployment logs. Theramie uses Vercel-hosted routes and cron jobs for operational processing.
International transfers
Some suppliers, especially payment, hosting, email and video providers, may process personal data outside the UK or permit access to it from outside the UK. Where that happens, Theramie relies on an adequacy decision covering the supplier's location or another UK GDPR transfer mechanism, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. Contact us if you want more detail about the safeguard used for a particular supplier.
Retention
We keep personal data only for as long as we need it for the purpose it was collected for, the therapist's instructions where we act as processor, and our legal, accounting, fraud-prevention or security obligations.
- Therapist account, profile and support data: kept while the account is active and then usually for up to 24 months after closure or last meaningful activity unless earlier deletion is possible.
- Therapist-controlled client records, notes, messages and session metadata: kept for the life of the therapist account and then usually moved into a 90-day export and deletion window after closure unless the therapist instructs otherwise or law requires longer retention.
- Billing, tax, payout and anti-fraud records: usually kept for at least 6 years after the end of the relevant financial year, and longer if a dispute, chargeback or legal hold applies.
- Security, authentication and operational logs: the default retention target is 12 months, shorter where feasible, and longer only if tied to an active incident or legal hold.
- Referral and preference cookies: referral attribution is kept for up to 30 days, and requested video-device or interface preference cookies are kept for up to 12 months.
- Browser storage: session storage, local storage and IndexedDB entries are kept until they expire, are overwritten, you sign out, reset the relevant feature, or you clear them from your browser.
Where financial or audit records must be preserved, Theramie may delete direct identifiers and keep only the minimum ledger data needed to preserve bookkeeping integrity.
Theramie does not yet provide full automated retention tooling for every category. Where deletion is not yet automated, it is handled through therapist instructions, account closure processes or manual support steps.
Cookies and browser storage
- Authentication cookies: Supabase session cookies keep signed-in users logged in and allow secure account access. These are strictly necessary for the service you request.
- Referral cookie: if a referral link is used, Theramie stores a referral code in an HTTP-only cookie for up to 30 days.
- Device preference cookie: Theramie stores chosen camera, microphone and speaker settings for up to 12 months when you ask the video preview to remember them for later sessions.
- Interface preference cookie: Theramie may store collapsed or expanded session-list sections for up to 12 months so the hub can reopen in the state you last chose.
- Browser storage: Theramie uses session storage, local storage and IndexedDB for pending verification details, UI state and locally stored encryption keys.
Theramie does not currently use behavioural advertising trackers or social-media ad pixels in the product.
Automated decision-making
Theramie does not use solely automated decision-making or profiling that produces legal or similarly significant effects on individuals. Theramie does use automated rules to verify sign-ins, enforce subscription status, send scheduled emails, process billing workflows and prevent misuse, but these are service operations rather than automated legal or similarly significant profiling decisions.
Security measures we currently rely on
- Access to application data is limited through Supabase authentication checks and row-level security policies on the core tables.
- Clinical notes are encrypted in the browser with AES-256-GCM before storage, and therapist vault keys are derived with PBKDF2 and stored in wrapped form.
- Stripe webhook events are verified with webhook signatures before billing changes are applied.
- Background cron routes require a shared secret before operational jobs can run.
- Sensitive service credentials are loaded from server-side environment variables rather than being shipped to the browser.
- Application routes use server-side session checks and ownership validation before returning account, billing, client or session data.
- Video-session credit controls and session entry links use signed tokens and server-side checks to limit unauthorised access.
We describe only the controls evidenced in the product today. We do not claim automatic deletion, auditable retention tooling, mandatory two-factor authentication or formal certification unless and until those controls are implemented and documented.
Your rights and how to use them
You may have rights to access, correct, erase, restrict, object to, or ask for a copy of your personal data, and in some cases to receive it in a portable format. If a therapist controls the record, they decide how a request about therapy records should be handled and Theramie assists them as processor.
Right to object: if Theramie relies on legitimate interests for Theramie-controlled processing, you have the right to object. Tell us what processing you object to and why.
Withdraw consent: where we rely on consent, you can withdraw it at any time. This will not affect processing already carried out before the withdrawal.
How to make a request: For subject access, correction, restriction, objection, portability or erasure requests about Theramie-controlled data, email admin@theramie.co.uk or write to 86-90 Paul Street, 3rd Floor, London EC2A 4NE. We will usually need to verify identity and, where a therapist is the controller, may direct the request to that therapist so the instruction comes from the correct controller.
Complaints
If you are unhappy with how Theramie handles personal data, please contact us first so we can try to resolve the issue. You can also complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint or call 0303 123 1113.