Privacy Policy
This policy is effective as of 11 February 2026.
Your privacy is important to us. It is Remaster Your Mind Ltd's policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across our website, Find Hypnotherapy, and other sites we own and operate.
Personal information is any information about you that can be used to identify you. This includes information about you as a person (such as name, address, and date of birth), your devices, payment details, and even information about how you use a website or online service.
In the event our site contains links to third-party sites and services, please be aware that those sites and services have their own privacy policies. After following a link to any third-party content, you should read their posted privacy policy information about how they collect and use personal information. This Privacy Policy does not apply to any of your activities after you leave our site.
Information We Collect
Information we collect falls into one of two categories: 'voluntarily provided' information and 'automatically collected' information.
'Voluntarily provided' information refers to any information you knowingly and actively provide us when using or participating in any of our services.
'Automatically collected' information refers to any information automatically sent by your devices in the course of accessing our products and services.
Account Information
When you register for an account, we collect:
- Full name
- Email address
- Password (securely hashed - we cannot see your password)
- Profile photo (optional)
Therapist Profile Information
If you are a therapist creating a profile on our directory, we collect:
- Professional details: title, credentials, years of experience, biography
- Contact information: phone number, website URL
- Business address (with your choice of visibility: full address, city only, or hidden)
- Location coordinates (calculated from your address for map display)
- Session formats offered (online, in-person, phone)
- Service offerings: names, descriptions, pricing, duration
- Profile media: photos, banner images, videos you upload
- Availability schedule and booking preferences
Booking Information
When visitors book appointments with therapists, we collect:
- Visitor name and email address
- Phone number (optional)
- Session preferences and notes about your needs
- Selected date, time, and service
- Terms acceptance timestamp and IP address
Email verification is required before bookings are confirmed. Verification tokens expire after 24 hours.
Client Health Information
Special Category Data: This section describes sensitive health data protected under GDPR Article 9.
When therapists invite you as a client, you may be asked to provide:
- Personal details: name, phone number, address
- Emergency contact: name, phone number, relationship
- Health information: medical conditions, current medications, allergies
- GP details: name and practice (optional)
Legal basis: We process this health data based on your explicit consent. Only the therapist you are working with can access this information. You can request deletion of this data at any time by contacting your therapist or us directly.
Messaging
When you use our contact form to message therapists, we collect:
- Your name and email address
- Message content and conversation history
- Your IP address (used for rate limiting and abuse prevention)
- A visitor identifier stored in your browser to maintain your conversation
Email verification is required before your message is delivered to the therapist. Messages are rate-limited to 5 per email address per hour to prevent abuse.
Calendar Integration
Therapists may connect their Google Calendar, Microsoft Calendar, or Zoom account. When connected, we collect and store:
- OAuth access tokens (encrypted - see Data Security section)
- Your calendar's busy/free times (to prevent double-booking)
- Meeting links created for online sessions
You can disconnect your calendar at any time from your dashboard settings. Disconnecting immediately deletes all stored tokens.
Payment and Subscription Information
For therapist subscriptions, we collect:
- Stripe customer ID (links your account to Stripe for billing)
- Subscription status and billing periods
- Trial dates (14-day free trial)
Important: We do NOT store credit card numbers or payment details. All payment processing is handled securely by Stripe. Please see Stripe's Privacy Policy for details on how they handle your payment information.
Technical Data
When you visit our website, our hosting provider (Vercel) may automatically log standard server data including your IP address, browser type, and the pages you visit. This data is used for security monitoring and troubleshooting.
If you encounter errors while using the site, we may collect data about the error to help us diagnose and fix issues.
User-Generated Content
We consider 'user-generated content' to be materials (text, image and/or video content) voluntarily supplied to us by our users for the purpose of publication on our website. This includes therapist profiles, service descriptions, and profile media.
Please be aware that profile content you submit for publication will be publicly visible on our directory. Once published, it may be accessible to third parties and indexed by search engines.
Collection and Use of Information
We may collect personal information from you when you do any of the following on our website:
- Register for an account
- Create or update a therapist profile
- Book an appointment with a therapist
- Send a message to a therapist
- Complete a client onboarding form
- Connect your calendar or Zoom account
- Subscribe to our paid service
- Use a mobile device or web browser to access our content
- Contact us via email or through our website
We may collect, hold, use and disclose information for the following purposes, and personal information will not be further processed in a manner that is incompatible with these purposes:
- To provide you with our platform's core features and services
- To enable therapists to manage their profiles, services, and client bookings
- To enable visitors to find and book appointments with therapists
- To facilitate communication between therapists and potential clients
- To process subscription payments
- To send booking confirmations, reminders, and notifications
- To contact and communicate with you
- For internal record keeping and administrative purposes
- To comply with our legal obligations and resolve any disputes
- For security and fraud prevention
Email Communications and Tracking
We use SendGrid to send emails including booking confirmations, notifications, and reminders. These emails may include tracking to:
- Confirm successful delivery
- Detect bounced or failed emails
- Record when emails are opened (for delivery verification)
This helps us ensure you receive important communications about your bookings and messages.
Disclosure of Personal Information to Third Parties
We may disclose personal information to:
- A parent, subsidiary or affiliate of our company
- Third-party service providers for the purpose of enabling them to provide their services
- Our employees, contractors, and/or related entities
- Courts, tribunals, regulatory authorities, and law enforcement officers, as required by law
- An entity that buys, or to which we transfer all or substantially all of our assets and business
Third-Party Services We Use
We use the following third-party services to operate our platform:
- Supabase - Database and authentication (Privacy Policy)
- Vercel - Website hosting (Privacy Policy)
- Stripe - Payment processing for subscriptions (Privacy Policy)
- SendGrid (Twilio) - Email delivery and notifications (Privacy Policy)
- Google - Calendar integration (when connected) (Privacy Policy)
- Microsoft - Calendar integration (when connected) (Privacy Policy)
- Zoom - Video meeting links (when connected) (Privacy Policy)
- Cloudflare - File and image storage (Privacy Policy)
International Transfers of Personal Information
The personal information we collect is stored and/or processed in the United Kingdom and United States, or where we or our partners, affiliates, and third-party providers maintain facilities.
The countries in which we store or process your personal information, or to which we transfer it, may not have the same data protection laws as the country in which you initially provided the information. If we transfer your personal information to third parties in other countries: (i) we will perform those transfers in accordance with the requirements of applicable law; and (ii) we will protect the transferred personal information in accordance with this privacy policy.
Security of Your Personal Information
When we collect and process personal information, and while we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorised access, disclosure, copying, use or modification.
We implement the following security measures:
- Encryption: Calendar OAuth tokens are encrypted using AES-256-GCM encryption before storage
- Password Security: Passwords are securely hashed using industry-standard algorithms (managed by Supabase)
- Session Security: Authentication uses HTTP-only cookies that cannot be accessed by JavaScript
- Email Verification: Required for bookings and messages, using secure random tokens (32 bytes) that expire after 24 hours
- Rate Limiting: Messages are limited to 5 per email address per hour to prevent abuse
Although we will do our best to protect the personal information you provide to us, we advise that no method of electronic transmission or storage is 100% secure and no one can guarantee absolute data security.
You are responsible for selecting any password and its overall security strength, ensuring the security of your own information within the bounds of our services.
How Long We Keep Your Personal Information
We keep your personal information only for as long as we need to. Specific retention periods are:
- Account data: Retained while your account is active
- After account deletion: Personal data is anonymised within 90 days
  - Name changed to "Deleted User"
  - Email changed to an anonymised format
  - Profile information, photos, and videos are deleted
  - Calendar tokens are deleted immediately
- Booking and financial records: Retained for 7 years (legal/accounting requirement)
- Calendar tokens: Deleted immediately when you disconnect your calendar
- Verification tokens: Expire and are deleted after 24 hours
However, if necessary, we may retain your personal information for our compliance with a legal, accounting, or reporting obligation or for archiving purposes in the public interest.
Children's Privacy
We do not aim any of our products or services directly at children under the age of 13 and we do not knowingly collect personal information about children under 13.
Your Rights and Controlling Your Personal Information
Your choice: By providing personal information to us, you understand we will collect, hold, use, and disclose your personal information in accordance with this privacy policy. You do not have to provide personal information to us; however, if you do not, it may affect your use of our website or the products and/or services offered on or through it.
Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person's consent to provide the personal information to us.
Access: You may request details of the personal information that we hold about you.
Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details provided in this privacy policy. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading, or out of date.
Deletion: You may request that we delete your personal information. If you delete your account, we will anonymise your personal data within 90 days. Some records (such as booking history) may be retained for legal compliance.
Non-discrimination: We will not discriminate against you for exercising any of your rights over your personal information.
Notification of data breaches: We will comply with laws applicable to us in respect of any data breach.
Complaints: If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you in writing. You also have the right to contact the Information Commissioner's Office (ICO) in the UK.
Unsubscribe: To unsubscribe from our email database or opt-out of communications, please contact us using the details provided in this privacy policy, or use the unsubscribe link in our emails.
Use of Cookies
We use 'cookies' to collect information about you and your activity across our site. A cookie is a small piece of data that our website stores on your computer, and accesses each time you visit, so we can understand how you use our site.
Please refer to our Cookie Policy for full details about the cookies we use and your choices.
Business Transfers
If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur and that any parties who acquire us may, to the extent permitted by applicable law, continue to use your personal information according to this policy.
Limits of Our Policy
Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.
Changes to This Policy
At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we decide to change this privacy policy, we will post the changes here at the same link by which you are accessing this privacy policy.
If the changes are significant, or if required by applicable law, we will contact you (based on your selected preferences for communications from us) and all our registered users with the new details and links to the updated or changed policy.
Additional Disclosures for General Data Protection Regulation (GDPR) Compliance (EU/UK)
Data Controller / Data Processor
The GDPR distinguishes between organisations that process personal information for their own purposes (known as "data controllers") and organisations that process personal information on behalf of other organisations (known as "data processors"). We, Remaster Your Mind Ltd, located at 82 Hazelton Road, Colchester, CO4 3DY, are a Data Controller with respect to the personal information you provide to us.
When therapists use our platform to manage client information, we act as a Data Processor on their behalf, and the therapist is the Data Controller for their client data.
Legal Bases for Processing Your Personal Information
We will only collect and use your personal information when we have a legal right to do so. Our lawful bases depend on the services you use and how you use them:
Consent From You
Where you give us consent to collect and use your personal information for a specific purpose. This includes:
- Providing health information during client onboarding (explicit consent required for special category data)
- Connecting your calendar or Zoom account
- Receiving marketing communications
You may withdraw your consent at any time using the facilities we provide; however, this will not affect any use of your information that has already taken place.
Performance of a Contract or Transaction
Where you have entered into a contract or transaction with us, or in order to take preparatory steps prior to our entering into a contract. This includes:
- Creating an account and therapist profile
- Processing subscription payments
- Facilitating bookings between therapists and clients
Our Legitimate Interests
Where we assess it is necessary for our legitimate interests, such as for us to provide, operate, improve and communicate our services. This includes:
- Sending booking confirmations and reminders
- Preventing fraud and abuse
- Improving our platform
Compliance with Law
In some cases, we may have a legal obligation to use or keep your personal information. Such cases may include court orders, criminal investigations, government requests, and regulatory obligations.
International Transfers Outside of the European Economic Area (EEA)
We will ensure that any transfer of personal information from countries in the European Economic Area (EEA) or UK to countries outside will be protected by appropriate safeguards, for example by using standard data protection clauses approved by the European Commission, or the use of binding corporate rules or other legally accepted means.
Your GDPR Rights
Restrict: You have the right to request that we restrict the processing of your personal information if (i) you are concerned about the accuracy of your personal information; (ii) you believe your personal information has been unlawfully processed; (iii) you need us to maintain the personal information solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests.
Objecting to processing: You have the right to object to processing of your personal information that is based on our legitimate interests or public interest.
Data portability: You may have the right to request a copy of the personal information we hold about you. Where possible, we will provide this information in a commonly used, machine-readable format (such as CSV or JSON). You may also have the right to request that we transfer this personal information to a third party.
Deletion: You may request that we delete the personal information we hold about you at any time. If you terminate or delete your account, we will delete or anonymise your personal information within 90 days. Please be aware that search engines may still retain copies of your public profile information even after you have deleted the information from our services.
Contact Us
For any questions or concerns regarding your privacy, you may contact us:
- Email: Gareth@remasteryourmind.co.uk
- Phone: 07812448415
- Address: 82 Hazelton Road, Colchester, CO4 3DY
For our full terms of service, please see our Terms & Conditions.