TherapyVault.ai

GDPR Compliance

Our commitment to data protection
Version 1.0
Last Updated: August 1, 2025

1. Executive Summary

TherapyVault.ai is fully committed to protecting personal data and complying with the General Data Protection Regulation (GDPR). This document outlines our comprehensive approach to GDPR compliance, detailing how we protect the sensitive health data entrusted to us by therapists and their clients.

2. Our GDPR Roles

2.1 As Data Controller

When therapists use our platform, we act as a Data Controller for:

  • Therapist account information
  • Subscription and billing data
  • Platform usage analytics
  • Support communications

2.2 As Data Processor

For therapy session data, we act as a Data Processor:

  • Processing data on behalf of therapists
  • Following therapist instructions
  • Implementing technical measures
  • Assisting with compliance

3. Lawful Basis for Processing

3.1 Contract Performance

We process data necessary for:

  • Service delivery
  • Account management
  • Technical support
  • Billing operations

3.2 Legitimate Interests

We rely on legitimate interests for:

  • Service improvements
  • Security monitoring
  • Fraud prevention
  • Analytics (anonymized)

3.3 Consent

We obtain explicit consent for:

  • Marketing communications
  • Optional features
  • AI model training
  • Research participation

3.4 Legal Obligations

We process data to comply with:

  • Financial regulations
  • Healthcare requirements
  • Law enforcement requests
  • Court orders

4. Data Subject Rights

4.1 Right to Access

Data subjects can request:

  • Copies of personal data
  • Processing purposes
  • Data categories
  • Retention periods
  • Recipient information

Response Time: One month from receipt, extendable by up to two further months for complex or numerous requests (Article 12(3)); the data subject is told of any extension within the first month
Format: Structured, machine-readable
Cost: Free for the first copy; a reasonable fee may be charged for further copies of the same data (Article 15(3))

4.2 Right to Rectification

Individuals can:

  • Correct inaccurate data
  • Complete incomplete data
  • Update outdated information
  • Verify changes made

Implementation: Without undue delay
Notification: Each recipient to whom the data has been disclosed is informed of the correction, unless this proves impossible or involves disproportionate effort (Article 19)

4.3 Right to Erasure

"Right to be forgotten" applies when:

  • Data no longer necessary
  • Consent withdrawn
  • Unlawful processing
  • Legal obligation to erase

Exceptions:

  • Legal requirements
  • Public interest
  • Legal claims
  • Freedom of expression

4.4 Right to Restrict Processing

Restriction available when:

  • Accuracy contested
  • Processing unlawful
  • Data needed for legal claims
  • Objection pending

Effects: Data stored but not processed

4.5 Right to Data Portability

Data subjects receive:

  • Personal data provided
  • Structured format
  • Machine-readable
  • Direct transfer option

Scope: Automated processing based on consent/contract

4.6 Right to Object

Objection rights for:

  • Direct marketing (absolute)
  • Legitimate interests
  • Research purposes
  • Statistical purposes

Response: Cease processing unless compelling grounds

4.7 Automated Decision-Making

Data subjects have the right not to be subject to:

  • Decisions based solely on automated processing, including profiling
  • Where those decisions produce legal effects or similarly significant effects for them

Safeguards: Human review on request, the right to express a point of view, and the right to contest the decision (Article 22(3))

5. Privacy by Design

5.1 Data Minimization

  • Collect only necessary data
  • Purpose limitation
  • Regular data audits
  • Automatic deletion policies

5.2 Purpose Limitation

  • Clear purposes defined
  • Compatible processing only
  • No mission creep
  • Transparent communication

5.3 Storage Limitation

  • Defined retention periods
  • Automatic purging
  • Archive policies
  • Deletion verification

5.4 Accuracy

  • Regular updates
  • Correction mechanisms
  • Verification processes
  • Audit trails

5.5 Security

  • Encryption standards
  • Access controls
  • Regular testing
  • Incident response

5.6 Accountability

  • Documentation maintained
  • Compliance monitoring
  • Regular assessments
  • Training programs

6. Technical Measures

6.1 Encryption

At Rest:

  • AES-256 encryption
  • Encrypted databases
  • Encrypted backups
  • Key management system

In Transit:

  • TLS 1.3 minimum
  • Certificate pinning
  • Perfect forward secrecy (ephemeral key exchange; every TLS 1.3 cipher suite provides it)
  • HSTS enforcement

6.2 Access Control

  • Role-based permissions
  • Multi-factor authentication
  • Session management
  • Audit logging
  • Principle of least privilege

6.3 Pseudonymization

  • Identifier separation
  • Key management
  • Re-identification controls
  • Technical safeguards
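As an added illustration of the three measures above (keyed identifiers, key held apart from the data, gated re-identification), the following is example code written for this page and not TherapyVault.ai's own implementation. Everything in it is an assumption for illustration: the HMAC-SHA256 construction, the in-memory key service standing in for a KMS or HSM, the role names, the record layout and the constructed sample records.

```python
# Added example (not TherapyVault.ai's code): keyed pseudonymisation with
# identifier separation and gated re-identification. The HMAC construction,
# the in-memory key service, the role names and the record layout are all
# assumptions for illustration.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class PseudonymKeyService:
    """Holds versioned pseudonymisation keys apart from the data.

    A keyed MAC (not a plain hash) is used so that someone who obtains the
    working dataset cannot brute-force small identifier spaces such as
    sequential client numbers: without the key the pseudonym reveals nothing.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._keys: Dict[int, bytes] = {1: key or secrets.token_bytes(32)}
        self.current_version = 1

    def rotate(self) -> int:
        """Introduce a new key version; old versions stay readable for re-keying."""
        self.current_version += 1
        self._keys[self.current_version] = secrets.token_bytes(32)
        return self.current_version

    def pseudonym(self, identifier: str, version: Optional[int] = None) -> str:
        """Deterministic pseudonym: same identifier + same key -> same token,
        so records about one client remain linkable for analytics."""
        v = self.current_version if version is None else version
        mac = hmac.new(self._keys[v], identifier.encode("utf-8"), hashlib.sha256)
        return f"v{v}:{mac.hexdigest()[:32]}"


class ReidentificationVault:
    """pseudonym -> identifier map, stored separately from the working dataset.

    Re-identification is the sensitive operation, so it is gated by role and
    every attempt (allowed or denied) is written to an audit trail.
    """

    AUTHORISED_ROLES = frozenset({"treating_therapist", "dpo"})

    def __init__(self) -> None:
        self._map: Dict[str, str] = {}
        self.audit_log: List[dict] = []

    def register(self, pseudonym: str, identifier: str) -> None:
        self._map[pseudonym] = identifier

    def reidentify(self, pseudonym: str, actor: str, role: str, purpose: str) -> str:
        allowed = role in self.AUTHORISED_ROLES and pseudonym in self._map
        self.audit_log.append(
            {"actor": actor, "role": role, "pseudonym": pseudonym,
             "purpose": purpose, "allowed": allowed}
        )
        if not allowed:
            raise PermissionError(f"re-identification denied for role {role!r}")
        return self._map[pseudonym]


DIRECT_IDENTIFIERS = ("client_id", "client_name", "client_email")


def pseudonymise_records(records: List[dict], keys: PseudonymKeyService,
                         vault: ReidentificationVault) -> List[dict]:
    """Split each record into a working copy (pseudonym only) and a vault entry."""
    working = []
    for rec in records:
        token = keys.pseudonym(rec["client_id"])
        vault.register(token, rec["client_id"])
        working.append({"client_ref": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working


def leaks_direct_identifiers(records: List[dict]) -> bool:
    """Check a dataset before it leaves the trust boundary (e.g. to analytics)."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


# Constructed sample session metadata for the example (not real data).
SAMPLE_RECORDS = [
    {"client_id": "client-1001", "client_name": "A. Example",
     "session_date": "2025-07-01", "duration_min": 50},
    {"client_id": "client-1001", "client_name": "A. Example",
     "session_date": "2025-07-08", "duration_min": 50},
    {"client_id": "client-1002", "client_name": "B. Example",
     "session_date": "2025-07-02", "duration_min": 30},
]

if __name__ == "__main__":
    ks = PseudonymKeyService()
    vault = ReidentificationVault()
    working = pseudonymise_records(SAMPLE_RECORDS, ks, vault)
    assert not leaks_direct_identifiers(working)
    assert working[0]["client_ref"] == working[1]["client_ref"]  # still linkable
    print(vault.reidentify(working[0]["client_ref"], "dr-smith",
                           "treating_therapist", "clinical follow-up"))
    try:
        vault.reidentify(working[0]["client_ref"], "analyst-1", "analytics", "cohort study")
    except PermissionError as exc:
        print(exc)
```

The design point is that the working dataset and the vault are two different stores with two different access paths: analytics code only ever sees `client_ref`, and turning a token back into a person requires both the vault and an authorised role, with the attempt logged either way. Key rotation yields a new token namespace (`v2:` instead of `v1:`), so re-keying a dataset is a visible, auditable operation rather than a silent change.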

6.4 Data Integrity

  • Checksums and hashing
  • Version control
  • Backup verification
  • Recovery testing

7. Organizational Measures

7.1 Data Protection Officer

Responsibilities:

  • GDPR compliance monitoring
  • Data protection advice
  • Training coordination
  • Regulatory liaison

Contact:

  • Email: dpo@therapyvault.ai
  • Independence guaranteed

7.2 Staff Training

Program includes:

  • GDPR principles
  • Security awareness
  • Incident response
  • Regular updates
  • Compliance testing

7.3 Vendor Management

Requirements:

  • GDPR compliance verification
  • Data processing agreements
  • Security assessments
  • Regular audits
  • Incident notification

7.4 Privacy Impact Assessments

Conducted for:

  • New technologies
  • High-risk processing
  • Large-scale operations
  • Sensitive data handling

8. International Transfers

8.1 Transfer Mechanisms

Standard Contractual Clauses (SCCs):

  • EU Commission approved
  • Updated versions used
  • Regular reviews
  • Supplementary measures

Adequacy Decisions:

  • UK adequacy relied upon
  • Monitor changes
  • Alternative measures ready

8.2 Transfer Impact Assessments

  • Country law analysis
  • Risk evaluation
  • Supplementary measures
  • Documentation maintained

9. Data Breach Management

9.1 Detection

  • 24/7 monitoring
  • Automated alerts
  • Regular scanning
  • Threat intelligence

9.2 Response Process

Timeline:

  1. Detection: Immediate
  2. Assessment: Within 24 hours of becoming aware
  3. ICO notification: Within 72 hours of becoming aware, where we are the controller and the breach is likely to result in a risk to individuals (Article 33(1))
  4. Controller notification: Without undue delay, where the affected data is session data we process on a therapist's behalf, so that the therapist can meet their own 72-hour obligation (Article 33(2))
  5. User notification: Without undue delay, where the breach is likely to result in a high risk to individuals (Article 34)

9.3 Notification Content

To Authorities:

  • Nature of breach
  • Data categories
  • Approximate number of affected individuals and records
  • DPO contact details
  • Likely consequences
  • Mitigation measures

To Individuals:

  • Clear language
  • Breach description
  • Potential impact
  • Our actions
  • Recommended steps

9.4 Documentation

  • Breach register maintained
  • Response actions logged
  • Lessons learned
  • Process improvements

10. Special Category Data

10.1 Health Data Protection

Enhanced measures:

  • Additional encryption
  • Stricter access controls
  • Limited retention
  • Explicit consent
  • Purpose limitation

10.2 Processing Conditions

For each processing activity, at least one Article 9(2) condition applies:

  • Explicit consent of the data subject
  • Provision of health care or treatment, by or under the responsibility of a professional bound by an obligation of professional secrecy
  • Substantial public interest, where permitted by law

11. Children's Data

11.1 Age Verification

  • Minimum age for platform accounts: 18 years
  • Verification measures
  • Parental consent (if applicable)
  • Special protections

11.2 Safeguards

  • Enhanced privacy defaults
  • Simplified notices
  • Restricted processing
  • No profiling

12. Data Protection by Default

12.1 Default Settings

  • Maximum privacy
  • Minimal data sharing
  • Opt-in features
  • Transparent controls

12.2 User Control

  • Granular permissions
  • Easy opt-out
  • Clear interfaces
  • Preference center

13. Third-Party Processors

13.1 Current Sub-processors

Infrastructure:

  • Amazon Web Services (AWS)
  • Location: UK regions

Services:

  • AssemblyAI (transcription)
  • Google Gemini (AI analysis)
  • Stripe (payments)
  • DocuSeal (documents)

13.2 Processor Requirements

  • GDPR compliance
  • Security standards
  • Audit rights
  • Breach notification
  • Data return/deletion

14. Compliance Monitoring

14.1 Internal Audits

  • Quarterly assessments
  • Compliance checks
  • Process reviews
  • Corrective actions

14.2 External Audits

  • Annual assessments
  • Independent auditors
  • Published reports
  • Certification maintenance

14.3 Key Performance Indicators

  • Response times
  • Breach metrics
  • Training completion
  • Compliance scores

15. Regulatory Cooperation

15.1 ICO Relationship

  • Proactive engagement
  • Consultation process
  • Guidance implementation
  • Investigation cooperation

15.2 Cross-Border Cooperation

  • Lead authority: UK ICO
  • Cooperation mechanism
  • Consistency approach
  • Joint operations

16. Updates and Changes

16.1 Policy Updates

  • Regular reviews
  • Regulatory changes
  • Best practice adoption
  • Stakeholder feedback

16.2 Communication

  • Advance notice
  • Clear explanations
  • Transition support
  • Training updates

17. Contact Information

Data Protection Officer

Email: dpo@therapyvault.ai

Supervisory Authority

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane, Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk
Phone: 0303 123 1113


Document Control
Version: 1.0
Last Updated: August 1, 2025
Review Date: February 1, 2026
Owner: Data Protection Officer

AI-powered therapy session management for UK professionals

© 2025 TherapyVault.ai. All rights reserved. UK Data Residency • GDPR Compliant • SOC 2 Aligned