Privacy Policy
This policy explains what personal data the Therapybook platform collects, why we collect it, who else processes it on our behalf, how long we keep it, and what your rights are. It is written to comply with the UK GDPR and the EU GDPR.
1. Who we are
Data controller: Puresoft Ltd, registered in England and Wales, operating the Therapybook platform.
Contact: support@clientbooking.pages.dev.
Data Protection Officer (DPO): a formal DPO has not yet been appointed; until one is, all data-protection requests are handled by the founder via the support email above. A formal DPO will be in place before we begin processing data for paying customers at scale. We'll update this section when that happens.
For client bookings on a practitioner's page, the practitioner is the controller of their clients' data and we are the processor. The relationship is set out in the Data Processing Agreement.
2. What data we collect
2.1 Practitioner data (when you sign up)
- Your name and email address.
- Your URL handle ("slug").
- Your timezone and currency.
- Your working hours, buffer minutes, and blocked dates.
- Brand assets: your display name, bio, brand colour, logo.
- Custom-domain hostnames (if you connect one).
- Cancellation-policy settings (window in hours, cancellation fee %, no-show fee %).
- An optional practitioner SMS number used to notify you of new bookings.
- Your Stripe Connect account ID (we never see your bank details, your payouts, or your card data — Stripe handles all of that on their own systems).
2.2 Client data (when someone books a session with you)
When a client books through your booking page or a connected custom domain, we store, on your behalf:
- Their name and email address.
- Their phone number, if they provide one (stored envelope-encrypted at rest — see section 5).
- Free-text booking notes, if they provide any (envelope-encrypted at rest).
- The session start and end time.
- Payment method (Stripe / insurance) and payment status.
- The Stripe payment intent ID (so we can route refunds).
- Cancellation / no-show status and any refund amount we calculated from the cancellation policy.
- Intake-form answers if the service has an intake form attached — these are envelope-encrypted at rest and may include sensitive health information, depending on the questions you chose to ask.
2.3 Private practitioner notes
Free-text notes you write about your sessions or your clients, optionally linked to a specific session. The note body is envelope-encrypted at rest. We can't read these notes from a database dump; they decrypt only when your signed-in dashboard loads them.
2.4 Scheduled SMS reminders
- For each scheduled SMS we keep: the recipient phone number (client phone is encrypted; practitioner phone is plaintext because you've consented to it being delivered to your own number), the message body, the send-at timestamp, and the delivery status.
- Sent SMS rows are retained indefinitely as an audit record.
2.5 Sent-email metadata
For each transactional email we send, the recipient, subject, and timestamp are written to a `sent_emails` audit table. We do not retain email bodies in the audit table.
2.6 Technical / operational data
- HTTP request logs (IP, user agent, timestamp, path) retained by Cloudflare for short rolling windows under their own policies — see their privacy notice.
- Session cookie state (see Cookie Policy).
3. How we use it (purposes)
- Providing the booking service. Showing a practitioner's services, accepting bookings, sending confirmation emails with iCal attachments, displaying upcoming sessions on the dashboard.
- Sending reminders. 24-hour-before client SMS reminders and 30-minute-before practitioner SMS pings, via Twilio.
- Processing payments. Initiating Stripe Checkout sessions, recording payment status, calculating and executing refunds when the cancellation policy applies.
- Operating the platform. Security monitoring, abuse prevention, fraud detection, debugging.
- Communicating with practitioners. Magic-link sign-in emails, system notices, and (with your separate consent) product updates.
- Complying with legal obligations. Tax, accounting, and lawful requests from authorities.
4. Legal basis for processing
| Data | Legal basis (UK / EU GDPR) |
|---|---|
| Practitioner account data | Contract (Art. 6(1)(b)) — necessary to deliver the platform. |
| Client booking + payment data | Contract (Art. 6(1)(b)) — necessary to fulfil the booking the client made with the practitioner. |
| Intake-form answers (health-related) | Explicit consent (Art. 9(2)(a)) collected by the practitioner at intake time, with healthcare-purpose backstop (Art. 9(2)(h)) where appropriate. |
| Private practitioner notes (if client-identifiable) | The practitioner's legitimate interest in record-keeping and clinical safety (Art. 6(1)(f)), supported by Art. 9(2)(h) for healthcare. |
| SMS reminders to clients | Contract (Art. 6(1)(b)) — the reminder is part of delivering the booking, and it is only sent if the client chose to fill in the optional phone field at booking time. |
| Security / abuse prevention | Legitimate interest (Art. 6(1)(f)). |
| Marketing to practitioners | Consent (Art. 6(1)(a)) — opt-in only. We currently do not run a marketing list. |
5. Encryption at rest
The platform implements envelope encryption for the most sensitive fields:
- A single master key (the `MASTER_KEK` secret) lives in Cloudflare's secret store. It never leaves the Worker runtime.
- Each practitioner has a per-tenant key-encryption key (KEK), derived from the master key via HKDF-SHA256 with the practitioner ID as the info parameter. Knowing one practitioner's KEK does not reveal any other practitioner's KEK.
- Each protected row has its own data-encryption key (DEK), a fresh 256-bit AES key. The DEK is wrapped with the tenant's KEK using AES key-wrap and stored alongside the ciphertext.
- The plaintext is encrypted with the DEK using AES-256-GCM with a fresh 96-bit IV per row.
- The stored bundle is JSON of the form `{v:1, kv:1, iv, ct, dek}`.
Fields encrypted at rest:
- `bookings.client_phone_ct` — client phone number.
- `bookings.notes_ct` — free-text booking notes a client wrote when booking.
- `intake_responses.answers_json_ct` — every intake-form answer, including any health-related fields.
- `client_notes.body_ct` — your private session notes.
Fields not encrypted at rest: client names, client email addresses, service names, practitioner brand fields, booking start/end times. These are the fields the platform reads on every page load and that are needed by Stripe / iCal / email rendering, so encrypting them would slow normal operation without materially improving privacy.
What this protects against: a database snapshot or backup file leaking. Without the master key, the ciphertext fields are unreadable.
What this doesn't protect against: a compromise of the live Worker runtime (which holds the master key in memory to do its job). For that we rely on Cloudflare's platform isolation and our own engineering hygiene.
6. Sub-processors
We rely on the following sub-processors to deliver the platform. Each one operates under its own terms and privacy notice, linked below. Sub-processor changes will be announced in this policy with at least 30 days' notice.
| Sub-processor | Role | Privacy notice |
|---|---|---|
| Cloudflare Inc. | Hosting (Pages, Workers, D1, R2, KV), DNS, TLS, transactional email delivery via the Cloudflare Email Service. Edge nodes located globally (incl. UK, EEA, US). | cloudflare.com/privacypolicy |
| Stripe Inc. / Stripe Payments Europe | Payment processing via Stripe Connect (Standard). Each practitioner has their own Stripe account; we route charges via `Stripe-Account` headers. We do not see card data and do not hold practitioner funds. | stripe.com/privacy |
| Twilio Inc. / Twilio Ireland | Outbound SMS reminders (24h-before for clients, 30-min-before for practitioners). Phone numbers + message bodies are shared with Twilio for delivery only. | twilio.com/legal/privacy |
| WordPress hosts (optional) | If a practitioner chooses to embed their booking page on a WordPress site using our embed plugin, the plugin runs inside their WordPress install. We do not control or share data with that environment; it loads an iframe and the data flows are otherwise the same as the public booking surface. | Per the WordPress host the practitioner chooses. |
7. Cookies
The platform sets exactly one cookie: `__session`, an HttpOnly, Secure, SameSite=Lax cookie issued when a practitioner signs in or completes signup. It identifies the dashboard session for 7 days on a sliding window. We set no tracking cookies, no analytics cookies, and no advertising cookies. Clients browsing a practitioner's booking page do not receive any cookies from us. See the Cookie Policy for the full details.
8. International transfers
Cloudflare, Stripe, and Twilio all operate globally and may process data outside the UK and EEA. We rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission, where data is transferred from the EEA to a non-adequate jurisdiction.
- UK International Data Transfer Addendum (IDTA) as adopted by the UK ICO, where data is transferred from the UK to a non-adequate jurisdiction.
- Adequacy decisions where they apply.
Cloudflare, Stripe, and Twilio each publish their own transfer impact assessments and transfer documentation; the privacy notices linked in section 6 are the entry point to them.
9. Retention
| Data | Retention |
|---|---|
| Practitioner account + services + working hours | For the lifetime of the account, plus 30 days after closure for restore. Then permanently deleted (this 30-day window is a draft policy and may be adjusted before launch). |
| Active bookings | Indefinitely while the practitioner's account is active. |
| Cancelled bookings | Retained for audit and reconciliation with Stripe; refund records survive. |
| Intake-form answers | Same as the associated booking. |
| Private practitioner notes | Indefinitely while the practitioner's account is active. |
| Sent SMS rows | Indefinitely as an audit log. |
| Sent-email metadata | Indefinitely on our side; Cloudflare's own retention for email delivery is set by their service. |
| Magic-link tokens | 15 minutes from issue (KV TTL). |
| Session cookies | 7-day sliding window from last request. |
10. Your rights
Under UK / EU GDPR you have the right to:
- Access a copy of the data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten"), subject to legal retention obligations (e.g. tax records).
- Restrict processing in some circumstances.
- Object to processing based on legitimate interest.
- Portability — receive your data in a common machine-readable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with a supervisory authority — in the UK that's the Information Commissioner's Office (ico.org.uk); in the EU it is your national DPA.
To exercise any of these rights, email support@clientbooking.pages.dev. We will respond within 30 days. If your request is about data held by us on behalf of a practitioner (e.g. you are a client and you want your booking deleted), we will forward the request to the practitioner, who is the data controller for that data, and assist them in responding.
11. Children's data
The platform is not designed for people under 16. Practitioners must not enrol clients under 16 without first obtaining verifiable parental or guardian consent and recording that consent in their own records. If we become aware that a child under 16 has booked a session without such consent, we will delete the booking on request.
12. Data breaches
If we become aware of a personal data breach that is likely to result in a risk to data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware, and notify affected practitioners and (where appropriate) their clients without undue delay.
13. Changes to this policy
For non-material changes (clarifying wording, fixing typos) we may publish the updated policy without prior notice. For material changes (new sub-processors, new categories of data, new purposes) we will give you at least 30 days' notice by email and update the “Effective date” above.
14. Contact
Questions about this policy or about how we handle your data? Email support@clientbooking.pages.dev.