Privacy & Cookie Policy
Last updated: 20 April 2026
Sessionly is operated by Mark Devereux trading as Sessionly of PO Box, Poole, Dorset, BH15. Contact email: hello@sessionly.uk
This Privacy & Cookie Policy explains how Sessionly collects, uses, stores and shares personal data when you visit the Sessionly website, create an account, use the Sessionly app, contact us, or otherwise interact with the service.
1. Who we are
For the purposes of UK data protection law, Sessionly acts in different roles depending on the data involved:
Controller of personal data relating to the Sessionly website, enquiries, account creation, billing administration, support, and Sessionly's own business operations.
Processor of therapy practice and client-related data entered into the platform by therapists, practices, or agencies using Sessionly, where those customers determine what data is entered and why it is processed.
If you have any privacy questions, or wish to exercise your data rights, please contact: hello@sessionly.uk
2. Who this policy applies to
This policy applies to:
- visitors to the Sessionly website
- therapists, practice owners, administrators and other authorised users of Sessionly
- individuals who contact Sessionly with enquiries
- people whose personal data is submitted through the service by Sessionly customers, where relevant
3. The data we collect
A. Website and account data
We may collect:
- name
- email address
- account login details
- IP address
- device and browser information
- usage and access logs
- enquiry details and correspondence
- billing and subscription information
B. Practice and client data processed through the app
Depending on how Sessionly is used by a therapist or agency, the platform may process:
- client names
- client email addresses
- encrypted client identifying information
- client notes
- waiting list information
- assessment information
- outcome measures
- diary and appointment-related information
- enquiry tracking information
- invoicing-related information entered by the customer
Sessionly does not provide direct client logins.
C. Payment data
Payments are handled by Stripe. Sessionly does not store full card details.
4. Special category data
Although Sessionly is not intended for general public use, the platform may be used by therapists and agencies to store information relating to a person's mental health or care needs. Where this occurs, such information may constitute special category personal data under UK data protection law.
Where Sessionly processes such data on behalf of a therapist, practice or agency, it does so as a processor acting on that customer's instructions.
5. How we use personal data
We use personal data to:
- provide and operate the website and app
- create and manage user accounts
- authenticate users and maintain account security
- provide customer support
- manage subscriptions, billing and renewals
- send service-related communications
- maintain backups, logs, and system integrity
- detect misuse, fraud, or unauthorised access
- improve and maintain the service
- comply with legal obligations
We do not sell personal data.
6. Lawful bases
Where Sessionly acts as controller, we generally rely on the following lawful bases:
Contract: where processing is necessary to provide the website, app, subscriptions, support, and related services.
Legitimate interests: for operating, securing, improving and administering the service, preventing misuse, and responding to enquiries.
Legal obligation: where we need to retain or disclose information to comply with applicable law, regulation, taxation or accounting obligations.
Consent: where consent is specifically requested, if applicable.
Where Sessionly acts as processor, the relevant therapist, practice or agency is responsible for determining the lawful basis and, where required, the condition for processing any special category data.
7. Sharing of data
We may share personal data with trusted service providers that help us operate Sessionly, including:
- Vercel for hosting
- Supabase for database and infrastructure services
- Resend for email services
- Stripe for payments
- Anthropic Claude where AI features are used within the product or for related service functionality
We may also disclose information:
- where required by law
- to enforce our legal rights
- to protect the security, integrity or operation of the service
- in connection with a business restructuring, sale or transfer, if that ever occurs
We require service providers to handle personal data appropriately and only for authorised purposes.
8. International transfers
Sessionly is intended for UK-only use. Sessionly does not intentionally transfer personal data outside the UK. If this changes in future, we will update this policy and put appropriate safeguards in place where required.
9. Security
We take appropriate technical and organisational measures to protect personal data, including:
- encryption in transit
- encryption at rest
- backups
- restricted access controls
- role-based access for agency accounts
- audit logging
- optional two-factor authentication
No online service can guarantee absolute security, but we take reasonable steps to protect the data we process.
10. Data retention
Unless a longer period is required by law or for dispute resolution, Sessionly generally retains personal data as follows:
- Trial accounts: deleted after 30 days if inactive or cancelled
- Cancelled/inactive paid accounts: deleted after 30 days
- Enquiries: retained for 12 months
- Backups: retained for 12 months
- Support and operational records: retained for as long as reasonably necessary for service administration, security, legal, and accounting purposes
Where Sessionly acts as processor, deletion timing for practice and client data may also depend on the actions and instructions of the relevant customer, subject to Sessionly's operational backup cycles.
11. Marketing communications
Sessionly may send occasional product updates and tips by email, but only where you have given explicit opt-in consent. Consent is collected at first login or via Settings > Profile. You can subscribe or unsubscribe at any time.
We rely on your consent as the lawful basis for these communications under UK GDPR (Article 6(1)(a)) and PECR.
Transactional emails — including account confirmations, password resets, appointment reminders, and invoice reminders — are not marketing communications. We will continue to send these as necessary for the operation of your account regardless of your marketing preference.
We do not sell, rent, or share your email address with third parties for marketing purposes.
12. Cookies
Sessionly uses essential cookies only, including cookies necessary for security, login, session handling, and core website/app functionality. Sessionly does not currently use marketing, analytics or advertising cookies.
13. Your rights
Where Sessionly acts as controller, you may have the right to:
- request access to your personal data
- request correction of inaccurate data
- request deletion of your data
- request restriction of processing
- object to certain processing
- request portability of data, where applicable
- withdraw consent, where processing is based on consent
- complain to the UK Information Commissioner's Office
To exercise your rights, contact: hello@sessionly.uk
If your request relates to therapy practice or client data entered by a therapist, practice or agency using Sessionly, you may need to contact that therapist, practice or agency directly, as they are likely to be the controller for that data.
14. Children
Sessionly is intended for adults only and for professional use by therapists, practices and agencies. It is not directed at children.
15. Changes to this policy
We may update this Privacy & Cookie Policy from time to time. The latest version will always be made available on the Sessionly website or within the app, with the updated date shown at the top.
16. Contact
Mark Devereux trading as Sessionly
PO Box, Poole, Dorset, BH15
hello@sessionly.uk