Privacy & Cookie Policy

Last updated: 8 June 2026

Sessionly is operated by Sessionlyuk Ltd, a company registered in England and Wales (Company Number 17267623). Our registered office is 128 City Road, London, EC1V 2NX. Our ICO registration number is ZC164186. Contact email: hello@sessionly.uk

This Privacy & Cookie Policy explains how Sessionly collects, uses, stores and shares personal data when you visit the Sessionly website, create an account, use the Sessionly app, contact us, or otherwise interact with the service.

1. Who we are

For the purposes of UK data protection law, Sessionly acts in different roles depending on the data involved:

Controller of personal data relating to the Sessionly website, enquiries, account creation, billing administration, support, and Sessionly's own business operations.

Processor of therapy practice and client-related data entered into the platform by therapists, practices, or agencies using Sessionly, where those customers determine what data is entered and why it is processed.

If you have any privacy questions, or wish to exercise your data rights, please contact: hello@sessionly.uk

2. Who this policy applies to

This policy applies to:

  • visitors to the Sessionly website
  • therapists, practice owners, administrators and other authorised users of Sessionly
  • individuals who contact Sessionly with enquiries
  • people whose personal data is submitted through the service by Sessionly customers, where relevant

3. The data we collect

A. Website and account data

We may collect:

  • name
  • email address
  • account login details
  • IP address
  • device and browser information
  • usage and access logs
  • enquiry details and correspondence
  • billing and subscription information

B. Practice and client data processed through the app

Depending on how Sessionly is used by a therapist or agency, the platform may process:

  • client names
  • client email addresses
  • encrypted client identifying information
  • client notes
  • waiting list information
  • assessment information
  • outcome measures
  • diary and appointment-related information
  • enquiry tracking information
  • invoicing-related information entered by the customer

Sessionly does not provide direct client logins.

C. Payment data

Payments are handled by Stripe. Sessionly does not store full card details.

Google Workspace API Use

Sessionly accesses your Google Calendar via Google's Workspace APIs, with your explicit consent, to provide our calendar synchronisation features. We use this data only to enable calendar event sync between Sessionly and your Google Calendar — we do not transfer this data to third parties, use it for advertising, or use it for any purposes beyond providing the feature you have explicitly enabled.

The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

4. Special category data

Although Sessionly is not intended for general public use, the platform may be used by therapists and agencies to store information relating to a person's mental health or care needs. Where this occurs, such information may constitute special category personal data under UK data protection law.

Where Sessionly processes such data on behalf of a therapist, practice or agency, it does so as a processor acting on that customer's instructions.

5. How we use personal data

We use personal data to:

  • provide and operate the website and app
  • create and manage user accounts
  • authenticate users and maintain account security
  • provide customer support
  • manage subscriptions, billing and renewals
  • send service-related communications
  • maintain backups, logs, and system integrity
  • detect misuse, fraud, or unauthorised access
  • improve and maintain the service
  • comply with legal obligations

We do not sell personal data.

6. Lawful bases

Where Sessionly acts as controller, we generally rely on the following lawful bases:

Contract: where processing is necessary to provide the website, app, subscriptions, support, and related services.

Legitimate interests: for operating, securing, improving and administering the service, preventing misuse, and responding to enquiries.

Legal obligation: where we need to retain or disclose information to comply with applicable law, regulation, taxation or accounting obligations.

Consent: where consent is specifically requested, if applicable.

Where Sessionly acts as processor, the relevant therapist, practice or agency is responsible for determining the lawful basis and, where required, the condition for processing any special category data.

7. Sharing of data

We may share personal data with trusted service providers that help us operate Sessionly, including:

  • Vercel — hosting (UK/EEA region)
  • Supabase — database and infrastructure services (UK region)
  • Resend — email delivery
  • Stripe — payments
  • Anthropic, PBC (United States) — AI-assisted note structuring, where users choose to use AI features. Note content is transferred to Anthropic's API for the duration of the request and is not retained by Anthropic for model training under their standard API terms.
  • Google LLC (United States) — Google Calendar synchronisation, where users choose to connect their Google Calendar. Calendar event metadata (title, start time, end time, time zone) and OAuth tokens are transferred to Google for the purpose of syncing appointments between Sessionly and the user's chosen Google calendar. OAuth tokens are stored encrypted at rest in Sessionly's database. Users can revoke Sessionly's access at any time via their Google account settings or by disconnecting the integration in Sessionly settings.

We may also disclose information:

  • where required by law
  • to enforce our legal rights
  • to protect the security, integrity or operation of the service
  • in connection with a business restructuring, sale or transfer, if that ever occurs

We require service providers to handle personal data appropriately and only for authorised purposes.

8. International transfers

Most personal data is processed within the United Kingdom or European Economic Area, where Sessionly's hosting and core infrastructure are located.

Where users choose to use AI-assisted features (note structuring), certain data is transferred to the United States via our processor Anthropic, PBC.

Where users choose to connect their Google Calendar, certain data is transferred to the United States via Google LLC.

These transfers are protected under the standard contractual clauses included in our processors' terms (UK International Data Transfer Agreement, EU Standard Contractual Clauses, and EU-US Data Privacy Framework as applicable). Both transfers are initiated only when a user actively chooses to use the relevant feature.

9. Security

We take appropriate technical and organisational measures to protect personal data, including:

  • encryption in transit
  • encryption at rest
  • backups
  • restricted access controls
  • role-based access for agency accounts
  • audit logging
  • optional two-factor authentication

No online service can guarantee absolute security, but we take reasonable steps to protect the data we process.

10. Data retention

Unless a longer period is required by law or for dispute resolution, Sessionly generally retains personal data as follows:

  • Trial accounts: deleted after 30 days if inactive or cancelled
  • Cancelled/inactive paid accounts: deleted after 30 days
  • Enquiries: retained for 12 months
  • Backups: retained for 12 months
  • Support and operational records: retained for as long as reasonably necessary for service administration, security, legal, and accounting purposes

Where Sessionly acts as processor, deletion timing for practice and client data may also depend on the actions and instructions of the relevant customer, subject to Sessionly's operational backup cycles.

11. Marketing communications

Sessionly may send occasional product updates and tips by email, but only where you have given explicit opt-in consent. Consent is collected at first login or via Settings > Profile. You can subscribe or unsubscribe at any time.

We rely on your consent as the lawful basis for these communications under UK GDPR (Article 6(1)(a)) and PECR.

Transactional emails — including account confirmations, password resets, appointment reminders, and invoice reminders — are not marketing communications. We will continue to send these as necessary for the operation of your account regardless of your marketing preference.

We do not sell, rent, or share your email address with third parties for marketing purposes.

12. Cookies

Sessionly uses essential cookies only, including cookies necessary for security, login, session handling, and core website/app functionality. Sessionly does not currently use marketing, analytics or advertising cookies.

13. Your rights

Where Sessionly acts as controller, you may have the right to:

  • request access to your personal data
  • request correction of inaccurate data
  • request deletion of your data
  • request restriction of processing
  • object to certain processing
  • request portability of data, where applicable
  • withdraw consent, where processing is based on consent
  • complain to the UK Information Commissioner's Office

To exercise your rights, contact: hello@sessionly.uk

If your request relates to therapy practice or client data entered by a therapist, practice or agency using Sessionly, you may need to contact that therapist, practice or agency directly, as they are likely to be the controller for that data.

14. Children

Sessionly is intended for adults only and for professional use by therapists, practices and agencies. It is not directed at children.

15. Changes to this policy

We may update this Privacy & Cookie Policy from time to time. The latest version will always be made available on the Sessionly website or within the app, with the updated date shown at the top.

16. Contact

Sessionlyuk Ltd
128 City Road, London, EC1V 2NX
United Kingdom
Company Number: 17267623
ICO Registration: ZC164186
hello@sessionly.uk