Security and data protection
Built to keep your data — and your clients' — properly protected.

Where your data lives
Your data — and your clients' — is hosted entirely within the UK and EU. It never crosses the Atlantic, and never sits on servers outside the jurisdiction GDPR protects.
That matters because therapy work is sensitive. Many widely-used software platforms quietly move your data to US servers for processing or backup. Sessionly does not. Your records stay within the legal and regulatory framework you and your clients expect.
How we protect your data
Every piece of client information stored in Sessionly is encrypted, both while it's held on our servers and while it's being transmitted to and from your browser. If someone managed to access the storage layer directly, they would see nothing readable — only encrypted data that cannot be decoded without the right keys.
Sessionly uses a two-code system for clinical records. Each client is identified by an anonymised code, and the link between that code and the client's real identity is stored separately and protected independently. This means that even within Sessionly itself, clinical notes and client identities are not held together. It's a clinical principle as much as a technical one — and it's how trained therapists are taught to handle records.
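The separation described above, as an added illustration rather than Sessionly's own code: notes are keyed only by a random client code, and the code-to-identity link lives in a separate store that demands its own access key (store names, the key and the sample identity are hypothetical, constructed values).

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class ClinicalNotesStore:
    # client_code -> list of note texts; holds no names or contact details
    notes: dict = field(default_factory=dict)

    def add_note(self, client_code: str, text: str) -> None:
        self.notes.setdefault(client_code, []).append(text)

@dataclass
class IdentityLinkStore:
    # client_code -> real identity, readable only with a separate access key
    access_key: str
    links: dict = field(default_factory=dict)

    def register(self, identity: dict) -> str:
        # The code is random, so it cannot be derived from the identity
        client_code = secrets.token_hex(8)
        self.links[client_code] = identity
        return client_code

    def resolve(self, client_code: str, key: str) -> dict:
        if not secrets.compare_digest(key, self.access_key):
            raise PermissionError("identity link store: access denied")
        return self.links[client_code]

def notes_contain_identity(store: ClinicalNotesStore, identity: dict) -> bool:
    """True if any identifying value has leaked into the notes store."""
    blob = " ".join(t for texts in store.notes.values() for t in texts)
    return any(str(v) in blob for v in identity.values())

def demo() -> tuple:
    # Constructed sample client (hypothetical values)
    identity = {"name": "Jane Example", "email": "jane@example.invalid"}
    links = IdentityLinkStore(access_key="hypothetical-link-key")
    notes = ClinicalNotesStore()
    code = links.register(identity)
    notes.add_note(code, "Session 1: explored sleep patterns and workload.")
    leaked = notes_contain_identity(notes, identity)          # False
    resolved = links.resolve(code, "hypothetical-link-key")   # identity
    try:
        links.resolve(code, "wrong-key")
        denied = False
    except PermissionError:
        denied = True                                         # True
    return leaked, resolved == identity, denied, len(code)
```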
Every action taken in your Sessionly account is recorded in a full audit trail. If you ever need to demonstrate compliance, investigate an issue, or simply check what happened when, the record is there.
You can also turn on two-factor authentication or passkey sign-in to add a second layer of protection to your account.
Backups and resilience
Your data is backed up three times every day. If anything were to go wrong — an accidental deletion, a hardware failure, a software bug — we have multiple recent backups to restore from.
Sessionly runs on infrastructure designed for high availability, with automatic failover between geographic regions. Practically, this means very rare interruptions to service, and a clear recovery path when issues do occur.
Compliance
Sessionly is designed GDPR-first. Personal data is processed under an explicit lawful basis, special category data (which clinical records are) is handled with the additional safeguards GDPR requires, and clients have clear rights to access, rectification and erasure of their information.
Record retention follows BACP and NCS guidance for UK counselling and psychotherapy. Default retention periods can be adjusted to fit your specific clinical setting — student supervision, agency policy, or your own professional registration requirements.
Questions about security?
If you have a specific security question — about how Sessionly handles a particular piece of data, what happens in a specific scenario, or what we can do for your organisation's compliance review — email us at hello@sessionly.uk. We answer security questions directly.