1. Introduction
This privacy policy explains how Practicos Software Limited ("we", "us", "our") collects, uses, stores, and protects personal data when you use our practice management software for speech and language therapists.
We are committed to protecting your privacy and handling your data in an open and transparent manner. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Who We Are
Data Controller:
Practicos Software Limited
37 Ivedon Road
Welling, England
DA16 1NN
Company Registration Number: 16973774
ICO Registration Number: ZC081550
Controller vs Processor: We act as the data controller for account, billing, and marketing data. For Client Data you upload (including clinical records), we act as a data processor on your instructions, and you remain the data controller.
Contact:
Email: privacy@practicos.co.uk
3. What Data We Collect
3.1 Account Information (Practitioner Users)
- Full name
- Email address
- Authentication credentials (managed by our identity provider)
- Practice/organisation name
- Professional registration details
- Profile photograph (optional)
3.2 Client Records
Data you enter about your clients:
- Client name and contact details
- Date of birth
- Guardian/parent contact information
- Referral source and reason
- Communication preferences
3.3 Clinical Notes (Special Category Data)
- SOAP notes and session documentation
- Assessment results and observations
- Treatment goals and progress
- Session attendance records
- Health-related information
Important: Clinical notes contain special category data (health data) under UK GDPR Article 9. This data is processed under the healthcare provision exemption (Article 9(2)(h)) as it is necessary for the provision of health care by a health professional bound by professional secrecy obligations.
3.4 Appointment Data
- Appointment dates, times, and durations
- Appointment types and status
- Session notes and outcomes
3.5 Billing and Payment Information
- Invoice details
- Service rates
- Payment history
- Business bank details (for invoice generation)
We do not store full payment card details. Card payments are processed securely by our payment provider, Stripe.
3.6 Technical and Usage Data
- IP address
- Browser type and version
- Device information
- Pages visited and features used
- Login timestamps
4. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the Practicos service | Account, client records, appointments, billing | Contract performance (Article 6(1)(b)) |
| Process clinical documentation | Clinical notes, health data | Healthcare provision (Article 9(2)(h)) |
| Send service communications | Email address | Contract performance / Legitimate interests |
| Process payments | Billing information | Contract performance |
| Improve our service | Usage data, analytics | Legitimate interests (Article 6(1)(f)) |
| Ensure security and prevent fraud | Technical data, login records | Legitimate interests |
| Comply with legal obligations | All relevant data | Legal obligation (Article 6(1)(c)) |
| Marketing communications | Email (with consent) | Consent (Article 6(1)(a)) |
5. Special Category Data (Health Information)
Clinical notes and client health information constitute "special category data" under UK GDPR. We process this data under Article 9(2)(h) — processing is necessary for the provision of health or social care or treatment, and is undertaken by or under the responsibility of a health professional subject to the duty of confidentiality.
As a registered speech and language therapist, you are responsible for ensuring you have an appropriate legal basis to record and process your clients' health data. Practicos provides the secure platform; you remain the data controller for your client data.
6. Data Sharing and Third Parties
6.1 Service Providers
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Clerk | User authentication | Email, name, login activity | United States |
| Stripe | Payment processing | Billing details, transaction data | United States |
| Neon | Database hosting | All application data (encrypted) | European Union |
| PostHog | Product analytics | Pseudonymised usage data, feature interactions | European Union |
| Vercel | Application hosting and delivery | Application logs, request metadata | United States |
| Sentry | Error monitoring | Error reports, stack traces, device/browser data | United States |
| Twilio | SMS delivery | Phone numbers, message metadata | United States |
| UploadThing | File uploads and storage | Uploaded files and related metadata | United States |
| Resend | Email delivery | Email addresses, message content | United States |
6.2 International Transfers
Some of our service providers are based outside the UK, including in the United States. For these transfers, we rely on:
- The UK-US Data Bridge adequacy regulations
- Standard Contractual Clauses (SCCs) approved by the ICO
- Additional technical safeguards including encryption
We can provide our Data Processing Addendum (DPA) and relevant SCCs on request.
6.3 Other Disclosures
We may disclose personal data if required by law, court order, or to protect our legal rights. We will notify you where legally permitted.
We do not sell your personal data to third parties.
7. Data Retention
We retain personal data only as long as necessary for the purposes outlined above:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 2 years after closure |
| Clinical notes | 8 years from last entry (aligned with professional record-keeping requirements) |
| Child client records | Until client reaches 25 years of age, or 8 years from last entry, whichever is longer |
| Invoices and billing | 7 years (UK tax requirements) |
| Usage analytics | 24 months |
| Security logs | 12 months |
When you delete your account, we will delete or anonymise your data after the export window has ended, typically within 30 days, except where retention is required by law or for the exercise of legal claims.
8. Data Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption: Data is encrypted in transit (TLS) and at rest where supported
- Access controls: Role-based access, multi-factor authentication available
- Infrastructure: Hosted with reputable cloud providers using industry-standard security controls
- Backups: Regular encrypted backups with secure storage
- Monitoring: Continuous security monitoring and incident response procedures
9. Your Rights
Under UK GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Request correction of inaccurate data |
| Erasure | Request deletion of your data ("right to be forgotten") |
| Restriction | Request we limit how we use your data |
| Portability | Receive your data in a portable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Where we rely on consent, withdraw it at any time |
To exercise these rights, contact us at privacy@practicos.co.uk. We will respond within one month.
Note for practitioners: You are responsible for responding to data subject requests from your clients regarding the clinical data you have entered. We will assist you in fulfilling these requests.
10. Cookies
We use cookies and similar technologies to:
- Keep you signed in
- Remember your preferences
- Understand how you use our service (with your consent)
- Improve performance
We ask for your consent before using non-essential cookies. You can change your cookie preferences at any time. For full details, see our Cookie Policy.
11. Children's Data
Practicos is designed for use by adult healthcare professionals. We do not knowingly collect data directly from children under 16. Client records you create for child clients are processed under your professional responsibility.
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes via email or through the application. The "Last updated" date at the top indicates when this policy was last revised.
13. Complaints
If you are unhappy with how we handle your data, please contact us first at privacy@practicos.co.uk.
You also have the right to complain to the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
14. Contact Us
For any questions about this privacy policy or our data practices:
Email: privacy@practicos.co.uk
Address:
Practicos Software Limited
37 Ivedon Road
Welling, England
DA16 1NN