Psy Planner

Scheduling & Client Management for Therapists

Privacy Policy

Last updated: May 2026

Contents

  1. Introduction
  2. What Personal Data We Collect
  2A. Cookies and Tracking Technologies
  3. How We Use Personal Data (Purposes and Legal Bases)
  4. How and Why We Share Your Data
  5. International Data Transfers
  6. Data Security and Retention
  7. Your Rights and How to Exercise Them
  8. Changes to this Policy
  9. How to Contact Us

1. Introduction

This Privacy Policy explains how Psy Planner ("we", "us", or "our") collects, uses, shares, and secures personal information, and describes the rights individuals have regarding their personal data. Psy Planner offers cloud-based practice management software for therapists, psychologists, and healthcare professionals (the "Services"). We take privacy seriously and maintain technical and organizational safeguards to protect your information.

2. What Personal Data We Collect

Psy Planner processes personal data in different roles depending on the context. We act as a controller for account and business administration data, and as a processor for customer data uploaded by clinics and practitioners.

Account Data

  • Name, email address, phone number, and account credentials.
  • Organization or business details.
  • Billing and subscription administration details.
  • Security logs used to prevent misuse and fraud.

Customer Data

When you use Psy Planner to manage your practice, you may create, upload, or generate the following categories of data on behalf of your clients:

  • Client profile information: full name, email address, phone number, date of birth, gender, and timezone.
  • Clinical information: therapy modality, presenting concerns, session type, referral source, and clinical notes.
  • Emergency contact details.
  • Session records: appointment dates, times, durations, session prices, session type (online or in-person), and session status.
  • Session notes: structured clinical documentation written using note templates (SOAP, DAP, BIRP, GIRP, and others), including therapist observations, clinical formulations, risk assessments, homework assignments, and treatment plans. Notes are stored in structured format alongside a frozen copy of the template used at the time of writing.
  • Intake form submissions: responses to client-facing forms including intake questionnaires, standardised clinical assessments (PHQ-9, GAD-7, SRS, and others), consent records, and session feedback. Form responses include timestamps and consent records where applicable.
  • Outcome tracking data: standardised assessment scores submitted by clients before sessions, used to generate clinical trend data visible only to the treating therapist.
  • Booking requests: data submitted by clients when booking sessions online, including name, email address, and any intake form responses linked to a booking.
  • Public form submissions: responses submitted by clients via publicly shared form links, including name, email address, and answers to form questions.

Client-Submitted Data

When a client books a session or completes a form via a public link shared by their therapist, Psy Planner collects the information the client provides directly. This includes name, email address, responses to intake or assessment questions, and consent acknowledgements. This data is stored on behalf of the therapist (acting as data processor) and is accessible only to the treating therapist and authorised members of their practice.

Automatically Collected Data

  • Usage data such as IP address, browser type, pages visited, and timestamps.
  • Log data for security monitoring, troubleshooting, and reliability.
  • Cookies and similar technologies to support functionality and analytics.

2A. Cookies and Tracking Technologies

We use the following categories of cookies:

Essential cookies: required for the platform to function (authentication session, security tokens). These cannot be disabled.

Analytics cookies: used to understand how the platform is used and improve reliability. These are only set with your consent where required by applicable law.

You can manage non-essential cookie preferences at any time via your browser settings or our cookie consent banner. Disabling essential cookies will prevent the platform from functioning correctly.

3. How We Use Personal Data (Purposes and Legal Bases)

Depending on the purpose, we rely on contractual necessity, legal obligations, consent, and legitimate interests (where those interests are not overridden by your rights).

  • Service Provision: to deliver core features, maintain account security, and run the platform.
  • Marketing and Communications: to send product updates and promotions, where permitted.
  • Customer Support: to respond to inquiries and resolve technical issues.
  • Analysis and Development: to understand usage patterns and improve reliability and performance.
  • Clinical outcome tracking: where a therapist has configured outcome tracking, client assessment responses (such as PHQ-9 or GAD-7 scores) are stored and processed to generate longitudinal trend data. This data is used solely to support clinical decision-making by the treating therapist and is not used for any other purpose, including analytics, advertising, or product development.

You can opt out of non-essential marketing messages at any time. Operational communications (for example security and billing notices) may still be sent when necessary.

4. How and Why We Share Your Data

Third-party Vendors

We use trusted vendors to operate our business and deliver our Services. These vendors receive only data required for their role, and are subject to contractual and security safeguards. This may include hosting, analytics, authentication, communication, and payment providers.

A current list of sub-processors is available at www.psyplanner.app/processors.

Legal Requirements

We may disclose personal data if required to comply with legal obligations, to protect life or safety, or to enforce our legal rights.

Corporate Transactions

If we are involved in a merger, acquisition, or asset sale, personal data may be transferred under appropriate safeguards.

Automated processing

Certain features of Psy Planner use automated processing to provide suggestions, such as recommending note templates based on client modality and session type. These suggestions are generated from data already within your account and do not involve transmission of client data to external AI services.

5. International Data Transfers

Where data is transferred internationally, we apply safeguards required by applicable law (for example, contractual transfer mechanisms) and take reasonable steps to protect personal information.

6. Data Security and Retention

Security Measures

We implement the following technical and organizational safeguards to protect personal data, including sensitive health information:

  • All data is encrypted in transit using TLS 1.2 or higher. No unencrypted connections are permitted.
  • All data is encrypted at rest on our hosting infrastructure.
  • Access to clinical data (including session notes and form submissions) is restricted by row-level security controls — each therapist can access only the data associated with their own account and clients.
  • Session notes and clinical assessment data are never included in application logs.
  • Audit logs are maintained for access to clinical records and are stored separately from application logs.
  • Sensitive form fields (including note answers and assessment responses) are stored in structured encrypted format and are never transmitted to third-party services without a signed Business Associate Agreement (BAA) or equivalent data processing agreement.
  • We maintain session timeouts and access controls to limit exposure of clinical data on unattended devices.

No system can guarantee absolute security. In the event of a breach affecting your data, we will notify affected users in accordance with applicable law and within the timeframes required by relevant data protection regulations.

Retention Periods

  • Account data is retained during the active account lifecycle and as required for legal, tax, and security obligations.
  • Customer data is retained according to customer instructions, contractual commitments, and legal requirements.
  • Session notes that have been signed and finalised are retained for a minimum of 6 years from the date of creation, consistent with standard clinical record-keeping obligations in most jurisdictions. Therapists should verify the specific retention requirements applicable in their location. Upon account deletion, data deletion is subject to any applicable legal retention obligations.

Summary retention schedule:

| Data type | Retention period |
|---|---|
| Account data | Duration of account + 2 years |
| Session notes (signed) | 6 years minimum from date of creation |
| Form submissions | Duration of account |
| Usage and log data | 90 days |
| Booking requests | 12 months |
| Marketing consent records | Until withdrawn + 3 years |
| Deleted account data | Purged within 30 days of deletion |

HIPAA — US therapists and protected health information

Psy Planner provides tools for therapists who are subject to the Health Insurance Portability and Accountability Act (HIPAA). Where required, we enter into a Business Associate Agreement (BAA) with covered entities. To request a BAA, contact us at team@psyplanner.app.

Client health information stored within Psy Planner (including session notes, intake form responses, and clinical assessments) is Protected Health Information (PHI) under HIPAA. We implement the technical safeguards described in this policy to support your compliance obligations. Therapists remain responsible for their own compliance with HIPAA's administrative and physical safeguard requirements.

GDPR — EU therapists and special category health data

Psy Planner processes health data on behalf of therapists acting as data controllers. As a data processor under GDPR Article 28, we enter into a Data Processing Agreement (DPA) with EU-based customers who require one. To request a DPA, contact us at team@psyplanner.app. We process special category health data (including session notes and clinical assessments) solely on the documented instructions of the data controller (the treating therapist) and for no other purpose.

7. Your Rights and How to Exercise Them

Depending on your location, you may have rights to access, correct, delete, restrict, object to processing, request portability, and withdraw consent where applicable.

To submit a request, contact us at team@psyplanner.app. We may request verification details to protect your privacy.

We will respond to all data subject requests within 30 days of receipt. Where a request is complex or numerous, we may extend this period by a further two months and will notify you accordingly.

You also have the right to lodge a complaint with your local data protection supervisory authority at any time. If you are located in the EU, you can find your local authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en

8. Changes to this Policy

We may update this policy from time to time. Updates take effect when posted, and the Last Updated date reflects the most recent revision. For material updates, we may provide notice by email, in-app message, or website banner.

9. How to Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, contact us at:

Psy Planner
Email: team@psyplanner.app
Website: www.psyplanner.app

© 2026 Psy Planner. All rights reserved.