Privacy Notice
Platform: hoito.health — Therapy room booking and practice management platform
Contact: noreply@updates.hoito.health
Last updated: 27 February 2026
Version: 1.0
1. Who We Are
hoito is a therapy room booking and practice management platform. We provide tools for therapy room owners, therapists, and their clients to manage bookings, video sessions, and clinical records.
For data protection purposes:
- hoito health Ltd (Argyle House, Gandy Street, Exeter, EX4 3LS) is the data controller for platform operations, subscription payments, and account management
- Therapists and room owners are independent data controllers for their own client data and clinical records
- hoito acts as a data processor when handling clinical data on behalf of therapists
Our contact email for data protection queries: privacy@hoito.health (monitored during business hours).
2. What Data We Collect
2.1 If you are a Therapy Room Owner
| Data | Purpose |
|---|---|
| Name, email, phone number | Account creation and communication |
| Business/room address | Room listings and client directions |
| Room availability and pricing | Booking management |
| Bank account details (via Stripe) | Receiving payments for room bookings |
| Booking history | Record-keeping and dispute resolution |
| IP address, device information | Security and fraud prevention |
2.2 If you are a Therapist
| Data | Purpose |
|---|---|
| Name, professional title, credentials | Profile and directory listing |
| Email, phone number | Account and client communication |
| Specialisms, therapeutic approach | Directory search and matching |
| Bank account details (via Stripe) | Receiving session fees |
| Client clinical notes | Session documentation |
| Clinical Will data | Emergency contact arrangements |
| Client booking history | Practice management |
| IP address, device information | Security and fraud prevention |
2.3 If you are a Client (booking therapy)
| Data | Purpose |
|---|---|
| Name, email, phone number | Booking confirmations and reminders |
| Emergency contact details | Safety protocols (optional) |
| Session attendance records | Booking management |
| Health/clinical information | Only if voluntarily shared with your therapist |
| Video session metadata | Technical session support |
| IP address, device information | Security |
3. Lawful Basis for Processing
We process personal data under the following legal grounds (GDPR Article 6 and 9):
For hoito as Controller:
| Activity | Lawful Basis |
|---|---|
| Account creation and management | Contract performance (Art.6(1)(b)) |
| Subscription payments | Contract performance (Art.6(1)(b)) |
| Transactional emails (confirmations, reminders, invoices) | Legitimate interests (Art.6(1)(f)) — necessary for service delivery |
| Marketing emails (if sent) | Consent (Art.6(1)(a)) — opt-in only |
| Security monitoring and audit logs | Legitimate interests (Art.6(1)(f)) — protecting our platform |
| Fraud prevention | Legitimate interests (Art.6(1)(f)) |
For hoito as Processor (on behalf of therapists):
| Activity | Lawful Basis |
|---|---|
| Storing client personal data | Contract performance (Art.6(1)(b)) — therapy agreement |
| Clinical session notes | Health care provision (Art.9(2)(h)) — processing by a professional bound by confidentiality |
| Clinical Will data | Health care provision (Art.9(2)(h)) — continuity of care |
| Video therapy sessions | Health care provision (Art.9(2)(h)) — by a professional bound by confidentiality |
Important: Core clinical data (session notes, clinical will) is processed under Art.9(2)(h) because your therapist is a health professional bound by professional confidentiality. This does not require your consent, but your therapist — as the data controller — must inform you about how your data is used.
4. How Long We Keep Your Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Clinical notes | 7 years after last client contact | UK professional standards for therapists |
| Clinical Will data | Until consent is withdrawn or account deleted | Ongoing emergency arrangement |
| Account data | Until you delete your account, or 2 years of inactivity | Service provision and reactivation |
| Financial records | 6 years | UK tax and company law requirements |
| Booking history | 3 years after last booking | Dispute resolution and record-keeping |
| Email communications | 2 years | Customer service and dispute resolution |
| Audit logs / security data | 12 months | Security incident investigation |
| Deleted account data | 30 days post-deletion | Recovery window, then permanent deletion |
| Backups | 30 days rolling | Disaster recovery, then overwritten |
5. Who We Share Data With
Sub-processors
We use carefully selected third-party services to operate our platform:
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing (subscriptions, room bookings, session fees) | United States | UK-US Data Privacy Framework (DPF) + DPA with SCCs |
| Resend | Transactional and marketing email delivery | United States | UK-US DPF + DPA with SCCs |
| Anthropic | AI note generation (optional, consent-gated) | United States | DPA with SCCs + explicit consent derogation (Art.49(1)(a)); data only processed with therapist's per-session consent |
Other Recipients
| Recipient | Purpose |
|---|---|
| Your therapist/room owner | Service delivery — they are independent controllers for their client data |
| LiveKit (self-hosted) | Video session hosting — we operate this on our own UK/EU servers, not a third party |
| Regulatory authorities | Legal compliance (if required) |
| Law enforcement | Only when legally compelled |
We never sell your personal data to third parties for marketing purposes.
6. International Data Transfers
Some of our sub-processors (Stripe, Resend, Anthropic) are based in the United States. When we transfer personal data to the US, we protect it using:
- UK International Data Transfer Agreement (IDTA) — UK government-approved standard contractual terms
- EU Standard Contractual Clauses (SCCs) — as appropriate
- Additional technical safeguards — encryption in transit (TLS 1.3) and at rest
AI note generation: Data is sent to Anthropic only with your explicit, granular consent for each note. You can disable AI features entirely in your account settings.
7. Your Rights
Under UK data protection law, you have the following rights:
7.1 Right to Access
You can request a copy of all personal data we hold about you.
7.2 Right to Rectification
You can request correction of inaccurate or incomplete data.
7.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your data where there is no compelling reason for us to keep it.
7.4 Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances.
7.5 Right to Data Portability
You can request your data in a structured, machine-readable format (JSON/CSV) to transfer to another service.
7.6 Right to Object
You can object to processing based on legitimate interests, or to direct marketing.
7.7 Right to Withdraw Consent
For any processing based on consent (especially health data and AI features), you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
7.8 Rights Related to Automated Decision-Making
We do not make decisions based solely on automated processing that have legal or significant effects on you.
8. How to Exercise Your Rights
Data Subject Access Request (DSAR)
To request your data:
- Log in to your hoito account
- Go to Settings → Privacy → Download My Data (for automated export)
- For complete data including deleted/archived records: email privacy@hoito.health with subject "DSAR Request"
- Verification: We require photo ID (driving licence or passport) to confirm your identity before releasing data
- Response time: Within 30 days of identity verification
Other Requests
Email privacy@hoito.health with:
- Your full name and account email
- Which right you are exercising
- Details of your request
We respond to all requests within 30 days. Complex requests may take up to 60 days, in which case we'll notify you.
9. Right to Complain
If you are unhappy with how we handle your data, you have the right to complain to the UK data protection regulator:
Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We encourage you to contact us first at privacy@hoito.health so we can try to resolve any issues.
10. Cookies and Tracking
We use cookies and similar technologies for:
| Cookie Type | Purpose | Required? |
|---|---|---|
| Essential (session, authentication) | Login, security, core functionality | Yes — cannot be disabled |
| Preferences | Language, accessibility settings | No — can be disabled |
| Analytics | Understanding how the platform is used (anonymised) | No — requires consent |
When you first visit hoito.health, we display a cookie consent banner. You can change your preferences at any time via the Cookie Settings link in the footer.
For full details, see our Cookie Policy.
11. Changes to This Privacy Notice
We may update this privacy notice from time to time to reflect:
- Changes in how we process data
- New features or services
- Legal or regulatory requirements
Version history:
- v1.0 — 27 February 2026 — Initial version
We will notify you of material changes by:
- Email to your registered address
- Banner notice on login
The "Last updated" date at the top of this notice shows when it was last revised.
12. Special Category Data (Health Data)
Therapy involves special category personal data under GDPR Article 9 (health data). We handle this with extra care:
12.1 What Qualifies as Health Data
- Clinical session notes
- Mental health information shared during therapy
- AI-generated notes summarising therapeutic content
- Clinical Will arrangements
12.2 Legal Basis
We process health data only when:
- You have given explicit consent (Art.9(2)(a)), OR
- Processing is necessary for healthcare provision by a health professional (Art.9(2)(h))
12.3 Consent Ledger
We maintain a consent ledger tracking:
- When consent was given
- What processing it covers
- When consent was withdrawn (if applicable)
You can view your consent history in Settings → Privacy → Consent History.
12.4 Therapist Responsibility
Your therapist is the data controller for your clinical records. They determine:
- What notes are kept
- How long they are retained (minimum 7 years)
- What tools are used for clinical documentation
hoito acts as a processor, storing and securing this data on their behalf according to their instructions.
13. Children's Privacy
Our platform is not intended for children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us immediately at privacy@hoito.health and we will delete the data.
14. Security Measures
We protect your data using:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Access controls: Role-based permissions, multi-factor authentication
- Audit logging: All access to clinical data is logged
- Regular security assessments: Penetration testing and vulnerability scanning
- Staff training: All team members trained on data protection
15. Contact Us
For any privacy or data protection questions:
Email: privacy@hoito.health
Platform: https://hoito.health
Response time: Within 2 business days
For urgent matters (data breaches), we will respond within 24 hours.
This privacy notice is provided in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.