
Client Data Security

Category: Data & Privacy

Overview

Security and privacy are core to how TheraScripts is built — not features added on top. This article covers the technical and operational measures that protect your data and your clients' data.

Encryption

  • In transit: All data transmitted between your browser and TheraScripts servers uses TLS 1.2 or higher. There is no unencrypted path.
  • At rest: All stored data is encrypted with AES-256. This applies to your scripts, client profiles, and workspace settings.

What data TheraScripts holds

TheraScripts holds three categories of data:

  1. Your account data — name, email address, billing status. Managed by our authentication provider Clerk.
  2. Workspace data — scripts, client profiles (non-identifying), session notes, export history. Stored in Convex.
  3. Billing data — subscription status, payment history. Managed by our payment provider Polar. We do not hold card numbers.

What TheraScripts does not hold

  • Client names or identifying information (by design — the platform works with non-identifying snapshots)
  • Clinical records or case notes (these stay in your own systems)
  • Audio files after download — generated audio is available for download but not stored indefinitely on our servers

Access controls

  • Your workspace data is accessible only to you and workspace members you have explicitly invited
  • TheraScripts staff do not access individual user data except in response to a verified support request — and only with your knowledge
  • All internal access is logged

UK GDPR compliance

TheraScripts operates under UK GDPR. For special category data (which may be implicated when you describe client context), we process under explicit consent with appropriate safeguards. Full details are in our Privacy Policy and Data Processing Agreement.

Incident response

In the event of a data security incident affecting your data, we will notify you within the timeframes required by UK GDPR (72 hours to the ICO where required, and to affected users without undue delay).
