GDPR Compliance
Category: Data & Privacy
Last updated: March 2026
Reading time: ~5 min
Overview
TheraScripts is fully compliant with UK GDPR and the Data Protection Act 2018. This article covers our legal basis for processing, the documents available to practitioners, your rights as a data subject, and what this means for your own compliance obligations.
Our legal basis for processing
General account and platform use
We process your personal data (name, email, billing information) on the basis of contract (Article 6(1)(b) UK GDPR) — it is necessary to deliver the service you have subscribed to.
Special category data
Therapeutic client context may implicate special category data under Article 9 UK GDPR. Our platform is designed to minimise this risk — no identifying client information is required at any point. Where special category data is present in a non-identifying form within session context, we process it under explicit consent (Article 9(2)(a)) with Schedule 1 Part 1 (Health) safeguards, as set out in our Appropriate Policy Document.
ICO registration
TheraScripts is registered with the UK Information Commissioner's Office (ICO) as required under UK GDPR for organisations processing personal data. Our ICO registration number is available on request — contact us via the contact page for details.
Data retention
| Data type | Retention period |
|---|---|
| Account data (name, email) | Duration of account + 2 years after deletion request |
| Workspace data (scripts, client profiles) | Duration of account; deleted within 30 days of deletion request |
| Billing records | 7 years (legal requirement for financial records) |
| Audit logs and attestation records | 7 years |
| Support correspondence | 3 years |
All retention periods are governed by our Data Retention Policy, available on request.
Documents available to practitioners
Data Processing Agreement (DPA)
For practitioners operating as Data Controllers, TheraScripts acts as a Data Processor when handling workspace data on your behalf. A signed DPA is available on request. Contact us via the contact page.
Appropriate Policy Document (APD)
Required under Schedule 1 Part 4 of the Data Protection Act 2018 where special category data is processed. Our APD covers the legal basis, safeguards in place, and the retention and deletion policy for special category data.
Sub-processor List
A current list of all sub-processors. See Data storage and sub-processors for details, or contact us for the formal document.
Privacy Policy
Publicly available at therascripts.com/legal/privacy. Covers all data subjects including practitioners and clients.
Your rights as a data subject
For data relating to your TheraScripts account and workspace, you have the following rights under UK GDPR:
| Right | How to exercise |
|---|---|
| Access (SAR) | Request via the contact page; we respond within 30 days |
| Rectification | Update account data in Account Settings at any time |
| Erasure | Submit a deletion request via the contact page; completed within 30 days |
| Portability | Your scripts and session records can be exported; contact us to request |
| Restriction | Contact us to request restriction of processing |
| Object | Contact us to object to processing based on legitimate interests |
To exercise any of these rights, use the contact page with the subject line "Data Subject Request."
Your obligations as a practitioner
TheraScripts helps reduce your data risk by operating without client PII. However, your own GDPR obligations as a Data Controller for your clients are not transferred to us. You remain responsible for:
- Maintaining your own Records of Processing Activities (ROPA)
- Ensuring appropriate consent or legitimate basis for using technology in client care
- Informing clients appropriately about how technology is used in their sessions
- Handling Subject Access Requests relating to your own clinical records
- Reporting relevant breaches involving your practice to the ICO within 72 hours
Complaints
If you have a concern about how we handle your personal data that you cannot resolve directly with us, you have the right to lodge a complaint with the ICO:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Phone: 0303 123 1113
Website: ico.org.uk