Privacy Policy
Document: Privacy Policy
Effective Date: 1 March 2026
Version: 1.0
Table of Contents
- Introduction
- Who We Are
- Information We Collect
- How We Use Your Information
- Special Category Data
- How We Share Your Information
- International Transfers
- Data Retention
- Your Rights Under UK GDPR
- US State Privacy Rights
- Cookies and Tracking
- Children's Privacy
- AI-Generated Content
- Security Measures
- Changes to This Policy
- Contact Us
1. Introduction
This Privacy Policy explains how TheraScripts ("we", "us", "the Company") collects, uses, stores, and shares personal data in connection with the TheraScript platform.
TheraScript is a web-based platform that helps therapists and coaches build personalised therapeutic session scripts using AI-assisted generation. The platform includes client surveys, script planning, AI script generation, text-to-speech audio generation (MP3), and PDF/DOCX export.
This policy applies to all users of the TheraScript platform, which is a business-to-business (B2B) product designed for qualified practitioners. It also describes how we handle personal data relating to your clients that you enter into the platform on their behalf.
This policy should be read alongside our Terms of Service, Data Processing Agreement, and Cookie Policy.
2. Who We Are
TheraScripts is the data controller for practitioner account data and the data processor for client data entered by practitioners.
- Company number: 16196583 (registered in England & Wales)
- Registered address: 167-169 Great Portland Street, London, England, W1W 5PF
- Privacy contact: therascript.com/contact (select "Privacy & Data Rights")
- Website: therascript.com
We have not formally appointed a Data Protection Officer (DPO) as we are a small company that does not meet the mandatory appointment threshold. All privacy queries are handled directly by the company via our contact form (select "Privacy & Data Rights").
3. Information We Collect
We collect and process different categories of personal data depending on how you interact with TheraScript.
3.1 Information You Provide Directly
When you create an account and use TheraScript, you provide us with:
- Account information — your name, email address, and profile picture (provided during registration via our authentication provider, Clerk).
- Professional profile — your professional discipline selections (e.g., coaching, therapeutic practice) and account preferences.
- Subscription information — your chosen plan and billing details, processed by our payment provider, Polar.
- Support communications — any messages you send to us for help or feedback.
3.2 Client Data You Enter
As a practitioner, you may enter personal data about your clients into the platform. This Client Data includes:
- Client alias — a name or "known-as" reference for your client, along with an optional phonetic spelling used for audio generation.
- Survey responses — information your clients have shared with you, which you enter into the TheraScript survey tool. This may include stress modes, recovery tools, content boundaries, engagement signals, representational system preferences, guidance preferences, and metaphor preferences.
Important: You, the practitioner, are the data controller for your Client Data. We process this data on your behalf as a data processor. See Section 5 for how we handle the special category aspects of this data.
3.3 Information Collected Automatically
When you use the platform, we automatically collect:
- Server logs — IP address, browser type, operating system, referring URL, pages visited, and timestamps.
- Session data — authentication tokens and session identifiers needed to keep you logged in.
- Cookie data — essential cookies for platform functionality. See Section 11 and our Cookie Policy for details.
- Error tracking — technical error reports to help us identify and fix issues with the platform.
3.4 Information from Third Parties
We receive limited personal data from third-party services:
- Clerk (authentication provider) — your name, email address, and profile picture when you sign in using a social login or email.
- Polar (billing provider) — your subscription status, plan type, and billing events (we do not receive or store full payment card details).
4. How We Use Your Information
We process your personal data for the purposes set out below, each linked to a lawful basis under UK GDPR Article 6.
4.1 Contractual Necessity — Art 6(1)(b)
We process your data where it is necessary to perform our contract with you (your subscription to TheraScript):
- Creating and managing your account.
- Providing access to platform features based on your subscription tier.
- Processing Client Data to generate scripts, audio files, and exports on your behalf.
- Sending you transactional emails (account confirmations, billing receipts, password resets).
- Providing customer support.
4.2 Legitimate Interests — Art 6(1)(f)
We process your data where we have a legitimate business interest, balanced against your rights:
- Security — detecting and preventing fraud, abuse, and unauthorised access.
- Service improvement — analysing usage patterns (in aggregate) to improve platform features and performance.
- Fraud prevention — monitoring for suspicious activity on accounts and billing.
- Bug fixing — using error tracking data to diagnose and resolve technical issues.
You have the right to object to processing based on legitimate interests. See Section 9.
4.3 Consent — Art 6(1)(a)
We rely on your consent for:
- Marketing emails — product updates, feature announcements, and tips for using TheraScript. You can unsubscribe at any time.
- Optional analytics — if we implement optional analytics cookies beyond what is strictly necessary.
You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
4.4 Legal Obligation — Art 6(1)(c)
We process your data where required by law:
- Tax and financial records — maintaining billing records as required by HMRC.
- Law enforcement — responding to valid legal requests from courts or regulatory authorities.
- Regulatory compliance — meeting our obligations under UK data protection law.
5. Special Category Data
5.1 What This Means
Some Client Data entered into TheraScript touches on health and wellbeing. Survey responses may include information about stress patterns, recovery strategies, content boundaries (e.g., topics a client wishes to avoid), and contraindications. Under UK GDPR, this type of information is likely to qualify as special category data under Article 9, as it relates to a person's physical or mental health.
5.2 The Practitioner-Client-Platform Relationship
TheraScript operates within a three-party data relationship:
- Your client (the data subject) shares personal information with you as their practitioner.
- You (the practitioner and data controller) enter that information into TheraScript to generate personalised session scripts.
- We (TheraScripts, the data processor) process the data on your behalf, using sub-processors for storage, AI generation, and audio synthesis.
5.3 Lawful Basis for Special Category Data
We process special category Client Data under the following conditions:
- Article 9(2)(a) — Explicit consent. You, as the data controller, are responsible for obtaining explicit consent from your clients before entering their health-related data into the platform. You must ensure your clients understand how their data will be used, including the involvement of AI and third-party processors.
- Schedule 1, Condition 1 of the Data Protection Act 2018. This condition requires us to maintain an Appropriate Policy Document (APD) that describes our compliance procedures and our policies for retaining and erasing special category data. Our APD is available on request.
5.4 Your Responsibilities as Controller
As the data controller for Client Data, you must:
- Obtain explicit, informed consent from your clients before entering their data.
- Inform your clients about the nature of the processing, including the use of AI technology and international data transfers.
- Maintain your own records of consent and ensure your processing is lawful under your professional obligations.
- Respond to data subject requests from your clients regarding their data (we will assist you as required by the DPA).
6. How We Share Your Information
6.1 Sub-processors
We use the following third-party sub-processors to deliver the TheraScript service. Each processes personal data only as necessary for its specific function, under contractual data processing terms.
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Convex | Database and backend logic | All application data (profiles, scripts, surveys, plans) | US |
| Clerk | Authentication and identity | Email, name, profile picture, session tokens | US |
| Google Cloud (TTS) | Text-to-speech audio generation | Script text (including phonetic names and therapeutic content) | US/EU |
| OpenAI | AI script generation and text-to-speech audio generation | Script prompts, anonymised client profile signals, module content; script text for TTS synthesis | US |
| Polar | Subscription billing | Email, billing details, subscription status | EU |
| Vercel | Web hosting and edge functions | Request metadata, session cookies | Global (edge network) |
We maintain contractual agreements with each sub-processor that require them to protect personal data to standards consistent with UK GDPR. A current sub-processor list is maintained as part of our Data Processing Agreement.
6.2 We Do Not Sell Your Data
We do not sell, rent, or trade your personal data or your Client Data to any third party. We do not use your data for advertising purposes.
6.3 Law Enforcement and Legal Requirements
We may disclose personal data if required to do so by law, regulation, or valid legal process (such as a court order or regulatory request). Where permitted, we will notify you before making such a disclosure.
6.4 Business Transfers
If TheraScripts is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and ensure the receiving party is bound by equivalent data protection obligations.
7. International Transfers
Most of our sub-processors are based in the United States. This means your personal data (including Client Data) is transferred outside the United Kingdom.
We ensure that all international transfers are protected by appropriate safeguards as required by UK GDPR:
- UK adequacy decisions — where the UK government has determined that a country provides an adequate level of data protection, we rely on that decision.
- Standard Contractual Clauses (SCCs) and the International Data Transfer Agreement (IDTA) — for transfers to countries without an adequacy decision, we use UK-approved contractual clauses that impose data protection obligations on the receiving party.
- Sub-processor certifications — our sub-processors maintain their own security certifications and compliance programmes (for example, SOC 2 audits) which provide additional assurance.
If you would like more information about the specific safeguards in place for any particular transfer, please contact us via our contact form.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law.
| Data Category | Retention Period |
|---|---|
| Account data (name, email, profile, preferences) | Duration of your account + 30 days after account deletion |
| Client Data (survey responses, client aliases, generated scripts) | Duration of your account + 30-day export window on termination (as described in our Terms of Service) |
| Billing records (invoices, transaction history) | 7 years from the date of the transaction (HMRC requirement) |
| Server logs (IP addresses, request metadata) | 90 days |
| Marketing consent records | Duration of consent + 2 years after withdrawal |
| Error tracking data | 90 days |
After the applicable retention period, data is securely deleted or anonymised so that it can no longer be linked to you.
When your account is terminated, you have 30 days to export your data using the platform's export tools (for voluntary termination or termination without cause). After the export period, we delete your data in accordance with our retention schedule and the Data Processing Agreement. See Section 14 of our Terms of Service for full termination details.
9. Your Rights Under UK GDPR
As a data subject, you have the following rights regarding the personal data we hold about you as data controller (i.e., your practitioner account data):
9.1 Right of Access (Article 15)
You can request a copy of the personal data we hold about you, along with information about how we process it.
9.2 Right to Rectification (Article 16)
You can ask us to correct any personal data that is inaccurate or incomplete.
9.3 Right to Erasure (Article 17)
You can ask us to delete your personal data where there is no compelling reason for us to continue processing it. This is also known as the "right to be forgotten." Note that we may need to retain certain data to comply with legal obligations (e.g., billing records).
9.4 Right to Restriction of Processing (Article 18)
You can ask us to temporarily stop processing your personal data in certain circumstances — for example, if you contest its accuracy or object to our processing.
9.5 Right to Data Portability (Article 20)
You can request your personal data in a structured, commonly used, machine-readable format, and ask us to transfer it to another service provider where technically feasible.
9.6 Right to Object (Article 21)
You can object to our processing of your personal data where we rely on legitimate interests (Article 6(1)(f)). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
9.7 Rights Related to Automated Decision-Making (Article 22)
TheraScript uses AI to generate script content, but this does not involve automated decision-making that produces legal or similarly significant effects on you. The AI generates suggested content that you, the practitioner, review and approve before use. You are not subject to decisions based solely on automated processing.
9.8 Right to Withdraw Consent
Where we process your data based on consent (e.g., marketing emails), you can withdraw your consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.
9.9 How to Exercise Your Rights
To exercise any of these rights, contact us via our contact form with your request. Please include enough information for us to verify your identity and understand what you are asking for.
We will respond to your request within one calendar month of receiving it. If your request is complex or we receive a large number of requests, we may extend this by a further two months, and we will let you know.
9.10 Right to Complain
If you are not satisfied with how we handle your request, or you believe we have not complied with data protection law, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the chance to address your concerns before you contact the ICO, so please reach out to us first.
9.11 Client Data Requests
If you are a practitioner's client and wish to exercise your data rights regarding information held within TheraScript, please contact your practitioner directly. They are the data controller for your data. We will assist the practitioner in responding to your request as required by our Data Processing Agreement.
10. US State Privacy Rights
If you are a resident of the United States, you may have additional privacy rights under state law.
10.1 California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information:
- Right to know — You can request details about the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
- Right to delete — You can request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to correct — You can request correction of inaccurate personal information.
- Right to opt out of sale or sharing — We do not sell or share your personal information for cross-context behavioural advertising. No opt-out is necessary, but you may still contact us to confirm this.
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.
Categories of personal information collected: Identifiers (name, email), professional information (discipline selections), internet activity (server logs, usage data), and commercial information (subscription and billing data).
10.2 Other US States
Residents of Virginia, Colorado, Connecticut, and other US states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out of certain processing. We extend the same rights described in Section 10.1 to all US residents, regardless of state.
10.3 Do Not Sell / Do Not Share
We confirm that we do not sell personal information and do not share personal information for cross-context behavioural advertising, as those terms are defined under applicable US state privacy laws.
10.4 How to Make a US Privacy Request
To exercise your US state privacy rights, contact us via our contact form with the subject line "US Privacy Request." We will verify your identity and respond within the timeframes required by applicable law (typically 45 days).
11. Cookies and Tracking
11.1 What Cookies We Use
TheraScript uses a limited number of cookies to operate the platform:
- Essential cookies — required for authentication, session management, and security. These cannot be disabled without breaking the platform.
- Analytics cookies — if used, these help us understand how practitioners use the platform in aggregate. They are only set with your consent.
11.2 What We Do Not Use
We do not use:
- Advertising or retargeting cookies.
- Third-party tracking pixels.
- Cross-site tracking technologies.
11.3 Managing Cookies
You can manage your cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the platform.
For full details on the specific cookies we use and how to manage them, please refer to our Cookie Policy.
12. Children's Privacy
TheraScript is a professional platform designed for qualified practitioners and trainees aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18.
If we become aware that we have collected personal data from a child, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us via our contact form.
13. AI-Generated Content
TheraScript uses artificial intelligence to generate therapeutic session scripts and audio files. This section explains how personal data is involved in that process.
13.1 Script Generation
When you generate a script, the platform sends a prompt to our AI provider (OpenAI) that includes:
- Client profile signals — derived from survey responses, these are statistical signals (e.g., engagement scores, preference indicators) rather than directly identifying information.
- Client name (when personalised) — if you choose to personalise scripts with your client's name, the name or a phonetic representation of it is included in the generation prompt so that it can be woven naturally into the script text. The name is used only for the immediate generation request and is not stored by OpenAI.
- Module content — therapeutic content templates from the TheraScript content library.
- Your configuration — session type, structure preferences, and approach selections.
13.2 Audio Generation
When you generate audio, the platform sends the script text to one of our TTS providers — OpenAI (gpt-4o-mini-tts) or Google Cloud Text-to-Speech (Gemini) — depending on the voice selected. This may include:
- The full text of the generated script.
- Phonetic spellings of your client's name (if you have chosen to personalise the audio with the client's name).
- Voice delivery instructions (e.g., pacing and tone guidance for the selected voice).
13.3 Your Data Is Not Used for AI Training
We do not use your data, your Client Data, or your generated content to train AI models. Our agreement with OpenAI specifies zero data retention — your prompts and outputs are not stored by OpenAI for training or any other purpose beyond fulfilling the immediate API request.
13.4 Your Review Responsibility
As described in our Terms of Service, AI-generated content is a tool to support your professional practice. You are responsible for reviewing all generated content before using it with your clients. The AI does not provide clinical advice or recommendations.
14. Security Measures
We take the security of your data seriously and implement appropriate technical and organisational measures to protect it.
14.1 Technical Measures
- Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest — data stored in our database and by our sub-processors is encrypted at rest.
- Access controls — access to personal data is restricted to authorised personnel and systems on a need-to-know basis.
- Authentication — practitioner accounts are secured through our authentication provider (Clerk), which supports secure password policies and multi-factor authentication.
14.2 Organisational Measures
- Regular security reviews — we periodically review our security practices and those of our sub-processors.
- Incident response — we have procedures in place to detect, report, and respond to personal data breaches. In the event of a breach affecting your data, we will notify you and the ICO as required by UK GDPR (within 72 hours where applicable).
- Sub-processor vetting — we assess the security practices of our sub-processors before engaging them and ensure they are contractually bound to appropriate data protection standards.
For full details of our technical and organisational measures, please refer to the security annex of our Data Processing Agreement.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
- For material changes that significantly affect how we process your personal data, we will provide at least 30 days' notice via email to the address associated with your account. This is consistent with the notice period described in Section 16 of our Terms of Service.
- For minor or clarifying changes, we will update this page and revise the "Effective Date" at the top.
We encourage you to review this policy periodically. Your continued use of TheraScript after changes take effect constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have a concern about how we handle personal data, please contact us:
TheraScripts
167-169 Great Portland Street
London, England, W1W 5PF
- All privacy and legal queries: contact form
If you are not satisfied with our response, you have the right to complain to the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
- Website: ico.org.uk
- Telephone: 0303 123 1113
This Privacy Policy was last updated on 1 March 2026.