Trust, security & privacy
Therasize is built for mental-health care, so protecting the people who use it comes first. Here's how we look after your data — in plain English, with the technical detail underneath.
We collect as little as possible
We designed Therasize around data minimisation. Clients are identified by email address only — we don't collect or store client names, dates of birth, or NHS numbers. Clinical content such as correspondence is viewed inside the app, not sent by email.
Under the hood: patient accounts hold an email and a system-generated ID — no name fields; clinicians hold a professional name as standard account data.
Where your data lives
Core application data is hosted in UK and European regions (Google Cloud / Firebase). Some supporting providers operate outside the UK/EEA; where they do, transfers are covered by Standard Contractual Clauses / the UK International Data Transfer Addendum.
Under the hood: Cloud Firestore (eur3), Cloud Storage (EU multi-region), Cloud Functions (europe-west1), Identity Platform (eur3); web tier on Vercel (London/Dublin/Stockholm).
How we protect it
- Encryption — your data is encrypted in transit and at rest.
- Access control — clinicians can only see the clients they're connected to, enforced on our servers on a least-privilege basis.
- Account protection — bot/abuse protection on sign-in, and multi-factor authentication is available.
Under the hood: TLS in transit, managed encryption at rest; role/relationship-based authorisation via server-side security rules; App Check (reCAPTCHA Enterprise) and Cloudflare Turnstile; optional MFA.
A tool for clinicians — not a replacement for them
Therasize supports the work between therapist and client. It does not diagnose, triage, or make treatment decisions, and it isn't an emergency or crisis service. Clinicians remain fully responsible for clinical judgement and care.
Your privacy rights
Therasize Limited (company no. 14110293) is registered with the UK Information Commissioner's Office (ICO) and has a named Data Protection Officer (Peter Ruppert). We've completed a Data Protection Impact Assessment for our care-focused use, and we operate on a privacy-by-design basis to support UK GDPR. You can ask to access, correct, or delete your data — contact contact@therasize.com.
For NHS & enterprise deployments
For NHS and organisational use we are working toward the relevant UK health-IT assurance standards — clinical safety (DCB0129/DCB0160) and the Digital Technology Assessment Criteria (DTAC) — and provide a "pilot mode" that switches off non-essential and higher-risk features (AI assistance, hosted calls, payments, marketing, external calendar sync) for a controlled deployment.
We describe these as in progress; we don't claim certification or NHS endorsement we haven't earned. Organisations evaluating Therasize can request our information-governance and clinical-safety documentation.
Who we work with (sub-processors)
We use a small set of trusted providers. For NHS/clinical deployments, non-essential providers are disabled.
| Provider | Used for | Region | DPA / terms |
|---|---|---|---|
| Google Cloud / Firebase | Hosting, auth, database, storage, functions | UK/EU | Firebase Data Processing Terms |
| Vercel | Web application hosting / CDN | EU regions (US company; SCCs) | Vercel DPA |
| Postmark | Transactional / notification email | US (SCCs) | Postmark GDPR |
| Cloudflare (Turnstile) | Bot / abuse protection | Global | Cloudflare DPA |
| Stream (GetStream) | In-app calls/chat (where enabled) | EU | GetStream DPA |
| OpenAI | AI-assisted drafting (where enabled) | US (SCCs) | OpenAI DPA |
| Stripe | Payments (where enabled) | US/EU | Stripe DPA |
| Mailchimp | Newsletters/marketing (where enabled) | US (SCCs) | Mailchimp DPA |
| Iubenda | Consent & policy management | EU | Iubenda DPA |
See also our Privacy Policy and Terms and Conditions.
Security and privacy are ongoing commitments; this page reflects our current practices. Last updated: [date].