Privacy Policy

1. Who We Are & Data Controllers

Attune Therapeutics Ltd (“attune”, “we”, “us”) operates the attune-therapeutics.uk platform, connecting clients with UK-registered therapists through personality-based matching. We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679).

Territorial scope. The platform is offered to residents of the United Kingdom; UK GDPR is our primary regulatory framework. Because our application servers and database are hosted inside the EU (Helsinki, Finland), the EU GDPR also applies to that processing. UK GDPR and EU GDPR are substantively equivalent: every right described below (access, rectification, erasure, restriction, objection, portability, withdrawal of consent) is available to you whether you are in the UK, the EEA, or elsewhere. If you are an EU/EEA resident you may complain to your local supervisory authority in addition to the UK ICO, the choice is yours.

Two distinct data controllers operate on this platform, each responsible for a different category of personal data:

In practice this means: if you exercise a right under UK GDPR (access, erasure, rectification, portability), platform data is handled by attune via the contact above; clinical records are handled by your therapist directly. We will route requests appropriately on your behalf if you’re unsure which controller is relevant.

2. Information We Collect

Personal data you provide directly:

• Account information: name, email, date of birth (to verify you are over 18), authentication data when you sign up
• Payment information: handled by Stripe; we never store card numbers
• Assessment responses: answers to the attune Index questionnaire used for matching
• Profile and preferences: location (UK region), session preferences, scheduling availability, optional identity & lived-experience preferences
• Messaging content: messages you send to your therapist or to attune support
• Wellbeing & feedback: session check-ins, post-session reflections, between-session check-ins (see sections 8, 9, 10 below)

Special category data (UK GDPR Article 9):

Your assessment responses, profile preferences, wellbeing scores, and message content disclose information about your mental and emotional state. This is special category data and we treat it accordingly - lawful basis is your explicit consent under Article 9(2)(a) at the point each item is collected, recorded with the version of the consent text shown to you. You can withdraw consent at any time.

Data we collect automatically:

• Device and connection data (IP address, browser type, device type, language)
• Usage data (pages visited, features used, timing) for service improvement
• Cookies and similar technologies (see section 12)

3. Lawful Bases for Processing

We rely on the following lawful bases under UK GDPR:

• Contract (Art 6(1)(b)), processing necessary to provide the matching service you signed up for: account, bookings, payments, messaging.
• Explicit consent (Art 6(1)(a) + Art 9(2)(a)), for the initial collection of special category data such as your assessment, wellbeing prompts, and identity preferences. Recorded per submission with the version of the disclosure text you saw.
• Provision of health and social care (Art 9(2)(h) + Schedule 1 Part 1 §2 Data Protection Act 2018), the primary lawful basis for the clinical-content side of the platform: therapist-client messaging, between-session check-ins, session feedback, and the audit trail your therapist needs to deliver safe care as a UK-registered professional. Processed under appropriate confidentiality safeguards consistent with the standards of a regulated mental-health practitioner.
• Legitimate interests (Art 6(1)(f)), for service improvement, fraud prevention, and platform analytics, balanced against your rights and freedoms.
• Legal obligation (Art 6(1)(c)), tax records (HMRC), regulatory inquiries, and safeguarding referrals where required by law.

Withdrawal of consent does not affect processing carried out before the withdrawal. Where processing is necessary for the provision of health and social care under Art 9(2)(h), withdrawing consent does not stop processing that is required to deliver safe ongoing care, but you can still close your account at any time.

4. How We Use Your Information

• To match you with compatible therapists based on your assessment results
• To facilitate booking, scheduling, and payment for therapy sessions
• To enable secure messaging between clients and therapists
• To send transactional communications (booking confirmations, reminders, password resets) - you cannot opt out of these while you have an active account
• To improve our matching engine and platform, using anonymised or aggregated data wherever possible
• To send marketing communications - only if you have explicitly opted in (see section 14)

5. Data Sharing & Sub-processors

We do not sell your personal data. We share information only with:

• Your matched therapist: name, contact details, relevant assessment summary, and any messages you send to them
• Sub-processors who help us run the platform: hosting, payment processing, transactional email, error monitoring, analytics. Each operates under a Data Processing Agreement.
• Professional advisors (accountants, legal counsel) under confidentiality
• Authorities where required by law

The full, current list of sub-processors and the personal data they handle is published at attune-therapeutics.uk/legal/sub-processors. We give therapists 30 days’ notice before adding a new sub-processor.

6. International Transfers

Your personal data is primarily stored in the EU. The application servers and database run in Hetzner’s Helsinki (Finland) data centre, with encrypted offsite backups in Falkenstein (Germany). Where we transfer data outside the UK or EEA, we rely on the UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses (SCCs), or other approved transfer mechanisms. The current sub-processor list at /legal/sub-processors flags any vendor with international transfer.

7. Data Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), AES-256-GCM encryption at rest for sensitive content (messages, wellbeing comments, identity preferences), secure authentication, role-based access controls, audited backups, and a documented Data Breach Response Plan with 72-hour ICO notification timeline. Therapist-client communications stay confidential within the platform.

8. Wellbeing check-ins & session feedback

Before and after each therapy session you can optionally share a short structured reflection about how the session felt. This is part of how we measure whether our matching is producing genuine relational fit, and the answers are used to improve the platform overall and to give your therapist constructive aggregate signal.

Lawful basis. Wellbeing data is treated as special category data (data concerning health) under UK GDPR Article 9. We process it only with your explicit consent under Article 9(2)(a) - you tick the consent box on the prompt itself, and the exact version of that consent text is recorded on every submission.

How it’s protected.Free-text comments are encrypted at rest with AES-256-GCM under a key that is unique to your booking, so the database row alone is not legible without the application’s master key. Your therapist sees only aggregate ratings and anonymised comments, never your name attached to a single submission.

Erasure. When you delete your account, the encrypted comments are permanently scrubbed (the ciphertext is zeroed, making them undecryptable).

Therapist responses. Your therapist may write a short personal reply to your post-session reflections, which surfaces inline next to your submission on the /bookings page. The reply is encrypted at rest under the same per-booking key as your own note. It is never displayed publicly or shared with admin.

9. Optional identity & lived-experience preferences

You can optionally share preferences about identity, culture, and lived experience that may matter to you in feeling understood by a therapist. These answers are used only to optionally re-rank your matches when you explicitly turn that on, never to filter therapists out, never as part of any algorithm without your consent.

Lawful basis. Some questions concern special-category data (UK GDPR Article 9). We process under Article 9(2)(a) explicit consent, recorded with the version of the disclosure text you saw at submission. Free-text answers are AES-256-GCM encrypted at rest under a per-user key.

What therapists see. Therapists never see your identity preferences attached to your name. The matcher reads them in-process to compute a re-rank; only the resulting order is exposed.

10. Between-session check-ins

You can send a private check-in to your therapist between sessions: an optional wellbeing signal and two short, structured prompts. The check-in goes one way: your therapist sees it on their dashboard and may bring it into your next session.

How it’s protected. Free-text encrypted at rest under a key derived from your therapist relationship (not the booking). Admin sees row counts only, never plaintext content. Lawful basis: Article 9(2)(a) explicit consent + Article 6(1)(b) contract performance.

11. Data Retention

We retain personal data for as long as your account is active and for a reasonable period afterwards, in line with the following retention schedule:

• Account & assessment data: while account is active, plus up to 24 months after closure
• Booking & financial records: 7 years (HMRC requirement)
• Therapist session notes: held by the therapist for the period required by their professional body. We align with the NHS Records Management Code of Practice 2023, which sets adult mental-health record retention at 20 years after last contact or 8 years after death. Encrypted at rest on the platform.
• Marketing consents: until withdrawn, plus 24 months
• Crisis-flagged messages: in line with our Safeguarding Policy
• Encrypted check-in / reflection content: permanently scrubbed (ciphertext zeroed) when you delete your account

12. Your Rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you (Subject Access Request, Article 15)
• Rectify inaccurate data (Article 16)
• Request erasure (“right to be forgotten”, Article 17), subject to legal retention obligations
• Restrict processing in certain circumstances (Article 18)
• Object to processing on grounds of legitimate interest or for direct marketing (Article 21)
• Data portability (Article 20), receive your data in a structured, machine-readable format
• Withdraw consent at any time
• Lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk / 0303 123 1113

For everything else, including erasure, rectification, or objection, contact our data-protection inbox at [email protected] (or [email protected] for anything that isn’t specifically about your personal data). We will respond within 30 days (extendable by a further 60 days for complex requests, with reasoned notice).

13. Automated Decision-Making

The attune Index produces a numeric compatibility score and a suggested-match list using an automated process. The score informs the suggestions presented to you, but it does not make decisions on your behalf. You retain the right to choose any therapist regardless of their score, and the therapist retains the right to accept or decline any match. The processing therefore does not constitute solely automated decision-making with legal or similarly significant effects within the meaning of Article 22 UK GDPR.

14. Marketing

We will only send you marketing communications if you have given explicit, granular opt-in consent. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email or by emailing us. Withdrawal of marketing consent does not affect transactional or service communications (booking confirmations, reminders, password resets) which we are required to send while your account is active.

15. Google API Services

attune’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We use Google APIs for the following purposes:

• Google Sign-In: We request your name and email address to create and authenticate your account. We do not access your contacts, files, or other Google data.
• Google Calendar (therapists only): With explicit consent, therapists can connect their Google Calendar to manage availability and automatically create session events with Google Meet links. We only read and write calendar events related to attune bookings.

We do not use Google user data for advertising, do not sell it to third parties, and do not use it for purposes unrelated to providing the attune platform. You can revoke Google access at any time through your Google Account permissions.

16. Cookies

We use essential cookies for authentication and session management, plus a small set of analytics cookies (PostHog, EU-hosted) to understand how the platform is used. We do not use advertising or third-party tracking cookies. See our Cookie Policy for details.

17. Changes to this Policy

We may update this Privacy Policy from time to time. The current version is always available at attune-therapeutics.uk/privacy. We will notify you by email or through the platform of any material change before it takes effect.

18. Contact & Complaints

For privacy-related enquiries or to exercise your data rights, contact [email protected]. For general support questions, use [email protected].

Supervisory authority. If you are dissatisfied with our response, you can complain to the UK Information Commissioner’s Office: ico.org.uk/make-a-complaint / 0303 123 1113. EU and EEA residents may complain to their local data protection authority instead, the list is at edpb.europa.eu/about-edpb/board/members.