Privacy Policy
MyTherapyTracker, Ltd. is committed to protecting and respecting the privacy of all our customers and the end users of our service and software.
This Privacy Policy together with the Terms of Service contract applicable to your use of the service where you are our customer make up your User Agreement which includes your acceptance of these policies and agreement to abide by the terms set out in these policies. By using our services, you are accepting and consenting to our practices as described in these policies. This policy is designed to reflect the legal implementation of the General Data Protection Regulation (GDPR) from May 25, 2018 and as such is subject to change following additional guidance from the Information Commissioner’s Office (ICO) or other changes to Data Protection Legislation which may be in effect in the future.
Terms & Definitions
Us, Our, We or Company: Refers to MyTherapyTracker, Ltd.
You/Your/Customer: Refers to your organisation.
Agreement/Contract: Refers to the contract between you and us in reference to the supply of the Service in accordance with these Terms of Service.
Clients: Refers to the Subscriber’s clients or patients, individuals who receive the services of our Subscribers.
Client’s Data: Refers to Personal Data pertaining to the Subscriber’s individual client.
Data Protection Regulation: Up to but excluding 25 May 2018, the Data Protection Act 1998 and thereafter unless and until the GDPR is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then any successor legislation to the GDPR or the Data Protection Act 1998.
Data Controller, Data Processor, Data Subject: Shall have the meaning given in the Data Protection Legislation.
Data Protection Laws: The Act, GDPR, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the ICO or any other supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction.
MyTherapyTracker as the Data Controller:
We are considered the Data Controller in respect of your involvement with us as a customer with access to the services we provide. This applies to any data you supply us with as part of subscribing to our services such as data about your organisation and staff. This is considered Customer Data. As a Data Controller, we determine the purposes for which and the manner in which Customer Data is processed, and according to GDPR we are required to inform you about how we do this. Any data we request from you is subject to our data processing requirements under GDPR.
The Customer as the Data Controller and MyTherapyTracker as the Data Processor:
Where you or your staff are responsible for holding and processing of information relevant to your clients, this is considered Personal Data for the individuals who are your service users, and you are both Data Controller and Data Processor. In that instance, MyTherapyTracker is the Data Processor only and responsible for processing the data you hold in accordance with our legal obligations not to access your clients’ personal data according to our terms of service.
In your role as Data Controller, you will collect, store and process information relevant to your clients’ personal data and will determine the purposes for which and the manner in which that personal data is processed. You will be responsible for informing your clients of your Privacy Policy and relevant terms of service with respect to your lawful basis for holding their personal data. You are also responsible for informing us if any of your clients objects to either your or our processing.
Your Rights as a Data Subject
MyTherapyTracker in its role as a Data Controller while processing your personal data is required by GDPR to respect the following rights that you have as a data subject:
Right to be Informed: This Privacy Policy and the Terms of Service jointly provide you with the information to which this right refers.
Right to Access your Data: You can request access to the data we hold when requested in writing which we will supply free of charge or for a reasonable fee for additional copies of the information or if access requests are unfounded or excessive. We may be required to withhold the supply of your Personal Data where the rights and freedoms of others may be affected or where we are required or permitted by law.
Right to Rectify your Data: In the event that you think we hold any inaccurate or incomplete Personal Data, you can ask us to correct any inaccurate data or to complete any incomplete data we hold.
Right to Erasure: MyTherapyTracker will not hold any Personal Data for longer than is necessary for the purposes for which it was collected. Requests for erasure of your data apply to only your Personal Data and not to any of the data you are responsible for as a Data Controller which you are required to export and take with you upon ending your contract with MyTherapyTracker services.
Right to Restrict Processing: You can request that we restrict processing your personal data in a certain way, however this may mean we can no longer abide by our contractual agreement to provide the service to you and your contract may need to be terminated.
Right to Object to Processing of your Data: You may object to our processing of your data where processing is based on legitimate interests by us or a third party or for direct marketing. In such cases, MyTherapyTracker will stop processing your data unless we need to process the data to establish or defend legal claims.
Right to Portability: In some circumstances, you may have the right to request your data to be provided to you in a format so that you can store it for your own personal use or transmit to another Data Controller where technically possible.
Right to Complain: If you believe our processing infringes Data Protection Laws, you have the right to lodge a complaint with a supervisory authority responsible for data protection such as the ICO within the European Union member state where you live.
Right to Notification of a Data Breach: In the event that there is a Personal Data breach which is likely to result in a high risk to your rights, MyTherapyTracker will notify you of the breach without undue delay.
Data Processing Agreement
The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of client or staff Personal Data to MyTherapyTracker for the duration and purposes of the services. The customer acknowledges that for the purposes of the Data Protection Laws, the customer will be the Data Controller and that MyTherapyTracker is the Data Processor. MyTherapyTracker shall adhere to the following, in relation to any Personal Data processed in connection with the performance by MyTherapyTracker to deliver the service:
- Only process clients’ Personal Data on your written instructions except where we are required to by Law including applicable laws within the UK and the EU.
- Ensure appropriate technical and organisational measures are in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of your clients’ Personal Data as are reasonably appropriate.
- Limit access to your clients’ Personal Data to only those who need access to process it and that they are obligated to keep Personal Data confidential.
- Not transfer any of your clients’ Personal Data outside of the European Economic Area (EEA) without prior written consent from you, ensuring appropriate safeguards are in place for the transfer, that the data subject has enforceable rights and effective legal remedies, we comply with the obligations under Data Protection Laws by providing an adequate level of protection to any Personal Data being transferred and that we comply with all reasonable instructions provided in advance by the customer with respect to the processing of the Personal Data.
- Assist you, at your own cost, in responding to any request from a data subject and in ensuring compliance with its own obligations under the Data Protection Laws with regard to security, breach notifications or impact assessments.
- Delete any Personal Data and copies thereof, within 30 days of the termination or cancellation of your contract, where not required according to applicable laws to store such Personal Data for a specified period of time.
- Notify you without undue delay on becoming aware of a Personal Data breach.
- Maintain complete and accurate records and supporting information to demonstrate compliance with these obligations.
Third Party Suppliers: You acknowledge that we use third-party suppliers to support the running of the service including our hosting partners and secure back-up services. You accept that such use will be in accordance with the contracts MyTherapyTracker has with these suppliers as outlined by their terms of service, privacy policy and data processing agreements. We ensure that we will notify you if we plan to enter into any agreements with any third-party processor. You will ensure you have informed your clients about these subsequent data processing agreements.
MyTherapyTracker may revise this part of the privacy policy by replacing it with any applicable data controller to data processor standard clauses which are issued as guidance from the ICO regarding compliance to the GDPR. You will be notified of this revision with reasonable notice in order to ensure that you are aware and understand the implication of any changes which may be included and the impact on your organisation’s policies and procedures.
MyTherapyTracker is not liable in respect of any Personal Data which is controlled by the customer as the Data Controller in breach of Data Protection Laws or outside the scope of the permissions granted to you by your agreement with your clients.
Security
MyTherapyTracker provides you with a password which enables you to access your account, and you are responsible for keeping this password confidential and secure. According to our terms of service and acceptable use policy, you are asked not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although MyTherapyTracker will do its best to protect your personal data, we cannot guarantee the security of your data transmitted via the site. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security measures to try to prevent unauthorised access.
What information do we hold?
MyTherapyTracker collects and processes personal information that you provide to us, information we collect about you and information supplied to us by third parties. We may process the following kinds of Personal Data:
Customer Data: This is information you give us about you and your Staff and may include: Name, Address, e-mail address and phone number which constitutes contact information or other information necessary for the provision and operation of the service and may be supplied by you when you visit our website, make an enquiry or support request via e-mail or other means, use our services and correspond with us by phone, e-mail or any other means. This data may be processed by us for the purposes of responding to your enquiry, providing technical support, marketing and selling our products and services to you, sending you publications you have requested or enabling and monitoring your use of the site, software and services.
Client/Patient Data: This is information that you enter into MyTherapyTracker while using the software or additional services which includes but is not limited to: Contact information, medical record information, details of other professionals, relatives, parents, carers, notes, reports, documents and media relative to your clients. This information may be supplied by you when you use our services in the course of your business and when you report a problem with the service. This Personal Data may be processed by us for the purposes of storing the data on MyTherapyTracker or on back-up servers, enabling and assisting us to comply with all legal, regulatory and compliance obligations to which we are subject, ensuring the security of our services and communicating with you.
Usage Data: When you access the site, we will automatically collect the following information: technical information, including the Internet Protocol (IP) address used to connect your computer to the Internet, your login information and information about your visit via our cookie policy.
Lawful Basis for Processing Data
Our lawful basis for processing Personal Data as the Data Controller or as a Data Processor is outlined below as there is a different lawful basis for each category.
Processing Customer Data: The lawful basis for processing this data is contract because it is necessary in order for us to supply the services to you and perform our contract or to take steps at your request to enter into such a contract. In some aspects, the lawful basis for processing this data is legitimate interest i.e. for the purpose of our legitimate interests or those of a third party.
Processing Client/Patient Data: The lawful basis for processing this data is consent from the client/patient who is considered the data subject. An additional lawful basis for processing this data is contract in that it is necessary for your use of MyTherapyTracker and the supply of the services to you in accordance with that contract. Finally, legitimate interest is the lawful basis for the processing of this data relevant to the supply of your services to your clients/patients.
Processing Usage Data: The lawful basis for processing this type of data is legitimate interest for the purposes of providing you with the service you are entering into a contract to receive via MyTherapyTracker.
Withdrawal of Consent: In all cases where the legal basis for our processing of your Personal Data is consent, you have the right to withdraw that consent at any time. Such withdrawal will not affect the lawfulness of any processing before you withdraw consent.
How will we use information we hold?
We process Customer Data for the purposes of internal record keeping, performance and administration of services provided by MyTherapyTracker including maintenance and back-ups, to maintain efficient procedures, to provide you with information regarding improvements, updates, offers or other information relevant to your subscription to MyTherapyTracker and to notify you about changes to the service or policies which make up our agreement with you.
We process Client/Patient Data for the purposes of storing data on MyTherapyTracker servers and back-ups, provision of the service, enabling us to comply with all legal, regulatory and compliance obligations and to ensure the security of the service.
We collect Usage Data for internal operations including data analysis, testing, troubleshooting, statistical or survey purposes, to ensure the functionality and security of the service.
Where do we store the data we hold?
MyTherapyTracker stores all information provided to and collected by the service in accordance with industry standard security measures in secure servers located within the UK and back-ups within the EU managed by our hosting partners with 24/7 manned security and only accessible with pre-approved access via the authorisation security gate.
How long will we store your data?
MyTherapyTracker will retain Customer and Client/Patient Data for such time as this is required in connection with the services we are supplying to you. We may retain Customer Data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Upon request, within 30 days thereof, we will remove all ‘Primary instances’ of the subject’s personal data (copies of their data held on production servers). However personal data may reside in backup archives that must be retained for a longer period of time – either because it is impractical to isolate individual personal data within the archive, or because the controller is required to retain data longer for contractual, legal or compliance reasons. Individuals can be assured that their personal data will not be restored back to production systems (except in certain rare instances, e.g., the need to recover from a natural disaster or serious security breach). In such cases, the user’s personal data may be restored from backups, but the controller will take the necessary steps to honour the initial request and erase the primary instance of the data again. Backup archives containing personal data will be protected with strong encryption, so that even if criminals were able to steal the archive, its contents would remain useless to them. We reserve the right to charge a fee to remove personal data upon request of the subject to cover our costs of doing so.
Change of Purpose for Processing Data
We are Data Controller pertaining to Customer Data and Usage Data only and as such will only use personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We may process your personal information without your knowledge or consent in compliance with the above rules where this is required or permitted by law.
We are the Data Processor in respect of your Client/Patient Data and as such will only process that data in accordance with the processing agreement set forth in this policy and only while our contract with you, the customer, is in place and will cease all processing according to our terms of service which states this is when requested by the customer or the data subject or on termination of the contract.
Disclosure of Your Information
You agree that MyTherapyTracker, Ltd. has the right to share Customer Data with our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006 as well as selected third parties including our business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you including third party IT providers, hosting and back-up service providers.
We will disclose Customer Data to the third parties previously mentioned in the following situations:
- If MyTherapyTracker or substantially all of its assets are acquired by a third party, personal data held by MyTherapyTracker will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply the Terms of Service or the other agreements.
- To protect the rights, property, or safety of MyTherapyTracker, our customers, or others.
- To assist us in improving the service provision. We monitor aggregated data that is collected by the site and may share this with third parties collectively and in an anonymous way. This data will not reveal personal information.
Changes to this Privacy Policy
Any changes we make to this Privacy Policy in the future will be posted on the website and, where appropriate, you will also be notified by e-mail. Please ensure that you review this policy regularly to be aware of any updates or changes to our privacy policy.
Questions, Complaints & Support
Questions, comments, complaints and requests regarding this privacy policy are important to us and should be addressed to admin@mytherapytracker.com as soon as possible if and when a concern arises so that we can provide you with the best outcome for your situation.
Company Information
MyTherapyTracker, Ltd.
Company Number: 11205703