Privacy Policy for Aligned Therapy

Aligned Privacy Policy

*Effective Date: July 1st 2025*

Summary of Our Privacy Practices - What we collect: Personal details, therapist credentials, intake responses, AI chat transcripts - Why: To provide therapist matching, improve the platform, meet legal obligations - Who we share with: Only trusted processors with contracts (e.g., AI models, analytics, payment providers) - How long: Usually 3–7 years, depending on the data type - Your rights: Access, erase, restrict, object, withdraw consent

Introduction

L J Hyde Ltd, trading as Aligned or Aligned Therapy (“Aligned,” “we,” “us,” or “our”) is committed to protecting the personal data of everyone who interacts with our Platform—both therapists (“Therapists”) and clients (“Clients,” and together, “you”). This Privacy Policy explains:

  • Who we are and how to contact us

  • What categories of personal data we collect (examples only, not an exhaustive list)

  • Why we collect and process your data (purposes, lawful bases)

  • How and with whom we share your data

  • How long we retain your data

  • Your rights under UK GDPR and the Data Protection Act 2018

  • How we secure your data

  • How we use cookies and similar tracking technologies

By registering for or using our Platform, you consent to the collection and use of your personal data as described herein.

---

1. Data Controller & Contact Details

Data Controller:

L J Hyde Ltd (Company Number: 15161926)

Trading as Aligned or Aligned Therapy

Registered Office: Flat 604, Adansbeck Court, 35 Rookwood Way, London, E32XT

Data Protection Officer / Contact:

For any questions, concerns, or to exercise your rights, please contact our DPO at:

  • Email:

For general queries, you may also contact our support team at

---

2. Categories of Personal Data Collected (Examples Only)

We group the data we collect into broad categories so we can evolve our forms and processes without rewriting this Policy every time we add a new field. Below are examples of the types of data we might collect from Therapists and Clients.

2.1. Therapist Data (Examples)

1. Therapist Personal Information (e.g., full name, date of birth, username, password, profile photo)

2. Therapist Pricing and Therapy Types Provided (e.g., fee structure, therapy modalities)

3. Therapist Logistics and Availability (e.g., practice address, availability status)

4. Therapist Clinical Information (e.g., indemnity insurance details, certifications)

5. Therapist Demographics and Inclusivity (e.g., optional demographic data, languages spoken)

6. Therapist Experience and Credentials (e.g., professional body registration, years of experience)

7. Therapist Contact Details (e.g., business email, phone number, bank account information)

8. Account & Usage Information (e.g., login metadata, usage metrics, onboarding/feedback transcripts)

2.2. Client Data (Examples)

1. Client Personal Information (e.g., full name, date of birth, username, password, email, phone)

2. Client Health & Special Category Data (e.g., mental health history, therapy goals, intake questionnaires)

3. Client Preferences & Matching Criteria (e.g., preferred therapist characteristics, session format, availability)

4. Account & Usage Information (e.g., login metadata, AI MatchBot chat transcripts, usage metrics)

5. Referral & Session Data (e.g., matched therapist details, session feedback or ratings)

Note: These lists are not exhaustive. We may collect additional data elements that fall under these categories.

---

3. Purposes of Processing & Lawful Bases

We process your personal data for the purposes outlined below. Where “special category” (health) data is involved, we rely on explicit consent (Article 9(2)(a) UK GDPR). Non-sensitive data is processed under one or more of the lawful bases listed.

3.1. Therapist Processing Purposes

1. Registration & Vetting

  • Purpose: Verify professional credentials, insurance, and eligibility to be listed on the Platform.

  • Lawful Basis: Contract necessity; legal obligation to ensure professional compliance.

2. Matchmaking & Lead Generation

  • Purpose: Use your profile, availability, and Client Review data to match you with prospective Clients.

  • Lawful Basis: Legitimate interests (optimising matching accuracy) and contract necessity.

3. Payment & Accounting

  • Purpose: Invoice and collect referral fees; issue VAT invoices once VAT registration is in effect.

  • Lawful Basis: Contract necessity.

4. Platform Improvement & Analytics

  • Purpose: analyse anonymised usage data and call/chat transcripts (with explicit consent) to enhance the AI MatchBot, UX design, and overall Platform performance.

  • Lawful Basis: Legitimate interests (improving our service).

5. Regulatory & Legal Compliance

  • Purpose: Comply with professional body audits, HMRC accounting rules, and any lawful requests (e.g., court orders).

  • Lawful Basis: Legal obligation.

6. Customer Support & Communications

  • Purpose: Respond to support inquiries, send service updates, policy changes, or urgent account notifications.

  • Lawful Basis: Contract necessity; legitimate interests.

3.2. Client Processing Purposes

1. Account Registration & Maintenance

  • Purpose: Create and manage your Client account, secure credentials, and communicate critical account information.

  • Lawful Basis: Contract necessity.

2. Health Intake & Matching

  • Purpose: Collect special category (health) data via intake forms or AI MatchBot for the sole purpose of matching you with suitable Therapists.

  • Lawful Basis: Explicit consent (you must check the required box at registration before providing health details).

3. AI MatchBot Operations

  • Purpose: Process your free-text inputs and preferences through third-party LLMs (e.g., third-party AI providers (e.g., OpenAI, Deepseek, or similar models)) to generate recommended Matches.

  • Lawful Basis: Explicit consent for any health data; legitimate interests for non-sensitive preference data.

4. Human Match Intervention & Out-of-Network Search

  • Purpose: When AI cannot find a suitable Therapist, anonymise your case summary (no personal identifiers) and share with Therapists inside or outside our network. Once you explicitly consent, your personal details (name, email, phone) are shared only with the chosen Therapist.

  • Lawful Basis: Explicit consent; legitimate interests. Just-in-time consent prompts are displayed before you submit any health data through the AI MatchBot.

5. Call & Chat Transcript Analysis

  • Purpose: Record and analyse your AI MatchBot chat transcripts and any intake/feedback video-call transcripts to improve matching logic, user experience, and AI training.

  • Lawful Basis: Explicit consent (special category data); legitimate interests (service improvement).

6. Customer Support & Communications

  • Purpose: Respond to support requests, send system alerts (e.g., password resets), or critical security updates.

  • Lawful Basis: Contract necessity; legitimate interests.

7. Regulatory & Legal Compliance

  • Purpose: fulfil data subject access requests, comply with ICO inquiries, or provide data to law enforcement under lawful request.

  • Lawful Basis: Legal obligation.

---

4. Sharing & Recipients of Your Data

We do not sell your personal data. We share it only with the following categories of recipients, each under a binding Data Processing Agreement (DPA) and, where applicable, UK-approved Standard Contractual Clauses (SCCs) for international transfers:

1. Third-Party AI/Analytics Providers

  • Examples: Notably AI (transcript analysis), Google Analytics and Mixpanel (usage tracking), third-party AI providers (e.g., OpenAI, Deepseek, or similar models) (LLM processing), Squarespace and Vercel (for website and webapp hosting).

  • Data Shared: AI MatchBot conversation logs (anonymised as needed), call/chat transcripts (with explicit consent), basic usage analytics.

  • Purpose: Improve AI matching accuracy, generate usage insights, and refine user experience.

2. Payment Processors & Accountants

  • Examples: Stripe, PayPal, Xero (once VAT registration is in effect); external accounting firm.

  • Data Shared: Therapist bank account details, referral-fee invoicing history, VAT registration information.

  • Purpose: Process referral-fee transactions, issue VAT invoices, and comply with financial reporting.

3. Regulatory Authorities & Law Enforcement

  • Examples: ICO, courts, professional bodies (BACP, UKCP).

  • Data Shared: Only in response to lawful requests or court orders (e.g., IP logs, account records).

  • Purpose: Compliance with legal obligations.

4. Professional Indemnity Insurer (Therapists Only)

  • Examples: Insurer or broker providing required insurance coverage.

  • Data Shared: Proof of insurance, policy details.

  • Purpose: Verify compliance with professional and legal requirements.

5. External Human Matching Partners

  • Examples: Qualified Therapists outside Aligned’s network if no in-network match is found.

  • Data Shared: Anonymised case summary (no personal identifiers) until a client accepts a specific Match. After your consent, only your name, email, and phone are shared with the chosen Therapist.

  • Purpose: Ensure you receive a suitable Therapist when our in-network pool does not suffice.

---

5. International Data Transfers & Safeguards

Although we design our systems to store and process data in the UK, some of our service providers (e.g., Notably AI, third-party AI providers (e.g., OpenAI, Deepseek, or similar models)) may operate servers in countries outside the UK/EEA. When transferring personal data to such countries that do not benefit from an adequacy decision, we rely on UK-Approved Standard Contractual Clauses (SCCs) and conduct transfer impact assessments. Supplementary measures may be used where necessary. You may request a copy of the relevant safeguards (e.g., SCCs) by contacting .

---

6. Retention Periods

We retain your personal data only as long as necessary to fulfil the purposes described above or to comply with our legal obligations. Specific retention timelines:

1. Therapist Data

  • Account & Profile Data: Retained for up to 7 years after account deactivation (to satisfy professional body, HMRC, and our legal obligations).

  • Onboarding/Feedback Transcripts: Retained for up to 3 years after collection, unless you withdraw consent earlier. After 3 years (or upon withdrawal), transcripts will be permanently deleted or anonymised.

2. Client Data

  • Non-Health Account Data: Retained for up to 5 years after account deactivation (to handle any post-termination support or complaints).

  • Health & Special Category Data (transcripts, intake questionnaires): Retained for up to 3 years after collection, unless you withdraw consent earlier. Upon withdrawal, we delete or anonymise data within 30 days (unless we must retain it to comply with legal requirements or defend a legal claim).

3. Marketing Subscriptions & Permissions

  • Consent Records: Retained for up to 5 years to demonstrate compliance with data protection laws.

After these periods expire, we either delete your data entirely or irreversibly anonymise it.

---

7. Cookies & Tracking Technologies

We use cookies, local storage, and similar technologies to make our Platform function properly and to enhance your experience. Non-essential cookies are blocked by default using Cookiebot or similar tools until you provide affirmative opt-in consent. to make our Platform function properly and to enhance your experience. Below is a summary of what we use and how you can control them.

7.1. Types of Cookies We Use

1. Strictly Necessary Cookies

  • Purpose: Essential for basic Platform functionality, such as login sessions and maintaining secure access.

  • Example: Session ID cookies that keep you logged in.

2. Performance & Analytics Cookies

  • Purpose: Collect anonymous data about how visitors use the Platform (e.g., pages visited, time spent) via services such as Google Analytics.

  • Benefit: Helps us identify issues, optimise load times, and improve the overall user experience.

3. Functional Cookies

  • Purpose: Remember your preferences (e.g., language selection, cookie-banner dismissal).

  • Benefit: Ensures the Platform “remembers” you when you return, so you don’t have to re-enter settings.

4. Targeting/Advertising Cookies (If introduced in the future)

  • Purpose: Deliver relevant marketing content if you opt into marketing communications.

  • Example: Third-party ad networks or remarketing pixels.

  • Control: Only used if you explicitly opt in through your account settings or cookie preferences banner.

7.2. Managing Your Cookie Preferences

  • Upon First Visit: A cookie banner will appear advising you of cookie use. You can accept all non-essential cookies or customize your preferences.

  • Withdraw or Modify Consent: At any time, click the “Cookie Settings” link in the website footer to adjust your preferences or withdraw consent for performance/functional/targeting cookies.

  • Browser Controls: You can also block cookies via your browser settings, but this may affect the Platform’s functionality.

---

8. Your Rights Under UK GDPR

Under UK GDPR, you have the following rights regarding your personal data. To exercise any right, please submit a request to . We will respond within one month (or up to two months if your request is complex).

1. Right of Access

  • Request a copy of the personal data we hold about you (Subject Access Request).

2. Right to Rectification

  • Request correction of inaccurate or incomplete data (e.g., profile information, health details).

3. Right to Erasure (“Right to be Forgotten”)

  • Request deletion of your personal data when it is no longer necessary for the purposes collected, you withdraw consent, or it was processed unlawfully.

  • We will delete or anonymise your data within 30 days, unless we must retain it to comply with legal obligations (e.g., financial records for HMRC or professional body audits).

4. Right to Restrict Processing

  • Request that we temporarily suspend processing your data if you contest accuracy or have objected to processing under certain lawful bases.

5. Right to Data Portability

  • If processing is based on consent or contract and data is processed electronically, request a copy of your data in a machine-readable format.

6. Right to Object

  • Object to processing based on legitimate interests (e.g., profiling for matching) or to marketing communications at any time.

7. Right to Withdraw Consent

  • For any processing based on explicit consent (e.g., recording of AI MatchBot chats, intake-call transcripts), you can withdraw consent via your account settings or by emailing [SUPPORT_EMAIL]. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

8. Right to Lodge a Complaint

  • If you believe we have violated UK GDPR, you may lodge a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk. We request you first contact us at [LEGAL_EMAIL] so we can attempt to resolve your concerns directly.

---

9. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

1. Encryption

  • All data in transit is encrypted using TLS/SSL.

  • Sensitive data (e.g., transcripts, health information) is encrypted at rest.

2. Access Controls

  • Role-based access control for employees and contractors; Therapists see only the data necessary to perform their function.

  • Multi-factor authentication (MFA) for administrative and support accounts.

3. Data Minimisation & Pseudonymisation

  • We collect only the data strictly necessary for each purpose.

  • “Case summaries” used in out-of-network searches are anonymised—no direct identifiers are included until you explicitly consent to a Match.

4. Regular Audits & Testing

  • We conduct periodic vulnerability scans, penetration tests, and internal audits to ensure ongoing compliance.

  • All third-party processors (e.g., Condens, third-party AI providers (e.g., OpenAI, Deepseek, or similar models), Bubble (or similar hosting frameworks)) are contractually bound to maintain at least equivalent security standards.

5. Incident Response Plan

  • We maintain a documented protocol for responding to data breaches, including notifying the ICO within 72 hours when required, and notifying affected data subjects if there is a high risk to their rights and freedoms.

---

10. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or to comply with new legal requirements. When we do, we will post the revised version on the Platform with a new “Effective Date.” We will notify registered users via email at least 14 days before any material changes take effect. Your continued use of the Platform after the Effective Date constitutes acceptance of the updated Policy.

---

11. Additional Information

1. Browser-Based Controls

  • You may control certain data-collection settings directly in your browser (e.g., cookie preferences, location services). However, restricting cookies may affect Platform functionality.

2. Platforms & Frameworks

  • Our WebApp is built on Vercel, and our website on Squarespace. Any personal data processed through the web front end inherently flows through these providers’ hosting infrastructure. They operate under their own Security & Privacy controls, and we have a Data Processing Agreement them to ensure UK GDPR compliance.

3. Third-Party Links

  • Our Platform may contain links to external websites (e.g., professional resources). This Policy does not apply to those third-party sites. We encourage you to review each site’s privacy and cookie policies before sharing personal data.

4. Children’s Privacy

  • Our Platform is for adults (18+). We do not knowingly collect data from minors. If we become aware that a minor’s data was collected inadvertently, we will delete it promptly.

**Note:** Our AI MatchBot is powered by a third-party language model (LLM) that interprets your inputs to recommend therapist matches. It is not a diagnostic tool or a substitute for human therapists.

We do not make legally binding decisions solely based on automated processing.

You may grant or withdraw consent granularly for each category of non-essential cookies (e.g., analytics, functional, targeting)