Preparing your clinical workspace...

Privacy Policy

Last Updated: June 12, 2026

1. Introduction

CocoPsych Ltd ("CocoPsych," "we," "us," or "our") is committed to protecting the privacy and security of personal data processed through our platform. CocoPsych is an AI-powered psychology practice management system that processes sensitive health data on behalf of mental health practitioners.

This Privacy Policy explains how we collect, use, store, and protect personal data. It applies to all users of the CocoPsych platform, including practitioners (our direct customers) and the patients whose data practitioners process through our Service.

Data Protection Contact: privacy@cocopsych.com

2. Data Controller and Processor Roles

CocoPsych as Data Processor

Under the UK GDPR, EU GDPR, and Data Protection Act 2018, CocoPsych acts as a Data Processor. Under HIPAA, CocoPsych acts as a Business Associate. We process personal data and health data solely on behalf of practitioners (the Data Controllers / Covered Entities) and under their documented instructions.

Practitioner as Data Controller

The individual practitioner or practice is the Data Controller (GDPR) or Covered Entity (HIPAA). They determine the purposes and means of processing patient data, obtain patient consent, and bear responsibility for compliance with applicable data protection laws.

Patient Data Subject Rights

Patients (data subjects) should exercise their rights — including access, rectification, erasure, and portability — through their practitioner (the Data Controller). CocoPsych will assist practitioners in fulfilling data subject requests as required by our Data Processing Agreement.

3. Data We Collect

3.1 Practitioner Account Data

When you register and use CocoPsych, we collect:

  • Name, email address, and professional credentials
  • Practice name and business information
  • Billing and payment information (processed by third-party payment providers)
  • Usage data and preferences
  • Device information and IP address (for security and authentication)

3.2 Patient Clinical Data (Processed on Behalf of Practitioners)

On behalf of practitioners, we process:

  • Patient demographics (name, contact information, date of birth)
  • Session transcripts generated from audio
  • AI-generated clinical notes
  • Appointment and scheduling data
  • Billing records associated with patient sessions

This data constitutes special category data (Article 9, UK GDPR/EU GDPR) and Protected Health Information (HIPAA). It receives the highest level of protection.

3.3 Sandbox (Professional Development Data)

The Sandbox workspace generates the following data:

  • Thinking Space reflective notes and AI conversation history
  • Task lists (pre-session and post-session planning)
  • Supervision session transcripts and AI-generated supervision notes
  • CPD activity records and evidence file uploads

Sandbox data is primarily professional development data rather than clinical patient data. However, supervision transcripts may contain patient-identifiable information and are treated with equivalent security protections.

3.4 Audio Recordings

Audio recordings are never stored. When a practitioner records a session (clinical or supervision) for transcription purposes, the audio exists only transiently during the transcription process. Audio is automatically and permanently deleted immediately upon completion of transcription. We do not retain, archive, back up, or store audio recordings under any circumstances. Once deleted, audio cannot be recovered.

4. How We Use Data

4.1 Clinical Data (Processor Role)

We process clinical data solely to:

  • Provide transcription and AI note generation services
  • Store and organise clinical records on behalf of the practitioner
  • Enable client management, scheduling, and billing functions
  • Facilitate data export and portability

4.1A Sandbox Data (Processor Role)

We process Sandbox data solely to:

  • Provide AI-assisted reflective practice (Thinking Space)
  • Enable task management for session preparation
  • Provide supervision session transcription and AI note generation
  • Store CPD activity records and evidence uploads

We do not use clinical or Sandbox data for AI model training, marketing, advertising, analytics, research, or any purpose beyond providing the Service.

4.2 Account Data (Controller Role)

For practitioner account data, CocoPsych acts as Data Controller and uses this data to:

  • Provide and maintain the Service
  • Process payments and manage subscriptions
  • Send service communications (updates, security alerts, billing)
  • Improve the Service (using aggregated, anonymised usage patterns only)
  • Comply with legal obligations

5. Legal Basis for Processing

Clinical Data (as Processor)

We process clinical data under Article 28 (UK GDPR/EU GDPR) processor obligations, pursuant to our Data Processing Agreement with each practitioner. The practitioner's lawful basis for processing health data is typically:

  • Article 9(2)(h) — necessity for healthcare provision; or
  • Article 9(2)(a) — explicit patient consent

Account Data (as Controller)

  • Contract: Processing necessary to perform our contract with you (Article 6(1)(b))
  • Legal obligation: Processing required by law, including tax and accounting requirements (Article 6(1)(c))
  • Legitimate interests: Service improvement using anonymised data, security monitoring (Article 6(1)(f))

6. Data Retention

6.1 Audio Recordings

Not retained. Deleted immediately after transcription completes. No exceptions.

6.2 Clinical Data (Notes, Transcripts, Client Records)

Retained for the duration of the practitioner's active subscription. Practitioners may delete clinical data at any time. Post-cancellation grace periods:

  • Starter plan: 30 days
  • Professional plan: 90 days
  • Organisation plan: 1 year

After the grace period, clinical data is permanently deleted.

6.2A Sandbox Data

Thinking Space notes, tasks, supervision records, CPD logs, and evidence uploads are retained for the duration of your active subscription. Sandbox data may be deleted at any time without restriction. Post-cancellation, Sandbox data follows the same grace periods as clinical data.

6.3 Mandatory Retention (Cannot Be Deleted)

  • Audit logs: 7 years — immutable, tamper-evident
  • Billing records: 7 years — tax and HIPAA compliance
  • Consent records: 7 years — GDPR Article 7(1) accountability
  • BAA/DPA documents: 6 years post-termination — HIPAA 45 CFR 164.530(j)

6.4 Account Data

Retained for the duration of your account plus any mandatory retention period. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.

7. Data Security

We implement technical and organisational measures appropriate to the sensitivity of health data:

  • Encryption at rest: AES-256 for all stored data
  • Encryption in transit: TLS 1.3 for all data transmission
  • Access control: Role-based access, unique user IDs, automatic session timeout
  • Authentication: Multi-factor authentication, device verification
  • Audit controls: Immutable logging of all access to personal data, 7-year retention
  • Integrity controls: Checksums, versioned storage, tamper-evident logs
  • Regular testing: Security assessments and vulnerability scanning

8. Sub-Processors

We use the following categories of sub-processors to deliver the Service:

  • Cloud infrastructure: Data hosting and compute services
  • Authentication: Identity and access management services
  • AI processing: Clinical note generation services
  • Payment processing: Billing and subscription management

All sub-processors are bound by appropriate data processing agreements and maintain security standards consistent with health data requirements. A full list of sub-processors is available on request. We maintain sub-processor BAAs where required by HIPAA.

9. International Data Transfers

CocoPsych primarily processes data within the European Economic Area (EEA) and United Kingdom. Where data is transferred outside the EEA/UK, we ensure appropriate safeguards are in place:

  • UK International Data Transfer Agreement (IDTA)
  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable

For Australian users: in accordance with Australian Privacy Principle 8, we inform you that your data is processed on infrastructure located outside Australia. Appropriate contractual protections are in place.

10. Your Rights (Practitioner Account Data)

Under the UK GDPR and EU GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data (subject to mandatory retention)
  • Restriction: Request restriction of processing
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent

To exercise these rights, contact privacy@cocopsych.com. We will respond within one month (extendable by two months for complex requests).

You have the right to lodge a complaint with your supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk.

11. US Privacy Rights

For practitioners in the United States, CocoPsych complies with HIPAA requirements as a Business Associate. PHI regulated by HIPAA is exempt from CCPA/CPRA per Civil Code 1798.145(c)(1).

Under applicable US state privacy laws, you may have additional rights including:

  • The right to know what personal information is collected
  • The right to request deletion of personal information
  • The right to opt out of the sale of personal information (we do not sell personal information)
  • The right to non-discrimination for exercising privacy rights

We do not sell personal information or health data. We do not share personal information for cross-context behavioural advertising.

12. Data Breach Notification

In the event of a personal data breach:

  • UK/EU GDPR: We will notify affected practitioners (controllers) without undue delay. Practitioners must notify their supervisory authority within 72 hours where required.
  • HIPAA: We will notify affected covered entities without unreasonable delay (and no later than 60 days from discovery).
  • Singapore PDPA: Notification to PDPC within 3 calendar days where applicable.

13. Cookies and Tracking

CocoPsych uses strictly necessary cookies for authentication and session management. We use limited analytics to understand Service usage. For full details, please see our Cookie Policy.

We do not use tracking cookies for advertising purposes. We do not engage in cross-site tracking or behavioural profiling of our users.

14. Children's Data

CocoPsych accounts are for adult practitioners only. Where practitioners treat minor patients, the practitioner (as Data Controller) is responsible for ensuring appropriate consent and safeguards are in place. We do not knowingly collect data directly from children.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email or in-app notification. The "Last Updated" date at the top of this policy indicates when the most recent changes were made.

16. Contact

For privacy-related enquiries:

Email: privacy@cocopsych.com

Data Protection matters: dpo@cocopsych.com

CocoPsych Ltd, United Kingdom

Latest update: June 12, 2026