Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement (DPA) forms part of the Terms of Service between Practeese (the Processor) and the practitioner using the platform (the Controller). It applies to all personal data processed by Practeese on the Controller's behalf.

By using Practeese you agree to the terms of this DPA.

Definitions

Controller means the practitioner who determines the purposes and means of processing patient personal data.

Processor means Practeese, which processes personal data on behalf of the Controller.

Personal data has the meaning given in UK GDPR.

Special category data means health data and any other data falling under Article 9 of UK GDPR.

Subject matter and purpose

Practeese processes patient personal data on behalf of the practitioner for the sole purpose of providing the Practeese practice management service, including:

  • Storing patient records, session notes, and contact details
  • Sending appointment reminders and confirmations to patients
  • Sending intake forms and collecting responses
  • Processing payment links and tracking outstanding amounts

Categories of data processed

  • Patient names, dates of birth, and contact details
  • Session notes and clinical observations entered by the practitioner
  • Intake form responses including health history
  • Appointment history and scheduling data
  • Payment amounts and outstanding balances

This includes special category health data under UK GDPR Article 9. The Controller is responsible for ensuring that a lawful basis under Article 6 and a condition under Article 9(2) exist for processing this data.

Processor obligations

Practeese will:

  • Only process personal data on documented instructions from the Controller, unless required by law to do otherwise
  • Implement appropriate technical and organisational security measures to protect the data
  • Ensure that personnel with access to the data are bound by confidentiality obligations
  • Not engage new sub-processors without informing the Controller and providing an opportunity to object
  • Assist the Controller in responding to data subject rights requests
  • Assist the Controller in meeting its obligations under Articles 32 to 36 of UK GDPR
  • Delete or return all personal data upon termination of the agreement, at the Controller's choice
  • Provide all information necessary to demonstrate compliance with this DPA

Sub-processors

Practeese currently uses the following sub-processors to deliver the service. By agreeing to this DPA you authorise their use.

Sub-processor, purpose, and location:

  • Supabase Inc: database and authentication infrastructure (EU, Ireland)
  • Resend Inc / AWS SES: transactional email delivery (EU West)
  • Stripe Inc: payment processing, subscription billing only (EU / USA, PCI DSS compliant)
  • Netlify Inc: application hosting and serverless functions (EU / USA)

Security measures

Practeese implements the following technical and organisational security measures:

  • All data encrypted in transit using TLS 1.2 or higher
  • All data encrypted at rest using AES-256
  • Row-level security enforced at the database level so practitioners can only access their own data
  • Authentication via magic link (no passwords stored)
  • Access to production systems restricted to authorised personnel only
  • Regular security reviews and dependency updates

Personal data breach notification

In the event of a personal data breach affecting patient data, Practeese will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of individuals and records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

The Controller is responsible for notifying the ICO where required under Article 33 (within 72 hours of becoming aware of the breach) and affected data subjects where required under Article 34.

Data subject rights

Where a patient exercises their rights under UK GDPR (access, rectification, erasure, portability), the Controller is responsible for responding. Practeese will assist by providing access to the relevant data upon request from the Controller, within a reasonable timeframe.

Termination and data deletion

Upon termination of the practitioner's account, Practeese will delete all patient data associated with that account within 30 days, unless the Controller requests export of data before deletion. Data required to be retained by law is exempt from deletion until the retention period expires.

Governing law

This DPA is governed by the laws of England and Wales and is subject to the jurisdiction of the courts of England and Wales.

Contact

For any questions regarding this DPA or data processing, contact us at hello@practeese.com.