Privacy Policy

HypnoVox is a business-to-business (B2B) software-as-a-service (SaaS) platform that enables hypnotherapists and other qualified practitioners to record, manage, and securely share therapy session recordings with their clients.

Under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), the therapist who uses HypnoVox is the data controller for their clients' personal data. HypnoVox operates as a data processor, processing personal data on behalf of and under the instructions of each therapist.

For data relating to therapists' own accounts (registration details, login credentials), HypnoVox acts as the data controller.

2.1 Therapist Account Data (Controller)

We collect the following data when therapists register:

• Full name — to identify the account holder
• Email address — for authentication, account recovery, and essential communications
• Practice name — displayed on shared recordings
• Password — stored as a cryptographic hash; we never store plaintext passwords

2.2 Client Data (Processor)

Therapists may store the following client data within their HypnoVox account:

• Client name — to identify and organise recordings
• Client email — used to send shared recording links (when the therapist initiates sharing)

2.3 Recording Data (Processor — Special Category)

When a therapist records a session, the following data is collected:

• Audio recording files — the session recording itself, stored as WebM or M4A
• Recording title and notes — therapist-provided metadata
• Duration — length of the recording
• Sharing metadata — share tokens, expiry dates, download permissions

3.1 Therapist Account Data (Article 6)

• Performance of a contract (Article 6(1)(b)) — we process therapist data to provide the HypnoVox service as agreed in our Terms of Service.
• Legitimate interests (Article 6(1)(f)) — for account security, fraud prevention, and service improvement.

3.2 Client Data and Recordings (Articles 6 and 9)

As a data processor, HypnoVox processes client data and recordings on behalf of the therapist (data controller). The therapist is responsible for establishing an appropriate legal basis. Typically this includes:

• Article 6(1)(a) — Consent or Article 6(1)(b) — Contract: the client has consented to or contracted for the recording of their session.
• Article 9(2)(a) — Explicit consent: for processing special category health data, the client has given explicit consent to their therapist for their session to be recorded and shared via HypnoVox.

Therapists are responsible for obtaining and documenting appropriate consent from their clients before recording sessions or storing client data in HypnoVox.

Audio recordings of therapy sessions are classified as special category data under Article 9 of the GDPR because they relate to an individual's physical or mental health.

We apply additional safeguards to this data:

• Audio files are stored in isolated, encrypted storage buckets with path-based access controls
• Each therapist can only access their own recordings — enforced at the database level via Row Level Security (RLS)
• Shared recordings use time-limited, tokenised URLs that automatically expire
• Therapists control sharing permissions and can revoke access at any time
• Download permissions are configurable per recording by the therapist

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption in transit — all data is transmitted over HTTPS/TLS
• Encryption at rest — database and storage are encrypted using AES-256
• Row Level Security (RLS) — database policies ensure therapists can only access their own data
• Password hashing — passwords are hashed using industry-standard algorithms (bcrypt) and never stored in plaintext
• Signed URLs — audio files are served via short-lived, cryptographically signed URLs
• Session management — secure, HTTP-only authentication tokens with appropriate expiry
• Access controls — service-level keys are kept server-side only and never exposed to clients

We use the following third-party services to deliver HypnoVox. Each operates as a sub-processor under a Data Processing Agreement (DPA):

Some of our sub-processors are based in the United States. Where personal data is transferred outside the UK or the European Economic Area (EEA), we ensure appropriate safeguards are in place:

• EU-U.S. Data Privacy Framework (DPF) — where our sub-processors are certified under the DPF, transfers are made in reliance on their certification
• Standard Contractual Clauses (SCCs) / International Data Transfer Agreement (IDTA) — where DPF certification is not available, we rely on Commission-approved SCCs (for EU GDPR) or the UK IDTA (for UK GDPR) to provide adequate protection
• Supplementary measures — including encryption in transit and at rest, access controls, and contractual commitments from sub-processors

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Therapist account data — retained for the duration of the account. Upon account deletion, data is removed within 30 days.
• Client data — retained until deleted by the therapist or upon account closure. Therapists may delete individual client records at any time.
• Audio recordings — retained until deleted by the therapist or upon account closure. Therapists can delete individual recordings at any time.
• Shared recording links — expire automatically after the period set by the therapist. Expired tokens are purged periodically.
• Server logs — retained for up to 30 days for security and debugging purposes, then automatically deleted.

Therapists (as data controllers) are responsible for implementing appropriate retention schedules for their client data, consistent with their professional obligations and applicable regulations.

Under the UK GDPR and EU GDPR, individuals have the following rights regarding their personal data:

• Right of access (Article 15) — request a copy of the personal data we hold about you
• Right to rectification (Article 16) — request correction of inaccurate or incomplete data
• Right to erasure (Article 17) — request deletion of your personal data (“right to be forgotten”)
• Right to restrict processing (Article 18) — request that we limit how we use your data
• Right to data portability (Article 20) — receive your data in a structured, machine-readable format
• Right to object (Article 21) — object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

For Therapists

As data subjects whose account data we control, therapists may exercise these rights directly with us (see Section 10).

For Clients

As the data controller for client data, your therapist is your primary point of contact for exercising data rights. If your therapist is unable to assist, you may contact us and we will facilitate your request in coordination with your therapist.

To exercise any of your data protection rights, you may:

• Email us at privacy@hypnovox.app
• Include your full name and email address so we can verify your identity
• Describe the right you wish to exercise and any relevant details

We will respond to your request within one month of receipt. If your request is complex or we receive a high volume of requests, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:

• UK: Information Commissioner's Office (ICO) — ico.org.uk
• EU: Your local Data Protection Authority (DPA)

HypnoVox uses only essential cookies that are strictly necessary for the application to function:

• Authentication session cookies — to keep you signed in and secure your session
• CSRF protection cookies — to prevent cross-site request forgery attacks

We do not use any analytics, advertising, or tracking cookies. Because we only use strictly necessary cookies, consent is not required under the Privacy and Electronic Communications Regulations (PECR) or the ePrivacy Directive.

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will:

• Notify affected therapists (as data controllers) without undue delay and no later than 72 hours after becoming aware of the breach, as required by Article 33
• Provide details of the nature of the breach, the categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
• Assist therapists in fulfilling their own breach notification obligations to supervisory authorities and affected individuals under Articles 33 and 34

If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also take reasonable steps to directly notify affected individuals.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the “Last updated” date at the top of this page
• We will notify registered therapists by email at least 14 days before material changes take effect
• Continued use of HypnoVox after the effective date constitutes acceptance of the updated policy

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

HypnoVox is intended for use by adults aged 16 years and over only. We do not knowingly collect personal data from individuals under the age of 16. If you are a therapist working with clients under 16, you must not store their data in HypnoVox without appropriate parental or guardian consent, and you bear responsibility as data controller for ensuring that any such processing is lawful.