Privacy Policy
Effective date: 21 June 2026
This Privacy Policy explains how ProTherapy collects, uses, stores, shares, and protects personal data when you use the ProTherapy platform. Please read it together with our Terms of Service.
ProTherapy is a technology platform for independent mental-health professionals. ProTherapy is not a healthcare provider, is not a clinic, and does not provide therapy, counselling, diagnosis, medical advice, or any emergency service. Therapy is provided solely by the independent therapist you book with. ProTherapy provides the software those therapists use to run their practice (booking pages, scheduling, reminders, record-keeping, messaging, and payment tracking).
If you are in distress or facing a mental-health emergency, ProTherapy cannot help you in real time. Please contact your nearest emergency service or a crisis helpline immediately. Helpline details are listed on our crisis page.
1. Who we are
ProTherapy is a sole proprietorship (an MSME registered under Udyam Registration No. UDYAM-PB-03-0076949), operated by its proprietor, Mr. Uppinder Singh Chugh ("ProTherapy", "we", "us", "our").
- Location: Bathinda, Punjab, India. The full registered address is available on request via support@protherapy.in.
- Support / general contact: support@protherapy.in
- Grievance Officer: Mr. Uppinder Singh Chugh — uppinder.chugh@gmail.com (see Section 17).
This Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 and rules made under it.
In this Policy, "personal data" means any data about an individual who is identifiable by or in relation to such data. "Data Principal" means the individual to whom the personal data relates (that is, you). "Data Fiduciary" and "Data Processor" have the meanings given to them under the DPDP Act.
2. ProTherapy's role and the therapist's role
Two roles co-exist on the platform, and it is important to understand which applies to which data.
2.1 ProTherapy as Data Fiduciary (platform and account data)
ProTherapy is the Data Fiduciary for the data we collect and use to operate the platform itself — for example, your account details, login credentials, booking and session metadata, billing records, and (for therapists) payment-routing details. For this data, ProTherapy decides the purposes and means of processing, and ProTherapy is accountable to you under the DPDP Act.
2.2 The therapist as Data Fiduciary (clinical content); ProTherapy as Data Processor
For clinical content — the session notes a therapist writes about you, your pre-session questionnaire responses, in-app messages, and therapist-authored session summaries — the therapist (or their practice) is the Data Fiduciary, and ProTherapy acts as a Data Processor on the therapist's behalf. The therapist decides what to record about you and is responsible for the clinical relationship.
ProTherapy cannot read your clinical content. Clinical notes, pre-session responses, in-app messages, and session summaries are encrypted at the application layer (see Section 6). We store this content only as encrypted data and process it on the therapist's instructions. Because both roles co-exist, ProTherapy still carries Data Fiduciary obligations for clinical content as well (for example, security and breach response), but the therapist controls what is recorded and why.
If you have a question about clinical content held by your therapist — for example, you want it corrected, exported, or erased — that request is directed to and decided by your therapist. We explain how this works in Sections 12 and 13.
3. The personal data we collect
We practise data minimisation — we ask for the minimum needed to deliver the service. The categories below are collected depending on how you use ProTherapy.
3.1 Account data
- Email address (your primary identity on the platform — see Section 4).
- Name.
- For therapists: phone number, professional credentials and any RCI registration details you supply, and your encrypted payment-integration tokens once you connect a payment account.
- Login is via a one-time code (OTP) sent to your email or, where applicable, your mobile number.
3.2 Booking and session data
- Booking details and session metadata (timing, status, session type, billing status).
- Optional WhatsApp number, collected only if you choose to receive reminders on it (see Section 9).
- Pre-session responses you provide on a therapist's booking page — only the questions that therapist has configured.
3.3 Data collected later, with the therapist's onboarding
After your first session, if your therapist invites you to complete a fuller onboarding form, you may be asked for additional details such as date of birth, emergency-contact details, presenting concern, and prior-therapy history. These are not collected at the booking stage. Some of these fields form part of clinical content held encrypted (see Section 2.2).
3.4 Clinical content (held encrypted; therapist-controlled)
- Session notes written by your therapist.
- Pre-session questionnaire responses.
- In-app messages between you and your therapist.
- Optional therapist-authored session summaries shared with you.
We store all of the above as encrypted data and cannot read it (Section 6).
3.5 Payment data
At the pilot stage, payments are offline only. You pay your therapist directly (for example, by UPI, bank transfer, or cash). ProTherapy never holds, processes, or receives your money, and ProTherapy never sees your bank account number, card number, UPI ID, or other payment instrument. When a therapist marks a session as paid offline, we store only a payment-method category (for example, "UPI" or "cash"), an optional short free-text reference the therapist types, and a record of who marked it and when. Online card/UPI payments through a payment gateway (Razorpay) are not live yet; if and when they are enabled, this Policy will be updated to describe that flow.
3.6 Technical and essential-storage data
We use essential cookies and similar local storage to keep you logged in and to make the service work (see Section 16). We do not use advertising or third-party tracking cookies.
4. Email as your identity
ProTherapy uses email as the primary identity anchor, not your phone number. This is a deliberate privacy choice. Phone numbers are commonly shared within Indian households; using email keeps two people who share a phone (or a family WhatsApp number) as separate accounts, and reduces the risk of one person seeing another's reminders or details. Your WhatsApp number, if provided, is stored separately and used only for reminders you opt into.
5. Why we use your data, and purpose limitation
We use personal data only for the purposes you were informed of when it was collected:
- Account data — to operate the platform: create and secure your account, log you in, and provide support.
- Booking and session metadata — to schedule sessions, send confirmations and reminders, and track billing status.
- WhatsApp number and opt-in — solely to send session reminders you asked for.
- Clinical content — held encrypted, for your therapist's professional record-keeping. ProTherapy does not use it for anything else.
- Therapist payment-integration data — to support the therapist's own payment account where applicable.
We do not sell your personal data. We do not use your data for advertising or profiling.
Clinical data is never used for any other purpose. It is not used for analytics, for training any AI or machine-learning model, or to generate cross-therapist insights. Any future AI feature would require both the therapist's explicit opt-in and notice to you, and would still be limited to that therapist's own records.
6. Security and encryption
We apply security safeguards appropriate to the sensitivity of mental-health data:
- Application-layer encryption. Clinical notes, pre-session responses, in-app messages, therapist-authored session summaries, and stored payment-integration tokens are encrypted using AES-256-GCM before they are stored. They are held as ciphertext at rest. ProTherapy administrators cannot read this content.
- Access controls. Database-level row access controls and application-layer checks restrict data so that, in general, only you and your booking therapist can access content related to your relationship.
- Administrative access is metadata-only. ProTherapy's operations staff can see operational metadata (for example, session status, timestamps, and billing state) to provide support, but never read decrypted clinical notes, pre-session responses, in-app messages, or session summaries.
- Audit logging. Sensitive actions are recorded in append-only audit logs.
- Encrypted backups, stored within India.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We describe what happens in the event of a data breach in Section 14.
7. Lawful basis and consent
Under the DPDP Act, we process personal data on the basis of your consent or, where applicable, for certain legitimate uses permitted by law (for example, retaining records to comply with a legal obligation — see Section 8).
Consent under the DPDP Act must be free, specific, informed, unconditional, and unambiguous, and given through a clear affirmative action. Accordingly:
- At first login / onboarding, before you can proceed, you are shown this Privacy Policy and our Terms of Service and asked to accept them. Choosing to continue records your acceptance.
- On a therapist's booking page, a short disclosure is shown and your submission of the booking is the affirmative action that records your agreement, including that your details are shared only with that therapist.
- For WhatsApp reminders, consent is a separate, explicit checkbox (see Section 9).
How consent is recorded. At the pilot stage, your acceptance of this Policy and the Terms is recorded by reference to your account-creation timestamp; booking-page agreement is recorded against the booking record; and your WhatsApp opt-in is recorded with its own dated timestamp.
Withdrawing consent. You can withdraw consent at any time, and we make withdrawing as easy as giving consent. For WhatsApp reminders, you can withdraw at any time using any of the methods in Section 9 — including a one-click unsubscribe link in every reminder message and an in-app toggle once you have access to your account. Withdrawing your overall consent to use the platform is done through account deactivation (Section 13). Withdrawing consent does not affect processing that already took place, and does not override retention we are legally required to maintain (Section 8).
If we materially change this Policy in future, we may ask you to review and re-accept it (see Section 18).
8. Data retention and storage limitation
We keep personal data only as long as needed for the purpose it was collected, or as required by law, and then delete or anonymise it. Our retention periods are:
| Data category | Retention |
| --- | --- |
| Account data (after deactivation) | 30 days, then anonymised |
| Session notes (after the therapist–client relationship ends) | 3 years from the date the relationship ended, then deleted |
| Pre-session responses | 3 years from the session date, then deleted |
| Online payment records (when online payments are enabled) | 8 years (to meet GST and income-tax retention requirements) |
| WhatsApp send logs | 13 months |
| Audit logs | 8 years |
Clinical records (notes, pre-session responses) and related audit logs are retained for 3 years from the end of each therapist–client relationship (or from deactivation, if the relationship was active at that point), because mental-health records carry professional and legal-defence retention norms in India. This retention is enforced by an automated process.
Your right to erasure (Section 12) does not override these retention periods. Records subject to statutory or professional retention are kept for the periods above; other personal data is anonymised within 30 days of deactivation.
9. WhatsApp reminders — opt-in and opt-out
WhatsApp session reminders are entirely optional.
- Opt-in. You only receive WhatsApp reminders if you provide a WhatsApp number and tick the explicit checkbox: "Send me session reminders on this WhatsApp number." No reminder is sent unless you have done both. Your opt-in is recorded with a timestamp.
- What is sent. Only session reminders. Reminders are utility messages and do not include crisis-helpline content (that lives on our dedicated crisis page so the signal is not diluted).
- Opt-out, at any time, by any of these:
  - A one-click unsubscribe link included in every reminder message ("Stop reminders"). It works whether or not you have logged into the app.
  - Replying "Stop" to the WhatsApp message.
  - An in-app toggle ("Receive session reminders on WhatsApp") in your settings, once you have claimed your account.
Opting out takes effect before the next scheduled reminder and is logged.
10. Sharing of your data
We share personal data only as needed to provide the service, and never sell it.
- With your booking therapist. The therapist you book with receives the personal data necessary to provide the service to you (your name, email, booking details, any pre-session responses, and — where you provide them — later onboarding details). Your details are shared only with that therapist.
- With our service providers (Data Processors). We use trusted infrastructure providers to run the platform, under contractual confidentiality and security obligations. These include our hosting and database provider (Supabase, in the Mumbai region), our application hosting provider (Vercel), and our messaging provider (Twilio, for WhatsApp reminders). These providers process data on our instructions.
- When required by law. We may disclose data if required by a valid legal order, or to protect rights, safety, or property as permitted by law.
- On a business transfer. If ProTherapy is involved in a merger, acquisition, or asset transfer, data may be transferred subject to this Policy.
We do not sell, rent, or trade personal data, and we do not share it for advertising.
11. Data residency — India only
All ProTherapy data — the database, file storage, and encrypted backups — is stored and processed in India (Supabase, Mumbai region, `ap-south-1`). The DPDP Act applies to this processing regardless of where you are located. It is our policy not to move ProTherapy data outside India; any future region we add would also be an Indian region.
12. Your rights under the DPDP Act
As a Data Principal, you have the following rights in respect of your personal data:
- Right to access — to obtain a summary of the personal data we process about you. You can use the "Export all data" feature in your settings, which returns your data in machine-readable form (see Section 13).
- Right to correction and completion — to have inaccurate or incomplete data corrected or completed. You can edit your profile in-app; some fields (for example, email or RCI number) require verification or support assistance.
- Right to erasure — to have personal data erased where it is no longer needed and not subject to a retention obligation. Erasure is initiated through account deactivation (Section 13); statutory and professional retention (Section 8) continues to apply to the data it covers.
- Right to nominate — to nominate another individual to exercise your rights in the event of your death or incapacity. At the pilot stage, please make a nomination request to the Grievance Officer; an in-app option is planned.
- Right of grievance redressal — to raise a grievance with our Grievance Officer (Section 17). We aim to respond within 7 working days.
For clinical content held by your therapist (notes, pre-session responses), your therapist is the Data Fiduciary. Requests to access, correct, or erase that content are decided by your therapist; ProTherapy supports the therapist in giving effect to a valid request, but does not decide it. See also Section 13 on clinical exports.
To exercise any right, contact us at support@protherapy.in or the Grievance Officer (Section 17).
13. Data export
We make it easy to get a copy of your data.
- Self-serve export. In your settings, "Export my data" lets you download your own data (profile, session metadata, mood logs, exercises, billing records, and reminder history) without needing to contact us.
- What the self-serve export does not include. For your protection and the protection of others, raw clinical notes and pre-session responses are not included in the automated self-serve export. Therapy notes often contain personal information about third parties (for example, family members), and releasing them without the therapist's review could harm others and create legal risk.
- Full clinical export (on request, with safeguards). A copy of clinical content can be released through a reviewed process: you make a written request, your therapist reviews and approves it, the export is generated and logged, and the download link expires after a short period. This protects against accidental disclosure of third-party information.
Therapists can export their own practice data, including the decrypted notes they authored.
14. Data breach
If a personal-data breach occurs, we will act under our breach-response procedure: detect and contain the incident (including rotating affected keys), assess which data was affected, notify the Data Protection Board of India within the timeline required by law, and notify affected users — telling you what happened, what data was affected, what we are doing, and what you should do. Our application-layer encryption is designed to materially reduce the impact of any breach affecting clinical content.
15. Minors
ProTherapy is intended for adults — both adult clients and adult mental-health professionals. We do not knowingly onboard minors directly, and we do not verify the age of people who book through a therapist's public booking page.
If a therapist chooses to treat a minor client, the therapist or their practice is responsible for obtaining legally valid guardian consent (in writing, before the first session) and for maintaining the statutory safeguards for minors' records under applicable law, including the Mental Healthcare Act, 2017. Any guardian-consent records are held by the therapist, not by ProTherapy. ProTherapy's role is limited to providing the platform.
If you believe a minor has provided us personal data directly, please contact the Grievance Officer so we can take appropriate action.
16. Cookies and essential storage
We use only essential cookies and similar local storage — for example, to keep you securely logged in and to make core features work. We do not use advertising cookies or third-party tracking. Because these are strictly necessary to provide the service, disabling them may prevent the platform from working.
17. Grievance Officer and contact
If you have any question, request, or complaint about your personal data, you may contact:
Grievance Officer: Mr. Uppinder Singh Chugh
Email: uppinder.chugh@gmail.com
General / support contact: support@protherapy.in
Postal address: ProTherapy, Bathinda, Punjab, India. The full registered address is available on request via support@protherapy.in.
We aim to acknowledge and respond to grievances within 7 working days. If you are not satisfied with our response, you may have the right to complain to the Data Protection Board of India.
18. Clients outside India (including NRI clients)
ProTherapy is available to clients located outside India, including non-resident Indians (NRIs). Wherever you are located:
- Your personal data is stored and processed in India (Mumbai region), and the DPDP Act applies to that processing.
- By using ProTherapy, you understand and agree that your data is processed in India.
- If you are located in a jurisdiction with its own data-protection law (for example, the EU under the GDPR, or the UK under the UK GDPR), that law may also apply to the processing of your data. We aim to apply security and data-handling standards (versioned encryption, access controls, audit logging, and retention limits) consistent with strong international baselines for the categories of data we collect. This Policy does not, however, purport to be a complete statement of your rights under any non-Indian law.
19. Changes to this Policy
We may update this Policy from time to time. When we do, we will revise the "Effective date" above. If a change is material, we will take reasonable steps to notify you and, where appropriate, ask you to review and re-accept the updated Policy before you continue using the platform. Your continued use of ProTherapy after an update means you accept the revised Policy, subject to any re-acceptance we require.
20. Governing law and jurisdiction
This Policy is governed by the laws of India. The courts at Bathinda, Punjab, India shall have exclusive jurisdiction over any dispute arising out of or in connection with this Policy, subject to any non-waivable rights you may have under applicable law.