Wellspring Scheduling Ltd — 

Effective Date: [Insert Date]
Last Updated: [Insert Date]

1.1 Introduction

Wellspring Scheduling Ltd (“we”, “our”, “us”) provides a scheduling and client management platform for healthcare and therapy professionals. Protecting the privacy and security of your personal and patient data is a priority.

This Privacy Policy explains:

• What information we collect
• How we use it
• Who we share it with
• Your rights under data protection laws
• We are the Data Controller for account and billing data and the Data Processor for patient data entered by our users.

1.2 Information We Collect

• Practitioner / Account Data:
• Name, email, phone
• Business name and address
• Professional registration numbers
• Notes/files uploaded for internal use
• Patient / Client Data (entered by users):
• Name, DOB, contact details
• Medical history and clinical notes
• Consent forms and uploaded documents/images
• Technical / Operational Data:
• AWS-hosted system usage data
• Cookies (essential only)

Note: We do not store credit card information; payments are handled by Stripe, Square, and PayPal.

1.3 Legal Basis for Processing

• Contractual necessity: Providing access and platform functionality
• Legal obligations: Compliance with UK GDPR and health record regulations
• Legitimate interests: Security, fraud prevention, and system improvement
• Explicit consent: Required for processing health data

1.4 Use of Data

• Platform functionality: Scheduling, client management, reporting, billing
• Email & calendar integration (Gmail, Outlook, etc.)
• Security and access control
• Optional features: Telehealth, messaging, AI-assisted tools, other api apps

1.5 Data Sharing / Third-Party Services

We may share or transmit data to:

• Core Platform Services
• AWS (hosting and storage)
• Stripe, Square, PayPal (payment processing)
• Email & Calendar Integrations
• Gmail, Outlook, and other calendar/email platforms
• Data shared only for providing two-way sync and email functionality

Important Notes

• You acknowledge and agree that all third-party providers’ terms and privacy policies apply
• We are not responsible for how third parties process or store data
• Users are responsible for maintaining patient confidentiality and obtaining consent

1.6 Data Storage & Transfers

• Hosted primarily in UK / EU regions
• Data is encrypted where technically feasible (at rest and in transit)
• Backups and redundancy implemented per AWS standard practices
• Transfers outside the UK/EU comply with GDPR standard contractual clauses

1.7 Patient Access

• Patients may log in to view or edit their data if enabled by the practitioner
• Users (practitioners) are responsible for obtaining consent to store and process patient data
• 1.8 Your Rights
• Access, correction, deletion of personal data
• Object to processing
• Data portability requests
• Lodge complaints with the ICO (ico.org.uk)
• Requests can be sent to: privacy@wellspring.bizrar.com

1.9 Data Retention

• Practitioner account data: retained until account closure
• Patient data: retained as required by users and applicable law
• Upon termination: data deleted after 14-day export window, unless retention is required by law

1.10 Security

• Access restricted to authorised personnel
• Industry-standard measures implemented
• Regular system reviews performed

Note: Security measures are described in good faith; audit details may be adjusted as infrastructure matures.

1.11 Cookies

• Only essential cookies used at launch
• Optional analytics/tracking may be added later with explicit consent
• Users can manage cookie preferences in browser settings
• 1.12 International Users
• Governed by England & Wales law
• GDPR and local data protection laws apply for EU users

Lawyer Review Note:
High-risk health professions and patient logins should be reviewed by a UK data protection lawyer to confirm compliance.