Privacy Policy
Last updated: 9 March 2026
Effective date: 9 March 2026
1. Who We Are
This Privacy Policy explains how SLPractice Ltd (company number 17070357, registered at 12 Hillside Road, St Albans, AL1 3QL, UK) collects, uses, stores, and shares your personal data when you use our platform at www.slpractice.com (the "Service"). Contact us at support@slpractice.com with any questions.
When you input Profile Data (information about children or students), you are the data controller and we act as your data processor under our DPA.
Plain-English Summary
Before the full policy, here are the key points:
- We collect minimal data. Your email, display name, and how you use the Service. We do not collect data directly from children.
- We use your data to run the Service — to log you in, process payments, and improve the product. We don't sell your data or use advertising trackers.
- Profile Data you input is your responsibility. Any information you enter about children or students is processed on your behalf as your data processor. We do not use it for marketing or advertising.
- AI processing involves third parties. When you create a resource, your inputs are sent to AI providers (such as OpenAI and Fal) to generate content.
- Your data is stored in the EU. Some processing happens in the US, with appropriate safeguards in place.
- Your data stays yours. You can view, update, export, or request deletion of your data by emailing support@slpractice.com.
2. What Data We Collect
2.1 Account data (data you provide)
When you create an account, we collect your email address, display name, and optional preferences (such as language and user type). We authenticate you via a one-time passcode sent to your email — we do not store passwords. We use this data to identify you within the Service, authenticate your login, and tailor your experience.
2.2 Profile Data (data you input about children or students)
When you create Profiles, we store the information you provide — such as nicknames, age, interests, language, and voice preference — to generate personalised resources. We recommend using first names or initials rather than full names, and avoiding unnecessary sensitive information in free-text fields where a general description would suffice.
You control what Profile Data you input. The specific fields available may change as we develop the Service.
2.3 Billing and payment data
We use Stripe to process payments. We store:
- Your Stripe customer ID (a reference number, not your card details).
- Subscription tier, status, and billing interval.
- Credit usage per billing period.
We do not store your payment card number, bank account details, or billing history. This information is held exclusively by Stripe. See Stripe's Privacy Policy.
2.4 Usage and analytics data
We automatically collect certain data when you use the Service:
| Data | Source | Purpose |
|---|---|---|
| IP address | Login sessions, page requests | Security, fraud prevention |
| Browser and device information | Login sessions | Security, compatibility |
| Feature usage and interactions | Amplitude (analytics) | Product improvement |
| Page views and session data | Amplitude | Understanding user behaviour |
| Error logs | Sentry (error monitoring) | Debugging and reliability |
2.5 CRM and communications data
We use Crisp for live chat support and may store basic professional information (such as your email, name, and communication preferences) to support onboarding, communications, and understanding our user base.
3. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Data used |
|---|---|
| Provide the Service | Account data, Profile Data, resource configurations — to generate and deliver therapy resources |
| Process payments | Stripe customer ID, subscription data — to manage billing |
| Communicate with you | Email address — for account notifications, onboarding, and support |
| Improve the Service | Usage analytics — to understand how features are used and prioritise improvements |
| Ensure security | IP addresses, session data — to detect and prevent unauthorised access |
| Customer relationship management | CRM data — to support your onboarding and understand our user base |
| Marketing (with consent) | Email address — to send product updates, tips, and educational content |
We do not use Profile Data for marketing, advertising, or profiling.
4. Legal Basis for Processing
Under UK GDPR, we process your data on the following legal bases:
| Legal basis | Applies to |
|---|---|
| Contract performance (Article 6(1)(b)) | Account data, billing data — necessary to provide the Service you signed up for |
| Legitimate interests (Article 6(1)(f)) | Analytics and product improvement, security and fraud prevention, CRM data for user base understanding (see balancing assessment below) |
| Consent (Article 6(1)(a)) | Marketing emails — you can opt out at any time via the unsubscribe link or by emailing support@slpractice.com |
| Processor role (Article 28) | Profile Data — we process this solely on your behalf as your data processor (see Section 5) |
Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms. A detailed balancing assessment is available on request. You have the right to object to any processing based on legitimate interests by contacting support@slpractice.com.
5. Child and Patient Data
5.1 Our role
When you input Profile Data, you are the data controller and SLPractice is your data processor. We process it only to provide the Service and do not use Profile Data for marketing or advertising. See our DPA for contractual details.
5.2 Your responsibilities
As the data controller for Profile Data, you are responsible for having a lawful basis, obtaining necessary consents, and responding to data subject requests from parents.
5.3 Children's Code
Children may interact with therapy resources under adult supervision. We comply with the UK Age Appropriate Design Code: we do not profile children or share their data with third parties, and default to the highest privacy settings. The therapist or educator controls all data collection.
6. AI Processing and Sub-Processors
When you create a Resource, your inputs (including Profile Data and resource configuration) are sent to third-party AI services to generate content. We use API-tier access to all AI providers; data is used solely to generate the requested content.
Beyond AI providers, we use additional third-party services to operate the platform. The following table lists our sub-processors:
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account data, Profile Data, Resources | EU |
| Stripe | Payment processing | Billing data, Stripe customer ID | US |
| OpenAI | AI text generation | Resource inputs, Profile Data | US |
| Fal | AI image and audio generation | Resource inputs, Profile Data | US |
| Amplitude | Product analytics | Usage data, anonymised interactions | EU |
| Sentry | Error monitoring | Error logs, IP address, user ID | EU (DE) |
| Crisp | Live chat and customer support | Email, display name, user ID | EU |
| Resend | Transactional email (login codes) | Email address | US |
| Vercel | Application hosting | All request data (in transit) | US/EU |
| QStash (Upstash) | Background job processing | Resource generation job data | US |
7. International Data Transfers
Your primary data is stored in the EU (Supabase). Some sub-processors are located in the US. For US transfers, we rely on the UK-US Data Bridge (where certified) or UK International Data Transfer Agreements / Standard Contractual Clauses. See the sub-processor table in Section 6 for details.
8. Data Retention
We retain your data while your account is active. Billing records are kept as required by law. You may request deletion at any time by contacting support@slpractice.com.
9. Your Rights
Under UK GDPR, you have rights to access, correct, delete, export, restrict, and object to processing of your personal data. You can manage most of your data through the Service. To request data export or account deletion, email support@slpractice.com. We will respond within the timeframes required by applicable law.
If you are a parent wanting to exercise rights over your child's data, please contact the therapist or educator who created the Profile, as they are the data controller.
10. Security
We implement appropriate technical and organisational measures to protect personal data. Primary data storage is in the EU. Payments are processed by Stripe (PCI DSS Level 1). We use Sentry for error monitoring, which may process IP addresses and user identifiers for debugging purposes. Report vulnerabilities to support@slpractice.com.
If a personal data breach affects your data, we will notify you and relevant authorities as required by law. We may also be required to disclose data in response to valid legal requests; where permitted, we will notify you.
11. Data We Receive from Third Parties
We may receive professional data (name, email, workplace) from enrichment services or referrals, solely about adult professionals, for outbound marketing purposes (legitimate interests basis). We will inform you within 30 days of obtaining your data or at first communication. You can opt out of marketing or request deletion at any time by contacting support@slpractice.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you by email before the changes take effect.
- We will update the "Last updated" date at the top of this page.
- Material changes will be highlighted clearly.
We encourage you to review this policy periodically.
13. Contact Us and Complaints
Contact
If you have any questions about this Privacy Policy or how we handle your data:
- Email: support@slpractice.com
- Address: SLPractice Ltd, 12 Hillside Road, St Albans, AL1 3QL, United Kingdom
Complaints
If you are not satisfied with how we have handled your data, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us first at support@slpractice.com.