← Back to home

Our Privacy Policy

Our Privacy Policy outlines how your personal information is collected, used, and protected. Your privacy and security are priorities.

Last updated: 20 March 2026

Background

1.1 This notice (Privacy Notice) tells you how your personal data is looked after when you visit the website at www.couch-work.com (Website). Couchwork is a practice management platform for therapists. This notice applies when you purchase or use the service, when you are a prospective customer, or when you are another type of business contact such as a supplier or service provider.

1.2 This notice sets out what information is collected about you, what it is used for, and whom it is shared with. It also explains your rights under data protection laws and what to do if you have any concerns about your personal data.

1.3 This Privacy Notice may be updated from time to time to reflect changes to the way the service is provided or to comply with new business practices or legal requirements. You should check this Privacy Notice regularly to see whether any changes have occurred.

Who Couchwork Is and Other Important Information

2.1 Couchwork is a brand operated by Jelifish Ltd, registered in England and Wales.

2.2 For all visitors to the Website and for users who purchase the service, Jelifish Ltd is the controller of your information (which means it decides what information is collected and how it is used).

2.3 For client data entered by therapists (session notes, outcome measures, clinical records), the therapist is the data controller and Couchwork acts as a data processor, processing data on the therapist's instructions.

2.4 Registration with the Information Commissioner's Office (ICO) is pending.

Contact Details

3.1 If you have any questions about this Privacy Notice or the way that information is used, please get in touch using the following details:

Email address: hello@jelifish.co.uk

The Information Collected About You

4.1 Personal data means any information which does (or could be used to) identify a living person. The types of personal data collected are grouped below.

4.2 Therapist account data (Couchwork as controller):

  • Identity Data: first name, last name, professional title, qualifications.
  • Contact Data: email address, telephone number.
  • Profile Data: email address, hashed password, account preferences, login timestamps.
  • Financial Data: subscription tier, billing history, payment method details (processed by Stripe and GoCardless; Couchwork does not store card numbers).
  • Professional Development Data: supervision logs, CPD entries, supervisor details.

4.3 Client data entered by therapists (Couchwork as processor):

  • Identity Data: client name, date of birth.
  • Contact Data: client email, phone number, address.
  • GP and Insurance Data: GP name, practice details, insurance provider (BUPA, AXA, Aviva, Vitality, WPA, Cigna), policy numbers.
  • Special Category (Health) Data: session notes (SOAP, DAP, treatment plan, risk assessment), outcome measure scores (PHQ-9, GAD-7, CORE-10/34, PCL-5, AUDIT-C, ORS, SRS), diagnosis information, consent form and intake form responses. This is health data under UK GDPR Article 9.
  • Communication Data: secure messages between therapist and client.
  • Video Session Data: meeting metadata and optional session recordings.
  • Documents: uploaded files and attachments.

4.4 Technical data collected automatically: IP addresses (for security and rate limiting), session tokens (authentication cookies), and device information from video calls.

How Your Information Is Used

5.1 A legal justification (lawful basis) is required for collecting and using personal data. Below are the lawful bases relied upon.

5.2 Contract (Art. 6(1)(b)): to create and manage your account, process subscription payments, send service emails (appointment confirmations, payment receipts), and provide customer support.

5.3 Legitimate interests (Art. 6(1)(f)): to maintain security (login monitoring, rate limiting, fraud prevention).

5.4 Legal obligation (Art. 6(1)(c)): to retain tax and billing records as required by HMRC.

5.5 Client health data: the therapist, as data controller, determines the lawful basis. The primary Article 9 condition is 9(2)(h): processing for health or social care provision by a professional subject to a duty of confidentiality. Video recording requires explicit client consent.

5.6 Where personal data is needed to fulfil a contract, failure to provide it may mean the service cannot be provided.

Who Your Information Is Shared With

6.1 Personal data is shared (or may be shared) with:

  • Amazon Web Services (AWS): infrastructure provider. Data stored in eu-west-2 (London).
  • Stripe: card payment processing. PCI DSS Level 1 compliant.
  • GoCardless: direct debit collection. UK-headquartered.
  • Xero / QuickBooks: accounting integrations, if activated by the therapist.

6.2 Couchwork does not sell personal data to any third party and does not share data with advertisers or analytics companies.

6.3 If asked to provide personal data in response to a court order or legal request, legal advice would be sought before disclosing any information.

6.4 Personal data may be shared with any actual or potential buyer of the business.

Where Your Information Is Located or Transferred To

7.1 All personal data is stored on servers in the United Kingdom (AWS eu-west-2, London).

7.2 Information will only be transferred outside of the UK where a valid legal mechanism is in place (such as contracts approved by the ICO or the UK Secretary of State).

7.3 Stripe may transfer payment data outside the UK under Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA).

How Your Information Is Kept Safe

8.1 Security measures have been implemented to prevent personal data from being accidentally or illegally lost, used, or accessed by those who do not have permission. These measures include:

  • Encryption in transit (TLS) and at rest (AWS server-side encryption).
  • Passwords hashed, never stored in plaintext.
  • Access controls and user authentication.
  • Rate limiting on authentication endpoints.
  • Card numbers never stored; payments handled by Stripe (PCI DSS Level 1) and GoCardless.

8.2 If there is an incident which has affected your personal data, the regulator will be notified and you will be kept informed where required under data protection law. Where Couchwork acts as processor, the relevant therapist (controller) will be notified without undue delay.

8.3 If you notice any unusual activity on the platform, please contact hello@jelifish.co.uk.

How Long Your Information Is Kept

9.1 Personal data is only retained for as long as necessary to fulfil the purposes it was collected for.

9.2 To decide how long to keep personal data, the volume, nature, and sensitivity of the data is considered, along with the potential risk of harm, whether the purposes can be achieved through other means, and any applicable legal requirements.

9.3 Therapist account data, contact data, and billing records may be kept for up to seven years after the end of the contractual relationship.

9.4 Client clinical records are retained as configured by the therapist (controller). BACP recommends a minimum of six years for adults and until the client reaches age 25 for minors.

9.5 Authentication logs are kept for 90 days. Deleted account data is purged within 30 days of deletion, except where legal retention obligations apply.

Your Legal Rights

10.1 You have specific legal rights in relation to your personal data.

10.2 A request may not be actioned where identity has not been confirmed or if the request is considered unfounded or excessive. Usually there is no cost for exercising data protection rights, but a reasonable fee may be charged for unfounded or excessive requests.

10.3 Requests will be responded to without undue delay, within one month of receiving the request or confirming identity (whichever is later). This deadline may be extended by two months for complex or multiple requests.

10.4 For client data where Couchwork acts as processor, requests will be forwarded to the relevant therapist (controller). Clients should contact their therapist directly in the first instance.

10.5 To make any of the rights requests listed below, contact hello@jelifish.co.uk.

10.6 Your rights include:

  • Access: You must be told if your personal data is being used and you can ask for a copy, as well as information about how it is being used.
  • Correction: You can ask for personal data to be corrected if it is inaccurate or incomplete.
  • Deletion: You can ask for personal data to be deleted or removed if there is no good reason to continue holding it. If there is a good reason to keep it (for example, regulatory requirements), you will be informed.
  • Restriction: You can ask for the use of personal data to be restricted and temporarily limited.
  • Objection: You can object to the use of personal data where processing is based on legitimate interests.
  • Portability: You can ask for an electronic copy of your personal data in a structured, machine-readable format.
  • Complaints: If you are unhappy with the way personal data is collected and used, you can complain to the ICO, but please contact hello@jelifish.co.uk first. ICO: ico.org.uk, helpline 0303 123 1113.

Cookies

11.1 Couchwork uses only strictly necessary cookies: authentication session cookies and CSRF protection tokens. These are essential for the platform to function.

11.2 No analytics cookies, advertising cookies, tracking pixels, or third-party cookies are used.

Profiling

12.1 Personal data will not be used for profiling or other automated decision-making. Outcome measure scoring is a calculation tool; clinical interpretation is solely the therapist's responsibility.