All Flutura infrastructure is hosted in the UK, in AWS London (eu-west-2). That includes:
Your account and client records
Session recordings (stored encrypted in S3)
The Neon PostgreSQL database
The API, marketing site, web app, and background workers
Two third-party AI providers process data outside the UK during processing:
A SOC 2 certified transcription provider that operates under a strict no-training policy
An analysis provider that operates under a data-processing agreement with Flutura
Both transfers are governed by UK GDPR international data transfer rules (IDTAs or SCCs). Data is encrypted at rest and in transit throughout. We do not use your client data to train any AI model, ours or anyone else's.
Session recordings are accessible only to the therapist who created them. Recordings are stored encrypted in UK servers, with access strictly limited to the therapist's authenticated account. Flutura staff do not access session audio.
The Alma and Note Assist failures of December 2024 (fabricated child abuse history, fabricated substance misuse, fabricated suicidal ideation) would not pass Flutura's prompt-level rules. Six structural constraints are built into how every note is generated.
Fixed CBT structure. Every note populates seven sections: Agenda, Week Review, Homework Review, Activities, Risk Issues, Homework Given, Next Steps. The model cannot invent new categories.
Mandatory null on missing data. If information for a section cannot be found in the transcript, that section stays empty. The model is structurally forbidden from inventing content to fill a gap.
Defined clinical risk taxonomy. Risk flags are extracted against a fixed list: suicidal ideation, self-harm threats, non-compliance, avoidance, rumination, hopelessness, alliance ruptures. The model does not improvise new risk categories.
Two-stage extraction then synthesis. Each transcript segment is summarised against its own grounded chunk. A second stage then merges those grounded summaries into the final report. Hallucination cannot compound across stages.
Explicit source-grounding instruction. The system prompt directs the model to stay objective and based on the transcript.
Therapist sign-off and source retention. You review and sign every note before it is saved. The source recording is retained so you can verify any note against what was actually said in the session.
Clients can request access, correction, or erasure of their data at any time. Flutura handles UK GDPR data-subject requests as standard, including the right to erasure under UK GDPR Article 17.
You can export client notes and recordings on request. We can issue a Data Processing Agreement (DPA) on request.
Three layers sit between your AI-generated note and the client record:
The transcript (source-grounding evidence)
The note draft (schema-constrained, null-on-missing)
Your sign-off (the moment the note enters the client record)
If a future review (clinical, supervisory, or regulatory) needs to verify what was said, the source recording is retained for that purpose, restricted to your authenticated account.
BABCP-accredited co-founders (Alison Triste, Professor Patrick McGhee)
GDPR compliant
ICO registered
UK-hosted infrastructure (AWS London)
Class I wellness software, not a medical device
Q: Is my session audio used to train AI?
A: No. The transcription provider operates under a strict no-training policy and SOC 2 compliance. The analysis provider does not train on your data either. We do not use your client data to train any AI model, ours or anyone else's.
Q: Can my clients request a copy of their data?
A: Yes. Clients can request access, correction, or erasure of their data. You can export client notes on their behalf, or direct them to contact us directly.
Q: What if I close my practice?
A: Export your data before closing your account. Once deleted, records cannot be recovered. We can support a structured handover process if required.
Q: Do you have a DPA we can sign?
A: Yes. Contact support and we will issue one.
Q: What does "Class I wellness software" mean for me?
A: Flutura is not a medical device and does not diagnose or treat. It is a tool for therapists who already hold clinical responsibility for their work. Clinical judgement, sign-off, and outcome remain yours.
Last updated 4 June 2026.
Flutura is Class I wellness software, not a medical device. Data stored in UK servers under UK GDPR. See Privacy Notice.
