Flutura keeps client data private, secure, and under your control.
This guide explains how privacy, consent, and data visibility work inside the platform so you can meet compliance standards.
Flutura was built to meet GDPR and HIPAA requirements from the start.
Every feature protects therapist–client data and keeps you compliant without adding admin.
Key points:
Client data is stored securely on UK-based servers.
Flutura never sells data or uses identifiable information for advertising.
You remain the data controller; Flutura acts as your data processor under GDPR and as a HIPAA Business Associate in the US.
Data Type | You (Therapist) | Client | Flutura Support (only if authorised) |
Session notes | | | |
Assigned worksheets | | | |
Outcome measures | | | |
Account details | | | |
Billing information | | | |
Note: Any Flutura support access is time-limited, logged, and approved by you. Once the issue is resolved, access ends.
You are responsible for ensuring your clients understand:
What data will be stored and shared within Flutura
How it supports therapy (e.g., progress tracking, shared worksheets)
That they can withdraw consent at any time
Consent can be captured verbally, in writing, or via your onboarding paperwork.
You can upload a signed consent note to each client’s secure profile for your records.
Suggested consent wording:
“I understand that my therapist uses Flutura, a secure digital platform, to share worksheets, track progress, and store therapy notes. My data will be stored in the UK under GDPR standards, encrypted, and shared only with my therapist. I can ask to view or delete my data at any time.”
When a client activates their account, Flutura automatically logs the date and consent.
Location: UK-based servers
Retention: Records remain until you delete or anonymise them. Backups are securely removed within 90 days.
Audit logging: All access is timestamped and periodically reviewed.
Breach response: Flutura will notify you within 72 hours (GDPR) / 60 days (HIPAA) if a notifiable breach occurs.
You can manage client data directly from your dashboard:
Export data → Download notes or reports for supervision or auditing.
Delete data → Remove a client record when therapy ends (permanent after 90 days).
Restrict processing → Mark a client inactive to retain history without ongoing processing.
Need a copy of Flutura’s Data Processing Addendum (DPA) or HIPAA BAA?
→ Email privacy@flutura.app to request a signed copy.
Support access occurs only when:
You raise a technical issue requiring diagnostic review
A client’s data fails to sync properly
A verified legal or security obligation requires inspection
All such access:
Requires written authorisation from you
Is time-bound and logged
Masks sensitive fields wherever possible
Topic | Policy |
GDPR / HIPAA overview | |
Privacy principles & rights | |
Cookie usage | |
Billing & refunds | |
Terms of Service | |
You own your clinical data.
Flutura’s role is to protect it, process it securely, and make compliance effortless — never to use it.