Site Under Development — This website is a work in progress. Content, wording, pricing, availability, and features are subject to change without notice and do not reflect the final product or any professional offering.

Privacy Policy

Last updated: 2026

This policy complies with GDPR Article 13 (the information that must be provided when personal data are collected from you). If you are in the EU/EEA or the UK, the rights described below are legally enforceable.

Data Controller

Panayi Therapy
[Controller name, address, and contact details to be confirmed by client before launch.]

Data We Collect and Why

We collect only the personal data necessary to provide our services:

Data | Purpose | Legal basis (GDPR)
Email address | Account identity and communication | Contract performance
Full name, phone, gender (encrypted) | Session management and personalisation | Consent (explicit)
Appointment notes (encrypted) | Session continuity and record-keeping | Consent (explicit)
Messages (encrypted) | Communication between client and practitioner | Contract performance / Consent
Passkey credential (public key only) | Passwordless authentication | Contract performance / Legitimate interest

How We Protect Your Data

The fields marked "encrypted" in the table above (name, phone, gender, appointment notes, message content) are encrypted at the application layer, before they are written to the database, using the ASP.NET Core Data Protection API. In its default configuration this is AES-256-CBC with an HMAC-SHA256 integrity check, so a stored value that has been altered is rejected on decryption rather than decrypted to garbage. Encryption keys are stored outside the database and outside version control, so a copy of the database on its own does not contain what is needed to read these fields.
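To make the mechanism described above concrete, the following is an added example written for this page; it is not Panayi Therapy's own code. It assumes the Microsoft.AspNetCore.DataProtection.Extensions package, a key directory path and purpose string chosen here for illustration, and a constructed sample phone number.

```csharp
// Added illustration, not Panayi Therapy's own code: field-level encryption of a
// PII value with the ASP.NET Core Data Protection API, with the key ring persisted
// to a directory that is outside the database and outside source control.
// Assumed package: Microsoft.AspNetCore.DataProtection.Extensions
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public sealed class PiiProtector
{
    private readonly IDataProtector _protector;

    // keyDirectory is an assumption for this example (e.g. /var/lib/panayi/keys):
    // a directory readable only by the application account, never committed to git.
    public PiiProtector(DirectoryInfo keyDirectory)
    {
        IDataProtectionProvider provider = DataProtectionProvider.Create(keyDirectory);
        // The purpose string (chosen here for illustration) is mixed into key derivation:
        // a protector created with a different purpose cannot unprotect these values.
        _protector = provider.CreateProtector("PanayiTherapy.ClientProfile.v1");
    }

    // Protect() uses the default algorithms, AES-256-CBC with HMAC-SHA256, so the
    // stored token carries an integrity tag that Unprotect() verifies before decrypting.
    public string Protect(string plaintext) => _protector.Protect(plaintext);
    public string Unprotect(string ciphertext) => _protector.Unprotect(ciphertext);
}

public static class Program
{
    public static void Main()
    {
        var keys = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "pii-keys-demo"));
        var pii = new PiiProtector(keys);

        // Constructed sample value (a reserved non-allocated UK number, not a real client).
        string phone = "+44 7700 900123";
        string stored = pii.Protect(phone);      // opaque token, safe to store in the DB
        Console.WriteLine(stored);
        Console.WriteLine(pii.Unprotect(stored) == phone
            ? "round-trip ok"
            : "round-trip FAILED");

        // Tampering with the stored token fails integrity validation instead of
        // decrypting to garbage; the API signals this with a CryptographicException.
        try
        {
            pii.Unprotect(stored.Substring(1));
            Console.WriteLine("tampered token accepted (unexpected)");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("tampered token rejected");
        }
    }
}
```

Two properties of this design matter for the policy text: the output of Protect() is randomised, so an encrypted column cannot be indexed or searched by value (which is why an account identifier such as the email address is normally kept in the clear), and the key ring is the only way to read the protected fields, so it must be backed up separately from the database. Keys rotate by default, but retired keys stay in the ring so older records still decrypt; deleting the key directory makes every protected field unrecoverable.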

Authentication uses passkeys (WebAuthn/FIDO2). Only the public key credential (the public key and its credential identifier) is stored on our side; the matching private key stays in your device's authenticator and is never transmitted, and any biometric or PIN check used to unlock it happens on your device, so biometric data never leaves it.

Data Retention

We retain personal data only for as long as necessary:

  • Account and appointment data: retained for [period TBC — confirm with client] after last session
  • Messages: retained for [period TBC] or until deleted by the user
  • Consent logs: retained for the duration of the relationship plus [period TBC]
  • On erasure request, PII is anonymised; non-PII records may be retained for audit purposes

Your Rights

Under GDPR and applicable data protection law, you have the following rights:

Right | What it means | How to exercise
Access (Art. 15) | Receive a copy of your personal data | Portal → Account → Export Data
Rectification (Art. 16) | Correct inaccurate data | Portal → Account → Edit Profile
Erasure (Art. 17) | Request deletion of your data | Portal → Account → Delete Account
Portability (Art. 20) | Receive your data in a machine-readable format | Portal → Account → Export Data (JSON)
Restriction (Art. 18) | Restrict processing in certain circumstances | Contact us via portal messaging
Object (Art. 21) | Object to processing based on legitimate interest | Contact us via portal messaging

Withdrawing Consent

Where processing is based on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew consent.

Lodging a Complaint

If you believe your rights under GDPR have not been respected, you have the right to lodge a complaint with a supervisory authority. In the EU, this is the data protection authority in your country of residence. In the UK, this is the ICO.

Contact

For any privacy-related enquiries or to exercise your rights, please contact us through the client portal messaging system.