Privacy policy

TherapyRoute is not intended for children under 13, and children under 13 must not use the platform. We do not intentionally collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take reasonable steps to delete it.

Users aged 13–17 may browse the platform. They must contact therapists only with the involvement or supervision of a parent or legal guardian, where this is required or appropriate under local law.

Therapist listings and accounts may be created or managed only by individuals aged 18 or older who have legal capacity to enter into binding agreements in their jurisdiction.

A. When you contact a therapist

If you use a contact form or enquiry feature to contact a therapist, we collect the information you submit through the form. This typically includes:

• name (if you provide it);
• email address;
• phone number (if you provide it); and
• the message you write.

We also collect limited technical information associated with the submission (for example, timestamp, IP address, and anti-spam/security signals) to route the message, prevent abuse, and troubleshoot delivery issues.

By submitting the form, you instruct us to forward your message to the therapist you selected. Please do not include any information you would not want sent by ordinary email, or any information you are not comfortable sharing with the therapist you selected.

Your message is forwarded to the therapist you select. After delivery, the therapist becomes an independent recipient of that message and is responsible for how they store and use it in their own practice, in accordance with their legal and professional obligations.

B. When you create or manage a therapist listing

If you create or manage a therapist listing, you may provide information for publication on your listing and for account administration. This may include:

• your name and professional title(s);
• registration or licence information (where applicable);
• qualifications, training, and areas of practice;
• practice location(s) and telehealth regions;
• contact details (email, phone number, website);
• profile text, biography, and service descriptions;
• pricing information (if you choose to display it);
• availability indicators; and
• images or other media you choose to upload.

You should not include confidential client information or clinical notes in your listing content.

C. When you subscribe, upgrade, or pay for services

Payments are processed by our payment partner (PayProGlobal). We do not receive or store full payment card details. We may receive limited information from PayProGlobal necessary to administer subscriptions and accounting, such as confirmation of payment, subscription tier, billing status, country, currency, and transaction identifiers.

D. When you contact us

If you contact TherapyRoute (for example, by email or via a support form), we collect the information you provide, such as your name, email address, message content, and any files you choose to attach.

When you browse or use TherapyRoute, we automatically collect certain technical and usage information to operate the platform, maintain security, prevent abuse, and understand how the site is used. This information is generally collected through our hosting, security, analytics, and advertising tools, and may include the following:

A. Technical and usage information

This may include:

• IP address;
• device type;
• operating system;
• browser type and settings;
• pages viewed and approximate time spent;
• referring page or URL (where available);
• interaction events (for example, clicks and page navigation); and
• approximate region or country (often inferred from IP address and not precise).

B. Server, security, and infrastructure logs

Our infrastructure providers and security services generate logs to help us: detect attacks, prevent fraud and spam, diagnose errors, and maintain platform performance. These logs may include request metadata (such as IP address, timestamps, response codes, and error traces) and security-related signals.

C. Cookies and Similar Technologies

We use cookies and similar technologies for:

• security and abuse prevention;
• session management and core functionality;
• analytics to understand how the platform is used; and
• advertising measurement and campaign effectiveness (where enabled).

You can control cookies through your browser settings. Where we provide cookie controls on the site, you can also use those controls to accept, reject, or adjust optional categories (such as analytics or advertising). Depending on your region, certain cookie-based activities may be treated as “sharing” for targeted advertising purposes; where applicable, you can opt out through cookie controls and/or by contacting us with a “Do Not Sell or Share My Personal Information” request.

We may receive limited information about you from third parties involved in operating the platform. This information depends on how you interact with TherapyRoute and which features you use.

A. Advertising and measurement providers

If you arrive at TherapyRoute via advertising or if advertising measurement is enabled, we may receive aggregated reporting and conversion information from advertising platforms (such as whether an ad led to a visit or signup). This information is generally provided in aggregated or pseudonymous form and is used to measure campaign performance.

B. Anti-spam and security services

We use anti-spam and security providers to reduce abusive traffic and fraudulent submissions. These providers may provide risk signals (for example, IP reputation and bot-likelihood indicators) associated with form submissions or traffic patterns.

C. Email delivery services

When we send operational emails (such as verification, notifications, and enquiry forwarding), our email delivery provider processes sender/recipient details, message content for delivery, and delivery metadata (for example, bounce status). We may receive delivery status information to help ensure messages are sent and to troubleshoot problems.

D. Payment processing

When you subscribe or pay for services, our payment partner (PayProGlobal) processes the payment and provides us with limited information needed to administer subscriptions and accounting (for example, confirmation of payment, billing status, subscription tier, and transaction identifiers). We do not receive or store full payment card details.

E. AI Providers

We may use AI tools (for example, OpenAI and Google Gemini) to assist with:

• formatting and readability of therapist-submitted listing text;
• generating summaries or previews of listing content;
• categorisation to support search and navigation; and
• internal moderation support focused on public listing content.

We implement controls designed to prevent the following from being sent to AI systems:

• private enquiries submitted through contact forms;
• sensitive mental health disclosures from users;
• identity documents; or
• clinical notes or records.

Where AI is used, we minimise the data shared and focus on public or therapist-submitted listing content that is intended for publication. AI is used as an assistive tool with human oversight, not as an automated decision-maker affecting user rights or access.

We use personal information to operate TherapyRoute and deliver core features, including to:

1. display therapist listings and directory pages;
2. route and forward enquiries to the therapist you select;
3. administer therapist accounts and authentication;
4. provide listing management features (such as availability indicators and search filters);
5. administer subscriptions and paid features (including billing status and renewals through our payment partner); and
6. maintain platform functionality and performance through our hosting, database, security, and delivery infrastructure.

We use personal information submitted through TherapyRoute to enable people to find and contact therapists, including to:

• route enquiries to the therapist you choose;
• reduce spam, fraud, and abusive submissions;
• maintain the integrity and accuracy of the directory; and
• improve navigation and search so users can locate relevant listings.

We do not provide therapy or clinical services, and we do not assess or interpret the content of enquiry messages for clinical meaning. We process enquiry content only to transmit it to the selected therapist and to support limited operational functions such as delivery troubleshooting and abuse prevention. We do not use enquiry message content for marketing, profiling, or advertising purposes.

We use therapist-provided information to create, publish, and administer therapist listings and related account features, including to:

• create and display listings and profile pages;
• administer therapist accounts, subscriptions, and access to paid features;
• categorise services and locations to support search and navigation;
• format and edit listing content for clarity, consistency, and safety;
• contact therapists about account, billing, compliance, or operational matters; and
• request information or documentation where needed to address verification, safety, or compliance concerns.

Where TherapyRoute provides editorial support or optional AI-assisted tools for listing content, the therapist remains responsible for ensuring that published information is accurate, lawful, and compliant with applicable professional and advertising rules.

We use technical and usage information to keep TherapyRoute secure, reliable, and functional. This includes using information generated by our hosting, security, and anti-spam providers to:

• detect and prevent spam, bots, fraud, and malicious activity;
• investigate and respond to security incidents;
• maintain service stability and performance;
• diagnose errors and improve reliability; and
• enforce platform rules and prevent misuse.

Where analytics and advertising measurement tools are enabled, we also use aggregated usage and event information to:

• understand how the platform is used;
• improve navigation, content structure, and usability; and
• measure the effectiveness of outreach and advertising.

We do not use enquiry message content for analytics or advertising measurement.

If you contact us, we use the information you provide to respond and to resolve issues, including to:

• answer enquiries and provide assistance;
• troubleshoot technical problems;
• guide therapists through listing or account updates; and
• administer subscriptions and billing support.

Where necessary to protect accounts and prevent fraud, we may take reasonable steps to verify identity or account ownership before acting on certain requests. Support communications are handled by TherapyRoute staff and are not used for advertising profiling.

We may send emails that are necessary to provide and administer TherapyRoute services, including emails about:

• account creation, verification, and password resets;
• enquiry forwarding and delivery notifications (where applicable);
• subscription renewals, payment issues, and billing notices;
• changes to platform features that materially affect service delivery; and
• legal or policy updates where notice is required or appropriate.

These communications are sent to support service operation and account administration. They are distinct from optional marketing communications described below.

Where permitted by law, and where required based on your location and relationship with TherapyRoute, we may send optional communications such as newsletters, feature updates, events, or offers that may be relevant to therapists or subscribers. Where consent is required, we will ask for it, and you can withdraw consent at any time.

You can opt out of optional marketing emails at any time by using the unsubscribe link (where provided) or by contacting us at contact@therapyroute.com.

Separately, we may run advertising and measure advertising effectiveness using tools such as Google and Meta. Where required by law, advertising cookies or similar technologies will be enabled only with your consent and can be controlled through our cookie settings and/or your browser controls.

We do not sell personal information to third parties.

Subscriptions and payments are processed by our payment partner (PayProGlobal). We use limited information provided by PayProGlobal (such as payment confirmation, billing status, subscription tier, currency, and transaction identifiers) to:

• create and maintain subscription records;
• enable paid features;
• manage renewals, cancellations, discounts, and billing notices; and
• meet accounting and legal record-keeping obligations.

We do not receive or store full payment card details. Any payment-related risk checks are performed by the payment provider as part of payment processing.

We process certain information to help keep the platform safe, trustworthy, and resistant to fraud and misuse. This may include reviewing listings and related account information to:

• detect misleading or unsafe claims;
• investigate suspected impersonation or fraudulent listings;
• enforce our Terms and platform standards;
• respond to complaints or reports; and
• reduce spam and abusive behaviour.

Moderation may involve both automated assistance (for example, pattern detection and formatting support) and human review. We use AI tools to support our team, but significant moderation decisions (such as suspension or removal of a listing) are made with human oversight.

We may process and, where lawful, disclose information when necessary to:

• comply with applicable laws and legal processes;
• respond to lawful requests from authorities or regulators;
• enforce our Terms and protect our rights and the rights of others;
• investigate suspected fraud, abuse, or security incidents; and
• respond to credible threats to safety where disclosure is reasonably necessary and permitted by law.

When we disclose information for these purposes, we aim to disclose only what is relevant and necessary for the specific situation.

We rely on consent primarily where you have a genuine choice, including:

1. subscribing to optional marketing emails;
2. accepting optional cookies (such as analytics or advertising cookies), where required;
3. submitting optional information through support channels;
4. uploading optional media files or images; and
5. requesting optional AI-assisted refinement of therapist-submitted listing text (where offered as an option).

Where you withdraw consent, we will stop processing that information for the consent-based purpose. Withdrawal does not affect processing that is lawful on another basis (for example, where processing is necessary to provide a service you requested or to meet legal obligations).

We rely on contractual necessity (or steps taken at your request before entering into a contract) when processing is required to provide the services you request from TherapyRoute. This includes processing needed to:

• create and administer therapist accounts and listings;
• publish listing information and provide listing management features;
• forward enquiries to the therapist you choose;
• provide authentication, account access, and service communications; and
• administer subscriptions, paid features, renewals, cancellations, and billing status through our payment provider.

If you do not provide the information needed for these purposes, we may not be able to provide the relevant service or feature.

We rely on legal obligations where processing is necessary to comply with laws that apply to TherapyRoute, including obligations relating to:

• company administration and record keeping;
• tax and financial reporting;
• consumer protection and e-commerce requirements (where applicable);
• responding to legally valid requests from courts, regulators, or authorities; and
• meeting data-protection compliance duties (for example, documenting certain requests and responses where required).

Where we rely on this basis, we process only what is reasonably necessary to meet the specific legal obligation.

We rely on legitimate interests where processing is reasonably necessary for the operation, security, and improvement of TherapyRoute, and where those interests are not overridden by your rights and freedoms. Examples include:

• protecting the platform and users from spam, fraud, and malicious activity (including abuse detection and security monitoring);
• ensuring the integrity and reliability of the directory (including detecting misleading listings and suspected impersonation);
• maintaining and improving platform performance, stability, and usability (including diagnostics and error analysis);
• understanding how the platform is used so we can improve navigation and content structure using aggregated usage signals; and
• limited AI-assisted support for formatting, categorisation, and quality checks of therapist-submitted listing content (restricted to non-sensitive content as described in this policy).

Where we rely on legitimate interests, we apply an internal balancing assessment. Depending on your location, you may have the right to object to processing based on legitimate interests.

We rely on vital interests only in exceptional situations where processing or disclosure is necessary to protect someone’s life or physical safety and is permitted by law.

We rely on public interest (where applicable) only where processing is necessary for a task carried out in the public interest or in the exercise of official authority, such as cooperating with regulators or authorities where a valid legal framework requires it.

If you choose to contact a therapist through TherapyRoute, we transmit the information you submit to the therapist you selected. This typically includes:

• your name (if provided);
• your email address;
• your phone number (if provided);
• your message content; and
• limited metadata needed for delivery (such as timestamp and technical routing signals).

We transmit this information so your message can be delivered. We do not use message content for marketing or advertising purposes, and we do not review messages for clinical meaning.

Once delivered, the therapist’s handling of the message (including storage, retention, and any further use) is governed by that therapist’s own professional duties, policies, and applicable laws. TherapyRoute does not control how a therapist stores or uses the copy they receive.

We use third-party service providers (“processors”) to host and operate TherapyRoute, deliver emails, prevent abuse, process payments, and support internal operations. These providers process personal information only to provide services to us and under contractual safeguards appropriate to their role.

A. Hosting, CDN, and Infrastructure

We use hosting, database, and security/CDN providers to deliver the platform and protect it from attacks and abuse. These providers may process IP addresses, request metadata, logs, and platform content needed to render pages and serve media.

We configure services to avoid processing private enquiry messages through infrastructure providers except where necessary for delivery and security (for example, email routing).

We contractually require our processors to use personal information only to provide services to us, and not for their own independent marketing purposes.

B. Email Delivery and Message Routing

We use an email delivery provider to forward contact-form enquiries and send platform emails (such as account verification and operational notices). This provider processes:

• sender and recipient email addresses;
• message content (solely to transmit the message); and
• delivery metadata (such as timestamps, routing, bounces, and spam signals).

C. Anti-Spam and Security Tools

We use anti-spam and abuse-prevention tools to protect forms and prevent automated abuse. These tools may process:

• IP address and browser/device signals;
• form interaction metadata; and
• spam/abuse risk indicators.

They are used to block spam and misuse and are not used to profile users for advertising.

D. Analytics and Advertising Measurement

We use analytics and advertising to understand aggregated usage patterns and measure campaign effectiveness. These tools may process:

• cookie identifiers (where enabled);
• device and browser information;
• approximate region (non-precise);
• pages visited and interaction events; and
• referrer URLs and conversion events (for example, “signup completed”).

We do not send therapist-client message content to analytics or advertising tools. Where required by law, these technologies are enabled only with your consent and can be controlled through cookie settings.

E. AI Tools (Limited Use)

We may use AI service providers to assist with non-sensitive processing such as formatting, summaries, categorisation, and quality checks of therapist-submitted listing text intended for publication. We implement controls designed to prevent private enquiries submitted through contact forms, sensitive mental health disclosures from users, identity documents, and clinical notes or records from being sent to AI systems. Details of AI safeguards and limits are described in this policy.

F. Payment Processing

Payments are processed by PayProGlobal. PayProGlobal processes payment details directly and provides us with limited subscription and billing status information needed to administer your subscription. We do not receive or store full payment card information.

G. Productivity and Internal Tools

We may use business productivity tools (for example, email and document services) for internal administration, support workflows, and document management. We do not use these tools to store clinical records. Where support work requires reviewing platform-related communications, we apply strict access controls and confidentiality.

Provider list changes
Our providers may change over time as the platform evolves. Where changes are material, we will update this Privacy Policy and, where required, provide notice.

We may share data when necessary to:

• comply with the law;
• respond to lawful requests from authorities;
• enforce our Terms and protect our rights;
• investigate fraud or abuse;
• prevent harm or respond to credible threats; or
• cooperate with regulators or professional bodies investigating serious misconduct.

We disclose only what is relevant and legally necessary for the specific situation.

If TherapyRoute undergoes a merger, acquisition, restructuring, or asset transfer, personal data may be transferred to the succeeding entity, subject to this Privacy Policy continuing to protect your rights. You will be notified where legally required.

If a therapist links their TherapyRoute listing to personal websites, social media accounts, or practice management systems, those third parties may independently collect data. TherapyRoute does not control third-party tools operated by therapists or other external services.

Data may be transferred to other countries for hosting and infrastructure, content delivery across CDNs, email delivery, image hosting, payment processing, AI-assisted listing-content tools (where enabled), and internal organisational tools.

These transfers are used to keep the platform online, deliver content efficiently, maintain security, comply with legal and financial obligations, and provide support to users worldwide.

We rely on a combination of safeguards, which may include:

A. Standard Contractual Clauses (SCCs)

Where required (for example, for transfers from the EEA/UK), we rely on recognised transfer mechanisms (such as SCCs) and apply supplementary measures where appropriate, which may include encryption, contractual controls, and vendor assessments of transfer risks.

B. Data Processing Agreements (DPAs)

We put contractual obligations in place with key processors to address confidentiality, security, and compliance responsibilities.

C. Adequacy Decisions

Where a destination country is recognised by the EU/UK as providing adequate protection, transfers may rely on that status.

D. POPIA Section 72 Compliance

For South African users, transfers outside South Africa occur only where:

• the recipient is subject to adequate data protections; or
• binding agreements provide POPIA-level protection; or
• the transfer is required for performance of a service; or
• the user consents to the transfer (for example, by contacting a therapist in another country).

E. Encryption & Security Measures

We use encryption in transit (TLS/HTTPS) and, where supported by our providers and configurations, encryption at rest for stored data and backups. We also rely on contractual safeguards and vendor security controls appropriate to the services being provided.

Depending on service provider configuration, data may be processed in South Africa, the European Union, the United Kingdom, the United States, Canada, Singapore, and other regions used by global cloud/CDN networks. We do not control the exact routing of global CDNs, but they operate under contractual and technical safeguards.

OpenAI and Google Gemini may process limited, non-sensitive text (for example, therapist profile descriptions and optional edits submitted by therapists). We implement controls designed to prevent personal client messages, private therapeutic enquiries, sensitive mental health disclosures, contact form content, and identity documents from being sent to AI systems.

If you message a therapist in another country, your data will be transmitted to that country because you chose to send the message to that therapist. TherapyRoute does not control how that therapist handles personal information after delivery, including their security measures, retention practices, or onward disclosures. After delivery, the therapist is responsible for handling the message in accordance with their professional duties and applicable laws.

Depending on your jurisdiction, you may request information about transfer safeguards, request a copy of applicable SCCs (with redactions where necessary), object to certain types of transfer, or withdraw consent where consent was the basis for the transfer. We will comply unless doing so prevents us from delivering the service you requested (for example, hosting the site or forwarding your message).

CDN providers may store small, temporary copies of content at global edge locations to improve performance. Cached data is typically stored briefly, protected by contractual and technical safeguards, and routed based on network conditions rather than country preference.

When you submit a message to a therapist through TherapyRoute, we process that message solely to route and deliver it to the therapist you selected. TherapyRoute does not operate a secure therapeutic messaging system and does not maintain therapist–client communications as clinical records.

Retention (typical):

• Message content is processed as necessary to deliver the message and support limited retries and abuse prevention. We configure systems to minimise storage duration and access to message content.
• Technical delivery and security logs (such as routing metadata, timestamps, and abuse signals) may be retained for a limited period, typically up to 30–90 days, to troubleshoot delivery issues and prevent misuse.
• TherapyRoute does not retain enquiry message content as a long-term archive. Message content may persist for limited periods in delivery systems, retry queues, abuse-prevention workflows, and encrypted backups as part of ordinary technical operations.

Once delivered, the therapist becomes an independent recipient of the message and is responsible for retaining, storing, and handling it in accordance with their own legal, professional, and ethical obligations.

We retain therapist listing and account information for as long as a listing remains active so that the directory can function and the therapist can manage their profile.

If a listing is deleted or deactivated, we may retain limited account- and listing-related information for up to 24 months where reasonably necessary for purposes such as:

• preventing fraud, impersonation, or repeated abuse;
• responding to complaints, reports, or disputes;
• maintaining audit trails for moderation and enforcement decisions; and
• establishing, exercising, or defending legal claims.

Where post-deletion retention applies, we aim to limit retained data to what is necessary for the relevant purpose (for example, identifiers, account history, moderation records, or administrative metadata), and not to retain full public-facing profile content unless required for a specific lawful reason.

Backups created for disaster recovery and business continuity may contain fragments of listing or account data for a limited period. Backup retention is provider-dependent and typically ranges from 90 to 180 days, after which backups are overwritten or deleted in the normal course.

9.2.1 Public Listings and Third-Party Copies We Cannot Control

If information is published publicly on the internet (for example, on a therapist listing), copies may be created and retained by third parties that are outside our control. This may include:

• search engines that index or cache pages;
• public web archives;
• content delivery networks (CDNs) that temporarily cache content to improve performance; and
• automated scrapers or crawlers that collect publicly available information.

If you request removal or deletion of content from TherapyRoute, we will remove or update it on our platform subject to lawful retention requirements. However, we cannot guarantee deletion or removal of copies held by third parties that have independently indexed, cached, archived, or copied publicly available content.

This is a technical limitation of the modern internet. Where GDPR or similar laws apply, rights to erasure are also subject to lawful exceptions (for example, where retention is necessary for compliance with legal obligations or the establishment, exercise, or defence of legal claims). We have no control over third-party search engines or archives and cannot force them to refresh, remove, or update cached copies on any specific timeline.

Subscription payments are processed by our payment partner (PayProGlobal). TherapyRoute retains limited subscription and billing-related information as necessary to administer subscriptions, resolve billing issues, and comply with accounting and tax obligations.

Retention (typical):

• invoices, transaction records, and accounting documentation: up to 7 years (or longer where required by applicable law);
• subscription status and billing history required for account administration, dispute handling, and audits: up to 7 years.

TherapyRoute does not store full payment card numbers or sensitive payment credentials. Payment details are handled directly by the payment processor.

If you contact TherapyRoute for support or administrative matters, we retain communications and related internal records for as long as reasonably necessary to:

• respond to and resolve your request;
• maintain continuity where issues recur;
• investigate abuse, impersonation, or security incidents; and
• establish, exercise, or defend legal claims.

Retention (typical):

• routine support communications: 1–3 years after the matter is closed;
• serious complaints, abuse investigations, billing disputes, or legal matters: retained for longer where reasonably necessary and lawful.

Access to retained support data is restricted to authorised personnel.

Our infrastructure providers and security tools generate logs to support platform stability, performance, and security. These logs may include IP addresses, timestamps, request metadata, error traces, performance metrics, and security events (such as blocked threats).

Retention (typical):

• performance and error logs: 14–90 days;
• security, abuse-prevention, and fraud-detection logs: up to 12 months where reasonably necessary to investigate incidents and prevent repeated attacks;
• email delivery logs: retained for limited periods to support delivery troubleshooting.

We periodically review log-retention settings and aim to retain logs only for as long as necessary for security, troubleshooting, and platform integrity.

We use analytics tools to understand aggregated usage patterns and improve platform usability and performance. Depending on your region and cookie choices, analytics may involve cookies or similar identifiers.

Retention (typical):

• analytics event data and aggregated reports: 14–26 months, depending on tool configuration;
• analytics cookies or identifiers: according to provider settings and your browser or consent preferences.

Analytics data is not used to interpret the content of therapist enquiries or to identify users for advertising based on message content.

Cookies and similar technologies may be used for security, session management, functionality, analytics, and advertising measurement (where enabled). Retention varies by category and configuration:

• strictly necessary cookies (security/session): typically expire at session end or within a short period;
• functional cookies: may persist for up to 12 months where needed to remember preferences;
• analytics and advertising cookies (where enabled): retained for limited periods defined by the provider and your consent choices.

You can delete cookies at any time through your browser settings and, where available, manage preferences through our cookie controls.

Where AI tools are used to assist with formatting, summaries, categorisation, or quality checks of therapist-submitted listing text, we may retain:

• AI-assisted outputs that are incorporated into published listing content; and
• limited internal audit records (such as timestamps, moderation notes, or quality-control flags).

Retention (typical):

• AI-assisted outputs used in listings: retained for as long as the listing remains active (and subject to deletion rules in this policy);
• internal AI-related audit records: 90–180 days, unless a longer period is reasonably necessary to investigate abuse, resolve disputes, or defend legal claims.

We do not send private therapist-client enquiries or sensitive mental health disclosures to AI systems, and we do not permit submitted data to be used for public model training where contractual controls are available.

We and our service providers maintain backups of databases, configurations, and media assets for disaster recovery and business continuity. Backups are encrypted and access is restricted to authorised personnel.

Retention (typical):

• backups are retained for 90–180 days, depending on provider configuration and operational requirements.

Data may persist in backups for the duration of the backup cycle even after it is deleted from live systems.

In certain circumstances, we may retain information for longer than the periods described above where reasonably necessary and lawful, including to:

• comply with legal or regulatory obligations;
• respond to lawful requests from authorities;
• investigate fraud, abuse, or security incidents;
• resolve billing disputes; or
• establish, exercise, or defend legal claims.

Where extended retention applies, we restrict access and retain only the information necessary for the specific purpose.

We use technical safeguards that may include:

• Encryption in transit: Data transmitted to and from TherapyRoute is protected using TLS/HTTPS.
• Encryption at rest: Where supported by our providers and configurations, stored data and backups are encrypted.
• Secure hosting and infrastructure: Use of established hosting, database, CDN, and security providers to support availability, resilience, and protection against common threats.
• Network protection: Firewalls, web application firewalls (WAF), DDoS mitigation, rate limiting, and bot-detection tools to protect the platform and forms.
• Access controls: Administrative access is restricted to authorised personnel using strong authentication methods and role-based access where appropriate.
• Monitoring and logging: System logs, alerts, and monitoring tools are used to detect errors, performance issues, and suspicious activity.

These measures are intended to reduce risk but do not eliminate it entirely.

We apply organisational safeguards that may include:

• limiting staff access to systems and data on a need-to-know basis;
• confidentiality obligations for staff and contractors with access to operational systems;
• internal procedures for handling support requests, moderation tasks, and incident response;
• vendor due diligence and contractual safeguards (including Data Processing Agreements and Standard Contractual Clauses where required); and
• data minimisation practices, including not storing clinical records or maintaining therapist-client enquiries as a long-term message archive.

Where AI tools are used, we apply additional controls, including:

• restricting AI processing to non-sensitive therapist-submitted listing content and internal operational text;
• implementing technical and organisational controls designed to exclude private therapist-client enquiries, sensitive mental health disclosures, and identity documents from AI processing;
• minimising the amount of data shared with AI providers; and
• applying contractual and configuration controls intended to limit retention and prevent use of submitted data for public-model training where such controls are available.

AI tools are used as assistive systems with human oversight and are not used to make automated decisions that produce legal or similarly significant effects on users.

You are responsible for maintaining the security of your own devices, email accounts, and login credentials. If you create an account, you should use a strong password, keep credentials confidential, and notify us promptly if you suspect unauthorised access or misuse.

No method of transmission over the internet or method of electronic storage is completely secure. While we take reasonable steps to protect personal information, we cannot guarantee absolute security.

If we become aware of a personal-data security incident affecting information under our control, we will assess the risk and respond in accordance with applicable law, including notifying affected individuals and authorities where required.

You may request confirmation of whether we process your personal information and, where applicable, request access to that information.

Where required by law, we will provide information about:

• the categories of personal information we hold;
• the purposes for which it is processed;
• the categories of recipients with whom it is shared;
• applicable retention periods; and
• the sources of the information (where not collected directly from you).

You may request correction of inaccurate or incomplete personal information.

• Therapists can update most listing and account information directly through their account.
• Other users may request corrections to information held in support records, logs, or administrative systems.

You may request deletion of your personal information where:

• it is no longer needed for the purpose for which it was collected;
• you withdraw consent and no other lawful basis applies;
• the processing was unlawful; or
• applicable law provides a right to deletion.

Limitations:
We may retain information where retention is required or permitted by law, including for accounting, fraud prevention, security, dispute resolution, or the establishment, exercise, or defence of legal claims. Deletion may also be limited where it would prevent us from delivering a service you requested (for example, forwarding an enquiry you initiated).

You may request that we restrict processing of your personal information where:

• you contest the accuracy of the data;
• the processing is unlawful and you prefer restriction to deletion;
• we no longer need the data but you require it for a legal claim; or
• you have objected to processing based on legitimate interests and verification is pending.

While processing is restricted, we may store the information but will not actively use it for other purposes unless permitted by law.

You may object to processing where it is based on legitimate interests, including objection to direct marketing.

If you object, we will stop the relevant processing unless we have compelling legitimate grounds or a legal obligation that overrides your interests, rights, or freedoms.

We do not conduct automated decision-making or profiling that produces legal or similarly significant effects.

Where we rely on consent as the legal basis for processing, you may withdraw that consent at any time.

Withdrawal of consent does not affect:

• processing that occurred before withdrawal;
• processing necessary to provide a service you requested; or
• processing based on another lawful basis (such as contract, legal obligation, or legitimate interest).

You may withdraw consent to optional marketing communications at any time.

Where applicable, you may request a copy of personal information you provided to us that is processed by automated means, in a structured, commonly used, and machine-readable format.

This right applies only where processing is based on consent or contract and does not apply to derived, inferred, or internal administrative data.

South African users have rights under POPIA, including the right to:

• be notified that personal information is being collected;
• access their personal information;
• request correction or deletion;
• object to processing in certain circumstances;
• withdraw consent where applicable; and
• lodge a complaint with the Information Regulator.

We handle POPIA requests with the same priority and care as GDPR-based requests.

If you are a California resident, you may have the right to:

• know the categories and specific pieces of personal information we collect, use, and disclose;
• request deletion of personal information (subject to legal exceptions);
• request correction of inaccurate personal information;
• opt out of the “sale” or “sharing” of personal information as defined by California law; and
• not be discriminated against for exercising your privacy rights.

TherapyRoute does not sell personal information for money. Certain cookie-based advertising or measurement activities may be considered “sharing” under California law; where applicable, you may opt out through cookie controls or by submitting a “Do Not Sell or Share My Personal Information” request.

To protect users and prevent unauthorised disclosure, we may take reasonable steps to verify your identity before responding to a rights request.

Verification may include confirmation via email or other information reasonably necessary to confirm account ownership or prior interaction. We do not request sensitive personal information solely for verification purposes.

To exercise your rights, contact us at:

Email: contact@therapyroute.com
Subject line: Privacy Request

Please include:

• your name;
• your country of residence;
• your relationship to TherapyRoute (visitor, therapist, subscriber); and
• a clear description of your request.

We respond within the timeframes required by applicable law, typically:

• GDPR / UK GDPR / POPIA: within 30 days of receiving a verifiable request (extensions permitted where allowed);
• CCPA / CPRA: within 45 days of receiving a verifiable request (with one permitted extension where allowed).

If you believe we have not adequately addressed your privacy concerns, you may lodge a complaint with the relevant authority:

• South Africa (POPIA): Information Regulator – https://www.justice.gov.za/inforeg/
• European Union (GDPR): Your local Data Protection Authority – https://edpb.europa.eu/about-edpb/board/members_en
• United Kingdom (UK GDPR): Information Commissioner’s Office (ICO) – https://ico.org.uk/
• California (CCPA/CPRA): California Privacy Protection Agency – https://cppa.ca.gov/

We encourage you to contact us first so we can attempt to resolve the issue promptly.

• TherapyRoute is not intended for use by children under 13.
• We do not knowingly collect or store personal information from anyone under 13.
• If we become aware that personal information relating to a child under 13 has been collected, we will take reasonable steps to delete it.
• Parents or guardians who believe a child’s information has been submitted to TherapyRoute may contact us at contact@therapyroute.com.

This section is intended to meet applicable requirements under COPPA (United States), POPIA (South Africa), and GDPR (EU/UK).

• Users aged 13–17 may browse the TherapyRoute directory.
• Users aged 13–17 must contact therapists only with parental or guardian involvement.
• TherapyRoute does not knowingly process sensitive personal information directly from minors.
• Therapist accounts and listings may not be created or managed by individuals under 18.

Therapists remain responsible for complying with all laws and professional requirements governing services provided to minors, including consent and safeguarding obligations.

When a user contacts a therapist through TherapyRoute:

• TherapyRoute does not analyse message content;
• TherapyRoute does not monitor or supervise therapist–client relationships; and
• therapists are responsible for ensuring compliance with all child-protection, consent, and safeguarding laws in the relevant jurisdictions.

This maintains a clear separation between the platform’s role and the therapist’s professional responsibilities.

When changes are made:

• the “Last Updated” date at the top of the policy will be revised; and
• where changes are material and required by law, we may provide notice by email, on the website, or through the platform.

Minor wording or clarification changes may be made without individual notice.

Updates take effect when the revised Privacy Policy is published, unless a later effective date is specified.

Where applicable law requires notice, consent, or an opt-in for a material change (for example, a new marketing purpose or new category of cookies), we will provide the required notice and obtain consent before applying the change.

We will not:

• retroactively reduce your privacy rights;
• introduce new processing purposes incompatible with those described in this policy without updating it;
• sell personal information; or
• materially expand data sharing without appropriate disclosure.

Where explicit consent is legally required for a change, we will request it.

TherapyRoute (Pty) Ltd
Registered in the Republic of South Africa
Registered Office:
29 Wargrave Road
Kenilworth
Cape Town
Western Cape
7708
South Africa

Email: contact@therapyroute.com

This address is used for legal notices, privacy requests, regulator correspondence, and escalation of support matters.

For privacy-related requests or questions, contact:

Email: contact@therapyroute.com
Subject line: Privacy Request

For South Africa, TherapyRoute’s Information Officer (as contemplated by POPIA) is responsible for handling privacy-related matters. Where applicable law requires appointment of a specific role (such as a Data Protection Officer), we will meet those requirements and provide updated contact details.

If you believe we have not adequately addressed your privacy concerns, you may lodge a complaint with the relevant authority:

• South Africa (POPIA): Information Regulator – https://www.justice.gov.za/inforeg/
• European Union (GDPR): Your local Data Protection Authority – https://edpb.europa.eu/about-edpb/board/members_en
• United Kingdom (UK GDPR): Information Commissioner’s Office – https://ico.org.uk/
• California (CCPA/CPRA): California Privacy Protection Agency – https://cppa.ca.gov/

We encourage you to contact us first so we can attempt to resolve the matter promptly.