Privacy & Data Practices

1. Plain-language summary

PracticeKit is an iPad app designed for counsellors and therapists. Here is what you need to know about your data, in plain English:

• No account required. You do not sign in or create an account to use PracticeKit.
• No internet connection required. The app works entirely offline.
• No data is sent to us during normal use. We have no access to your client records, session notes, or safeguarding information — ever.
• Backups are optional and encrypted. If you choose to export a backup, it is encrypted with a password you choose using AES-256-GCM — a military-grade encryption standard. We do not receive this backup.
• Crash reports are anonymous. If the app crashes, a small anonymous report is sent to our bug-tracking tool (Sentry) to help us fix the issue. This report contains no client names, session notes, or personal information. See Third parties for full details.
• Deleting a client deletes all their data. There are no hidden copies or archives.

2. What data we store and how

Data you enter into PracticeKit

PracticeKit stores the following data locally on your device:

Data type	Where it's stored	Who can access it
Client names and year groups	On your device only	You (protected by Face ID / Touch ID)
Session notes and dates	On your device only	You (protected by Face ID / Touch ID)
Safeguarding records	On your device only	You (protected by Face ID / Touch ID)
CPD log entries	On your device only	You (protected by Face ID / Touch ID)
Supervision session records	On your device only	You (protected by Face ID / Touch ID)
Photos attached to session notes	On your device only (EXIF metadata stripped)	You (protected by Face ID / Touch ID)

How your data is protected on-device

• iOS file protection — all data uses NSFileProtectionCompleteUntilFirstUserAuthentication, meaning files are encrypted by iOS when the device is locked.
• Face ID / Touch ID — the app requires biometric or device passcode authentication to open.
• 5-minute auto-lock — the app automatically locks after 5 minutes of inactivity.
• App switcher privacy — when you switch away from PracticeKit, the app hides its content from the iOS app switcher preview, preventing client data from appearing in screenshots.

Encrypted backups

You can export an encrypted backup from the Settings area at any time. This is entirely optional. Backups are encrypted using:

• AES-256-GCM encryption with a password you choose
• PBKDF2-HMAC-SHA256 key derivation with 600,000 iterations and a unique random salt
• Minimum 8-character password enforced

Backup files can only be decrypted with the password you set. We do not have access to your backups or your password. If you lose your password, the backup cannot be recovered.

Photos

Photos attached to session notes are processed through UIImage.jpegData() before storage, which strips all EXIF metadata — including GPS location, device information, and timestamps. Only the image itself is stored.

What we do not collect

• We do not collect analytics, usage statistics, or behavioural data
• We do not use advertising SDKs or tracking tools
• We do not have access to the content of your records at any time
• We do not sync your data to any cloud service

3. Third parties

Sentry (crash reporting)

PracticeKit uses Sentry to collect anonymous crash and error reports. This helps us identify and fix technical problems. We have configured Sentry with the following privacy settings:

• Personal data transmission is permanently disabled (sendDefaultPii: false) — no IP addresses, device identifiers, or user data are sent
• Low sampling rate — only a small fraction of sessions are included in performance monitoring (maximum 10%)
• No screenshots or view hierarchies — these features are disabled entirely
• No client data in error reports — client names, session notes, and safeguarding details are never included in error metadata

Sentry is the only third-party service used by PracticeKit. There are no advertising SDKs, analytics platforms, or other external services.

Sentry's privacy policy: sentry.io/privacy

4. Your rights under UK GDPR

PracticeKit handles UK GDPR Article 9 "special category" personal data — specifically, children's counselling and safeguarding records. As the practitioner using PracticeKit, you are the data controller for your clients' records. You are responsible for ensuring you have the appropriate lawful basis and consent to record and retain this data.

Your clients' rights

Because data is stored only on your device and we have no access to it, requests from data subjects (your clients or their guardians) must be handled directly by you as the data controller. PracticeKit provides the following tools to help you comply:

• Right to erasure — deleting a client record in PracticeKit permanently removes all associated sessions, notes, photos, and safeguarding records from the device
• Data export — you can export a client's records as a PDF for subject access requests
• Data retention — PracticeKit will remind you to review records for clients in "Completed" status after a period of inactivity

Your consent responsibilities

5. Accessibility statement

PracticeKit is designed to be accessible to all users, including those who use assistive technologies.

Target standard: WCAG 2.1 Level AA

Accessibility features

• VoiceOver — all interactive elements have meaningful accessibility labels; composite rows use combined labels; decorative icons are hidden from VoiceOver
• Dynamic Type — all text uses semantic font styles and scales correctly with your device's text size settings
• Reduce Motion — all animations respect the iOS Reduce Motion accessibility setting
• Smart Invert — photo and image content is excluded from Smart Invert so images display correctly
• Bold Text — the app respects the iOS Bold Text setting automatically
• Color — status information is never conveyed by colour alone; all status indicators include text labels
• Keyboard navigation — the app supports full keyboard navigation on iPads with a connected keyboard

If you encounter an accessibility issue, please contact us at the address below and we will address it as a priority.

6. Disclaimer — not a medical device

PracticeKit is a professional administration and practice management tool for qualified counsellors and psychotherapists. It is designed to support the practitioner's administrative and compliance activities — record-keeping, CPD logging, supervision tracking, and safeguarding documentation.

PracticeKit is not regulated by the MHRA (Medicines and Healthcare products Regulatory Agency) as a medical device under the UK Medical Devices Regulations 2002, as it does not perform a clinical function or make medical claims.

Intended users

PracticeKit is intended for use by:

• Qualified counsellors, psychotherapists and therapists
• Practitioners working towards BACP accreditation or equivalent professional qualification
• Practitioners who are members of, or registered with, a recognised professional body such as BACP, UKCP, or BPC

PracticeKit is not intended for use by clients, parents, carers, or members of the public. It is not a therapy app, self-help tool, or crisis service. If you or someone you know needs mental health support, please contact your GP or a mental health helpline.

7. Contact

For questions about this privacy policy, data practices, or accessibility:

• Email: hello@practicekit.app

We aim to respond to all enquiries within 5 working days.