Privacy policy

## 1. Introduction

This privacy notice explains how BLU handles personal data relating to:

- visitors to the BLU website;
- people who contact us, join a waiting list, request information, or seek support;
- customers who subscribe to, activate, or use BLU software;
- limited account, licensing, billing, and support records connected with BLU.

It is designed to give a clear public explanation of what BLU processes and what remains under the therapist's own control.

## 2. Who We Are

BLU is operated by:

- Legal business name: David Dodd
- Trading name: `BLU Clinical
- Product name: BLU Solo
- Contact email: Info@BluClinical

In relation to our own business, website, billing, licensing, and support records, we act as a controller of that personal data.

## 3. Important Scope Statement

BLU is designed as local-first desktop software.

That means the working clinical record is intended to remain under the therapist's own control on their own device, with backup choices controlled by the therapist.

BLU does not need to routinely host, access, or inspect client clinical records in order for the software to function.

If a therapist chooses to back up data to OneDrive, iCloud, Dropbox, Google Drive, or another provider, that storage arrangement is the therapist's own chosen storage arrangement.

## 4. The Difference Between BLU Data And Therapist-Controlled Clinical Data

### Data BLU may process

BLU may process limited personal data relating to:

- website enquiries;
- waitlist or launch-interest forms;
- account contact details;
- subscription and billing status;
- device activation and licence records;
- customer support communications;
- product feedback voluntarily provided by customers.

### Data the therapist controls inside BLU

A therapist or practice using BLU may store and process:

- client identifying details;
- therapy notes and assessments;
- safety planning documents;
- invoices, letters, and correspondence;
- clinical measures, risk documentation, and other practice records.

For that clinical workspace data, the therapist or practice remains responsible for their own legal and professional obligations.

## 5. What Personal Data We Collect

Depending on how you interact with BLU, we may collect:

### Website and enquiry data

- name;
- email address;
- organisation or practice name;
- messages or enquiry details;
- website usage information such as technical logs, page views, and similar analytics if enabled.

### Commercial and account data

- billing email and account identifiers;
- subscription status;
- plan type;
- transaction references from the billing provider;
- activation and device identifiers;
- licence events and account status.

### Support data

- support emails and support attachments;
- diagnostic or technical information you choose to send us;
- limited system information needed to investigate a reproducible software issue.

We ask customers not to send identifiable client information unless it is strictly necessary for a support issue and no less intrusive option is available.

## 6. How We Use Personal Data

We may use personal data to:

- operate and improve the BLU website;
- respond to enquiries and launch-interest requests;
- create and manage subscriptions, accounts, and activations;
- provide software updates, support, and recovery guidance;
- investigate reproducible product issues;
- maintain security, fraud prevention, and service integrity;
- comply with legal, regulatory, tax, and accounting obligations.

## 7. Lawful Bases

Depending on the context, we may rely on:

- contract;
- steps taken at your request before entering a contract;
- legal obligation;
- legitimate interests;
- consent, where that is the appropriate basis.

If we ever need to process special category data for a support issue, this should be exceptional, minimised, and handled only where an appropriate lawful basis and condition applies.

## 8. Billing, Licensing, And Third-Party Services

BLU may use third-party providers to support the commercial operation of the service, for example:

- payment and subscription providers;
- web hosting and email services;
- licensing or activation infrastructure;
- support tooling;
- analytics or security tooling where used.

At launch, billing is expected to be handled through Paddle.

Where third-party providers process personal data on our behalf, we aim to use them in a way that is appropriate for the service being provided.

## 9. Cloud Storage Chosen By The Therapist

BLU may support copying backups to a recovery folder or to the therapist's own chosen storage or cloud-sync location.

Examples may include:

- OneDrive;
- iCloud;
- Dropbox;
- Google Drive;
- another provider or custom folder chosen by the user.

This does not mean BLU becomes the host of the therapist's clinical records. The therapist remains responsible for the cloud or storage arrangement they choose to use.

## 10. How Long We Keep Data

We keep different categories of personal data for different periods, depending on why we collected them.

In general:

- website enquiries are kept for a reasonable business period;
- account, billing, and tax records are kept as required for commercial and legal obligations;
- support records are kept for support continuity, security, and audit purposes for a reasonable period;
- activation and licence records are kept for account administration and fraud prevention as appropriate.

Detailed retention periods should be finalised before public launch.

## 11. Security

We take reasonable technical and organisational steps to protect the personal data we process for our own business operations.

However:

- no website, email, or internet transmission is entirely risk-free;
- therapists are responsible for the security of their own devices, passwords, local storage, and chosen backup locations;
- therapists should ensure that any third-party cloud or sync service they choose is suitable for their own professional and legal obligations.

## 12. International Transfers

If any of our providers process personal data outside the UK, we will need to ensure that appropriate safeguards are in place where required.

The exact wording for this section should be aligned to the live provider stack before launch.

## 13. Your Rights

Depending on the circumstances, you may have rights under data protection law, including rights to:

- be informed;
- access your personal data;
- request correction of inaccurate personal data;
- request erasure in some cases;
- restrict processing in some cases;
- object to processing in some cases;
- data portability in some cases;
- withdraw consent where processing relies on consent.

These rights are subject to legal limits and exceptions.

## 14. How To Contact Us About Privacy

If you have a privacy question, concern, or request, contact:

- Email: `[insert privacy or support email]`
- Business name: `[insert legal business name]`

Please give enough information for us to understand the issue and confirm your identity where appropriate.

## 15. Complaints

We would usually expect you to contact us first so we can try to resolve your concern.

If you remain unhappy, you may be able to complain to the Information Commissioner's Office (ICO).

## 16. Changes To This Notice

We may update this privacy notice from time to time.

The latest version published on the website will apply from the date shown at the top of the page.

## Pre-Launch Notes

Before publishing this page:

- insert the correct business identity and contact details;
- align provider references with the live stack;
- confirm retention wording;
- align this page with the live billing flow, support flow, and licence service;
- confirm international-transfer wording once the final services are fixed;
- ensure the website, checkout flow, and in-app legal area all use consistent privacy language.