Skip to main content

Data Processing Agreement

Last updated: 8 June 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the practitioner using Hypno Admin Pro, “you”) and Dante Harker, operator of Hypno Admin Pro (“we”, “us”, “our”). It describes how we process personal data relating to your clients on your behalf, in line with Article 28 of the UK GDPR. By using the Service to store or process client data, you accept this DPA.

1. Roles of the Parties

For the personal data of your clients that you enter into the Service (such as client records, contact details, intake information, session notes, and reflection threads), you are the data controller and we are your data processor. We process that data only to provide the Service and only on your documented instructions, which include your use of the Service's features.

For your own practitioner account data (your name, email, login, billing, and usage of the Service), we act as an independent data controller, as described in our Privacy Policy.

2. Subject Matter, Duration, Nature & Purpose

  • Subject matter: processing of client personal data to provide a practice management and content-creation workspace for hypnotherapists.
  • Duration: for as long as you hold an account, plus the retention periods in our Privacy Policy, after which data is deleted.
  • Nature & purpose: storing, organising, displaying, transmitting, and otherwise processing client data so you can manage clients, bookings, notes, scripts, audio, and reflection.

3. Types of Data and Categories of Data Subjects

Data subjects: your clients and any contacts you add to the Service.

Types of personal data: names and contact details; appointment and booking information; session notes and presenting issues; intake and consent information; and any other content you choose to enter. This may include special category data (such as health information) where you record it. You are responsible for ensuring you have a lawful basis and appropriate conditions to process such data, and for being transparent with your clients about how their data is used.

4. Our Obligations as Processor

We will:

  • process client data only on your documented instructions, unless required otherwise by law (in which case we will inform you where permitted);
  • ensure that people authorised to process the data are bound by confidentiality;
  • implement appropriate technical and organisational security measures (see section 5);
  • assist you, taking into account the nature of processing, in responding to data subject requests and in meeting your security, breach-notification, and impact-assessment obligations;
  • delete or return client data at the end of the Service as set out in section 8; and
  • make available information reasonably necessary to demonstrate compliance with Article 28.

5. Security Measures

We maintain measures appropriate to the risk, including: encryption of data in transit (HTTPS); storage on secure Supabase infrastructure (hosted on AWS) with encryption at rest provided by that infrastructure; account-based access controls and Row Level Security so each account can only access its own data; optional two-step verification and automatic sign-out after inactivity; and ongoing review of access and security practices.

6. Sub-processors

You authorise us to engage the sub-processors listed in our Privacy Policy (currently including Supabase, Vercel, OpenAI, Stripe, Resend, Trigger.dev, Google, and — only when you opt to use AI voice — Google Cloud Text-to-Speech). We require sub-processors to provide protections consistent with this DPA. If we add or replace a sub-processor, we will update the Privacy Policy and, for material changes, give you reasonable notice so you can object.

7. International Transfers

Some sub-processors may process data outside the UK. Where they do, we rely on appropriate safeguards permitted under UK data protection law (such as adequacy decisions or the International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses).

8. Return and Deletion of Data

You can export a copy of your data at any time from your account settings, and you can delete individual client records yourself. When your account ends, your data remains accessible for 90 days and is then deleted; if you request account deletion, we will delete client data within 30 days, unless retention is required by law.

9. Personal Data Breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting your client data, and will provide the information reasonably available to help you meet your own notification duties to the ICO and affected individuals.

10. Audit

On reasonable written request, we will provide information necessary to demonstrate compliance with this DPA. Audits will be limited to what is reasonable and proportionate, conducted on reasonable notice, and must not compromise the security or confidentiality of other customers' data.

11. Contact

For any questions about this DPA or to discuss your data protection requirements, contact us at info@hypnoadminpro.com.