Privacy Policy

Last updated: 5 June 2026

1. Summary

Pasu Health Ltd (trading as Theras) (“we”, “us”, “Theras”) provides an AI-assisted reflective-practice platform for qualified therapists in the UK and Ireland/EU. This policy explains what personal data we collect about you, the therapist, why we use it, and the rights you have over it. It applies to your use of the platform at app.theras.ai.

If you record or enter information about your clients (session transcripts, clinical notes, documents, client records), we handle that data only as a data processor acting on your instructions. You are the controller of your clients’ data. That processing is governed by our Terms of Service and Data Processing Agreement, not by this policy. See Section 5.

2. Who we are and how to contact us

The data controller is Pasu Health Ltd (trading as Theras), a company registered in England and Wales (company number 16730287), registered address 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom.

We are registered with the Information Commissioner's Office (ICO) under registration number [ICO REGISTRATION NUMBER].

For any privacy question or to exercise your rights, contact us at contact@pasuhealth.com. We have not appointed a Data Protection Officer, as we are not required to.

EU representative (Article 27). As we offer services to data subjects in the EU, we have appointed an EU representative: [EU REPRESENTATIVE FULL NAME], [EU REPRESENTATIVE IRISH SERVICE ADDRESS], email contact@pasuhealth.com. EU/EEA users may contact our representative on any matter relating to this policy.

3. What data we collect and why

We collect the following personal data about you when you create and use an account:

| Data | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Email and password (or Google sign-in profile) | Create and secure your account; authenticate you | Contract (Art. 6(1)(b)) | Life of your account |
| Professional profile (jurisdiction, therapeutic modality, professional body) | Tailor clinical guidance and the knowledge base to your practice | Contract (Art. 6(1)(b)) | Life of your account |
| Billing data (subscription status, plan, Stripe customer/subscription identifiers) | Manage your subscription and process payments. Your card details are handled by Stripe, not stored by us | Contract (Art. 6(1)(b)); Legal obligation for tax records (Art. 6(1)(c)) | Life of account; billing/tax records kept for 6 years |
| Usage and metering records (operations performed, AI token and cost totals) | Enforce plan limits, prevent abuse, and operate the service | Legitimate interests (Art. 6(1)(f)) | Life of your account |
| Consent audit records (including IP address at the time of consent) | Evidence that recording/processing consents were captured | Legal obligation / legitimate interests | Life of the related session record |
| Technical cookies (authentication session, interface preference) | Keep you signed in and remember interface settings | Strictly necessary / legitimate interests — see Section 9 | Session to 7 days |

We do not run third-party analytics, advertising, or behavioural tracking, and we do not buy or sell personal data.

4. Our lawful bases for processing

We rely on the following lawful bases under Article 6 UK/EU GDPR:

  • Contract (Art. 6(1)(b)) — to create your account, provide the platform, and manage your subscription. Without this data we cannot provide the service.
  • Legal obligation (Art. 6(1)(c)) — to keep billing and tax records as required by UK and EU law.
  • Legitimate interests (Art. 6(1)(f)) — to secure the platform, prevent fraud and abuse, meter usage and enforce plan limits, and send you essential service messages (such as trial and account reminders). We have assessed that these interests do not override your rights; you can object at any time (see Section 8). You can request a summary of our balancing assessment.

We do not currently send marketing emails and do not process your data for marketing. If we introduce marketing in future, we will ask for your separate, opt-in consent (Art. 6(1)(a)), which you will be able to withdraw at any time.

5. Your clients' data and special category data

The clinical information you record or enter about your clients — session audio and transcripts, clinical notes, clinical documents, client records, and chat content — is special category health data under Article 9. For that data:

  • You are the data controller and we are your data processor. We process it only on your documented instructions to deliver the features you use.
  • This processing is governed by the data processing terms in our Terms of Service, which set out our Article 28 obligations. It is your responsibility to have a lawful basis and an Article 9 condition (normally your client’s explicit consent) for entering that data, and to give your clients their own privacy information.
  • All such content is encrypted at rest. Audio is deleted automatically once it has been transcribed.

We do not knowingly collect special category data about you, the therapist.

6. AI processing and automated decisions

The platform uses AI services to deliver features you actively invoke — generating draft notes and documents, transcribing audio, searching the knowledge base, and answering reflective questions. These run through EU-based providers (Anthropic Claude and Cohere via AWS Bedrock in the EU, and AssemblyAI in Dublin). None of these providers train their models on your data.

AI output is always a draft for you, a qualified professional, to review, edit, and decide on. We do not make any solely-automated decision that produces a legal or similarly significant effect about you (Article 22 UK/EU GDPR does not apply to your use of the service). AI does not determine your access, eligibility, or standing.

7. Who we share your data with

We share data only with the service providers (“sub-processors”) we rely on to run the platform, each under a data processing agreement. Most processing happens in the EU; the transfers outside the EU are protected by Standard Contractual Clauses / the UK International Data Transfer Agreement.

| Provider | Purpose | Region | Transfer safeguard |
|---|---|---|---|
| Anthropic (via AWS Bedrock) | AI chat and clinical-content generation (Claude) | EU (Ireland, eu-west-1) | Processed in the EU — no transfer |
| Cohere (via AWS Bedrock) | Knowledge-base embeddings and reranking | EU (Ireland & Frankfurt) | Processed in the EU — no transfer |
| AssemblyAI | Audio transcription and speaker labelling | EU (Dublin) | Processed in the EU — no transfer |
| Supabase | Database, authentication and file storage | EU | Processed in the EU — no transfer |
| Vercel | Application hosting | EU | Processed in the EU — no transfer |
| Stripe (Stripe Payments Europe Ltd) | Payment processing and subscription management — billing data only, no clinical data | EU (Ireland) | EU-U.S. DPF + UK Extension; EU SCCs as fallback |
| Resend | Transactional email (e.g. trial and account reminders) | United States | Standard Contractual Clauses / UK IDTA |
| Axiom (via Vercel log drains) | Operational error logging — clinical content is excluded | United States | Standard Contractual Clauses / UK IDTA |

We may also disclose data where we are legally required to — for example to comply with a court order or a safeguarding or law enforcement obligation — and to professional advisers where necessary.

8. International data transfers

Your account data is stored and processed within the UK and EU. The UK and EU recognise each other as providing adequate protection (the UK-EU adequacy decision was renewed in December 2025), so transfers between them need no additional safeguard.

A limited amount of data is processed by providers in the United States (see the table above — transactional email via Resend and operational logging via Axiom). These transfers are protected by Standard Contractual Clauses and/or the UK International Data Transfer Agreement, with supplementary safeguards including encryption. You can request a copy of the relevant safeguards by emailing us.

9. Your rights

Under UK and EU GDPR you have the right to: be informed (this policy); access a copy of your data; have inaccurate data corrected; have your data erased; restrict our processing; data portability; object to processing based on legitimate interests; and not be subject to solely-automated decisions with significant effect. Where we rely on consent, you can withdraw it at any time.

  • Access and portability — download a structured copy of your data at any time from Settings → Data & Privacy.
  • Rectification — update your profile and account details directly in Settings.
  • Erasure — request account deletion from Settings → Data & Privacy. Your account and associated data are permanently deleted 30 days after the request, except where we must retain limited records (e.g. billing) to meet a legal obligation.
  • Restriction and objection — to restrict or object to any processing, email contact@pasuhealth.com.

We respond to rights requests within one month. There is no charge in normal circumstances.

10. How long we keep your data

  • Account and profile data — for the life of your account.
  • Chats, notes, documents and session records — kept until you delete them or delete your account.
  • Session audio — deleted automatically after transcription.
  • Billing and tax records — retained for 6 years to meet tax law requirements.
  • On account deletion — your data is permanently deleted after the 30-day window; we keep only a minimal deletion audit record (your email and the request date) as proof the request was actioned.

11. Cookies

We use only essential cookies: an authentication/session cookie that keeps you signed in, and a small cookie that remembers an interface preference (whether the sidebar is open). Both are exempt from consent under UK PECR (as amended by the Data (Use and Access) Act 2025) and the EU strictly-necessary exemption, so we do not show a cookie banner. We use no analytics, advertising, or tracking cookies.

12. Complaints and supervisory authorities

If you have a concern, please contact us first at contact@pasuhealth.com so we can try to resolve it. You also have the right to lodge a complaint with a supervisory authority:

  • UK — Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. https://ico.org.uk · 0303 123 1113
  • EU / Ireland — Data Protection Commission (DPC), Ireland, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland. https://www.dataprotection.ie · +353 57 868 4800. If you are based elsewhere in the EU, you may also contact your local national data protection authority.

13. Children

The platform is intended for use by qualified therapists, who are adults. It is not directed at, and we do not knowingly create accounts for, anyone under 18.

14. Changes to this policy

We may update this policy from time to time. If we make a material change we will notify you by email or in the app before it takes effect. The date at the top shows when this version was published.