Privacy Policy

This Privacy Policy explains how Digita1 OÜ, trading as CBT Flow (“CBT Flow”, “we”, “us”, or “our”), collects, uses, stores, shares, and protects personal data when you use the CBT Flow website, platform, client portal, and any related mobile application or services (collectively, the “Service”).

This Privacy Policy applies to therapists, clinics, organisations, invited clients, website visitors, and other individuals whose personal data we process in connection with the Service.

Please read this Privacy Policy carefully. By accessing or using the Service, creating an account, submitting information to us, or otherwise interacting with us, you acknowledge that your personal data will be processed as described in this Privacy Policy.

1. Who We Are

CBT Flow is operated by Digita1 OÜ, an Estonian company.

Digita1 OÜ
Registry code: 17003669
VAT: EE102745881
Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia

If you have any questions about this Privacy Policy or our data practices, you can contact us at legal@cbtflow.com.

2. Scope of This Privacy Policy

This Privacy Policy covers personal data we process when you:

  • visit our website;
  • create an account;
  • use the Service;
  • communicate with us;
  • receive emails from us;
  • take part in demos or early access programmes; or
  • otherwise interact with CBT Flow.

This Privacy Policy should be read together with our Terms and Conditions, Cookie Policy, and, where applicable, our Data Processing Agreement.

3. Data Protection Roles

Depending on the context, CBT Flow may act either as a data controller or as a data processor/service provider.

  • Where we collect and use personal data for our own business purposes, such as operating our website, managing accounts, billing, security, support, analytics, legal compliance, and communications, CBT Flow acts as the data controller.
  • Where therapists, clinics, or organisations use the Service to store or manage client-related data, including health-related or special category data, those therapists, clinics, or organisations are generally the data controllers for that client data, and CBT Flow acts as a data processor or service provider on their behalf.
  • If you are a client invited by a therapist, clinic, or organisation, your therapist, clinic, or organisation is generally responsible for deciding why and how your client-related data is processed through the Service.

4. Personal Data We Collect

Depending on how you use the Service, we may collect and process the following categories of personal data:

  • Account and identity data – such as your name, email address, login details, account type, organisation name, job title, invitation status, and profile information.
  • Contact data – such as your email address and any contact details you choose to provide.
  • Client and therapy-related data – such as client names, email addresses, notes, worksheets, homework, assessments, journal entries, uploaded files, therapist-client messages, treatment plans, protocol-based records, and similar information processed through the Service.
  • Payment and billing data – such as subscription plan, billing status, payment history, invoice details, and limited payment-related information received from payment providers. We do not store full payment card details ourselves unless expressly stated otherwise.
  • Communications data – such as emails, support requests, feedback, demo applications, early access applications, and other communications with us.
  • Usage data – such as information about how you use the Service, features accessed, actions taken, pages viewed, session activity, and preferences.
  • Technical data – such as IP address, browser type and version, device identifiers, operating system, time zone, access times, log data, and similar technical information.
  • Marketing and preference data – such as your communication preferences, newsletter preferences, and responses to promotional emails.
  • Special category data – where therapists, clinics, organisations, or invited clients choose to process therapy-related, health-related, or other sensitive information through the Service.

5. How We Collect Personal Data

We may collect personal data:

  • directly from you when you create an account, fill in forms, contact us, apply for a demo or early access, make a purchase, upload materials, or use the Service;
  • from therapists, clinics, or organisations that invite users to the Service or upload client-related information;
  • automatically when you use the website or Service, including through logs, cookies, and similar technologies; and
  • from service providers or integration partners involved in payments, hosting, analytics, communications, security, or infrastructure.

6. Why We Use Personal Data

We use personal data to operate, provide, maintain, improve, and protect the Service. Depending on the context, we may use personal data for the following purposes:

  • to create and manage user accounts;
  • to provide the website, platform, client portal, and related features;
  • to facilitate therapist-client workflows, treatment planning, protocols, tasks, communication, and record management;
  • to process subscriptions, payments, invoices, and billing administration;
  • to provide customer support and respond to enquiries;
  • to send service-related notices, technical updates, billing messages, and administrative communications;
  • to monitor usage, performance, reliability, and security of the Service;
  • to troubleshoot issues, prevent misuse, detect fraud, and protect users and the Service;
  • to comply with legal, regulatory, tax, accounting, and contractual obligations;
  • to improve our website, user experience, and product offering;
  • to manage demos, waitlists, early access programmes, and onboarding activities; and
  • where permitted, to send marketing communications or updates about CBT Flow.

7. Lawful Bases for Processing

Where applicable data protection laws require us to identify a lawful basis, we generally rely on one or more of the following:

  • performance of a contract or taking steps at your request before entering into a contract;
  • our legitimate interests, such as operating and improving the Service, securing the platform, communicating with users, preventing misuse, and managing our business;
  • compliance with legal obligations; and
  • your consent, where consent is required by law.

Where special category data is processed, this is generally done on the instructions of the relevant therapist, clinic, or organisation, or otherwise under a lawful condition permitted by applicable law.

8. When We Act as Processor for Therapists and Organisations

When therapists, clinics, or organisations use CBT Flow to process client-related personal data, we generally process that data only on their documented instructions and for the purpose of providing the Service to them.

In such cases:

  • the relevant therapist, clinic, or organisation is responsible for ensuring that it has an appropriate legal basis for using the Service;
  • the relevant therapist, clinic, or organisation is responsible for providing any necessary notices and obtaining any required consents; and
  • the relevant therapist, clinic, or organisation is responsible for handling data subject requests relating to client data.

If you are a client and have questions about how your therapist, clinic, or organisation handles your data, you should usually contact them first.

9. Sharing of Personal Data

We may share personal data with:

  • hosting, cloud, infrastructure, database, security, support, communications, analytics, and other technology service providers that help us operate the Service;
  • payment processors, billing providers, accounting providers, and invoicing partners;
  • professional advisers such as lawyers, auditors, insurers, or accountants where reasonably necessary;
  • regulators, courts, law enforcement agencies, or public authorities where required by law or necessary to protect rights, safety, or the Service;
  • actual or prospective buyers, investors, or transaction advisers in connection with a merger, acquisition, financing, restructuring, or sale of all or part of our business; and
  • other parties where you have asked us to share information or where sharing is otherwise permitted or required by law.

We do not sell personal data in the ordinary meaning of that term.

10. Aggregated and De-Identified Data

We may use aggregated, statistical, anonymised, or de-identified information for product improvement, service analytics, benchmarking, reporting, research, commercial insights, and similar purposes, provided that such information does not identify you personally.

Where we generate aggregated or de-identified data from personal data, we will take reasonable steps intended to prevent re-identification, where applicable.

11. International Data Transfers

We aim to host and process personal data within the European Union or European Economic Area.

Where personal data is transferred outside the European Union or European Economic Area, we will take appropriate steps designed to ensure that such transfers are protected in accordance with applicable data protection law, including by using appropriate safeguards where required.

12. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to:

  • provide the Service;
  • comply with legal obligations;
  • resolve disputes;
  • enforce agreements;
  • maintain security; and
  • support legitimate business needs.

Retention periods may vary depending on the type of data, the role in which we process it, applicable legal requirements, customer instructions, and the nature of the relationship.

Where we act as processor for therapists, clinics, or organisations, retention and deletion of client-related data will also depend on their instructions, contractual arrangements, and applicable law.

13. Security

We take reasonable technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

These measures may include:

  • access controls;
  • encryption;
  • authentication measures;
  • logging and monitoring;
  • backups; and
  • other administrative, technical, and organisational safeguards appropriate to the nature of the Service.

However, no online service, software platform, transmission method, or storage system can be guaranteed to be completely secure. Accordingly, we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your account credentials and for using the Service securely.

14. Your Rights

Depending on your location and the applicable law, you may have rights in relation to your personal data, including the right to:

  • request access to your personal data;
  • request correction of inaccurate or incomplete data;
  • request deletion of your personal data;
  • request restriction of processing;
  • object to certain processing activities;
  • request portability of data, where applicable; and
  • withdraw consent where processing is based on consent.

These rights are not absolute and may be subject to legal limitations, exceptions, or conditions.

Where CBT Flow acts only as a processor on behalf of a therapist, clinic, or organisation, we may need to direct your request to that controller or ask you to contact them directly.

15. How to Exercise Your Rights

If you wish to exercise your data protection rights, please contact us at legal@cbtflow.com.

We may request information to verify your identity before responding to your request.

We will respond within the time required by applicable law, although this may be extended where legally permitted due to the complexity or volume of requests.

16. Marketing Communications

We may send you service-related communications where necessary to provide the Service.

Where permitted by law, we may also send you:

  • product updates;
  • newsletters;
  • launch news;
  • demo information; or
  • marketing communications.

You can opt out of marketing emails at any time by using the unsubscribe link in the email or by contacting us.

17. Cookies and Similar Technologies

We may use cookies, pixels, local storage, and similar technologies to:

  • operate the website and Service;
  • remember preferences;
  • analyse usage;
  • improve performance; and
  • support security.

Some cookies may be strictly necessary, while others may be optional and subject to your consent where required by law.

Please see our Cookie Policy for more information.

18. Children and Minors

CBT Flow is intended for professional therapeutic use by therapists, clinics, organisations, and invited clients.

Where the Service is used in relation to minors or individuals requiring parental, guardian, or other legal authorisation, the relevant therapist, clinic, or organisation is responsible for ensuring that all necessary permissions, notices, and legal bases are in place.

19. Third-Party Links and Embedded Content

The Service may contain links to third-party websites, integrations, tools, or embedded content. We do not control those third-party services and are not responsible for their privacy practices, content, or security.

You should review the privacy policies and terms of any third-party service you use.

20. Complaints

If you have concerns about how we process your personal data, please contact us first at legal@cbtflow.com so that we can try to resolve the issue.

You may also have the right to lodge a complaint with your local data protection supervisory authority.

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, the law, our data practices, or operational requirements.

When we make material changes, we will take reasonable steps to notify users where appropriate, such as by:

  • posting the updated version on our website;
  • showing it within the Service; or
  • sending notice by email.

Your continued use of the Service after the updated Privacy Policy takes effect means that you acknowledge the updated policy.

22. Contact Us

If you have any questions about this Privacy Policy or our handling of personal data, please contact us at legal@cbtflow.com.

Digita1 OÜ
Registry code: 17003669
VAT: EE102745881
Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia