Privacy Policy

Theratea ("we", "us", or "our") is a psychological counselling practice based in Johannesburg, South Africa. We are committed to protecting your personal information and your right to privacy.

This Privacy Policy explains how we collect, use, store, and share your personal information when you use our website at www.theratea.co.za and our counselling services. It is drafted in compliance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa.

By using our website, creating an account, or engaging our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms outlined here, please do not use our website or services.

We collect the following categories of personal information:

We collect personal information through the following means:

• Directly from you when you fill in forms on our website, create an account, book appointments, or communicate with us via email, phone, or WhatsApp
• Through your use of our website via cookies and similar technologies that automatically collect technical and usage data
• From third-party services such as Google when you choose to sign in using Google OAuth
• During counselling sessions through notes and records maintained as part of the therapeutic process

We process your personal information for the following purposes:

• Service delivery: to provide counselling services, manage appointments, and facilitate video sessions
• Communication: to send booking confirmations, session reminders, and respond to your enquiries
• Account management: to create and maintain your user account and authenticate your identity
• Service improvement: to analyse usage patterns and improve our website and services
• Legal compliance: to comply with HPCSA record-keeping obligations and other applicable laws
• Security: to protect our website, detect fraud, and prevent abuse

We will not process your personal information for purposes other than those described above without your consent, unless permitted or required by law.

Under POPIA, we process your personal information based on one or more of the following lawful grounds:

• Consent (Section 11(1)(a)): you have given your consent for processing, for example when submitting a contact form or creating an account
• Contract (Section 11(1)(b)): processing is necessary to fulfil our contractual obligations to you, such as providing booked counselling sessions
• Legal obligation (Section 11(1)(c)): processing is necessary to comply with legal requirements, including HPCSA regulations on record-keeping
• Legitimate interest (Section 11(1)(f)): processing is necessary for our legitimate interests, such as ensuring the security of our website and improving our services, provided this does not infringe on your rights

We do not sell, rent, or trade your personal information. We may share your information with the following third parties, solely for the purposes described in this policy:

• Daily.co: our video conferencing provider, which facilitates online counselling sessions. Your name is shared when you join a video session.
• Google: if you choose to sign in with Google OAuth, your basic Google profile information (name, email) is shared with us by Google.
• Hostinger: our web hosting provider, which stores our website data on its servers.
• Email service: transactional emails (confirmations, reminders) are sent via our hosting provider's SMTP service.

We require all third-party providers to respect the security of your personal information and treat it in accordance with applicable data protection laws. We do not transfer your personal information outside of South Africa unless adequate safeguards are in place.

We take appropriate technical and organisational measures to protect your personal information, including:

• Encryption in transit: all data transmitted between your browser and our website is encrypted using SSL/TLS (HTTPS)
• Encryption at rest: sensitive data such as session notes are encrypted at the application level before storage
• Access controls: role-based access ensures that only authorised personnel (your counsellor and platform administrators) can access your information
• Password protection: user passwords are securely hashed and never stored in plain text
• Session security: sessions expire after periods of inactivity and are protected against cross-site request forgery (CSRF)

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to implementing industry-standard protections.

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected:

• Account data: retained for as long as your account remains active. You may request deletion of your account at any time.
• Counselling records: retained in accordance with HPCSA guidelines, which require healthcare practitioners to maintain clinical records for a minimum period as prescribed by law.
• Contact form submissions: retained for up to 12 months to ensure we can follow up on your enquiry.
• Technical logs: retained for up to 90 days for security and troubleshooting purposes.

When personal information is no longer needed, it will be securely deleted or anonymised.

As a data subject under POPIA, you have the following rights:

• Right of access (Section 23): you have the right to request confirmation of whether we hold your personal information and to request a copy of it
• Right to correction (Section 24): you have the right to request that we correct or update inaccurate or incomplete personal information
• Right to deletion (Section 24): you have the right to request the deletion of your personal information, subject to any legal retention obligations
• Right to object (Section 11(3)): you have the right to object to the processing of your personal information on reasonable grounds
• Right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal
• Right to lodge a complaint: you have the right to lodge a complaint with the Information Regulator of South Africa if you believe your rights have been violated

To exercise any of these rights, please contact our Information Officer using the details provided in Section 13 below. We will respond to your request within a reasonable time, and no later than 30 days as required by POPIA.

Our website uses the following cookies, which are essential for the operation of the site:

We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track your behaviour across other websites.

Our website and online services are not directed at children under the age of 18. We do not knowingly collect personal information from children under 18 without the consent of a parent or legal guardian.

If counselling services are provided to a minor, parental or guardian consent is obtained in accordance with POPIA and HPCSA guidelines. If you believe we have inadvertently collected information from a child without appropriate consent, please contact us immediately so we can take corrective action.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Post the revised policy on our website
• Where appropriate, notify registered users via email

We encourage you to review this page periodically to stay informed about how we protect your information.

If you have any questions about this Privacy Policy, wish to exercise your rights under POPIA, or want to make a complaint about our handling of your personal information, please contact our designated Information Officer: