This article explains how Practice Better complies with UK and EU GDPR requirements and answers common questions about data protection, international transfers, security measures, and your responsibilities as a practitioner managing client data.
In this article:
- Understanding GDPR and Practice Better's Role
- Data Storage and Infrastructure
- UK GDPR Compliance
- International Data Transfers
- Security and Technical Measures
- Data Breach Notification
- Your Clients' Data Rights
- Your Responsibilities as a Practitioner
- UK GDPR Addendum (2026)
- Keeping Up with Changes
- Additional Resources
Understanding GDPR and Practice Better's Role
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that strengthens the protection of personal data in light of rapid technological developments and complex international data flows. Both the UK GDPR and EU GDPR require organizations to implement appropriate safeguards when collecting, storing, and processing personal data.
Q: What is Practice Better's role under GDPR?
A: Practice Better acts as a data processor on your behalf, while you (the practitioner) remain the data controller. This means you determine why and how your clients' personal data is processed, and Practice Better processes that data according to your instructions. This controller-processor relationship is governed by Practice Better's GDPR Data Processing Agreement, which you can access through your account settings.
Q: Does Practice Better comply with both UK GDPR and EU GDPR?
A: Yes. Practice Better's compliance framework is designed to align with both UK GDPR and EU GDPR requirements. The provisions of the EU GDPR have been incorporated into UK law as the UK GDPR, and in practice, the core data protection principles, rights, and obligations remain largely unchanged between the two regulations.
Note: Following Brexit, organizations operating in the UK are subject to UK GDPR and the Data Protection Act 2018. If you serve clients in both the UK and EU, you should be aware that while the regulations are closely aligned, they are enforced by separate authorities.
Data Storage and Infrastructure
Q: Where is my client data stored?
A: Practice Better stores data in North American data centers operated by Amazon Web Services (AWS) and Box.com, located in the United States and Canada. This includes both primary storage and backups.
Q: Does Practice Better own and operate its own servers?
A: No. Practice Better uses cloud infrastructure provided by third-party services including Amazon Web Services (AWS) and Box Inc. for data storage and processing. These third-party services are HIPAA-compliant and SOC 2 Type II certified, ensuring secure handling of healthcare data.
Q: Are these data centers secure?
A: Yes. AWS data centers are ISO 27001-certified and maintain SOC 2 Type II certification. Both AWS and Box.com implement industry-leading security standards, including encryption, multi-factor authentication, and various compliance certifications specifically designed for handling sensitive healthcare information.
UK GDPR Compliance
Q: I'm a UK practitioner. Does Practice Better specifically comply with UK GDPR requirements?
A: Yes. Practice Better processes special category health data in accordance with UK GDPR Article 9 and acts as a data processor on behalf of you as the data controller. The controller-processor relationship is governed by Practice Better's GDPR Data Processor Agreement.
Q: If I have clients in both the UK and EU, do I need separate consent mechanisms?
A: No, you generally don't need separate consent mechanisms. The UK GDPR and EU GDPR share the same core principles regarding consent, data protection, and processing. Since Practice Better's compliance framework aligns with both regulations, you can use a single consent mechanism that meets the stricter requirements of both. However, we recommend consulting with your own legal advisor to ensure your Privacy Notice meets the specific requirements for your practice.
International Data Transfers
Q: How does Practice Better handle international data transfers?
A: Practice Better maintains appropriate safeguards for international data transfers under both UK and EU GDPR. Transfers are governed by our Data Processing Agreement with technical safeguards, including encryption in transit and at rest, access controls, and contractual protections with all sub-processors. We continue to review and update our data transfer mechanisms to ensure alignment with current UK and EU requirements.
Q: What should I tell my clients about where their data is stored?
A: You can inform your clients that their data is stored in North American data centers operated by Amazon Web Services (AWS) and Box.com in the United States and Canada, and that international transfers are subject to appropriate safeguards under UK GDPR. For UK practitioners, we recommend including the following in your Privacy Notice:
- That you use Practice Better (operated by Green Patch Inc.) as a data processor for client records.
- That client data is stored in North American data centers operated by Amazon Web Services (AWS) and Box.com in the United States and Canada.
- International transfers are subject to appropriate safeguards under GDPR as outlined in Practice Better's Data Processing Agreement.
- A reference to Practice Better's sub-processor list: https://trust.practicebetter.io/subprocessors
We recommend consulting with your own legal advisor to ensure your Privacy Notice meets UK ICO or EU requirements specific to your practice.
Note: GDPR applies based on where your client is physically located at the time of data processing, not their citizenship. If your client is a UK/EU citizen living abroad, UK/EU GDPR protections would not apply to that processing.
Security and Technical Measures
Q: What security measures does Practice Better use to protect client data?
A: Practice Better implements comprehensive technical and organizational measures to protect special category health data, including:
- Encryption at rest and in transit using industry-standard protocols (TLS for data in transit, AES-256 for data at rest).
- Access controls with role-based permissions and principle of least privilege.
- SOC 2 Type II certification (via AWS).
- ISO 27001-certified data centers (via AWS).
- Regular backups and continuous monitoring.
- Staff subject to confidentiality agreements and data protection training.
- Audit logging of access to client records.
For comprehensive information about Practice Better's security measures, please visit:
- Understanding Security and Privacy in Practice Better →
- Privacy & Security FAQ →
- Trust Center: https://trust.practicebetter.io/
Q: Who are Practice Better's sub-processors and where are they located?
A: Practice Better maintains GDPR Data Processing Agreements with all sub-processors that store or process client data. Our complete list of sub-processors, including cloud infrastructure providers (AWS), communication services, analytics, and payment processing vendors, is available at https://trust.practicebetter.io/subprocessors.
Sub-processors are contractually bound to the same data protection obligations as Practice Better and are held accountable under our Data Processing Agreement. We also maintain HIPAA Business Associate Agreements with relevant vendors for US healthcare compliance.
Data Breach Notification
Q: What happens if Practice Better experiences a data breach?
A: Practice Better will provide notice of any breaches of security or privacy to affected parties via email within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
The notification will include:
- The nature of the breach, including categories of data affected.
- The name and contact details of the data protection officer or other contact point.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its possible adverse effects.
Q: What are my responsibilities if Practice Better notifies me of a breach?
A: As the data controller for your practice, you would be responsible for assessing whether you need to notify your clients and the relevant Data Protection Authority based on the severity and nature of the breach. You must notify the appropriate Data Protection Authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms.
Your Clients' Data Rights
Q: Can I export all my client data if I need to switch platforms or if a client requests their data?
A: Yes. Under GDPR Article 20 (Right to Data Portability), both you and your clients have the right to receive personal data in a structured, commonly used, and machine-readable format. Practice Better provides data export functionality that allows you to export client records.
When your clients request their data from you, you're responsible for providing it to them in an accessible format. You can use Practice Better's export features to fulfill these requests efficiently.
Q: How long does Practice Better retain client data after I delete a client record?
A: When you delete a client record from Practice Better, the data is removed from active systems immediately. However, data may remain in backup systems for up to 30 days until those backups are overwritten as part of Practice Better's standard backup retention schedule.
This backup retention is necessary for disaster recovery purposes. The data in backups is put "beyond use," meaning Practice Better won't access or process it for any purpose during this period. This approach aligns with guidance from the UK Information Commissioner's Office (ICO).
Learn more about deleting client records →
Q: If a client withdraws consent, am I required to delete their data immediately?
A: The right to erasure is not absolute. Even when a client withdraws consent, you may be required or permitted to retain their data if you have another legal basis for processing, such as:
- Compliance with legal or regulatory obligations (e.g., tax records, healthcare recordkeeping requirements).
- Establishment, exercise, or defense of legal claims.
- Public interest or health purposes as defined in UK/EU law.
You must delete the data "without undue delay" (typically within one month) unless one of these exemptions applies. When exemptions apply, clearly communicate to the client why you're retaining their data and for how long.
Learn more about Allowing Clients to Delete Their Accounts →
Important: Consult with your legal advisor to understand your specific retention obligations based on your profession and jurisdiction. Some healthcare professionals have mandatory minimum retention periods that override the right to erasure.
Your Responsibilities as a Practitioner
As a data controller, you have specific responsibilities under GDPR. Practice Better provides the tools and infrastructure to help you meet these obligations, but ultimately, you are responsible for how you collect, use, and manage your clients' personal data.
Obtaining Consent
Q: How do I obtain proper consent from my clients?
A: You must obtain affirmative consent BEFORE clients' data is collected, because the moment their information is submitted, their data has already been collected.
If you're working with clients in the UK or EU, you must include either:
- A consent form on your Bookings Page requiring clients to provide consent to store their information in Practice Better and other services you use to manage client data. Learn more →
- Terms & Conditions for clients to accept before purchasing services/packages/programs from your Bookings Page or widget. Learn more →
Even if you're not targeting UK/EU clients, we strongly recommend collecting consent at the time of booking in case an EU resident discovers your website and requests a session with you.
Client Portal Access
We strongly recommend obtaining a signed waiver from UK/EU subjects before storing client data in Practice Better. Practice Better allows you to send forms and waivers to clients before granting them access to the Client Portal, ensuring you collect proper consent before processing their personal data.
Privacy Notices
Your Privacy Notice should clearly explain how you collect, use, and protect client data. For UK practitioners, we recommend including:
- That you use Practice Better (operated by Green Patch Inc.) as a data processor for client records.
- That client data is stored in North American data centers operated by Amazon Web Services (AWS) and Box.com in the United States and Canada.
- That international transfers are subject to appropriate safeguards under GDPR as outlined in Practice Better's Data Processing Agreement.
- A reference to Practice Better's sub-processor list: https://trust.practicebetter.io/subprocessors
Explore Practice Better's library of Form Templates you can use and adapt for your Privacy Policy.
Withdrawing Consent & Client Rights
Provide your clients with clear instructions on how they can withdraw consent and have their data removed from Practice Better. As a practitioner, you can remove client data from our system at any time using the Delete Client Record option in your account.
Learn more about deleting client records →
Provide clients with a means to withdraw consent, either by email, phone, or secure communication within Practice Better through Secure Messaging.
Learn more about Allowing Clients to Delete Their Accounts →
Note: When a client withdraws consent, you should make them aware that data may remain in backups for up to 30 days before being permanently deleted.
Marketing and Communications
Practice Better may occasionally send you emails which include promotions and announcements of new features and updates. These emails are only sent to you, the practitioner, and are never sent to your clients. You can always unsubscribe or update your email choices by using the Unsubscribe and Manage Preferences links at the bottom of these emails.
Practice Better sends transactional email, text (SMS), and push notifications on your behalf. Examples include new protocols and forms to complete, invoices and receipts, and reminders for upcoming sessions. Practice Better does not send your clients any communication regarding promotions or special offers for products and services associated with Practice Better or otherwise.
If you plan on using client contact information to promote or sell products and services, clearly state this by using disclaimers on your Bookings Pages or waivers, both of which can be delivered using Practice Better.
UK GDPR Addendum (2026)
Practice Better is updating its EU Data Processing Agreement to include a UK GDPR Addendum. This addendum provides UK-specific data protection commitments required under UK GDPR law, ensuring practitioners serving clients in the United Kingdom have a compliant agreement in place.
Q: Why is Practice Better adding a UK GDPR Addendum?
A: Following Brexit, the United Kingdom operates under its own data protection framework: UK GDPR and the Data Protection Act 2018. While the UK GDPR closely mirrors the EU GDPR, UK practitioners require UK-specific contractual commitments from their data processors. The addendum formalizes those commitments within Practice Better's existing Data Processing Agreement.
Q: Do I need to do anything?
A: It depends on whether you have previously signed the EU Data Processing Agreement.
- If you have previously signed the EU Processing Agreement: You'll receive an in-app notification asking you to review and countersign the updated agreement, which now includes the UK GDPR Addendum. Select Review & Sign Amendment in the notification and countersign to ensure your agreement reflects current practices. You can access the agreement at any time by navigating to Settings (gear icon) > All Settings & Preferences > Regulatory Compliance.
- If you have not previously signed the EU Processing Agreement: No immediate action is required. The updated agreement, which includes the UK GDPR Addendum, will be available in your account settings if and when you need to sign it.
Q: What happened to my previously signed EU Processing Agreement?
A: When the updated agreement is published, the previous version will be archived and will no longer be accessible in-app. If you require a copy of the previously signed version, please contact us at help@practicebetter.io from the email address associated with your Practice Better account.
Keeping Up with Changes
Q: How will I know if Practice Better's data processing practices change?
A: Practice Better maintains current information about sub-processors and data processing locations on the Trust Center at https://trust.practicebetter.io/subprocessors. Any material changes to data processing practices or locations that would impact GDPR compliance will be communicated to practitioners.
You should regularly review the Trust Center for updates. Additionally, Practice Better's Data Processing Agreement includes provisions requiring notification of changes to sub-processors.
Q: Where can I find Practice Better's Data Processing Agreement?
A: The GDPR-compliant Data Processing Agreement is available for practitioners on paid plans through your account settings. The DPA covers the processing of special category health data and references international data transfers.
Learn more about signing regulatory compliance agreements →
Tip: If you're evaluating Practice Better and would like to review the DPA before signing up, contact our support team and we can arrange to share a copy directly.
Additional Resources
For more detailed guidance on implementing GDPR compliance in your practice:
- Understanding GDPR Obligations for Your Practice →
- Understanding Security and Privacy in Practice Better →
- Privacy & Security FAQ →
- Deleting a Client Record →
- Allowing Clients to Delete Their Accounts →
- Signing Regulatory Compliance Agreements →
- Requiring Forms During the Booking Process →
- Require Clients to Accept Terms & Conditions Before Booking →
External Resources:
- Practice Better Trust Center: https://trust.practicebetter.io/
- UK Information Commissioner's Office (ICO): https://ico.org.uk/for-organisations/data-protection-and-the-eu/
- European Commission Data Protection: https://commission.europa.eu/law/law-topic/data-protection_en
- Standard Contractual Clauses: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
Please note: Practice Better is providing this information only as a courtesy, and this does not constitute the provision of legal advice. We recommend consulting with your own legal advisor to ensure your data protection practices meet all applicable requirements for your specific jurisdiction and profession.
Practice Better takes data protection seriously and continuously works to maintain the highest standards of security and compliance. If you have additional questions about GDPR compliance or data protection, please don't hesitate to reach out to our support team.