Last Updated: 30 April 2026
Welcome to Clear Practise. We believe that privacy is not a luxury—it is a fundamental requirement for mental health professionals and their clients. This policy explains how we handle your data with surgical precision and zero tolerance for tracking.
🇬🇧 Built in the UK. 🇫🇮 Hosted in Finland.
Clear Practise is a private company registered in the United Kingdom. Our data controller is based in England & Wales. However, our entire digital infrastructure is sovereign and located exclusively in Helsinki, Finland.
This means:
- Your data never leaves the European Economic Area (EEA).
- We comply with both UK GDPR and EU GDPR, adhering to the stricter standard where they differ.
- We are not subject to the US CLOUD Act or other extraterritorial surveillance regimes.
- ICO Registration: Clear Practise is registered with the UK Information Commissioner’s Office (ICO) as a data controller. You have the right to lodge a complaint with the ICO if you believe we have mishandled your data.
1. What Data We Collect
We collect only what is strictly necessary to operate the platform. We do not track your browsing habits, sell your data, or use third-party analytics.
Website Visitors
- Server Logs: Temporary IP address, timestamp, and request details are retained for 24 hours for security monitoring (DDoS protection) and then permanently deleted. No persistent profiling occurs.
- Cookies: We use no tracking cookies. Essential session cookies (if you log in) are deleted when you close your browser.
Customers (Domain & Hosting)
- Contact Details: Name, email address, and billing address (required for invoicing and ICANN domain registration).
- Identity Verification: For hosting customers, we require government-issued ID and proof of professional status (e.g., therapist registration). This is retained securely for the duration of your contract and deleted within 90 days of termination.
- Payment Data: For cryptocurrency payments, we process transactions via non-custodial wallets. We do not store transaction IDs or link them to your identity. For card payments, we use Stripe (PCI-DSS compliant) and never store card details on our servers.
- Domain Registration Data: Per ICANN requirements, your contact details are submitted to the domain registry. We include free WHOIS privacy protection to mask this from the public.
We do NOT collect: behavioural analytics, device fingerprints, social media tracking, or data from third-party sources.
2. Legal Basis for Processing (UK GDPR)
We process your data under the following legal bases:
- Contract: To provide the services you have purchased (hosting, domain registration).
- Legal Obligation: To comply with ICANN domain registration rules and UK financial regulations.
- Legitimate Interest: For security monitoring (server logs) and fraud prevention.
- Consent: For optional communications (e.g., newsletter). You can withdraw consent at any time.
3. How We Use Your Data
Your data is used for one purpose only: to serve you.
- To respond to your inquiries.
- To provide the hosting/domain services you have purchased.
- To process payments and issue invoices.
- To maintain the security and integrity of our sovereign server.
- To verify your identity (hosting customers only, as per our Terms of Service).
4. Where Your Data Lives
All data is stored on our sovereign server in Helsinki, Finland. The infrastructure is hardened with:
- Encryption at Rest: Full disk encryption (LUKS).
- Encryption in Transit: TLS 1.3 (Let’s Encrypt).
- No Third-Party Cloud: No AWS, Google Cloud, or Azure. Just us, running on bare metal.
- Backups: Encrypted database backups are retained for 7 days and then permanently deleted. Backups are stored on the same sovereign infrastructure.
5. International Data Transfers
Most of our infrastructure is EEA-based. However, some processors operate outside the EEA:
- Stripe (Payment Processing): Stripe operates globally and may process data in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.
- Openprovider (Domain Registry): Based in the Netherlands (EEA). No international transfer required.
6. Payment Processing
We offer multiple payment options to respect your financial privacy:
- Cryptocurrency (BTC, LTC, XMR): Processed via self-hosted, non-custodial wallets. No KYC required. Transactions are peer-to-peer. Monero (XMR) is recommended for maximum transaction privacy.
- Card Payments: Processed via Stripe (PCI-DSS Level 1 compliant). We do not store card details on our servers. Stripe may retain transaction records as required by financial regulations.
6a. Payment Webhook Processing
When a payment is completed, Stripe sends an automated notification (webhook) to our secure server. This notification contains your email address, order metadata (domain name, order type), and a Stripe session ID. We use this data solely to:
- Confirm your payment was received.
- Trigger domain registration and hosting provisioning.
- Send you a welcome email with next steps.
This data is stored on our sovereign server in Finland and is not shared with any third party. We do not store your card details at any point.
7. Third Parties & Affiliate Links
We do not share your data with advertisers or data brokers. However, we do recommend tools we trust (like Proton) to help you stay secure.
Affiliate Disclosure: Some links on this site are affiliate links. If you purchase a recommended service (e.g., Proton Mail) through these links, we may earn a small commission at no extra cost to you. Crucially, we do not use tracking pixels or cookies to monitor your journey after you click. We rely on the privacy-preserving nature of the partners themselves.
8. Data Retention
We retain your data only as long as necessary:
- Server Logs: 24 hours.
- Customer Account Data: Duration of your contract + 7 years (UK tax law requirement for invoicing).
- Identity Verification Documents: Duration of your contract + 90 days, then securely deleted.
- Deleted Accounts: All personal data is purged within 30 days of account closure, except where retention is required by law.
9. Data Breach Notification
In the unlikely event of a data breach affecting your personal data, we will notify you within 72 hours as required by UK GDPR. Notifications will be sent via email to the address on file.
10. Your Rights
Under UK GDPR, you have the right to:
- Access: Request a copy of any data we hold about you.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion of your data (“Right to be Forgotten”), subject to legal retention requirements.
- Portability: Receive your data in a machine-readable format.
- Restriction: Request limitation of how we process your data.
- Objection: Object to processing based on legitimate interest.
- Complaint: Lodge a complaint with the UK Information Commissioner’s Office (ICO).
To exercise these rights, email us at enquiries@clearpractise.com. We will respond within 30 days.
11. Children’s Data
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you are under 18, please do not use our services.
12. Changes to This Policy
We may update this policy occasionally to reflect changes in law or our practices. We will notify you of significant changes via email or a banner on the site. Continued use constitutes acceptance of the new policy.
13. Contact Us
If you have questions about this policy or our sovereignty, contact us at:
Clear Practise
Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA
Registered in England & Wales
Server Location: Helsinki, Finland
Email: enquiries@clearpractise.com