SupervisiaSign in
Legal

Privacy Policy

Last updated: 25 May 2026

Note: This document was last reviewed by Supervisia’s team. We recommend users seek independent legal advice regarding their specific obligations. This is not legal advice.

Supervisia (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, who we share it with, and what rights you have. It applies to your use of the Supervisia platform at supervisia.ai and related services.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Supervisia is operated by Supervisia Ltd, a private limited company registered in England and Wales (Company No. 17018774), with registered office at 167-169 Great Portland Street, 5th Floor, London, W1W 5PF. ICO registration: [ICO_REF_PLACEHOLDER].

For the purposes of UK GDPR, Supervisia Ltd is the data controller for personal data we collect about you as a user of the Service. When you upload clinical content about third parties (for example, discussions of supervisees’ clients), Supervisia Ltd acts as a data processor on your behalf.

Contact for privacy matters: hello@supervisia.ai

2. What Data We Collect

We collect the following categories of personal data:

Account data

Name, email address and authentication identifiers, provided through our authentication partner Clerk when you sign up.

Supervision records

Information you enter to log supervision activity, including session dates and durations, supervision methods, modality, attendees, written notes, action points and metadata.

Audio recordings

When you choose to record supervision sessions, the audio file is stored in Supabase in our London (eu-west-2) region. Recording is always opt-in and initiated by you.

Transcriptions

Text transcripts generated by OpenAI’s Whisper service from your audio recordings. Transcripts are stored against the corresponding supervision record in our database.

Usage data

Information about how you interact with the Service, such as feature usage, session counts, voice practice minutes consumed, log-in timestamps and device/browser metadata used for security and service quality.

Payment data

When you subscribe to a paid tier, payments are processed by Stripe. We receive billing metadata (subscription status, plan, last 4 digits of card and country) but we do not store full card numbers or payment credentials.

Communications

Records of correspondence (e.g. support emails sent to hello@supervisia.ai) and your preferences for receiving service emails.

3. How We Use Your Data

We use your personal data to:

  • Deliver the service — provide supervision records, hours tracking, exports, and the broader training and supervision platform.
  • Process AI features — including transcription of audio recordings, report generation, form-fill from transcripts, voice practice drills and competency analysis.
  • Manage billing and accounts — via Stripe and Clerk, including sending invoices and renewal notices.
  • Secure the service — detecting abuse, fraud and breaches of our Terms.
  • Improve the service — using anonymised and aggregated data only. We do not use your supervision content to train third-party AI models.
  • Communicate with you — about service updates, security notices and (where you have consented) product news.

4. Legal Basis for Processing

Under UK GDPR, we rely on the following legal bases:

  • Contract performance (Article 6(1)(b)) — processing necessary to deliver the services you have subscribed to, including hosting your records, generating exports and handling billing.
  • Legitimate interests (Article 6(1)(f)) — for service security, fraud prevention, abuse detection, and improving the platform using aggregated non-identifying data. We balance these interests against your rights and freedoms.
  • Consent (Article 6(1)(a)) — for optional features such as AI-generated analysis of your content, voluntary marketing communications, and any optional cookies. You can withdraw consent at any time from your account settings.
  • Legal obligation (Article 6(1)(c)) — where we are required to retain certain information (e.g. financial records) by law.

Special category data (UK GDPR Article 9)

Where supervision content includes special category data (information about health, including mental health), we rely on Article 9(2)(h) of the UK GDPR — processing necessary for the provision of health or social care services — together with Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018. Processing is carried out under conditions of confidentiality consistent with professional clinical obligations.

5. Third Party Processors

We use the following sub-processors to deliver the Service. We have appropriate contracts in place with each (including, where applicable, UK GDPR-compliant data processing agreements and Standard Contractual Clauses for international transfers):

ProcessorPurposeLocationPrivacy policy
AnthropicAI features (Claude) — report writing, summarisation, form-fillUSAanthropic.com/privacy
OpenAITranscription (Whisper) and AI features (GPT)USAopenai.com/privacy
ElevenLabsVoice synthesis for AI client practice sessionsUSAelevenlabs.io/privacy
SupabaseDatabase and audio file storageEU / UK (London, eu-west-2)supabase.com/privacy
ClerkAuthentication and account managementUSAclerk.com/privacy
StripePayment processingUSA / UKstripe.com/privacy

Audio recordings and supervision records are stored in our Supabase project hosted in the London (eu-west-2) region. Audio is processed by OpenAI for transcription. AI-generated content (reports, summaries, drills) is produced by Anthropic, OpenAI and ElevenLabs as described above. Our agreements with these providers prohibit them from using your content to train their general-purpose models.

Data Protection Impact Assessment (DPIA)

Given the use of AI processing on supervision content that may contain special category data, we have carried out a Data Protection Impact Assessment under UK GDPR Article 35. A summary of our DPIA is available on request by emailing hello@supervisia.ai.

6. Clinical Data

Supervision content held within Supervisia (notes, recordings, transcripts) may include sensitive information about third parties — in particular, the clients of supervisees being discussed during supervision.

When you upload such content, Supervisia acts as a data processor carrying out your instructions. You, as the supervisor or practitioner uploading the content, are the data controller for any third-party data within it.

You agree that:

  • You will not include directly identifiable client information (full names, dates of birth, NHS numbers, addresses or other unique identifiers) in any content uploaded to Supervisia. Use initials, pseudonyms or codes.
  • You will obtain all appropriate consents from supervisees and, where relevant, their clients, before recording or transcribing supervision content.
  • You will comply with your own professional and legal obligations around confidentiality and data protection.

Where supervision content includes discussion of clients who are under 18, you remain responsible for ensuring appropriate safeguards are in place and that any data handling complies with UK GDPR’s enhanced protections for children’s data (including, where applicable, parental or guardian consent obligations under your professional and regulatory context).

7. Data Retention

We retain personal data only as long as necessary:

  • Account data and supervision records: kept for the duration of your subscription. Following cancellation, we retain your data for 90 days to allow account recovery and export, after which it is deleted (subject to legal retention obligations).
  • Audio recordings: retained for 12 months from the date of recording and then deleted automatically, unless you extend retention from your account settings or your subscription tier specifies a different period.
  • Transcriptions: retained with their associated supervision record for the duration of your account.
  • Billing records: retained for at least 7 years in line with UK financial record-keeping requirements.
  • Support correspondence: retained for up to 3 years.

8. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate or incomplete personal data.
  • Right to erasure — you can ask us to delete your personal data, subject to legal retention obligations.
  • Right to data portability — you can request an export of your data in a structured, commonly used, machine-readable format.
  • Right to restriction of processing — you can ask us to limit how we use your data in certain circumstances.
  • Right to object — you can object to processing based on our legitimate interests.
  • Rights relating to automated decision-making — AI-generated competency scores, CTS-R ratings, draft reports and feedback are advisory drafts that require human review by you before any reliance, accreditation submission, or formal record creation. These do not constitute solely automated decisions under UK GDPR Article 22.

To exercise any of these rights, email hello@supervisia.ai. We will respond within one month of receiving a valid request.

9. Data Breaches

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you without undue delay and provide guidance on protective steps you can take.

We maintain internal logs of all incidents and near-misses, and regularly review our incident-response procedures.

10. International Transfers

Some of our sub-processors (notably Anthropic, OpenAI, ElevenLabs, Clerk and Stripe) are based in the United States. Where personal data is transferred outside the UK, we ensure that an appropriate safeguard is in place, including:

  • The UK’s adequacy decisions, where applicable.
  • UK International Data Transfer Agreements or the UK Addendum to EU Standard Contractual Clauses.
  • Supplementary technical and organisational measures (encryption in transit and at rest, access controls and contractual restrictions on the use of your data).

Audio recordings and primary database records are stored in the UK (London, eu-west-2). Transcription and AI processing are performed by US-based providers under the safeguards described above.

11. Cookies

We use a minimal number of cookies and similar technologies:

  • Essential / authentication cookies — required to keep you signed in, set by our authentication provider Clerk. These cannot be disabled without breaking the Service.
  • Functional cookies — to remember your in-app preferences (such as UI mode).
  • Analytics — where used, anonymised, aggregated usage analytics to help us improve the Service. Where required, we will ask for your consent before setting non-essential analytics cookies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will give you reasonable advance notice by email and update the “Last updated” date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

13. Contact and Complaints

If you have questions or concerns about this Privacy Policy or how we handle your data, please contact us at hello@supervisia.ai. We will do our best to resolve any issue you raise.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please do reach out to us first.

Last updated: 25 May 2026