Effective Date: 25 March 2026 | Last Updated: 25 March 2026
Blether Health Limited (SC883133) (“Blether”, “we”, “us”) operates a cloud-based practice management platform for Allied Health Professionals at blether.health. This policy explains how we collect, use, and protect personal data in connection with the Service.
We comply with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
Address: 11 Crawfurd Gardens, Glasgow, G73 4JP
Email: privacy@blether.health
ICO Registration: ZC108185
We act in two capacities depending on the data involved:
As Data Controller: For data we collect directly from you (account details, billing, usage analytics). We decide how and why this data is processed.
As Data Processor:For Client Data you input into the Service (your clients' personal and health information). You are the data controller; we process it only on your instructions under our Data Processing Agreement.
If you are a client of a practitioner who uses Blether, your practitioner controls your data. Please direct any data requests to them in the first instance.
| Category | Data | Purpose |
|---|---|---|
| Account | Name, email, professional qualifications and registration details | Account creation and verification |
| Billing | Payment details (via our payment provider), billing address, invoices | Subscription management |
| Usage | Log-in times, feature usage, pages visited, device/browser info, IP address | Service improvement and security |
| Communications | Support emails and correspondence | Customer support |
| Cookies | See our Cookie Policy | Website functionality and analytics |
| Category | Data | Purpose |
|---|---|---|
| Client Details | Names, contact details, dates of birth, emergency contacts | Practice management on your instructions |
| Health Data (Special Category) | Session notes, assessments, treatment records, diagnoses | Clinical record-keeping on your instructions |
| Audio Recordings | Session recordings (where you use AI transcription) | Transcription and note generation |
| AI-Generated Notes | Draft clinical notes from transcriptions | Assistive note drafting for your review |
| Appointments | Scheduling and attendance records | Calendar management |
| Invoicing | Invoice records between you and your clients | Financial management |
We do not use Client Data for marketing, product development, or AI model training. We may use fully anonymised, aggregated data for service improvement.
| Activity | Lawful Basis | Detail |
|---|---|---|
| Providing the Service | Contract (Art. 6(1)(b)) | Necessary to deliver what you signed up for |
| Payment processing | Contract (Art. 6(1)(b)) | Managing your subscription |
| Security monitoring | Legitimate interests (Art. 6(1)(f)) | Protecting the Service and users |
| Service analytics | Legitimate interests (Art. 6(1)(f)) | Improving the Service |
| Marketing | Consent (Art. 6(1)(a)) | Only with your opt-in |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Tax, accounting, regulatory requirements |
You determine the lawful basis for processing your clients' data, including the Article 9 condition for health data. We process Client Data solely on your instructions under our Data Processing Agreement.
The Service uses third-party AI providers for two purposes:
Transcription: Session audio is sent securely to a third-party speech-to-text provider, transcribed, and returned. Audio is not retained beyond the time needed to complete transcription.
Note Generation: Transcribed text is sent to a third-party large language model provider to produce draft clinical notes. Input text is not used to train the model and is not retained beyond processing.
No automated decision-making under Article 22 of the UK GDPR takes place. All AI output is a draft for your professional review.
Our current AI sub-processors are listed in our Sub-Processor Register, available on request at privacy@blether.health.
We share personal data only with sub-processors who deliver parts of the Service, under data processing agreements requiring them to act only on our instructions. A current list is maintained in our Sub-Processor Register. We notify Users in advance of sub-processor changes.
We may also disclose data where required by law or court order, or to protect the rights and safety of Blether, our users, or others.
We do not sell personal data. We do not share data with third parties for their marketing purposes.
Where data is transferred outside the UK, we use appropriate safeguards under the UK GDPR, including adequacy decisions, the UK International Data Transfer Agreement, or UK Addendum to EU Standard Contractual Clauses. Details are available on request at privacy@blether.health.
| Data | Retention | Reason |
|---|---|---|
| Account data | Account duration + 90 days | Service provision and export period |
| Billing records | 7 years | HMRC requirements |
| Client Data | Account duration + 90 days | On your instructions; you control retention |
| Audio (transcription) | Deleted on completion | Data minimisation |
| Usage/analytics | 36 months | Service improvement |
| Support emails | 3 years from resolution | Quality and dispute resolution |
You are responsible for your own Client Data retention requirements under your professional body's guidance.
Under the UK GDPR, you may:
Contact privacy@blether.health to exercise any right. We respond within one month (extendable by two months for complex requests).
You may also complain to the ICO at ico.org.uk or 0303 123 1113.
We protect personal data with appropriate technical and organisational measures, including encryption in transit and at rest, access controls, regular security testing, and breach notification procedures under Articles 33–34 of the UK GDPR. No system is completely secure, and we cannot guarantee absolute security.
The Service is for professional practitioners and is not directed at children. We do not knowingly collect data from children under 13. Where you process minors' data through the Service, you are responsible for ensuring appropriate safeguards and lawful bases.
We may update this policy from time to time. Material changes will be notified at least 30 days in advance. The “Last Updated” date above indicates the most recent revision.
Email: privacy@blether.health
Post: 11 Crawfurd Gardens, Glasgow, G73 4JP
ICO: ico.org.uk | 0303 123 1113