Effective Date: 25 March 2026 | Last Updated: 1 May 2026

Privacy Policy

1. About Us

Blether Health Limited (SC883133) (“Blether”, “we”, “us”) operates a cloud-based practice management platform for Allied Health Professionals at blether.health. This policy explains how we collect, use, and protect personal data in connection with the Service.

We comply with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).

Address: 11 Crawfurd Gardens, Glasgow, G73 4JP
Email: privacy@blether.health
ICO Registration: ZC108185

2. Our Role

We act in two capacities depending on the data involved:

As Data Controller: For data we collect directly from you (account details, billing, usage analytics). We decide how and why this data is processed.

As Data Processor: For Client Data you input into the Service (your clients' personal and health information). You are the data controller; we process it only on your instructions under our Data Processing Agreement.

If you are a client of a practitioner who uses Blether, your practitioner controls your data. Please direct any data requests to them in the first instance.

3. What We Collect

3.1 From Users (as Controller)

Category | Data | Purpose
Account | Name, email, professional qualifications and registration details | Account creation and verification
Billing | Payment details (via our payment provider), billing address, invoices | Subscription management
Usage | Log-in times, feature usage, pages visited, device/browser info, IP address | Service improvement and security
Communications | Support emails and correspondence | Customer support
Cookies | See our Cookie Policy | Website functionality and analytics

3.2 Client Data (as Processor)

Category | Data | Purpose
Client Details | Names, contact details, dates of birth, emergency contacts | Practice management on your instructions
Health Data (Special Category) | Session notes, assessments, treatment records, diagnoses | Clinical record-keeping on your instructions
Audio Recordings | Session recordings (where you use AI transcription) | Transcription and note generation
AI-Generated Notes | Draft clinical notes from transcriptions | Assistive note drafting for your review
Appointments | Scheduling and attendance records | Calendar management
Invoicing | Invoice records between you and your clients | Financial management

We do not use Client Data for marketing, product development, or AI model training. We may use fully anonymised, aggregated data for service improvement.

4. Lawful Basis for Processing

4.1 User Data (Controller)

Activity | Lawful Basis | Detail
Providing the Service | Contract (Art. 6(1)(b)) | Necessary to deliver what you signed up for
Payment processing | Contract (Art. 6(1)(b)) | Managing your subscription
Security monitoring | Legitimate interests (Art. 6(1)(f)) | Protecting the Service and users
Service analytics | Legitimate interests (Art. 6(1)(f)) | Improving the Service
Marketing | Consent (Art. 6(1)(a)) | Only with your opt-in
Legal compliance | Legal obligation (Art. 6(1)(c)) | Tax, accounting, regulatory requirements

4.2 Client Data (Processor)

You determine the lawful basis for processing your clients' data, including the Article 9 condition for health data. We process Client Data solely on your instructions under our Data Processing Agreement.

5. AI Processing

The Service uses third-party AI providers for two purposes:

Transcription: Session audio is sent securely to a third-party speech-to-text provider, transcribed, and returned. Audio is not retained beyond the time needed to complete transcription.

Note Generation: Transcribed text is sent to a third-party large language model provider to produce draft clinical notes. Input text is not used to train the model and is not retained beyond processing.

No automated decision-making under Article 22 of the UK GDPR takes place. All AI output is a draft for your professional review.

Our current AI sub-processors are listed in our Sub-Processor Register, available on request at privacy@blether.health.

6. Google Calendar Integration

If you choose to connect your Google account, Blether requests the following Google API scopes:

  • calendar.events: read and write events on your selected Google Calendar.
  • calendar.readonly: read your list of calendars so you can pick which one to sync.
  • openid and email: read your Google account email address to confirm which account you have connected.

We use your Google Calendar data to:

  • Create, update, and cancel calendar events that correspond to sessions you schedule in Blether.
  • Generate Google Meet links for online sessions and attach them to the events we create.
  • Read events on your selected calendar so we can display them as ghost blocks for conflict awareness when you schedule new sessions.
  • Read attendee response status (accepted, declined, tentative) so we can show client RSVPs in Blether.

Your Google Calendar data is used solely to deliver the calendar sync features described above, in line with the Google API Services User Data Policy, including the Limited Use requirements:

  • We do not use Google Calendar data for advertising of any kind, including targeted advertising or remarketing.
  • We do not transfer or sell Google Calendar data to third parties for advertising, marketing, market research, sales lead generation, or similar purposes.
  • We do not transfer Google Calendar data to any third party except where necessary to provide or improve the user-facing features of Blether (i.e. to our infrastructure sub-processors operating on our behalf under data processing agreements), or where required by applicable law.
  • We do not allow humans to read Google Calendar data except (a) with your explicit prior consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised and is used for internal operations.
  • We do not use or transfer Google Calendar data to develop, improve, or train generalised or non-personalised AI or machine learning models.

Refresh tokens are encrypted at rest using AES-256-GCM. Access tokens are short-lived and refreshed on demand. We never store the contents of events that we did not ourselves create, beyond the minimum required for conflict display (event start, end, and an optional title that you can hide from a settings toggle).

You can disconnect your Google account at any time from Settings › Integrations. On disconnect we revoke the refresh token at Google and remove our stored credentials. Previously created calendar events are not removed automatically; you can delete them from your Google Calendar manually.

Blether's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

7. Data Sharing

We share personal data only with sub-processors who deliver parts of the Service, under data processing agreements requiring them to act only on our instructions. A current list is maintained in our Sub-Processor Register. We notify Users in advance of sub-processor changes.

We may also disclose data where required by law or court order, or to protect the rights and safety of Blether, our users, or others.

We do not sell personal data. We do not share data with third parties for their marketing purposes.

8. International Transfers

Where data is transferred outside the UK, we use appropriate safeguards under the UK GDPR, including adequacy decisions, the UK International Data Transfer Agreement, or UK Addendum to EU Standard Contractual Clauses. Details are available on request at privacy@blether.health.

9. Data Retention

Data | Retention | Reason
Account data | Account duration + 90 days | Service provision and export period
Billing records | 7 years | HMRC requirements
Client Data | Account duration + 90 days | On your instructions; you control retention
Audio (transcription) | Deleted on completion | Data minimisation
Usage/analytics | 36 months | Service improvement
Support emails | 3 years from resolution | Quality and dispute resolution

You are responsible for your own Client Data retention requirements under your professional body's guidance.

10. Your Rights

Under the UK GDPR, you may:

  • Access a copy of your data (Art. 15)
  • Correct inaccurate data (Art. 16)
  • Request erasure in certain circumstances (Art. 17)
  • Restrict processing (Art. 18)
  • Request data portability (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)
  • Withdraw consent at any time, without affecting prior processing

Contact privacy@blether.health to exercise any right. We respond within one month (extendable by two months for complex requests).

You may also complain to the ICO at ico.org.uk or 0303 123 1113.

11. Security

We protect personal data with appropriate technical and organisational measures, including encryption in transit and at rest, access controls, regular security testing, and breach notification procedures under Articles 33–34 of the UK GDPR. No system is completely secure, and we cannot guarantee absolute security.

12. Children's Data

The Service is for professional practitioners and is not directed at children. We do not knowingly collect data from children under 13. Where you process minors' data through the Service, you are responsible for ensuring appropriate safeguards and lawful bases.

13. Changes

We may update this policy from time to time. Material changes will be notified at least 30 days in advance. The “Last Updated” date above indicates the most recent revision.

14. Contact

Email: privacy@blether.health

Post: 11 Crawfurd Gardens, Glasgow, G73 4JP

ICO: ico.org.uk | 0303 123 1113