Who we are
ViaCara Ltd connects people in private mental health and wellbeing care with the practitioners who fit them. This notice describes how we handle data about practitioners -- distinct from the client privacy policy because the data flows and lawful bases are different.
- Company number: 17138185 (England and Wales)
- Registered office: 66 Paul Street, London, EC2A 4NA, United Kingdom
- ICO registration: ZC116531
- Data protection contact: dataprotection@viacara.com
We are the data controller for the practitioner-side data described below. Where we make introductions to clients, you remain the independent data controller for everything that flows inside the therapeutic, coaching or counselling relationship that follows.
How we discover and contact you
We add practitioners to our platform through three paths. Each path has its own legal basis.
1. You came to us directly
You signed up via /app/join, accepted an existing practitioner's referral link, or arrived from one of our paid acquisition campaigns and submitted the form. In every case the data we hold about you exists because you provided it knowingly. Legal basis: Article 6(1)(a) consent.
2. You were introduced by another practitioner
A practitioner already on the platform referred you to us. We hold your contact details because the introducing practitioner shared them with the legitimate expectation that you might want to hear from us. Legal basis: Article 6(1)(f) legitimate interest in growing a trusted practitioner network through warm referrals.
3. We discovered you on a public professional register
We curate a directory of practitioners by sourcing from publicly available professional information: professional register entries (such as the BACP, NCPS, UKCP and similar), Companies House records for registered practices, and professional networking. We use this information to decide whether your practice is a fit for the platform and to send you a single, opt-out-respecting introduction.
We perform a Companies House check before sending any cold electronic communication. We only send to practices that are registered companies (which the Privacy and Electronic Communications Regulations 2003 treat as "corporate subscribers"). Sole-trader practitioners -- whom PECR treats as individual subscribers -- are never sent unsolicited electronic marketing; we wait until you come to us instead.
Legal basis: Article 6(1)(f) legitimate interest, balanced against your rights under a documented Legitimate Interests Assessment. At this discovery and outreach stage we never process special-category data (UK GDPR Article 9) about you. That changes only if you choose to join and share something personal during onboarding, which we describe in "Your working style and lived experience" below.
What we collect and why
| Data | Purpose | Source |
|---|---|---|
| Name, professional title, town and country | Contact and routing | You, the introducing practitioner, or the public register |
| Email address | To send introductions, invitations and operational mail | You or the public register |
| Practice trading name and Companies House number (if registered) | To confirm corporate subscriber status before any cold contact | Companies House Public Data API |
| Professional register entry URL | To verify accreditation and contact you in context | Public register |
| Service type and approach | To route introductions to people you can actually help | You |
| Practice website URL (optional) | Profile pre-fill at your request | You |
| Onboarding profile data once you join | Display to clients during the introduction step | You |
| Subscription, credit balance and billing data | To run the commercial relationship | You and our payment processor |
| Introduction history (accept / decline / outcome) | To improve matching and route future fits | Generated by your platform activity |
| Outreach event log (sends, deliveries, bounces, opens, clicks, signups, unsubscribes, complaints) | Deliverability hygiene, audit trail for ICO scrutiny | Generated by our systems |
Lawful bases
| Purpose | Lawful basis |
|---|---|
| Maintaining the practitioner directory | Article 6(1)(f) legitimate interest, with the LIA on file |
| Sending you the initial introduction (corporate subscribers only) | Article 6(1)(f) legitimate interest plus PECR Reg 22 corporate-subscriber permission |
| Sending operational invitations and onboarding once you engage | Article 6(1)(a) consent (you replied or submitted) |
| Running the commercial relationship after you join | Article 6(1)(b) performance of a contract |
| Processing lived experience, disability or neurodivergence you choose to share | Article 9(2)(a) explicit consent, captured once at activation |
| Maintaining suppression and deliverability records after you opt out | Article 6(1)(c) legal obligation under PECR |
| Improving the platform | Article 6(1)(f) legitimate interest |
Your working style and lived experience
When you join, onboarding includes a short voice conversation (you can type instead) so we can understand how you actually work. From it we keep five measures of your relational style and a "voice signature" of your tone and phrasing, which we use to write each client-facing match summary in your own voice. The audio itself is processed in real time to text and not stored; only the text understanding and the derived signature are kept.
If, and only if, you choose to mention something personal you have lived through (your own grief, addiction, a health condition, neurodivergence or a disability), we treat that as special-category data under UK GDPR Article 9 and process it on the basis of your explicit consent (Article 9(2)(a)), which we ask for once when you activate your profile. The same basis covers any disability or neurodivergence you record on your profile.
We use lived experience only to connect you with clients facing something you understand first-hand. We never show clients the details: at most a client sees an anonymous note that you have personal experience of what they are going through, and only if you have opted in to that. You can review, edit or remove any of this from your dashboard at any time, and you can withdraw your Article 9 consent at any time without affecting anything we did beforehand.
Your profile photos
When you upload a headshot or an environment photo we run an automatic check on it: a quality pass (lighting, focus, whether the face is clearly visible) and a safety pass (that it is a genuine photo and shows no other identifiable people). From a headshot we also note broad, apparent details -- an approximate age range and apparent gender presentation -- for two narrow purposes: to offer to complete a profile detail you left blank, and to flag an obvious discrepancy with what you told us so a person can check it. We never infer your ethnicity, race or nationality from a photo, and we never use any of these observations to override what you have told us: your own declared details always take precedence, and anything we observe is shown to you, never applied silently. The original photo is kept in EU object storage; cropped versions for display are generated on request.
How to opt out
Every outreach email carries a one-click unsubscribe link. Clicking it writes a permanent suppression keyed on your email address -- we will not contact you again, and a future re-import from another register will see the suppression and skip you. You can also write to the data protection contact at the top of this notice and we will action your request manually. We never share suppression evidence with third parties.
Suppression is permanent unless you ask us to revoke it (for example by signing up at /app/join yourself). Revocation is recorded with evidence so the audit trail stays intact.
If you later want to leave the platform after onboarding, you can request account deletion at any time. Profile and matching data is removed; billing records are anonymised and retained for the period required by HMRC for tax purposes.
Sub-processors
We use the same set of carefully chosen service providers across the platform. The full list is in the client privacy policy -- it does not vary by audience. Core hosting and database storage are in the EU (Frankfurt). Companies House lookups go to the UK government's Public Data API. All sub-processors are engaged under written data processing agreements that meet Article 28 requirements.
Retention
| Data | Retention |
|---|---|
| Prospect rows (cold-discovered, never engaged) | Retained while the source register is still publicly listing you, deleted on a periodic sweep when the source removes you |
| Lead and active practitioner data | Retained while your account is active, deleted on request |
| Outreach event log | 24 months from the event date, then deleted |
| Suppression records | Retained indefinitely (legal obligation under PECR -- required to honour the opt-out across future re-imports) |
| Billing records | Anonymised and retained for the period required by HMRC after account closure |
Your rights
You have the same rights as any data subject under UK GDPR -- access, correction, deletion, restriction, portability, objection, and the right to withdraw consent. To exercise any of them, write to the data protection contact at the top of this notice. We respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office if you are unhappy with how we handle your data.
Changes to this notice
We update this page when our practices change. Material changes are communicated by email to active practitioners. Inactive prospects are not emailed about policy changes -- that would itself be unsolicited contact.
Last updated: May 2026
This notice is written in plain language and is periodically reviewed for accuracy.