Who we are
ViaCara Ltd is a referral platform that connects people with therapists, counsellors, coaches and hypnotherapists across Europe.
- Company number: 17138185 (England and Wales)
- ICO registration: ZC116531
- Registered office: 66 Paul Street, London, EC2A 4NA, United Kingdom
- Data protection contact: dataprotection@viacara.com
We are the data controller for the personal data described in this policy.
Which laws apply
ViaCara is a UK-based service and we process personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Where we serve clients located in the European Union or the European Economic Area, we also process their personal data in accordance with the EU General Data Protection Regulation (EU GDPR, Regulation 2016/679). Your rights under EU GDPR mirror those set out below.
The UK holds an adequacy decision from the European Commission (valid until December 2031), meaning personal data flows freely between the UK and the EU without additional safeguards.
Storing information on your device, or reading information already stored there, is governed by the Privacy and Electronic Communications Regulations 2003 (PECR), enforced in the UK by the Information Commissioner's Office. PECR Regulation 6 applies to all browser storage, not only cookies. We rely on the strict-necessity exemption under Regulation 6 for the only thing we store on your device: your theme preference, written when you choose light or dark mode.
EU representative
When we actively serve clients in the EU or EEA, we will appoint a representative under Article 27 of the EU GDPR. Their contact details will be published here. In the meantime, EU and EEA residents can contact us directly at dataprotection@viacara.com.
What we collect and why
When you have a conversation with us
- What you share -- the content of your conversation (text or voice). We use this to understand your needs and find the right professional for you
- Voice data -- if you choose to speak with us, your audio is processed in real time by our speech-to-text service. Raw audio is not stored after the conversation ends. Only the text understanding is retained
- Extracted preferences -- communication style, service type, practical requirements (such as availability, location and language), and optional preferences you express about the practitioner themselves (such as gender, sexuality, age bracket, language, ethnicity, faith, neurodivergence, or physical disability). You can decline to give any of these. Preferences guide our recommendations rather than exclude people outright. Retained while your account is active
- Context about you that you choose to share -- when you disclose things about yourself, we keep what you asked for separate from what you disclosed, so you remain in control of how it is used. We will not use disclosed context to infer unstated preferences without surfacing what we've inferred to you first
When you create an account
- Email address -- to send you your recommendations and keep you updated. We do not share this with professionals until you choose to connect
- Name -- if you provide one. Optional
When you browse our site
- Browser context at the moment you start talking to us -- when you begin a conversation, we also receive a snapshot of your preferred language, approximate time of day, device type (mobile, tablet or desktop) and the referring page. This helps us make the conversation feel relevant: we can start in your language, suggest times that fit your day, and not ask questions the context already answers. None of this is sent to us unless you start a conversation, and it is treated as triage data under the retention rules below
- Marketing campaign parameters (UTM) -- if you arrived from a link that contains
utm_source,utm_medium,utm_campaign,utm_termorutm_content, we capture those values so we can see which content is actually helping people find support. We use this for our own tuning decisions, nothing more. These values are also only sent when you start a conversation and follow the same retention rules - Analytics -- we use a privacy-focused, cookieless analytics service that collects no personal data and is fully GDPR compliant
What we do not collect
- We do not buy data from third parties
- We do not use cookies of any kind, tracking or otherwise
- We do not use your data for advertising. UTM parameters we capture are used for our own tuning decisions (understanding which pages help people find support); we do not build advertising profiles from them, and we do not share them with ad networks
- We do not sell or share your data with anyone beyond what is needed to provide the service
Practitioners -- see the dedicated privacy notice
If you are a practitioner, this client policy does not cover the data flows that apply to you (waitlist signup, public-register discovery, profile import, billing, matching introductions). Those are documented separately in our practitioner privacy notice, alongside the practitioner terms of service.
Legal basis
| Purpose | Legal basis |
|---|---|
| Providing recommendations | Article 6(1)(b) -- performance of a contract |
| Processing health-related information | Article 9(2)(a) -- explicit consent |
| Improving the service | Article 6(1)(f) -- legitimate interests |
| Sending service updates | Article 6(1)(b) -- performance of a contract |
Who processes your data
We use a small number of carefully selected service providers to operate the platform. All core infrastructure is hosted in the European Union.
| Category | Purpose | Data residency |
|---|---|---|
| Content delivery and security | Serves pages, protects against attacks, manages DNS | Global network (request metadata only) |
| WebRTC relay | Relays voice connections when direct peer-to-peer fails. Sees your IP address and connection metadata; does not process audio content | Global network (EU points of presence preferred) |
| Static content hosting | Hosts marketing site pages | EU |
| Object storage | Stores uploaded files (e.g. profile photos) | EU |
| Cloud hosting | Runs the application | EU (Frankfurt) |
| Database | Stores your account and profile data | EU (Frankfurt) |
| Language understanding | Processes your conversation to extract preferences; also retrieves URLs you supply during practitioner onboarding so we can pre-fill your profile | EU (France) |
| Voice processing | Converts speech to text in real time | EU |
| Payment processing | Handles commitment fees via direct debit | UK/EU, PCI compliant |
| Analytics | Measures page visits (cookieless, no personal data) | EU |
| Authentication | Manages your login securely via passkeys | EU |
| IP geolocation | Infers approximate country from your IP address for routing | Local offline database (no data sent to provider) |
| Postcode geocoding | Converts your postcode to approximate coordinates for matching | Open-source geocoding service (postcode only) |
| Typography | Loads fonts for the website | Self-hosted (same-origin, no third-party CDN) |
A detailed sub-processor list is available on request -- use the contact address at the top of this page.
Every service provider listed above is engaged under a written data processing agreement that meets the requirements of Article 28 of the UK GDPR and the EU GDPR. Where a provider processes personal data outside the UK or the European Economic Area, the agreement incorporates the European Commission's Standard Contractual Clauses and, for UK personal data, the UK International Data Transfer Addendum, so the same level of protection follows the data across borders.
How we use artificial intelligence
Our service uses artificial intelligence to help understand what you are looking for and connect you with someone who fits. Here is how it works and what it does not do.
What the AI does. When you have a conversation with us (by text or voice), an AI language model processes what you share to understand your needs, preferences and practical requirements. It extracts structured information -- such as the type of support you are looking for, your communication style preferences and your availability -- which is then used to find suitable professionals.
What the AI does not do. The AI does not diagnose, treat or make clinical decisions. It does not assess your mental health. It does not decide who you should see. Its role is to listen carefully and understand what matters to you, so that the right information reaches the matching process.
How matching works. Once your preferences have been extracted, the actual matching is performed by a rule-based, deterministic algorithm -- not by AI. This algorithm scores practitioners against your stated needs using transparent, auditable logic. Every scoring factor and its weight can be inspected and explained. There are no opaque machine learning models in the matching pipeline.
Quality review. We keep a short record of how the conversation progressed (which questions were asked, which signals were detected, how long each turn took) so we can improve the system. This record does not store the words you said. See the retention table below.
Crisis safety. If you share something that suggests you may be in immediate danger, the system is designed to detect this and can escalate to human review. We never rely solely on AI for crisis decisions.
EU AI Act. We are aware of our obligations under the EU AI Act (Regulation 2024/1689). High-risk provisions are scheduled to apply from August 2026, subject to ongoing regulatory development and any future guidance or legislative changes affecting implementation timing. We are monitoring how the regulation applies to referral platforms. Our system assists with finding a suitable professional based on your stated preferences. It does not provide healthcare, make clinical assessments or replace professional judgement. Formal risk classification under the AI Act is pending legal review. We are committed to transparency and auditability in how our system operates.
International data transfers
All core data (your profile, account and matching results) is stored in the European Union (Frankfurt, Germany). Where a service provider processes data outside the EU, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission. We do not transfer data to countries without adequate protection unless these safeguards are in effect.
Your rights
Under the UK GDPR and the Data Protection Act 2018, you have the right to:
- Access -- request a copy of your data
- Correction -- fix anything that is wrong
- Deletion -- have all your data removed
- Restriction -- pause processing while you raise a concern
- Portability -- receive your data in a machine-readable format
- Objection -- tell us to stop processing for a specific purpose
- Withdraw consent -- for health data, at any time
To exercise any of these rights, email dataprotection@viacara.com. We will respond within one calendar month.
Data retention
| Data | Retention |
|---|---|
| Voice audio | Not stored -- processed in real time and discarded |
| Triage conversation transcripts | Deleted within 30 days |
| Incomplete triage | Deleted within 14 days of last activity |
| Conversation quality records (no raw text) | Deleted within 90 days |
| Extracted preferences | While your account is active, deleted on request |
| Deferred matching profiles | Held for up to 60 days without renewal, then deleted |
| Email address | While your account is active, deleted on request |
| Authentication credentials | Retained for the duration of your account and deleted on account closure |
| Analytics | Aggregated, never linked to your identity |
Cookies and browser storage
We do not use cookies of any kind, tracking or otherwise. One small piece of information is stored on your device, relying on the strict-necessity exemption under PECR Regulation 6:
- Your theme preference -- if you switch between light and dark mode, we remember your choice so the site honours it next time. This is written only when you make the choice.
It is not a tracking technology, does not identify you, and nothing is written to your device while you are simply reading the site. Our analytics service is cookieless, uses no persistent identifiers and collects no personal data, so it also falls within the PECR exemption for privacy-preserving aggregate analytics.
Changes to this policy
We will update this page when our practices change. Significant changes will be communicated by email to active users.
Complaints
If you are not satisfied with how we handle your data, you can contact us at dataprotection@viacara.com or lodge a complaint with the Information Commissioner's Office (ICO). If you are resident in the EU or EEA, you may also lodge a complaint with the supervisory authority in your country of residence.
Last updated: April 2026
This policy is written in plain language and is periodically reviewed for accuracy.