Privacy Policy
Your privacy is important to us. This policy explains how PsychScape collects, uses, and protects your personal information.
Effective Date: 1 January 2026
1. Overview
PsychScape ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy describes the types of information we collect, how we use it, and the steps we take to keep it secure. By using our platform, you agree to the practices described in this policy.
2. Information We Collect
We may collect the following types of information:
- Account information: Name, email address, and role when you register for an account.
- Assessment data: Your responses and results from psychological assessments you complete on the platform.
- Usage data: Information about how you interact with the platform, such as pages visited and features used.
- Technical data: Browser type, operating system, and device identifiers collected automatically.
When you begin a psychological assessment, your IP address and browser user agent string are automatically recorded and stored alongside your session data. This technical metadata is collected solely for security monitoring and abuse prevention — it is the minimum information needed to detect and prevent misuse of the platform. Both fields are encrypted at rest and are retained only for the period required by applicable clinical record-keeping obligations (see Section 6 — Data Retention).
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the PsychScape platform
- Generate your assessment results and personalised insights
- Enable therapists and practices to manage client assessments (with your consent)
- Send important service-related communications
- Analyse usage patterns to improve user experience
- Ensure the security and integrity of the platform
4. Legal Basis for Processing
Under the EU General Data Protection Regulation (GDPR), we are required to identify a lawful basis for each processing activity. Under the Australian Privacy Principles (APPs), we must collect personal information only by lawful and fair means. The table below sets out the lawful basis we rely on for each category of processing:
Where we rely on explicit consent (GDPR Article 9(2)(a)) for special-category health data — such as psychological assessment responses and results — that consent is freely given, specific, informed, and unambiguous. You may withdraw your consent at any time (see Section 5 below), although this does not affect the lawfulness of processing carried out before withdrawal.
5. User Consent
PsychScape processes special-category health data (psychological assessment responses and results) which requires your explicit consent under GDPR Article 9(2)(a) and informed consent under AHPRA and APS professional standards.
5.1 How We Obtain Consent
- At registration: When you create an account, you are presented with this Privacy Policy and asked to acknowledge it before proceeding. This constitutes consent under GDPR Article 6(1)(a) and satisfies APP 5 notification requirements.
- Before assessments: Before starting any psychological assessment, you are presented with an informed consent notice explaining what data will be collected, how it will be used, who may access your results, and the limitations of the assessment. You must explicitly agree before proceeding.
- Therapist-initiated assessments: When a therapist sends you an assessment invitation, the invitation includes a link to this Privacy Policy and a summary of data handling practices. Consent is captured before you begin the assessment.
5.2 Withdrawing Consent
Under GDPR Article 7(3) and the Australian Privacy Principles (APP 3), you have the right to withdraw your consent at any time. Withdrawal of consent is as easy as giving it. To withdraw consent:
- Via your account settings: Authenticated users can withdraw consent programmatically through the platform's consent management feature. This immediately marks the relevant consent record as withdrawn and is logged in our audit trail.
- By email: Contact us at privacy@psychscape.com to request withdrawal of consent for specific processing activities. We will process your request within 30 days.
- Withdrawal does not affect the lawfulness of processing carried out before the withdrawal
- Where consent is withdrawn for assessment data, we will cease processing but may retain data where required by Australian clinical record-keeping laws (see Section 6)
5.3 Consent Records
In accordance with GDPR Article 7(1) and APP 3, we maintain records of consent that demonstrate when consent was given, what was consented to, how it was given, the version of the privacy notice presented at the time, and — where applicable — when consent was withdrawn. Consent records are retained for the same period as the associated data (see Section 6).
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The retention periods below reflect both GDPR Article 5(1)(e) storage limitation principles and Australian clinical record-keeping obligations under AHPRA, the Psychology Board of Australia (PsyBA), and the APS Code of Ethics.
For EU/EEA data subjects: The 7-year retention period for clinical data is justified under GDPR Article 6(1)(c) (legal obligation — compliance with Australian health record-keeping laws) and Article 9(2)(h) (health and social care purposes). At the end of the retention period, data is securely deleted or de-identified unless a continuing legal basis for retention exists.
7. Data Protection & Security
We take the security of your data seriously and implement industry-standard measures to protect it:
- Data is encrypted in transit using TLS 1.2+. PII and health-data fields are additionally encrypted at field level using the ASP.NET Core Data Protection API before storage, so sensitive values remain protected even if the underlying database media is accessed.
- Personal and assessment data is stored in secure, access-controlled databases.
- Role-based access ensures only authorised users can view sensitive data.
- We regularly review our security practices and update them as needed.
8. Confidentiality
We understand that psychological assessment data is highly personal. We commit to:
- Never selling your personal or assessment data to third parties
- Not sharing your individual results with anyone without your explicit consent
- Ensuring that therapist-client data is only accessible to the assigned therapist and authorised practice administrators
- Anonymising data used for research or platform improvement
9. Recipients of Your Data
Under GDPR Article 13(1)(e), we disclose the categories of recipients who may receive your personal data:
- Cloud hosting provider: Our cloud hosting provider operates the virtual servers and PostgreSQL database on which all personal data is stored and processed. The provider is bound by a data processing agreement and Standard Contractual Clauses (where applicable). All data is hosted in Australia.
- Your therapist: The therapist managing your care has access to your client records, assessment responses, and results.
- Practice administrators: Authorised administrators of the psychology practice you are enrolled in may access your records for practice management purposes.
- Email service provider: We use a third-party email service to send notifications and assessment invitations. Only your name and email are shared transiently for delivery. When a therapist emails assessment results to you, the results are always delivered as a password-protected PDF attachment. If the sender does not supply a password, PsychScape generates one and provides it to the therapist, who shares it with you out-of-band (e.g. by phone or in-session). Your clinical results are never sent as plaintext over email (GDPR Art. 32; AHPRA electronic communication of clinical information).
- Regulators: In the event of a data breach or regulatory inquiry, we may be required to share information with the OAIC (Australia) or an EU/EEA supervisory authority.
We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes.
10. Automated Decision-Making
Under GDPR Article 22 and Article 13(2)(f), we inform you that PsychScape uses automated scoring and classification when processing your psychological assessment data:
- What is automated: Your responses to psychological assessments (e.g., PHQ-9, GAD-7, K10, DASS-21, Big Five, MBTI, Love Languages, Enneagram) are scored using validated psychometric algorithms. Scores are classified into severity bands or personality categories based on published clinical thresholds.
- Logic involved: Scoring follows the standardised methodology defined by each instrument's authors (e.g., PHQ-9 uses a sum score classified into Minimal, Mild, Moderate, Moderately Severe, and Severe depression). No proprietary or opaque AI models are used.
- Significance and consequences: Assessment results are intended as screening tools to support clinical decision-making by qualified psychologists. They do not constitute a clinical diagnosis and should always be interpreted by a qualified mental health professional.
- Your rights: You have the right to request human review of any automated assessment result, to express your point of view, and to contest the result. Contact your therapist or privacy@psychscape.com to exercise this right.
- In-app transparency: Each assessment result page includes a "How your results are calculated" section explaining the scoring methodology, instrument attribution, and your right to contest the result. A clinical disclaimer with a contact mechanism for requesting human review is also displayed on every result page.
11. International Data Transfers
Under GDPR Articles 44–49 and Australian Privacy Principle 8, we disclose the following regarding international transfers of your personal data:
- Primary data storage: Your data is stored and processed on servers located in Australia. The data flow is: your browser (TLS 1.2+) → PsychScape.Web (Australia) → PsychScape API service (Australia) → PostgreSQL database (Australia). We do not routinely transfer personal data outside Australia after this initial ingestion.
- EU/EEA and UK data subjects: If you are located in the EU/EEA or the United Kingdom, your data is transferred to Australia for processing. Australia does not have an EU adequacy decision; transfers are safeguarded by executed Standard Contractual Clauses (SCCs) as approved by the European Commission in Implementing Decision (EU) 2021/914, supplemented (where applicable) by the UK ICO International Data Transfer Addendum. We have completed a Transfer Impact Assessment in line with the Schrems II judgment and the EDPB Recommendations 01/2020 to confirm that the supplementary technical, contractual, and organisational measures we apply provide a level of protection essentially equivalent to that guaranteed within the EEA/UK.
- Sub-processors: Where third-party service providers (e.g., email delivery) process data outside Australia or the EU/EEA, they are bound by SCCs (Module 3) or equivalent transfer safeguards, including contractual obligations to notify and challenge any compelled government-access requests to the maximum extent permitted by law.
- Your rights: You may request a copy of the operative SCCs (with commercially sensitive detail redacted as required) and a summary of our Transfer Impact Assessment by contacting privacy@psychscape.com. You also have the right to lodge a complaint with your local supervisory authority (or the UK ICO).
12. Your Rights
Under the GDPR (Articles 15–22) and the Australian Privacy Principles, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you. You can download a complete JSON export of your data (profile, assessment sessions, responses, results, and consent records) from your account settings via the data rights panel, or by contacting privacy@psychscape.com.
- Right to rectification: Request correction of inaccurate or incomplete personal data. Profile information can be updated via your account settings; for corrections to clinical records, contact your therapist or privacy@psychscape.com.
- Right to erasure: Request deletion of your personal data via your account settings (data rights panel) or by contacting privacy@psychscape.com. Non-clinical data is deleted immediately; clinical records are flagged for secure deletion at the end of the mandatory 7-year AHPRA/APS retention period (Art. 17(3)(c)).
- Right to data portability: Request your data in a structured, commonly used, machine-readable format (JSON). You can export all personal data associated with your account (profile, assessment sessions, responses, results, and consent records) from your account settings via the data rights panel, or by contacting privacy@psychscape.com.
- Right to restriction of processing: Request that we restrict the processing of your data in certain circumstances. When a restriction is applied, your data is securely stored but excluded from active processing, including reports, analytics, and new assessments. You may request restriction when the accuracy of your data is contested, the processing is unlawful, or you have objected under Article 21 pending verification. To request restriction, contact privacy@psychscape.com or use the data rights features available in your account settings.
- Right to object: Object to processing of your personal data based on legitimate interests, including analytics and research activities. When you submit an objection, we record it with a reason and timestamp and apply processing restrictions to your data. To exercise this right, contact privacy@psychscape.com or use the objection endpoint available through your account. You may opt out of analytics and research processing at any time.
To exercise any of these rights, please contact us at privacy@psychscape.com. We will respond to your request within 30 days (or one month under GDPR).
13. Right to Lodge a Complaint
Under GDPR Article 77 and the Privacy Act 1988 (Cth), you have the right to lodge a complaint with a supervisory authority if you believe your personal data has been processed unlawfully or your rights have not been respected.
Office of the Australian Information Commissioner (OAIC)
- Website: www.oaic.gov.au
- Phone: 1300 363 992
If you are located in the EU or EEA, you may lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available at edpb.europa.eu.
We encourage you to contact us first at privacy@psychscape.com so we can try to resolve your concern directly.
14. Cookies & Tracking
PsychScape may use essential cookies to maintain your session and preferences. We do not use third-party advertising cookies. Any analytics cookies are used solely to understand how the platform is used and to improve the user experience.
15. Children's Privacy
PsychScape is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from individuals under 16. If we become aware that a person under 16 has provided personal information or created an account, we will delete that data promptly and without notice.
Users aged 16 or 17 may access the Service only via the practitioner-referred pathway (i.e., when invited directly by a registered mental health practitioner). In that case, parental or guardian consent is required and must be obtained and documented by the referring practitioner before the assessment commences. We do not directly collect or verify parental consent — this is the responsibility of the referring practitioner under their professional obligations.
General self-registration accounts require users to be at least 18 years of age. See Section 4 of our Terms of Service for the full age policy and its legal basis.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Effective Date" at the top of this page. We encourage you to review this page periodically to stay informed about how we protect your data.
17. Contact Us & Privacy Officer
If you have any questions or concerns about this Privacy Policy or how your data is handled, please don't hesitate to reach out:
Privacy Officer
PsychScape has formally designated a Privacy Officer who is responsible for overseeing our compliance with the Australian Privacy Act 1988 (including the Australian Privacy Principles) and advising on our obligations under the GDPR. The Privacy Officer is your primary contact for:
- Privacy enquiries and requests to access, correct, or delete your personal data
- Complaints about our handling of your personal information
- Exercising any of the rights described in Section 12 of this Policy
- Requests relating to automated decision-making (Section 10) or international data transfers (Section 11)
Role: Privacy Officer — PsychScape
Email: privacy@psychscape.com
Response time: We will respond to privacy enquiries and data subject rights requests within 30 calendar days. For complex requests, this period may be extended by a further 60 days in accordance with GDPR Article 12(3), in which case we will notify you of the extension within the initial 30-day period.
Note on formal DPO designation: PsychScape has conducted a formal analysis under GDPR Article 37 and determined that, at its current scale of operations, a statutorily mandatory Data Protection Officer is not required. PsychScape nonetheless voluntarily maintains a Privacy Officer performing equivalent functions. This determination is reviewed annually and whenever the organisation's scale or processing activities materially change. Details of this analysis are recorded in our internal Privacy Governance documentation.