Legal
Privacy Policy
Last updated: June 2026
ReformWithin (“we”, “us”, or “the Service”) provides practice-management software for hypnotherapy practitioners, including practice pages, booking, client intake, and behavioural assessment tools. This policy explains what personal information we collect, how we use it, and the choices available to you. We have written it to be readable — if anything is unclear, contact us and we will explain it plainly.
1. Who this policy covers
This policy covers two groups of people:
- Practitioners — professionals who create an account and use ReformWithin to run their practice.
- Clients — individuals who interact with a practitioner's public page: booking a session, completing an intake form, or taking a behavioural assessment.
For client data, the practitioner is the data controller and ReformWithin acts as a data processor on their behalf. Clients with questions about how their information is used should contact their practitioner first; we will support any request the practitioner passes to us.
2. What we collect
From practitioners
- Account details: name, email address, password (stored as a secure hash).
- Practice details you provide during setup: business name, services, biography, branding preferences.
- Billing information, processed entirely by a third-party payment processor. We never see or store full card numbers.
From clients
- Contact details submitted when booking or completing intake: name, email, phone.
- Intake responses: the reasons for reaching out and related answers the client chooses to share.
- Behavioural assessment responses: answers to assessment questions and response timing, used to compute behavioural scores.
- Booking details: selected session type, date, and time.
3. How we use information
- To operate the Service: displaying leads to the relevant practitioner, computing assessment results, managing bookings, and sending booking confirmations.
- To generate practitioner-facing summaries and session preparation material (see Section 4 on AI).
- To process subscription payments and manage accounts.
- To maintain security, prevent abuse, and comply with legal obligations.
We do not sell personal information. We do not use client data for advertising. We do not contact a practitioner's clients except to deliver service messages on the practitioner's behalf (such as booking confirmations).
4. How AI is used — and how it is not
Some features use a third-party AI provider to generate text for the practitioner: lead summaries, consultation briefs, and session preparation guides.
- AI only processes information the client themselves submitted through the public intake and assessment flow, together with algorithm-computed scores.
- Behavioural scores, profiles, and signal-confidence results are computed by a deterministic algorithm — not by AI.
- AI-generated content is advisory, clearly labelled in the practitioner dashboard, and never sent to clients automatically.
- Our API agreements with the provider do not permit the use of this data to train their models.
5. Sharing and processors
We do not sell or rent personal information. We share it only with the categories of service provider needed to operate ReformWithin:
- A payment processor, to handle subscription billing securely.
- An AI provider, to generate the practitioner-facing summaries described above.
- An email delivery provider, to send transactional messages such as confirmations and notifications.
- Hosting and infrastructure providers, to store data and serve the application.
Each is a data processor, bound by contract to use the information only to provide its service to us — not for its own purposes. None is an advertising or tracking service, and each receives only the data necessary for its function. We may also disclose information if required by law or to protect the safety of any person.
6. Cookies and analytics
We keep cookies to a strict minimum and use no third-party tracking, advertising, or analytics services.
- Browsing the public site — including the home page and the waitlist sign-up — sets no cookies. You can read and use the public site without accepting anything.
- Signed-in accounts. When a practitioner or administrator logs in, we set a small number of essential, first-party cookies for the sole purpose of keeping you securely signed in. They are strictly necessary for the Service to function and are never used for tracking or advertising.
- No advertising or cross-site tracking. We do not use advertising cookies, marketing pixels, or third-party trackers, and we do not allow third parties to follow you across other websites through our Service.
Our analytics are first-party and cookieless. To understand aggregate traffic — such as page views, approximate visitor numbers, referring sites, and country — we use analytics built into the Service itself. It does not set a cookie or store a persistent identifier: visitor counts are derived from a salted value that rotates every day and cannot be linked back to you or used to follow you over time. Country is estimated from your IP address locally and is not shared with anyone. We do not use Google Analytics or any other third-party analytics service, and this analytics data never leaves our systems.
Payments. If you make a payment, you are taken to our payment provider's secure hosted checkout to enter your card details. They process the payment and may set their own cookies on their own pages under their own privacy and cookie policies; we never receive or store your full card number.
7. Data retention and deletion
Practitioner accounts and associated data are retained while the account is active. When an account is closed, data is deleted within a reasonable period except where retention is legally required. Practitioners may delete individual client records at any time, which removes the client's intake, assessment, and booking data.
8. Security
Data is encrypted in transit. Access to production systems is restricted and authenticated. Passwords are stored only as cryptographic hashes. No system is perfectly secure, but we design conservatively: we collect only what the Service needs, and sensitive operations are isolated.
9. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. Practitioners can exercise these rights directly through their account or by contacting us. Clients should contact their practitioner, who can action requests in the dashboard or escalate them to us.
10. Not a medical service
ReformWithin supports complementary wellness services. The behavioural assessment is not a medical or psychological diagnostic instrument, and nothing in the Service constitutes medical advice. If a client submission contains language suggesting a safety concern, we flag it prominently to the practitioner for human review.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect information from them. If you believe a child has provided us personal information, contact us and we will delete it.
12. Changes to this policy
If we make material changes, we will notify practitioners by email and update the date at the top of this page. Continued use of the Service after changes take effect constitutes acceptance.
13. Contact
Questions or requests regarding privacy — including access, correction, or deletion of your data — can be sent to the operator of ReformWithin at info@reformwithin.com.