Privacy Policy

UMA BOX

Last updated: April 2026

Important Notice

This privacy policy explains how UMA BOX collects, uses, and protects your personal data. We are committed to protecting your privacy and handling your data with the care it deserves, particularly given the sensitive nature of mental health information.

Please read this policy carefully. If you have any questions, contact us at nicole@theumabox.com.

1. Who We Are

UMA BOX is a specialist online therapy platform connecting clients with vetted therapists for complex trauma and CPTSD support.

Data Controller: UMA BOX
Contact: hello@theumabox.com

2. What Data We Collect

From clients:

  • Contact information (name, email address, phone number)
  • Payment information (processed via third-party providers)
  • Health history and mental health information
  • Consultation notes and therapy-related records

From therapists:

  • Contact and professional information
  • Qualifications and registration details
  • Session records

3. Why We Collect Your Data

  • Provide and manage therapy sessions
  • Match clients with appropriate therapists
  • Process payments securely
  • Maintain clinical records as required by law
  • Improve platform safety and quality
  • Comply with legal obligations

We do not sell your data or use it for advertising.

4. Legal Basis for Processing (GDPR)

  • Contract — to provide therapy services
  • Legal obligation — compliance with laws
  • Vital interests — protecting safety
  • Explicit consent — for sensitive health data

5. GDPR Rights (UK & EU Clients)

  • Access your data
  • Correct inaccurate data
  • Request deletion (where applicable)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent anytime

Contact us at hello@theumabox.com. We respond within 30 days.

6. HIPAA Compliance (US Clients)

Your health data is treated as Protected Health Information (PHI). We:

  • Only use/disclose PHI as permitted
  • Apply safeguards to protect data
  • Notify you of breaches
  • Require authorization unless legally required

Your rights:

  • Access your records
  • Request corrections
  • Know how data is shared
  • File complaints

7. How We Store Your Data

  • Secure internal systems
  • Trusted third-party providers
  • Compliance with data protection laws
  • Stored in UK/EEA where possible
  • Safeguards for international transfers

8. How Long We Keep Your Data

  • Clinical records: ~8 years
  • Payment records: 7 years
  • Non-clinical data deletable upon request

9. Sharing Your Data

  • With therapists (to provide care)
  • With payment processors
  • With tech providers
  • With legal/regulatory authorities
  • In emergencies

We never sell your data.

10. Cookies

We use essential cookies and may use analytics cookies to improve the platform. Manage preferences via your browser.

11. Children's Data

Our services are for adults (18+). We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this policy and will notify users of significant changes via email or platform notice.

13. Complaints

You may contact relevant authorities such as the ICO (UK), EU data protection authorities, or the U.S. Department of Health & Human Services.

14. Contact Us

Email: hello@theumabox.com