Privacy Policy

Last updated: May 2026

Who we are

CDRA (Clinical Depth Reflection Assistant) is a clinical reflection tool built for registered psychotherapists and counsellors. It is developed and operated by David Waterman, a registered psychotherapist based in the UK.

ICO Registration: ZC138142

Contact: d@davidwatermanpsychotherapist.co.uk

What this policy covers

This policy explains what personal data we collect when you use CDRA, how we use it, how we protect it, and what your rights are. We've written it in plain English because we think you deserve to actually understand it.

What data we collect

Your account information

When you register, we collect your name and email address. We also record the date and time you accepted our terms of use.

Your professional registration

As part of our beta verification process, we ask you to email a copy of your current professional registration certificate. This is used solely to verify that you are a registered practitioner. It is not stored in the CDRA system — once verified, your account is marked as verified and the certificate is deleted.

Your clinical reflection content

When you use CDRA, you enter session notes, reflections, and check-ins. This is the core clinical content of the product. It is sensitive by nature and we treat it accordingly.

Practice information

You may optionally enter details about your practice — such as session fees, session length, and delivery method. This helps CDRA personalise its analysis for your context.

Usage data

We collect basic technical information about how the app is used (for example, when sessions are created or analysed). We do not use third-party analytics tools. We do not track your behaviour across other websites.

How we use your data

Data | Why we use it
Name and email | To manage your account and send you important updates
Registration certificate | To verify you are a registered practitioner (then deleted)
Clinical reflection content | To generate AI-assisted analysis and support your reflective practice
Practice information | To personalise your experience and analysis
Usage data | To understand how the product is being used and improve it

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described below.

AI processing — how it works

CDRA uses AI to analyse your clinical content. Before content is sent to our AI provider, it passes through an anonymiser — a process that attempts to detect and replace names and identifying details with neutral placeholders. This significantly reduces the risk of identifiable information being transmitted, but it is a best-effort process: if you use real client names rather than pseudonyms, some identifying details may not be caught. We strongly recommend using pseudonyms or initials for all clients.

Our AI provider is Anthropic. We use their API. This means your content is sent to and processed on Anthropic's servers in order to generate a response. Under Anthropic's API terms, your content is not used to train AI models and is not retained after your request is complete. We have requested a formal Data Processing Agreement with Anthropic to confirm this in writing; this is pending.

Your clinical content is encrypted before it is stored in our database. This means that even in the unlikely event of a database breach, stored content cannot be read. Content is decrypted in your browser when you use the app, then re-encrypted before being saved.

“Best-effort de-identification before AI processing. AES-256 encryption before storage. Use pseudonyms for all clients.”

How we protect your data

All clinical content stored in CDRA is encrypted using AES-256-GCM encryption. This means that even in the unlikely event of a database breach, your clinical content cannot be read.

Your data is stored in Supabase, a secure cloud database provider with servers in the UK.

Access to your data is protected by secure login (magic link email authentication, with Face ID/biometric support on supported devices).

How long we keep your data

We keep your data for as long as your account is active. If you close your account or request deletion, we will delete all your personal data and clinical content within 30 days.

Registration certificates received by email are deleted once your account has been verified.

Your rights

Under UK GDPR, you have the right to:

  • Access the data we hold about you
  • Correct any inaccurate data
  • Delete your data (“right to be forgotten”)
  • Export your data in a portable format
  • Object to how we process your data
  • Withdraw consent at any time

To exercise any of these rights, email us at d@davidwatermanpsychotherapist.co.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we are not handling your data correctly.

Lawful basis for processing

We process your data under the following lawful bases:

  • Consent — you actively sign up and accept our terms
  • Legitimate interests — providing and improving the CDRA service
  • Legal obligation — where required by law

Clinical content is processed under your consent, given at the point of registration.

Cookies

CDRA uses cookies solely to manage your login session. We do not use tracking cookies or advertising cookies. You cannot opt out of session cookies as they are required for the app to function.

Beta product notice

CDRA is currently in beta. This means the product is still in development. Features may change, and while we work hard to ensure stability, we cannot guarantee uninterrupted service. We will always give reasonable notice of any significant changes that affect your data or how you use the product.

Changes to this policy

If we make significant changes to this policy, we will notify you by email. The “last updated” date at the top of this page will always reflect the most recent version.

Information for clients of therapists using CDRA

If your therapist uses CDRA, this section is for you.

CDRA is a tool used by registered psychotherapists to support their clinical reflection after sessions — not during them. It is not a separate service you sign up to, and you will not have an account with CDRA.

What happens to your information: Your therapist may enter notes about their session with you into CDRA. Before any content is processed by AI, names and identifying details are replaced with neutral placeholders. CDRA is designed so that identifying information about you should never reach the AI system. Processed content is encrypted before storage.

Your consent: Your therapist is responsible for telling you about their use of AI-assisted tools and obtaining your consent. If you are unsure, ask your therapist directly. You have the right to request that your therapist does not use AI-assisted reflection with your session material — this will not affect your care.

Your rights: Your therapist is the data controller for your personal information. Any requests to access, correct, or delete your data should be made directly to your therapist. If you have concerns about how your therapist handles your data, you can contact the Information Commissioner's Office (ICO) at ico.org.uk.

If you have specific questions about CDRA itself, you can contact us at d@davidwatermanpsychotherapist.co.uk

Contact

If you have any questions about this policy or how we handle your data: d@davidwatermanpsychotherapist.co.uk