The privacy your practice deserves
Your job is to listen. Ours is to protect what you hear. Email-based two-step verification, per-device security PIN and one-time link consent signing. Three layers designed for the reality of a psychology practice, not for a bank. Toggle them on with a click, at no extra cost.
Real privacy for the psychology practice
Professional confidentiality isn't a slogan, it's a commitment. The three tools below are designed for real situations: a colleague entering your office, a laptop left in a café, a patient who needs to sign the consent but is off-sick.
Defence in depth
Password + 2FA at sign-in, PIN for sensitive areas, sessions that expire. If one layer fails, the others stand.
Frictionless
Trusted devices skip 2FA. The PIN is only asked for at the interval you configure. Link signing works on the patient's phone, no app needed.
GDPR done right
Consents stored with date, time, IP and device. Ready to audit. No need to remember where you put the signed paper.
You decide what to protect
Toggle on/off whenever you want. Configure which actions require the PIN. Mark devices as trusted. Controls in your hands.
Access traceability
List of linked devices with their last IP and date. If something looks off, you unlink it in a click.
Data in the EU
Infrastructure hosted within the European Union. Encryption in transit and at rest. Daily encrypted backups with 7-day retention.
How you protect your psychology practice step by step
Email-based two-step verification
When you sign in from a new device, in addition to your password we send a 6-digit code to your email. You enter it and you're in. Simple, nothing to install.
- Branded email with the code — 6 digits, valid for 10 minutes
- Trusted devices — mark your laptop and we won't ask again for 30 days
- Mid-flow resilience — reload the page or close the tab and you come back to the code step without losing progress
- Linked-devices list with last IP and last sign-in; revoke one or all of them
- Easy logout from the code screen itself, in case it wasn't you
- Max 10 code resends per day to prevent abuse
Why email and not SMS? Because your email account is yours to control (and can carry its own 2FA), whereas SMS depends on your mobile carrier and is vulnerable to SIM swapping. For a psychology practice, email is safer and cheaper.
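The code lifecycle described above (6-digit code, 10-minute validity, trusted device for 30 days, resend cap, lockout after wrong attempts), as an added, self-contained example that is not My Psico Agenda's own code. It keeps only an HMAC of the code server-side, uses a constant-time compare, and takes an injectable clock so the expiry paths can be exercised. The server key, the choice to count the first send toward the daily cap, and the lockout threshold of 5 (taken from the "Anti brute-force" section further down) are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CODE_TTL_SECONDS = 10 * 60                   # page: code valid for 10 minutes
TRUSTED_DEVICE_TTL_SECONDS = 30 * 24 * 3600  # page: trusted device skips 2FA for 30 days
MAX_SENDS_PER_DAY = 10                       # page: max 10 code resends per day
MAX_WRONG_ATTEMPTS = 5                       # page: lockout after 5 wrong 2FA attempts

# Assumption: in production this comes from a secret store, not source code.
SERVER_KEY = b"constructed-demo-key-do-not-use"


@dataclass
class PendingCode:
    code_mac: bytes          # HMAC of the code; the plaintext code only goes into the email
    expires_at: int
    wrong_attempts: int = 0


@dataclass
class EmailOtpService:
    now: int                                                   # injectable clock (epoch seconds)
    pending: Dict[str, PendingCode] = field(default_factory=dict)
    trusted: Dict[str, int] = field(default_factory=dict)      # device_id -> trust expiry
    sends: Dict[str, List[int]] = field(default_factory=dict)  # user -> send timestamps

    def _mac(self, user: str, code: str) -> bytes:
        return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def needs_code(self, device_id: str) -> bool:
        """True unless this device is marked trusted and the 30-day window is still open."""
        exp = self.trusted.get(device_id)
        return exp is None or exp <= self.now

    def send_code(self, user: str) -> Optional[str]:
        """Create a fresh 6-digit code and return it for the mailer; None when the daily cap is hit."""
        window = [t for t in self.sends.get(user, []) if t > self.now - 86400]
        if len(window) >= MAX_SENDS_PER_DAY:
            return None
        window.append(self.now)
        self.sends[user] = window
        code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, zero-padded to 6 digits
        self.pending[user] = PendingCode(self._mac(user, code), self.now + CODE_TTL_SECONDS)
        return code

    def verify(self, user: str, submitted: str, device_id: str, remember: bool) -> str:
        """Returns "ok", "wrong", "locked", "expired" or "no_pending"."""
        p = self.pending.get(user)
        if p is None:
            return "no_pending"
        if p.expires_at <= self.now:
            del self.pending[user]
            return "expired"
        if p.wrong_attempts >= MAX_WRONG_ATTEMPTS:
            return "locked"
        if not hmac.compare_digest(p.code_mac, self._mac(user, submitted)):
            p.wrong_attempts += 1
            return "locked" if p.wrong_attempts >= MAX_WRONG_ATTEMPTS else "wrong"
        del self.pending[user]                      # a code is single-use
        if remember:
            self.trusted[device_id] = self.now + TRUSTED_DEVICE_TTL_SECONDS
        return "ok"

    def revoke_device(self, device_id: str) -> None:
        """Unlinking a device means it must go through the code step again."""
        self.trusted.pop(device_id, None)


if __name__ == "__main__":
    svc = EmailOtpService(now=1_700_000_000)
    code = svc.send_code("therapist@example.invalid")      # constructed user
    print("emailed code:", code)
    print(svc.verify("therapist@example.invalid", code, "office-laptop", remember=True))
    print("needs code now?", svc.needs_code("office-laptop"))
```

Note that a wrong guess counts against the pending code only; the trusted-device flag is set solely on a successful verification, so a locked code can never promote a device.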
Per-device security PIN
A 4-digit PIN required for sensitive actions. Designed for those times you leave your computer on and someone walks by: your session stays open but the patient file is locked away.
- Configurable per device: your office laptop can ask for the PIN, your home one doesn't
- You choose what to protect: opening Settings, viewing clinical history, deleting appointments, exporting stats, changing the password…
- Anti brute-force lockout: after 5 wrong attempts the keypad locks for a few minutes. A 4-digit PIN has only 10,000 combinations, so it is this lockout, not the PIN's length, that stops guessing
- Configurable validity: the PIN is re-prompted every 30s, 5 min, 30 min… whatever you choose
- For practice managers: special PIN when entering each therapist's tabs in the practice
- Stored on the server only as a bcrypt hash — nobody can read your PIN back, not even us
Different from 2FA. 2FA stops someone who isn't you from signing in. The PIN stops someone who is already at your screen from seeing things they shouldn't. The two complement each other.
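The per-device PIN mechanics above (hashed storage, lockout after 5 wrong attempts, a configurable re-prompt window, and a per-action "does this need the PIN?" gate), as an added example that is not the product's own code. The page says bcrypt; this example uses PBKDF2-HMAC from the standard library as a stand-in so it runs without extra packages, and a 5-minute lockout for the page's "a few minutes". Both are assumptions, as are the action names.

```python
import hashlib
import hmac
import os
from typing import Optional, Set

LOCKOUT_THRESHOLD = 5        # page: keypad locks after 5 wrong attempts
LOCKOUT_SECONDS = 5 * 60     # page says "a few minutes"; 5 minutes is an assumption
KDF_ROUNDS = 100_000         # assumption: PBKDF2 stand-in for the bcrypt the page describes


class DevicePin:
    """One device's PIN state: salted hash, attempt counter, lockout and re-prompt window.

    A 4-digit PIN has 10,000 combinations, so the hash only protects against
    reading the PIN directly; the lockout is what defeats guessing at the keypad.
    """

    def __init__(self, pin: str, validity_seconds: int, protected: Set[str]) -> None:
        if not (pin.isdigit() and len(pin) == 4):
            raise ValueError("PIN must be exactly 4 digits")
        self.salt = os.urandom(16)
        self.pin_hash = self._derive(pin, self.salt)
        self.validity = validity_seconds      # page: re-prompt every 30 s, 5 min, 30 min...
        self.protected = set(protected)       # page: actions the user chose to protect
        self.wrong_attempts = 0
        self.locked_until = 0.0
        self.last_unlock: Optional[float] = None

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ROUNDS)

    def requires_prompt(self, now: float) -> bool:
        """True when the PIN has never been entered or the validity window has elapsed."""
        return self.last_unlock is None or now - self.last_unlock >= self.validity

    def check(self, action: str, now: float) -> str:
        """Gate for a UI action: "allowed" to proceed, or "prompt" to show the keypad first."""
        if action not in self.protected:
            return "allowed"
        return "prompt" if self.requires_prompt(now) else "allowed"

    def unlock(self, submitted: str, now: float) -> str:
        """Check a keypad entry; returns "ok", "wrong" or "locked"."""
        if now < self.locked_until:
            return "locked"
        if not hmac.compare_digest(self.pin_hash, self._derive(submitted, self.salt)):
            self.wrong_attempts += 1
            if self.wrong_attempts >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_SECONDS
                self.wrong_attempts = 0
                return "locked"
            return "wrong"
        self.wrong_attempts = 0
        self.last_unlock = now
        return "ok"


if __name__ == "__main__":
    # Constructed office-laptop configuration: PIN re-prompted every 5 minutes.
    office = DevicePin("2580", validity_seconds=300, protected={"view_history", "settings"})
    print(office.check("new_appointment", 0.0))   # not protected -> allowed
    print(office.check("view_history", 0.0))      # protected, never unlocked -> prompt
    print(office.unlock("2580", 0.0))             # ok
    print(office.check("view_history", 120.0))    # inside the window -> allowed
```

Each device holds its own `DevicePin` with its own salt and validity, which is what "configurable per device" amounts to: the home laptop simply has an empty `protected` set.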
One-time link consent signing
The patient isn't in your office and you need to collect the informed consent. You generate a one-time link from the patient's record, share it (WhatsApp, email, copy to clipboard) and the patient signs from their phone, no app needed.
- Modal with 4 share options: WhatsApp, email, copy link or QR code for the patient to scan
- Live status in the patient record: "Pending signature" appears until they sign, then it becomes a normal consent with PDF
- Any device: the link works on the patient's mobile, tablet or PC. They sign with a finger or a mouse
- One-time token: once signed, the link stops working. If it is still unsigned after 7 days, it expires as well
- PDF with metadata: date, time, IP and patient device are stamped in the signed PDF, audit-ready
- Support for adult and minor consents (with legal guardian)
GDPR-friendly. The consent lives in your system, signed with date, IP and device. Full traceability without papers to misplace.
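The one-time link flow above (unguessable token, single use, 7-day expiry, and the date/IP/device metadata stamped into the signed record), as an added example that is not My Psico Agenda's own code. Only a SHA-256 of the token is stored server-side, so a database read does not yield usable links. The base URL, the patient identifiers and the signature bytes are constructed placeholders.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

LINK_TTL_SECONDS = 7 * 24 * 3600   # page: an unsigned link expires after 7 days


@dataclass
class ConsentRequest:
    patient_id: str
    expires_at: int
    status: str = "pending"            # pending -> signed | expired
    signed_at: Optional[int] = None
    signer_ip: Optional[str] = None
    signer_device: Optional[str] = None
    signature_sha256: Optional[str] = None


class ConsentLinks:
    def __init__(self, base_url: str) -> None:
        self.base_url = base_url                    # assumption: hypothetical hostname
        self.requests: Dict[str, ConsentRequest] = {}   # keyed by sha256(token)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, patient_id: str, now: int) -> str:
        """Issue a fresh link for one patient; the token itself is never stored."""
        token = secrets.token_urlsafe(32)           # 256 bits from the CSPRNG
        self.requests[self._key(token)] = ConsentRequest(patient_id, now + LINK_TTL_SECONDS)
        return f"{self.base_url}/consent/{token}"

    def open(self, token: str, now: int) -> str:
        """State seen by whoever opens the link: pending, already_signed, expired or invalid."""
        req = self.requests.get(self._key(token))
        if req is None:
            return "invalid"
        if req.status == "signed":
            return "already_signed"
        if now >= req.expires_at:
            req.status = "expired"
            return "expired"
        return "pending"

    def sign(self, token: str, now: int, ip: str, device: str, signature_png: bytes) -> str:
        """Record the signature once; any later use of the same link is refused."""
        state = self.open(token, now)
        if state != "pending":
            return state
        req = self.requests[self._key(token)]
        req.status = "signed"
        req.signed_at = now
        req.signer_ip = ip
        req.signer_device = device
        req.signature_sha256 = hashlib.sha256(signature_png).hexdigest()
        return "signed"

    def audit_stamp(self, token: str) -> Optional[dict]:
        """The metadata a PDF generator would stamp on the signed consent."""
        req = self.requests.get(self._key(token))
        if req is None or req.status != "signed":
            return None
        return {
            "patient_id": req.patient_id,
            "signed_at": datetime.fromtimestamp(req.signed_at, tz=timezone.utc).isoformat(),
            "ip": req.signer_ip,
            "device": req.signer_device,
            "signature_sha256": req.signature_sha256,
        }


if __name__ == "__main__":
    svc = ConsentLinks("https://agenda.example.invalid")
    link = svc.create("patient-42", now=1_700_000_000)      # constructed patient id
    token = link.rsplit("/", 1)[1]
    print(svc.sign(token, 1_700_000_600, "203.0.113.5", "Android 14 / Chrome", b"png-bytes"))
    print(svc.audit_stamp(token))
    print(svc.open(token, 1_700_000_700))                    # already_signed
```

The record stays behind after signing so the "Pending signature" status can flip to a normal consent with its PDF, while the link that produced it is dead from that moment on.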
The tech that supports your privacy
Concrete technical decisions, not marketing.
HTTPS/TLS 1.3
All traffic between your browser and our servers is encrypted with TLS 1.3, using Let's Encrypt certificates that renew automatically. No unencrypted fallback.
Bcrypt passwords
A salted bcrypt hash per user. Even if our database leaked, the hashes could not be reversed into passwords, and bcrypt's cost factor makes guessing them slow; a long, unique password is still your best protection.
AES-256 backups
Daily automatic backups encrypted with AES-256-GCM. 7-day retention. Only the administrator can decrypt them.
EU servers
Infrastructure hosted in the European Union. Personal data never crosses to third countries without guarantees.
Anti brute-force
Automatic lockout after 5 wrong PIN or 2FA attempts. reCAPTCHA on the public login form.
Security logs
Every sign-in is logged. Revoking a device invalidates its tokens instantly.
Start your secure psychology schedule today
Turn on 2FA, configure your PIN and start signing consents by link in under 5 minutes. No lock-in, no commitment.
FAQ: security and privacy for psychologists
What is email-based two-step verification?
When you sign in from a new device, in addition to your password we email you a 6-digit code. Devices you mark as trusted won't ask for it again for 30 days. It's optional and you toggle it from Settings › Security.
What is the security PIN for?
The 4-digit PIN protects sensitive actions from people walking past your screen. You configure it per device, pick which actions require it (opening Settings, viewing clinical history, deleting an appointment…) and how often it's re-prompted.
How does link-based consent signing work?
You generate a one-time link from the patient modal. You send it via WhatsApp, email or copy to clipboard. The patient opens it on any device, signs directly, and the signature is saved to their record. While waiting, the modal shows "Pending signature" in real time.
Is it GDPR compliant?
Yes. My Psico Agenda is GDPR-compliant: encryption in transit (HTTPS/TLS 1.3), encrypted backups (AES-256-GCM), passwords hashed with bcrypt, device-level access control and sign-in traceability. Data hosted on EU servers.
Can I revoke a specific device?
Yes. From Settings › Security › Two-step verification you can see every linked device with its last IP and last sign-in, and revoke them one by one or all at once.
Are these security features free?
Yes. Two-step verification, the security PIN and link-based consent signing are included in every plan (Junior, Senior, Practice Mini, Practice Super) at no extra cost.
What if my patient has no WhatsApp or email?
You can show them the link directly from your screen via the QR code in the modal and have them scan it with their phone. If they're physically in your office, hand them your device and they sign on the spot — no sharing needed.
What if I lose access to my email for 2FA?
Contact our support via WhatsApp or from the email address linked to the account. We verify your identity and disable 2FA so you can sign back in and set it up again with a new email. We will never ask for your password in writing.