This page is the central index for PracticeGrid’s legal, privacy and data-protection
documents. It is designed for partners, practice managers, compliance teams and advisers
who need a clear view of how we contract with you and how we handle personal data.
Each document below has a short description to help you understand its role. Together,
they form the legal and compliance framework for using PracticeGrid and products such as
CinchFlow, and support your own Records of Processing Activities (RoPA), DPIAs and
vendor due-diligence work.
These summaries are provided for convenience only. The legally binding terms for your
subscription are set out in the full Master Services Agreement (MSA), Data Processing
Agreement (DPA) and related documents provided at the point of contract or checkout.
Contract
Master Services Agreement (MSA)
The primary services contract for your licence to use PracticeGrid and CinchFlow —
covering what we provide, how you may use the service, key responsibilities and
how either party can bring the agreement to an end.
Data protection
Data Processing Agreement (DPA) (with UK IDTA/Addendum)
Sets out how PracticeGrid processes personal data on your behalf, our role as processor,
key security measures, use of sub-processors and international transfers under the
UK IDTA/Addendum where needed.
Privacy
Privacy Notice
Explains what personal data we collect about users and website visitors, how and why
we use it, where it is stored, how long we keep it and the rights individuals have
under UK GDPR and the Data Protection Act.
Cookies
Cookie Policy
Describes the cookies and similar technologies used on the PracticeGrid website and app,
the purposes of each category, and how visitors can control or withdraw their consent
via our cookie banner and settings.
Service levels
Service Level Agreement (SLA)
Sets expectations for service availability, maintenance windows, support hours and
target response times, and describes how we communicate incidents and outages.
Use of service
Acceptable Use Policy (AUP)
Defines how PracticeGrid may and may not be used, including restrictions on unlawful
content, abuse and attempts to bypass security, plus actions we may take if the rules
are broken.
Vendors
Sub-processor list
Lists the third-party providers that process customer data on our behalf — such as
hosting, email delivery, analytics and support tools — together with their role in
the service and (where relevant) region.
Security
Security & compliance policy
Extended overview of hosting regions, encryption, access control, backups, monitoring,
incident response and responsible disclosure for PracticeGrid and CinchFlow.
Need the full legal texts? The library below provides a short overview of each document and
direct download links to the latest version of our core legal and data-protection terms.
Master Services Agreement (MSA)
Contract · Commercial terms · Licence & responsibilities
The Master Services Agreement is the main contract between your firm and PracticeGrid.
It explains the service we provide (including products such as CinchFlow), how you are
allowed to use it, and the key commercial terms that apply to your subscription.
- Defines your licence to use PracticeGrid and CinchFlow for your practice and team.
- Sets out your responsibilities, including correct use of the service and keeping account details secure.
- Explains subscription fees, invoicing, renewals, upgrades, downgrades and how the agreement can be ended.
- Includes important provisions such as limitations of liability, disclaimers and governing law/jurisdiction.
- Identifies the contracting entity and how PracticeGrid is described in invoices and tax documentation.
- Works together with the Data Processing Agreement and any Order Forms agreed with your firm.
Typical audience: partners, procurement, legal advisers and finance teams.
Data Processing Agreement (DPA) with UK IDTA/Addendum
Data protection · Roles & security · International transfers
The Data Processing Agreement describes how PracticeGrid processes personal data for you
as a processor, and how this aligns with UK GDPR and the Data Protection Act. It works
alongside the MSA and includes the UK IDTA/Addendum for international transfers where
required.
- Clarifies roles: your firm as controller, PracticeGrid as processor (in most cases).
- Describes the categories of personal data and purposes of processing linked to PracticeGrid and CinchFlow.
- Summarises the technical and organisational measures we apply to protect data.
- Explains how we use sub-processors and how you are notified of changes to the Sub-processor list.
- Covers data transfers outside the UK/EEA using the UK IDTA/Addendum or other recognised transfer tools.
- Sets out how we assist you with data subject rights and incident notification obligations.
- Supports your own RoPA and DPIA work when assessing PracticeGrid as a vendor.
Typical audience: compliance, data protection leads, DPOs and legal advisers.
Privacy Notice
Individuals’ rights · Transparency · How we use personal data
The Privacy Notice is written for individuals — including users of PracticeGrid and
visitors to our website. It sets out, in clear language, what personal data we collect,
why we use it and what rights people have.
- Explains who we are: Sapphire Info Solutions Pvt. Ltd. trading as PracticeGrid.
- Lists the types of personal data we collect (e.g. account details, billing data and usage information).
- Explains the purposes and legal bases for our processing, such as contract performance and legitimate interests.
- Describes where data is stored, how long we keep it and who we share it with (including key sub-processors).
- Summarises any international transfers and refers to the DPA for details of safeguards such as the UK IDTA/Addendum.
- Explains rights under UK GDPR, including access, correction, deletion, restriction and data portability.
- Includes contact details for privacy queries and complaints, and links to the UK ICO where relevant.
To exercise your data protection rights or ask a privacy question, contact
privacy@practicegrid.co.uk.
Cookie Policy
Cookies · Analytics · Consent & control
The Cookie Policy explains how we use cookies and similar technologies on the
PracticeGrid website and, where relevant, in the app. It helps visitors understand
which tools are essential and which are optional.
- Distinguishes between essential, analytics and marketing cookies.
- Lists key tools we use (for example, analytics, helpdesk widgets or consent platforms), and who provides them.
- Explains how long cookies last, whether they are first-party or third-party, and what they are used for.
- Describes how visitors can change or withdraw their consent at any time via the cookie banner or settings link in the footer.
- Reflects our consent-mode approach: no non-essential scripts are loaded before consent is given.
Service Level Agreement (SLA)
Availability · Support · Incident communication
The Service Level Agreement focuses on the operational side of PracticeGrid, including
uptime, performance and how support is delivered.
- States our target service availability over a defined period and how availability is calculated.
- Explains planned maintenance windows and how they are communicated in advance where possible.
- Sets out support channels, hours (typically UK business hours) and target response times by priority.
- Describes how we classify incidents, communicate updates and work towards resolution, typically via our status page and email updates.
- Links to any status or incident pages once they are live.
Acceptable Use Policy (AUP)
Fair use · Misuse · Platform protection
The Acceptable Use Policy sets practical rules for how PracticeGrid can be used. It
protects both your firm and other customers from misuse of the platform.
- Prohibits unlawful content and activity on the service, including anything that infringes third-party rights.
- Restricts abusive behaviour, harassment and abusive messaging towards staff or other users.
- Forbids attempts to bypass security, compromise accounts or disrupt the service or underlying infrastructure.
- Clarifies any fair-use expectations (for example, reasonable API or storage usage) where applicable.
- Explains the actions we may take if these rules are breached, including suspension or termination of access.
Sub-processor list
Third-party providers · Roles · Locations
The Sub-processor list identifies the third-party services we use to deliver PracticeGrid
and CinchFlow, where they process data and what they do.
- Lists hosting, storage and infrastructure providers (for example, cloud platforms and database services).
- Covers email delivery, analytics, logging and support tools that may process personal data.
- Describes the role of each provider in the service and the relevant region (for example, UK / EEA).
- Supports your own vendor risk assessments, RoPA entries and DPIAs.
- Is kept up to date, with material changes notified through the DPA process and, where appropriate, email or in-app notice.
Security & compliance policy
Hosting · Encryption · Access control · Monitoring
The Security & compliance policy is an extended overview of how PracticeGrid protects
your data, and how security is built into the product and our operations.
- Summarises hosting regions, core architecture and environment separation (production, staging, test).
- Explains encryption in transit and at rest, and how access to systems is controlled and logged.
- Describes backup, monitoring and incident-response practices, including 72-hour breach notification expectations under UK GDPR.
- Outlines our approach to secure development, vulnerability management and third-party security assessments where applicable.
- Explains our responsible disclosure approach and how to contact security@practicegrid.co.uk.
As PracticeGrid evolves, these documents may be updated. Where required, we will notify
customers of material changes in line with the MSA and DPA.