Privacy
Privacy Notice
Last updated: 7 May 2026
Version: 1.0
Your privacy is very important to me. This notice explains, in plain language, what personal information I collect about you, why, how I keep it safe, and what your rights are.
I adhere to current data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations 2003. I also adhere to the ethical guidelines on confidentiality and record-keeping set by the British Association for Counselling and Psychotherapy (BACP).
Contents
1. Who is responsible for your data
Under data protection law, the "data controller" is the person or organisation that decides why and how your personal information is used. For this counselling practice, the data controller is me personally.
2. What data I collect
The information I hold depends on the stage of our relationship. The table below summarises this.
| Stage | Information collected |
|---|---|
| Initial enquiry (phone, email, contact form) | Your name, contact details (phone, email), and the content of your initial message about why you are looking for counselling. |
| If we agree to work together | Date of birth, GP details (if relevant), emergency contact, any health information you choose to share, and a signed therapy agreement. |
| During counselling | Brief session notes (kept separately from your contact details), records of session attendance and dates, and any messages or emails relating to appointments. |
| Payment | Records of fees paid, dates, and payment method (but not card details, which I do not store). |
| After counselling ends | Closed records held in line with BACP retention guidance (see section 4). |
Counselling involves discussing personal and sensitive information. Under UK GDPR, this is treated as special category data (data about your physical or mental health), which has extra legal protections.
3. My lawful basis for using your data
UK GDPR requires me to identify a lawful basis for using your personal data. The basis depends on what I am doing with your data and at what stage.
| Activity | Lawful basis (Article 6) | Special category basis (Article 9) |
|---|---|---|
| Responding to your initial enquiry | Article 6(1)(b): steps taken at your request prior to entering a contract | Not applicable at this stage unless you choose to share health information |
| Providing counselling sessions | Article 6(1)(b): performance of our therapy contract | Article 9(2)(h): provision of health treatment by a professional bound by an obligation of confidentiality |
| Keeping records after therapy ends | Article 6(1)(f): legitimate interests (defending against potential complaints, complying with BACP ethical framework, providing continuity of care if you return) | Article 9(2)(h): provision of health treatment |
| Financial and tax records | Article 6(1)(c): legal obligation (HMRC requires retention of tax records for 6 years) | Not applicable |
| Website analytics | Article 6(1)(f): legitimate interests (understanding how visitors use the site to improve it) | Not applicable |
4. How long I keep your data
I keep different types of data for different lengths of time, depending on what the data is for and what the law and BACP guidance require.
| Type of data | Retention period |
|---|---|
| Initial enquiry where you don't proceed to counselling | Deleted within 3 months of last contact, or sooner on request |
| Therapy session notes (adults) | 6 years after the end of therapy, in line with BACP good practice and the standard limitation period for personal injury claims |
| Therapy session notes (clients under 18) | Until the client reaches age 25, in line with BACP guidance |
| Contact details (kept separately from notes) | 6 years after the end of therapy |
| Financial and tax records (invoices, payment logs) | 6 years after the end of the tax year (HMRC requirement) |
| Text messages and emails about appointments | Deleted within 1 month of the appointment unless they contain clinically relevant information |
| Website contact form submissions | Held by my website form processor until I respond to your enquiry, then deleted from the inbox within 3 months unless you become a client |
| Website analytics | Up to 12 months, then automatically deleted |
After the retention period, your records are securely destroyed (paper records shredded, digital records permanently deleted).
5. Who I share your data with
I do not sell or rent your data, and I do not share it for marketing. I only share information in the following limited circumstances.
Clinical supervision
BACP requires me to attend regular clinical supervision to maintain the quality of my work. In supervision I may discuss aspects of our work, but I do not identify you by name or share details that could identify you. My supervisor is also a BACP-registered counsellor and is bound by the same confidentiality obligations.
Service providers (data processors)
I use the following third-party services to run my practice. These are contractually bound to handle your data only on my instructions and to protect it.
- Email service provider: for email correspondence. Email content may be stored on the provider's servers.
- Website hosting and form processing service: for hosting my website and capturing contact form submissions.
- Accounting records: I keep accounting records on paper or locally. I do not use a third-party cloud accounting service.
- Video calling service: for online counselling sessions, when agreed with the client. I do not record sessions.
- My UK mobile network provider: for text messages.
Legal and regulatory disclosures
I may have to disclose information to specific third parties without your consent in the following circumstances:
- If a court of law or other lawful authority compels me to do so
- If I am required to safeguard a child or vulnerable adult from serious harm
- If there is a serious and credible risk of harm to you or to another person
- If I become aware of certain very serious crimes (such as terrorism or money laundering) which the law requires me to report
Wherever possible and safe, I will discuss any such disclosure with you before it is made.
International transfers
Some of the service providers above may store data on servers outside the UK, including in the United States. Where this is the case, the providers rely on UK adequacy regulations or Standard Contractual Clauses to protect your data. The UK government has confirmed that the EU is an "adequate" jurisdiction for data transfers; for the United States, providers rely on the UK Extension to the EU-US Data Privacy Framework.
6. How I keep your data secure
I take the security of your data very seriously. The specific measures I take include:
- Paper records (signed therapy agreements, session notes) are kept in a locked cabinet to which only I have access.
- Your contact details are kept separately from your session notes, so that one cannot easily be linked to the other.
- Digital records are stored on encrypted devices protected by strong, unique passwords.
- Email is sent via a mainstream email service that provides encryption in transit. I avoid sending sensitive personal information by email where possible.
- Devices are locked when unattended and protected by automatic screen locks.
- I do not store payment card details on my own systems. Payments are processed via bank transfer.
- I have a clinical will arrangement so that, in the event of my unexpected incapacity or death, your records will be securely managed by a trusted colleague who is also a BACP-registered counsellor.
7. Confidentiality and its limits
Everything you tell me in counselling is treated as confidential. This is a core principle of the BACP Ethical Framework which I follow.
However, confidentiality is not absolute. I will need to break confidentiality and disclose information without your consent in these specific circumstances:
- Where you tell me, or I form a reasonable belief, that a child or vulnerable adult is being abused or is at risk of serious harm
- Where you express an intent to seriously harm yourself or another identified person
- Where I am compelled to disclose information by a court order or other legal authority
- Where the law requires me to report certain offences (for example, suspected terrorism or money laundering)
If I need to break confidentiality, I will, where it is safe and appropriate, discuss this with you first. I will only share what is necessary, with the appropriate authorities, and not more.
We will discuss confidentiality in more depth, including any individual factors relevant to your circumstances, before we begin therapy. The therapy agreement we both sign will set out the confidentiality position in writing.
8. Website and analytics
Contact form
If you submit the contact form on this website, your name, email address, phone number (if you provide one), and message are sent to my email inbox via a third-party form processing service. The data is stored briefly with that service and in my email inbox. It is used only to respond to your enquiry.
Analytics
This website uses a simple, first-party analytics system that records anonymous information about how visitors use the site. Specifically:
- Pages visited and timestamps
- Buttons and links clicked (e.g. "Book a free 20 minute call")
- Browser family (Chrome, Safari, Firefox, etc.)
- Device type (desktop, mobile, tablet)
- Country of origin (country level only, derived from your network connection)
- A randomly generated session identifier, stored only for the duration of your browser tab and discarded when you close the tab
The system does not use cookies, does not store IP addresses, and does not collect any personal information. The data cannot be linked back to you as an individual. The analytics data is held with my hosting provider and is accessible only to me through a private, password-protected interface.
This processing relies on legitimate interests (Article 6(1)(f) UK GDPR) as the lawful basis. The interest is understanding how visitors use the site so that I can improve it. Because no cookies are used and no personal data is stored, I assess the impact on your privacy as minimal.
Cookies
This website does not set any tracking or advertising cookies. The only browser storage used is sessionStorage for the analytics session ID described above, which is automatically cleared when you close the tab.
External links
This website contains links to external sites (the BACP, Counselling Directory, Protectivity, MOE Foundation, Trauma Informed UK, and my social media profiles on Facebook, Instagram and LinkedIn). When you follow these links, the destination sites have their own privacy practices, which I am not responsible for. I encourage you to read their privacy notices.
9. Your rights
Under UK GDPR you have the following rights in relation to your personal data:
- Right to be informed: to know what data I hold about you and how I use it. This notice provides that information.
- Right of access: to ask for a copy of the personal data I hold about you (a "subject access request"). I will respond within one month.
- Right to rectification: to ask me to correct inaccurate or incomplete data.
- Right to erasure: to ask me to delete your data ("right to be forgotten"). This right is not absolute and may not apply where I have a legal obligation or legitimate clinical reason to retain records (for example, the 6-year BACP retention period).
- Right to restrict processing: to ask me to limit how I use your data in some circumstances.
- Right to data portability: to receive your data in a structured, machine-readable format and have it transferred to another organisation, where the processing is based on consent or contract.
- Right to object: to object to my processing of your data on the basis of legitimate interests.
- Rights related to automated decision-making: not relevant in this practice as I do not use any automated decision-making or profiling.
To exercise any of these rights, contact me using the details in section 12. I will not charge a fee unless your request is manifestly unfounded or excessive (for example, repetitive). I will respond within one calendar month.
10. How to make a complaint
If you have a concern about how I have handled your personal data, please contact me first using the details in section 12. I take all complaints seriously and will acknowledge yours within 30 days, keep you informed of progress, and respond without undue delay.
If you are not satisfied with my response, or if you would prefer not to contact me directly, you can complain to the Information Commissioner's Office (ICO), which is the UK's independent regulator for data protection.
If your concern relates to my professional conduct as a counsellor (rather than data protection specifically), you can contact the British Association for Counselling and Psychotherapy (BACP) at bacp.co.uk.
11. Changes to this notice
I may update this privacy notice from time to time, for example to reflect changes in the law or in my practice. The "Last updated" date at the top of the notice will reflect the most recent change.
If I make material changes that affect existing clients, I will notify you directly by email or in our next session.
12. Contact me
For any question about this notice, your data, or to exercise any of your rights, please contact me:
I am happy to discuss any aspect of how I handle your data and welcome any feedback that helps me to improve.