Privacy

Privacy Notice

Last updated: 7 May 2026
Version: 1.0

Your privacy is very important to me. This notice explains, in plain language, what personal information I collect about you, why, how I keep it safe, and what your rights are.

I adhere to current data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations 2003. I also adhere to the ethical guidelines on confidentiality and record-keeping set by the British Association for Counselling and Psychotherapy (BACP).

1. Who is responsible for your data

Under data protection law, the "data controller" is the person or organisation that decides why and how your personal information is used. For this counselling practice, the data controller is me personally.

Controller: Alison Swindin, trading as Step by Step Counselling

Postal address: Available on written request. To exercise any of your rights under UK GDPR (such as requesting access to your data or its deletion), please email or call the contact details above and a postal address will be provided.

Email: [email protected]

Phone: 07459 036603

ICO registration number: ZB564131

BACP membership number: 401434

2. What data I collect

The information I hold depends on the stage of our relationship. The table below summarises this.

Stage Information collected
Initial enquiry (phone, email, contact form) Your name, contact details (phone, email), and the content of your initial message about why you are looking for counselling.
If we agree to work together Date of birth, GP details (if relevant), emergency contact, any health information you choose to share, and a signed therapy agreement.
During counselling Brief session notes (kept separately from your contact details), records of session attendance and dates, and any messages or emails relating to appointments.
Payment Records of fees paid, dates, and payment method (but not card details, which I do not store).
After counselling ends Closed records held in line with BACP retention guidance (see section 4).

Counselling involves discussing personal and sensitive information. Under UK GDPR, this is treated as special category data (data about your physical or mental health), which has extra legal protections.

3. My lawful basis for using your data

UK GDPR requires me to identify a lawful basis for using your personal data. The basis depends on what I am doing with your data and at what stage.

Activity Lawful basis (Article 6) Special category basis (Article 9)
Responding to your initial enquiry Article 6(1)(b): steps taken at your request prior to entering a contract Not applicable at this stage unless you choose to share health information
Providing counselling sessions Article 6(1)(b): performance of our therapy contract Article 9(2)(h): provision of health treatment by a professional bound by an obligation of confidentiality
Keeping records after therapy ends Article 6(1)(f): legitimate interests (defending against potential complaints, complying with BACP ethical framework, providing continuity of care if you return) Article 9(2)(h): provision of health treatment
Financial and tax records Article 6(1)(c): legal obligation (HMRC requires retention of tax records for 6 years) Not applicable
Website analytics Article 6(1)(f): legitimate interests (understanding how visitors use the site to improve it) Not applicable

4. How long I keep your data

I keep different types of data for different lengths of time, depending on what the data is for and what the law and BACP guidance require.

Type of data Retention period
Initial enquiry where you don't proceed to counselling Deleted within 3 months of last contact, or sooner on request
Therapy session notes (adults) 6 years after the end of therapy, in line with BACP good practice and the standard limitation period for personal injury claims
Therapy session notes (clients under 18) Until the client reaches age 25, in line with BACP guidance
Contact details (kept separately from notes) 6 years after the end of therapy
Financial and tax records (invoices, payment logs) 6 years after the end of the tax year (HMRC requirement)
Text messages and emails about appointments Deleted within 1 month of the appointment unless they contain clinically relevant information
Website contact form submissions Held by my website form processor until I respond to your enquiry, then deleted from the inbox within 3 months unless you become a client
Website analytics Up to 12 months, then automatically deleted

After the retention period, your records are securely destroyed (paper records shredded, digital records permanently deleted).

5. Who I share your data with

I do not sell or rent your data, and I do not share it for marketing. I only share information in the following limited circumstances.

Clinical supervision

BACP requires me to attend regular clinical supervision to maintain the quality of my work. In supervision I may discuss aspects of our work, but I do not identify you by name or share details that could identify you. My supervisor is also a BACP-registered counsellor and is bound by the same confidentiality obligations.

Service providers (data processors)

I use the following third-party services to run my practice. These are contractually bound to handle your data only on my instructions and to protect it.

Legal and regulatory disclosures

I may have to disclose information to specific third parties without your consent in the following circumstances:

Wherever possible and safe, I will discuss any such disclosure with you before it is made.

International transfers

Some of the service providers above may store data on servers outside the UK, including in the United States. Where this is the case, the providers rely on UK adequacy regulations or Standard Contractual Clauses to protect your data. The UK government has confirmed that the EU is an "adequate" jurisdiction for data transfers; for the United States, providers rely on the UK Extension to the EU-US Data Privacy Framework.

6. How I keep your data secure

I take the security of your data very seriously. The specific measures I take include:

7. Confidentiality and its limits

Everything you tell me in counselling is treated as confidential. This is a core principle of the BACP Ethical Framework which I follow.

However, confidentiality is not absolute. I will need to break confidentiality and disclose information without your consent in these specific circumstances:

If I need to break confidentiality, I will, where it is safe and appropriate, discuss this with you first. I will only share what is necessary, with the appropriate authorities, and not more.

We will discuss confidentiality in more depth, including any individual factors relevant to your circumstances, before we begin therapy. The therapy agreement we both sign will set out the confidentiality position in writing.

8. Website and analytics

Contact form

If you submit the contact form on this website, your name, email address, phone number (if you provide one), and message are sent to my email inbox via a third-party form processing service. The data is stored briefly with that service and in my email inbox. It is used only to respond to your enquiry.

Analytics

This website uses a simple, first-party analytics system that records anonymous information about how visitors use the site. Specifically:

The system does not use cookies, does not store IP addresses, and does not collect any personal information. The data cannot be linked back to you as an individual. The analytics data is held with my hosting provider and is accessible only to me through a private, password-protected interface.

This processing relies on legitimate interests (Article 6(1)(f) UK GDPR) as the lawful basis. The interest is understanding how visitors use the site so that I can improve it. Because no cookies are used and no personal data is stored, I assess the impact on your privacy as minimal.

Cookies

This website does not set any tracking or advertising cookies. The only browser storage used is sessionStorage for the analytics session ID described above, which is automatically cleared when you close the tab.

External links

This website contains links to external sites (the BACP, Counselling Directory, Protectivity, MOE Foundation, Trauma Informed UK, and my social media profiles on Facebook, Instagram and LinkedIn). When you follow these links, the destination sites have their own privacy practices, which I am not responsible for. I encourage you to read their privacy notices.

9. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

To exercise any of these rights, contact me using the details in section 12. I will not charge a fee unless your request is manifestly unfounded or excessive (for example, repetitive). I will respond within one calendar month.

10. How to make a complaint

If you have a concern about how I have handled your personal data, please contact me first using the details in section 12. I take all complaints seriously and will acknowledge yours within 30 days, keep you informed of progress, and respond without undue delay.

If you are not satisfied with my response, or if you would prefer not to contact me directly, you can complain to the Information Commissioner's Office (ICO), which is the UK's independent regulator for data protection.

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk/make-a-complaint

If your concern relates to my professional conduct as a counsellor (rather than data protection specifically), you can contact the British Association for Counselling and Psychotherapy (BACP) at bacp.co.uk.

11. Changes to this notice

I may update this privacy notice from time to time, for example to reflect changes in the law or in my practice. The "Last updated" date at the top of the notice will reflect the most recent change.

If I make material changes that affect existing clients, I will notify you directly by email or in our next session.

12. Contact me

For any question about this notice, your data, or to exercise any of your rights, please contact me:

Email: [email protected]

Phone: 07459 036603

Postal: Available on written request

I am happy to discuss any aspect of how I handle your data and welcome any feedback that helps me to improve.

Back to home