Privacy Notice
Date approved – January 2026
1. Introduction
This Privacy Notice explains how Room for Therapy collects, uses, stores and protects your personal data. It applies to all clients, prospective clients and website users.
Room for Therapy is a counselling and psychotherapy practice based in Scotland. We are registered with relevant professional bodies, including COSCA and BACP, and are committed to protecting your privacy and handling your data in an ethical, transparent and lawful way.
This notice is provided in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
2. Who we are
Room for Therapy is the Data Controller for the personal data we hold. Contact details:
Email: contact@roomfortherapy.co.uk
If you have any questions about this notice or how your data is handled, you can contact us using the details above.
3. What personal data we collect
We may collect and process the following categories of personal data:
• Contact details (such as name, email address and phone number);
• Emergency contact details (such as GP practice name and address or those of an alternative contact);
• Information provided when making an enquiry;
• Assessment information and clinical data shared during counselling;
• Session notes and records;
• Appointment, attendance and payment information;
• Correspondence (emails, messages or other communications).
This may include special category data, such as information about your mental health.
4. How we use your data
We use your personal data to:
• provide counselling and therapeutic services;
• communicate with you about appointments or changes to services;
• manage administration, invoicing and record keeping; and
• meet our ethical and legal obligations as a counselling practice.
We only use your data for purposes that are relevant to providing and managing our services.
5. Lawful basis for processing
Under UK GDPR, we must have a lawful basis to process your data. This includes:
• Consent - for example, where you consent to counselling and the creation of therapy records;
• Contract - where processing is necessary to provide counselling services;
• Legal obligation - where we are required by law to process data; and
• Vital interests - where processing is necessary to protect life.
For special category data, processing is additionally justified on the basis of providing health care alongside explicit consent.
6. Confidentiality and data sharing
Your personal data and therapy records are treated as confidential.
We will only share your data where:
• you have given your explicit consent;
• we are legally required to do so;
• there is a serious risk of harm to you or another person.
Where third-party services are used (such as secure digital systems), appropriate safeguards and agreements are in place.
7. Online and international therapy
We provide online counselling and may work with clients who are based outside the UK. Your data is primarily stored and processed within the UK. Where data is transferred or accessed internationally (for example, through secure online platforms), we take steps to ensure appropriate safeguards are in place in line with UK GDPR requirements.
We store and process personal data using Microsoft 365 services, which are configured to use data centres in the United Kingdom. However, because Microsoft operates globally to support its cloud services, some processing operations (such as system administration or backups) may occur outside the UK. Appropriate safeguards are in place in accordance with UK GDPR.
8. How long we keep your data
We keep personal data only for as long as necessary to meet legal, ethical and professional requirements.
Client records are typically retained for a period of 7 years after the end of therapy, in line with COSCA and BACP guidance, after which they are securely destroyed.
Full details are set out in our Record Retention Schedule, available on request.
9. Your rights
Under data protection law, you have the right to:
• access your personal data;
• request correction of inaccurate information;
• request erasure or restriction of processing (in certain circumstances);
• withdraw consent where processing is based on consent; and
• raise a concern with the Information Commissioner’s Office (“ICO”).
Requests can be made in writing using the contact details above.
10. Data security
We take reasonable and appropriate steps to protect your data, including secure digital systems, password protection and restricted access.
11. Changes to this notice
This Privacy Notice may be updated from time to time. The most recent version will always be available on request or via our website.