Privacy policy.
Updated: 2nd August 2025
Controller: Samantha Devlin (Sole trader)
Contact: Contact me | Worthing, West Sussex, UK
1. What personal data I collect and why
I collect and store personal data for the following purposes:
Contact details: Name, email, phone number, so I can respond and schedule appointments.
Appointment & billing data: Dates, fees, notes, to manage sessions and payments.
Clinical information: Presenting issues, coping strategies, session notes, which are essential for providing care.
Online communications: Emails, Zoom/Teams logs, only as needed for your therapy.
Legal basis for processing:
Your data is processed under Article 6 GDPR ("contract" – to deliver agreed therapy) and Article 9 ("special category data" – client notes and clinical info), under professional and safeguarding obligations under the Data Protection Act 2018.
2. How I use and protect your data
Client info and session records are stored securely and access is restricted to me only.
Electronic data (e.g., notes, emails) is stored in a password-protected system or encrypted files.
Hard copy notes are locked in a secure cabinet or shredded securely after the retention period.
Teletherapy sessions using Zoom are password-protected and comply with privacy guidance.
3. Data retention & deletion
I do not keep personal data longer than necessary:
Clinical notes & session records: Retained for 5 years following therapy ending.
Contact and admin data: Usually deleted after 2 years, unless longer contact is clinically or contractually needed.
At the end of the retention period, your data is securely destroyed.
4. Data sharing
No data will be shared with third parties except:
If required by law (e.g., court order, safeguarding concern).
For professional supervision (ensuring confidentiality) or to collaborate with accountants for bookkeeping, with client identity anonymised where possible.
5. Your rights under GDPR
You have the following rights:
Access: Request a copy of the data I hold about you.
Rectification: Ask to correct inaccurate or incomplete data.
Erasure: Request deletion of your data (unless legal obligations require retention).
Restriction or objection to certain processing.
Choose not to consent: If processing was based on consent, you can withdraw it.
To exercise any of these rights, contact me via email. I will respond within one month or let you know if I need more time.
6. ICO registration & accountability
I am registered with the Information Commissioner’s Office (ICO) and pay the required annual fee.
I follow professional guidance on GDPR from BACP and UK regulatory bodies.
7. Complaints and breach notifications
In the event of a data breach that risks your rights, I will inform you within 72 hours and report to the ICO if required.
You have the right to lodge a complaint directly with the ICO.
8. Using this site
This privacy information applies even if you do not go on to become a client. If you submit this form:
I will store your contact details (name/email) at your request to respond.
Cookies and analytics on the website may collect anonymous usage data.
9. Updates to this notice
This notice may be updated occasionally to remain compliant. The updated date above reflects the most recent review. Please review it periodically.