Privacy policy

Audrey Stephenson / Therapy Geek

This Privacy Policy explains how personal data is collected, used, stored, and protected in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the professional ethical frameworks of the British Association for Counselling and Psychotherapy (BACP), the UK Council for Psychotherapy (UKCP), CNHC, and relevant hypnotherapy registers.

Your privacy and confidentiality are of utmost importance. Personal data is handled lawfully, fairly, transparently, and securely at all times.

1. Data Controller

Audrey Stephenson is the Data Controller for personal data collected in the provision of psychotherapy, hypnotherapy, and coaching services.

Business address:
Audrey Stephenson / Therapy Geek
Newark Works
2 Foundry Way
South Quays
Bath
BA2 3DZ

Email: audrey@audreystephenson.co.uk

ICO Registration Reference: ZA885167

For data protection queries, please contact the Data Compliance Manager:
Christine Nielsen
christine@audreystephenson.co.uk

2. The Information Collected

Only data necessary for therapeutic, administrative, legal, and ethical purposes is collected.

2.1 Personal Identifying Information

  • Full name

  • Date of birth

  • Address

  • Email address

  • Telephone number

  • Emergency contact details

2.2 Special Category Data (Health Data)

As a psychotherapy and hypnotherapy practice, health data is processed under Article 9 UK GDPR. This may include:

  • Medical history relevant to therapy

  • Current medications

  • Alcohol and drug use

  • Mental health history

  • GP details

  • Therapy notes, assessments, and session records

2.3 Administrative and Financial Data

  • Appointment schedules

  • Invoicing history

  • Payment records

  • Correspondence

2.4 Website Data

The website is hosted by Squarespace. Data collected may include:

  • Cookies and analytics data

  • IP address

  • Contact form submissions

3. Lawful Basis for Processing

Personal data is processed under the following lawful bases:

Article 6 UK GDPR

  • 6(1)(b) – Processing necessary for the performance of a contract (providing therapy services)

  • 6(1)(c) – Compliance with legal obligations (e.g., safeguarding, tax requirements)

  • 6(1)(f) – Legitimate interests (practice administration and record-keeping), where these interests do not override your fundamental rights

Article 9 UK GDPR (Special Category Data)

  • 9(2)(h) – Provision of health or social care

  • 9(2)(a) – Explicit consent, where required (e.g., contacting your GP)

Providing certain personal data is necessary to enter into a therapeutic contract. Without essential information, therapy services may not be possible.

4. How Your Data Is Used

Personal data is used for:

  • Providing psychotherapy, hypnotherapy, and coaching services

  • Maintaining accurate clinical records

  • Communicating regarding appointments

  • Responding to enquiries

  • Processing payments

  • Safeguarding and risk management

  • Meeting legal, ethical, and professional obligations

Client data is never sold or used for marketing purposes.

5. Confidentiality and Its Limits

All information shared in therapy is treated as confidential in accordance with professional ethical frameworks.

Confidentiality may be breached only where there is:

  • Serious risk of harm to yourself or others

  • Safeguarding concerns involving a child or vulnerable adult

  • Disclosure of serious criminal activity

  • A court order or legal obligation

Where possible, you will be informed before confidentiality is breached unless doing so would increase risk.

Cases may be discussed anonymously in professional supervision. Supervisors are bound by confidentiality and data protection obligations.

6. Clinical Notes

Clinical notes are:

  • Factual and minimal

  • Kept separately from identifying information where possible

  • Maintained in line with BACP/UKCP professional standards

Paper notes are stored in a locked cabinet.

Any audio recordings or written transcripts are securely destroyed on the same day as the appointment unless otherwise agreed.

AI-Assisted Note Support (Plaud)

Plaud may be used to assist with note-taking for coaching and supervision clients. It is used solely to support brief note summaries and not for storing full transcripts.

Appropriate safeguards are in place, including:

  • Data processing agreements where required

  • No use of client data for AI model training

  • Secure deletion protocols

You may request that AI-assisted tools are not used in your sessions.

7. Secure Cloud Storage (Google Workspace)

Intake forms, assessment documents, and administrative records are stored using Google Workspace services under a business account.

A formal Data Processing Agreement (DPA) is in place with Google in accordance with Article 28 UK GDPR. Data is protected through:

  • Encryption in transit and at rest

  • Two-factor authentication (2FA) on authorised accounts

  • Access restricted solely to the Data Controller

  • Device-level security and password protection

  • Regular security monitoring and updates

Where personal data is processed outside the United Kingdom, appropriate safeguards are in place, including reliance on UK adequacy regulations or approved International Data Transfer Agreements (IDTAs), as applicable.

Google Workspace services are configured so that client data is not used for advertising purposes.

8. Third-Party Processors

The following third-party services are used:

  • Squarespace (Acuity Scheduling) – appointment booking and website hosting

  • Stripe – secure payment processing

  • Xero – accounting software

  • Zapier – secure data transfer automation between services

Data Processing Agreements are in place where required. Each provider is selected for appropriate security and GDPR compliance standards.

9. International Data Transfers

Some third-party providers may process personal data outside the United Kingdom.

Where this occurs, appropriate safeguards are in place, including:

  • UK adequacy regulations

  • UK International Data Transfer Agreements (IDTAs)

  • Standard contractual clauses where applicable

These safeguards ensure personal data receives a level of protection equivalent to UK data protection standards.

10. Data Retention

In accordance with professional guidance:

  • Adult client records are retained for 7 years after the end of therapy

  • Financial records are retained for 6 years for tax purposes

After the relevant retention period, data is securely destroyed.

11. Data Security

Security measures include:

  • Encrypted electronic systems

  • Password-protected devices

  • Two-factor authentication

  • Locked filing cabinets

  • Restricted access to personal data

  • Secure deletion procedures

In the event of a personal data breach, the ICO will be notified within 72 hours where legally required. Affected individuals will be informed where there is a high risk to their rights and freedoms.

12. Automated Decision-Making

No automated decision-making or profiling is carried out in relation to your personal data.

13. Your Rights Under UK GDPR

You have the right to:

  • Access your personal data

  • Rectify inaccurate or incomplete data

  • Request erasure (subject to legal and professional limitations)

  • Restrict processing

  • Object to processing

  • Data portability (where applicable)

  • Withdraw consent where processing is based on consent

Requests will be responded to within one month.

To exercise your rights, contact:
Christine Nielsen, Data Compliance Manager
christine@audreystephenson.co.uk

14. Complaints

If you have concerns about how your data is handled, please contact the Data Controller in the first instance.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline: 0303 123 1113
Website: https://www.ico.org.uk

