GDPR/ Privacy

PRIVACY & GDPR/ DUAA

______________________________

 

Are our discussions in hypnotherapy sessions confidential?

Yes, absolutely.  The only time I would share any information that we have discussed is when I need support from my supervisor, or I believe you are about to harm yourself or someone else.

 

What if I see you outside of a hypnotherapy session?

I will not approach you, to maintain confidentiality.  If you choose to approach me then that is up to you!  You choose how to interact – or not – with me if we see each other outside of our sessions. 

 

Will you discuss information about me with other health and social care professionals?

Only with your written consent.

 

What information do you collect?

I may collect:

  • Identity Data – name, date of birth, gender, information shared during consultations.
  • Contact Data – email address, phone number, postal address.
  • Health & Lifestyle Data – relevant background information for therapy (only with your explicit consent).
  • Financial Data – payment details (processed securely by our payment provider; we do not store card numbers).
  • Technical Data – IP address, browser type, operating system, website usage.
  • Marketing Preferences – your choices for receiving updates from us.
    Directly from you via forms, calls, emails, or in person.
  • Automatically via cookies and similar technologies.
  • From third parties such as booking systems or payment processors (if you have consented).

 

Why are you collecting my information?

I need to have as complete a picture as possible in order to help you, support you and be able to contact you or (with your consent) other health or social care providers.  The questions I ask in our initial consultation are designed to achieve this.

I then use/ process your data to:

  • deliver hypnotherapy services (including via online meeting providers, where requested by you);
  • manage bookings, services, payments, and client records.
  • communicate with you about sessions, updates, and services.
  • comply with legal obligations.
  • send marketing (only with your consent).

For the purposes of the GDPR, I use your information on the following bases:: consent, contractual necessity, legal obligation, or legitimate interest.

Any health-related information that you provide to me is only processed with your explicit written consent and is stored securely.
I may provide your personal data to suppliers and service providers (for example online meeting providers) who provide certain business services for me and act as “processors” of your personal data on our behalf. In addition, we may disclose your personal data if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to protect the rights, property, or safety, of you or others. 

In some cases, your personal data may, for the purposes set out above, be transferred outside the European Economic Area (EEA) and such destinations may not have laws which protect your personal data to the same extent as in the EEA. I am required by data protection law to ensure that where we or our “processors” transfer your personal data outside of the EEA, it is treated securely and is protected against unauthorised access, loss or destruction, unlawful processing and any processing which is inconsistent with the purposes set out in this Privacy Policy.

 

How will you store my information?

I will hold it safely and securely, in line with the General Data Protection Regulations (GDPR) and the Data Uses and Accesses Act (DUAA).  Anything on my phone or laptop – like emails, text messages etc – is password protected.  Any paper records – like your signed consent form or my session notes – will be in locked, fireproof storage that only I can access.

 

How long will you hold my information for?

Therapy records are kept for at least 8 years after our last interaction. For children, I will store records until they turn 26.

 

 

What if I would like you to destroy my information before this date?

Due to the sensitive nature of the work I (and other therapists) do, my insurance company and associations do not allow me to delete or destroy therapy records before the minimum time it must be held for.   However you can: 

  • request access to your data.
  • ask me to correct inaccuracies.
  • request deletion (where legally possible).
  • restrict or object to certain processing.
  • withdraw consent at any time.

 

Am I able to see or get a copy of my information held by you?

Yes, within 30 days of you asking for it.  This is in line with the GDPR.

 

General


I may update this policy from time to time. Changes will be posted here with a new “last updated” date.

By using our website or services, you agree to the terms of this policy.

If you have concerns about how your personal information has been used you can complete and return the Privacy Complaint Form via the website and/ or complain to the ICO: www.ico.org.uk

I am the data controller.  I am registered with the ICO with number ZB899548.

 

Last updated: 6 July 2026