Privacy and Data Protection Policy

ICO Registration Reference: ZB300039
Last updated: May 2025

Introduction

Your privacy is very important to me. You can be confident that your personal information will be kept safe, secure, and only used for the purpose for which it was provided. I adhere to current data protection legislation, including the General Data Protection Regulation (EU/2016/679) (GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

This privacy policy outlines:

  • What personal data I collect and why

  • The lawful basis for processing your information

  • How your data is stored and for how long

  • Who else might access your data

  • Your data protection rights

  • How to contact me with any concerns or complaints

I am the data controller responsible for your personal data. If you have any questions, please get in touch via the contact details at the end of this policy.

Lawful Basis for Processing Your Personal Data

Under GDPR, I must have a lawful basis to process your personal data. The basis will depend on the nature of our interaction:

  • If you are enquiring about therapy/supervision: I will process your data on the lawful basis of contract (taking steps at your request before entering into a contract) to respond to your enquiry and manage initial communication.

  • If you are currently accessing therapy/supervision or coaching with me: I will process your data as necessary for the performance of a contract.

  • If therapy/supervision has ended: I rely on legitimate interest to retain your data for legal or regulatory purposes.

Special Category Data

If you disclose sensitive information (e.g., mental health), this is classed as special category personal data. In addition to the lawful basis above, I rely on the following conditions for processing special category data:

  • Provision of health treatment (i.e., therapy/counselling), and

  • Necessity for a contract with a health professional, and

  • Your explicit consent to provide therapy or supervision services.

How I Use and Store Your Information

Initial Contact

When you contact me via my website, email or other means:

  • I collect your name, email, phone number, and a brief description of your enquiry.

  • If someone contacts me on your behalf (e.g., GP, manager, family), I may receive your information from them.

  • If you decide not to proceed, your information will be deleted within 12 months or sooner upon request.

During Therapy or Supervision

  • I collect additional details including your address (for online/phone sessions), emergency contact, GP information, and relevant health data (e.g., medications).

  • Everything shared during sessions is confidential. Confidentiality is only breached under serious safeguarding circumstances (e.g., risk of harm to self/others), and I will try to discuss this with you first, unless legally prevented.

Data Storage & Retention

  • Session notes are brief, contain no direct identifiers (name, date of birth, contact details), and are securely stored in a locked filing cabinet or a password-protected electronic system.

  • Your personal data (e.g., name, DOB) is stored separately from session notes.

  • Text messages are retained for no more than 90 days; emails for up to 12 months unless clinically relevant.

  • Client information forms are shredded within 6 months of therapy ending.

  • Contracts and records are kept securely for up to 7 years, in line with professional indemnity requirements, and then deleted.

Third Party Recipients of Data

I do not share your information with any third parties unless:

  • You have given informed written consent (e.g., employer/EAP-funded therapy).

  • It is required by law or a court order.

  • It is necessary to protect a person from serious harm.

If I contract third parties (e.g., payment processors, IT services), I ensure:

  • They are GDPR-compliant.

  • A data processing agreement is in place.

  • They only use your data for the specific task they've been contracted for.

Examples of Third Parties:

  • Stripe, Inc. – I use Stripe to process online payments. Stripe may collect and process your payment-related information, including credit card details, billing addresses, and transactional data. This information is used to facilitate your payment, prevent fraud, and ensure the security of your transaction. For a detailed explanation of Stripe's data privacy practices, please visit their privacy policy: https://stripe.com/privacy.

  • Microsoft Cloud Services – used for secure data storage.

  • Zoom – used for online therapy/supervision sessions.

Please note: While I use secure platforms, I cannot guarantee 100% security for online or telephone sessions.

Visitors to My Website

I use legitimate interest to collect limited data from website visitors (e.g., form submissions). This data is temporarily held by the hosting provider before being delivered to my secure email system and treated in line with this policy.

Your Data Protection Rights

Under GDPR, you have the right to:

  • Request access to the personal data I hold about you.

  • Request correction of inaccurate or incomplete data.

  • Request erasure of your data (in certain circumstances).

  • Object to or restrict the processing of your data.

  • Request transfer of your data to another service provider.

To make any of these requests, please email: hello@kimcouttsarttherapy.co.uk or use the contact form at www.kimcouttsarttherapy.co.uk.

If I hold information about you, I will:

  • Provide a description of the data and its source.

  • Explain why I’m holding it, how long for, and who it could be shared with.

  • Provide a copy in an intelligible format.

Complaints and Contact Information

If you have any concerns about how I manage your data:

  • Please contact me directly via email: hello@kimcouttsarttherapy.co.uk

  • I welcome suggestions for improving my data protection practices.

If you are not satisfied, you can contact the Information Commissioner’s Office (ICO):
https://ico.org.uk/make-a-complaint

Data Security

I take data security seriously:

  • Data is stored using encrypted and password-protected systems.

  • Paper records are kept in locked filing cabinets.

  • I regularly review security practices to ensure continued compliance.