← Back to Home

Privacy Policy

Your privacy and confidentiality are fundamental to our therapeutic relationship

You & Therapy (trading name of Emily Duckworth, Sole Trader) is committed to protecting your privacy and ensuring the security of your personal information. This privacy policy explains how I collect, use, and protect your data in accordance with UK data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller: Emily Duckworth
ICO Registration: ZB948440
Contact: [email protected]

1. Information I Collect

In the course of providing counselling services, I may collect and process the following types of personal information:

1.1 Contact Information

  • Your name
  • Phone number (for WhatsApp and phone contact)
  • Email address
  • Preferred method of contact

1.2 Therapy-Related Information

  • Initial enquiry details
  • Assessment information
  • Session notes and records
  • Information about your mental health and wellbeing
  • Relevant medical history
  • Emergency contact details (where provided)

1.3 Administrative Information

  • Appointment dates and times
  • Payment records
  • Correspondence between us

2. How I Use Your Information

I process your personal information for the following purposes:

  • Providing counselling services: To deliver effective therapeutic support tailored to your needs
  • Communication: To respond to enquiries, schedule appointments, and maintain contact
  • Professional obligations: To comply with my ethical and legal obligations as a Member of the British Association for Counselling and Psychotherapy
  • Safeguarding: To protect you or others from harm where required by law
  • Administration: To manage appointments, payments, and maintain accurate records
  • Supervision: Anonymous case material may be discussed in professional supervision to ensure quality of service

3. Legal Basis for Processing

Counselling involves processing information about your health and wellbeing, which is "special category" data under UK GDPR. I therefore rely on a lawful basis under Article 6 and an additional condition under Article 9.

3.1 General personal data (Article 6)

  • Contract (Art 6(1)(b)): To provide the counselling service you have engaged me for, including arranging and delivering sessions
  • Consent (Art 6(1)(a)): For your initial enquiry and optional communications, which you may withdraw at any time
  • Legitimate interests (Art 6(1)(f)): For maintaining accurate records, service quality, and bringing or defending legal claims or complaints
  • Legal obligation (Art 6(1)(c)): Where the law requires me to process or disclose information (for example, tax records)
  • Vital interests (Art 6(1)(d)): In emergencies where there is a risk of serious harm

3.2 Special category (health) data (Article 9)

  • Provision of health and social care (Art 9(2)(h)): My main condition for keeping therapy and assessment records, processed by a practitioner bound by professional confidentiality
  • Vital interests (Art 9(2)(c)): Where you are unable to give consent and there is a risk of serious harm
  • Safeguarding (DPA 2018, Schedule 1, paragraph 18): Where processing is necessary to protect children or individuals at risk of harm
  • Legal claims (Art 9(2)(f)): Where needed to establish, exercise, or defend legal claims
  • Explicit consent (Art 9(2)(a)): For your initial enquiry, before a therapeutic contract is in place

I do not use your personal data for automated decision-making or profiling.

4. Data Retention

I retain your personal information in accordance with professional guidelines:

  • Adult client records: Retained for 7 years from the end of therapy
  • Records relating to children: Retained until the person's 25th birthday, or 7 years after therapy ends, whichever is longer
  • Financial records: Retained for 6 years as required by HMRC
  • Enquiries that don't proceed: Deleted after 1 year

After these periods, records are securely destroyed.

5. Third-Party Services

I use the following third-party services in my practice:

  • Cloudflare: Website hosting and content delivery
  • Plausible Analytics: Privacy-first website analytics (collects only anonymous, aggregate data with no cookies or personal data)
  • Gmail (Google): Email communications
  • WhatsApp (Meta): Used only to coordinate booking and administrative matters — not for clinical or therapeutic content
  • Google Meet (Google): Used to conduct online video sessions. Sessions are not recorded

These services have their own privacy policies and data protection measures. I only use services that provide adequate data protection standards.

5.1 Communicating with me

WhatsApp, SMS, and email are used for convenience and are not fully secure or confidential — the platforms that carry them (such as Meta and Google) may collect message metadata. Please use these channels only for booking and general enquiries, and avoid sharing detailed personal or clinical information through them. Anything you wish to discuss in confidence is best raised within your sessions.

6. Your Rights

Under UK data protection law, you have the following rights:

  • Right of access: Request a copy of the personal data I hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to restrict processing: Request that I limit how I use your data
  • Right to data portability: Request your data in a portable format
  • Right to object: Object to certain types of processing
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact me using the details provided below. I will respond to your request without undue delay and within one calendar month, free of charge.

7. Confidentiality and Professional Standards

As a registered member of BACP (MBACP #1023842), I adhere to the BACP Ethical Framework for the Counselling Professions. This means:

  • All information shared in therapy is treated as confidential
  • Confidentiality may only be broken in exceptional circumstances, such as:
    • Risk of serious harm to yourself or others
    • Legal requirements to disclose information
    • Safeguarding concerns involving children or vulnerable adults
  • Any limits to confidentiality will be discussed with you at the start of therapy
  • Case material may be discussed in supervision, but your identity will be protected

8. Data Security

I implement appropriate technical and organisational measures to protect your personal information, including:

  • Secure storage of paper records in locked filing systems
  • Password protection for all electronic devices and files
  • Encryption of sensitive electronic data
  • Regular review of security measures
  • Secure disposal of records when no longer required
  • Limited access to personal data on a need-to-know basis

In the event of a personal data breach, I will assess the risk to those affected, notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to your rights and freedoms, and inform you directly without undue delay where there is a high risk to you.

9. Website Analytics

My website uses Plausible Analytics, a privacy-first analytics service. This service:

  • Does not use cookies or any client-side storage
  • Does not track or identify individual visitors
  • Collects only anonymous, aggregate data (page views, referrers, browser types)

I do not use marketing cookies, tracking pixels, or any form of advertising technology on this website.

10. Children and Young People

When working with clients under 18, I will:

  • Obtain appropriate consent from parents or guardians where required
  • Explain confidentiality and its limits in age-appropriate ways
  • Follow specific safeguarding procedures for children and young people
  • Maintain records in accordance with child protection guidelines

11. International Transfers

Some of my third-party services (such as WhatsApp, Gmail, and Google Meet) may transfer data internationally. I only use services that provide appropriate safeguards for international data transfers in compliance with UK GDPR requirements.

12. Complaints

If you have concerns about how I handle your personal information, you have the right to complain. Please contact me first (by email or text message, marking your message "Data protection complaint") so I have the chance to put things right. When you raise a data protection complaint with me, I will:

  • Acknowledge it within 30 days of receiving it
  • Investigate it fairly and respond without undue delay, normally within one calendar month
  • Tell you when to expect a full response, and keep you updated, if my investigation needs longer

If your concern relates to professional conduct, you may also raise it with the BACP (British Association for Counselling and Psychotherapy) or the NCPS (National Counselling & Psychotherapy Society).

You have the right to complain to the Information Commissioner's Office (ICO) at any time, although I would welcome the opportunity to address your concerns first:

  • Online: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13. Changes to This Policy

I may update this privacy policy from time to time to reflect changes in my practices or legal requirements. Any significant changes will be communicated to current clients. The latest version will always be available on my website.

Contact Me About Privacy

If you have any questions about this privacy policy or how I handle your personal information, please contact:

Emily Duckworth
Email: [email protected]
Phone/WhatsApp: +44 7486 054975

As a registered data controller with the Information Commissioner's Office (ICO), registration number ZB948440, I am committed to protecting your privacy and handling your data responsibly.

Last updated: June 2026