Privacy Policy
I am registered with the Information Commissioner's Office (ICO) under registration number ZB246428. If you have any questions about how I handle your personal data, please contact me at sam_therapycardiff [at] protonmail.com (the email above is shown with [at] in place of @ to reduce spam — please replace [at] with @ when emailing).
I collect and process the following types of personal data:
Contact information
Your name, address, telephone number, and email address
Emergency contact details
Therapy-related information
Details about why you are seeking therapy (presenting issues)
Information about your personal history relevant to our work together
Session notes recording our therapeutic discussions
Relevant medical history where this affects our work
Any risk assessments or safety plans
Administrative information
Appointment records
Financial records relating to payment for sessions
Communications between us (emails, telephone calls)
Website enquiries
Your name and contact details when you use my contact form
Special category data
Health and therapy-related information is classified as "special category data" under Article 9(1) of the UK GDPR. This includes information about your physical or mental health, and details of your therapeutic treatment. Special category data receives enhanced legal protection, and I take additional care to keep this information secure.
I collect personal data directly from you:
When you first contact me to enquire about therapy
During our initial consultation and intake process
Throughout our sessions together as part of the therapeutic work
Through emails, telephone calls, or video sessions
When you submit enquiries through my website contact form
I do not collect personal data about you from any other sources unless you specifically ask me to contact another professional (such as your GP) and provide your written consent for me to do so.
To process your personal data lawfully, I rely on the following legal bases under UK data protection law:
Article 6 basis (ordinary personal data)
Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us. When you engage me as your therapist, we enter into a contract for the provision of therapy services. I need to process your personal data to deliver those services effectively.
Article 9 basis (special category data)
Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional. As a qualified therapist providing therapeutic treatment, I am permitted to process special category health data as part of delivering your care.
The additional condition required under UK law is DPA 2018 Schedule 1, Part 1, paragraph 2 (health or social care). This processing is carried out by a qualified counsellor/psychotherapist subject to the professional obligation of confidentiality under the code of ethics and practice of BACP.
Professional obligations
I am required by BACP to attend regular clinical supervision as part of maintaining safe and effective practice. Supervision allows me to reflect on my therapeutic work with the support of an experienced qualified professional.
When I discuss our therapeutic work in supervision:
Any identifying details are NOT shared with my supervisor
I use anonymised or pseudonymised case material only
My clinical supervisor is a qualified professional bound by the same confidentiality obligations as I am
My supervisor is bound by their own professional code of ethics and practice
I take the confidentiality of your personal data seriously. The following parties may have access to your data:
Clinical supervisor
My clinical supervisor may hear anonymised case material only. They do not have access to identifying details.
Third-party service providers
I use the following third-party services which may process your data:
Microsoft Teams — for video therapy sessions
Each of these services is bound by a data processing agreement that requires them to protect your data in accordance with UK data protection law.
I never sell your personal data.
International data transfers
The following third-party services I use may transfer personal data outside the United Kingdom:
Microsoft Teams (Microsoft Corporation, USA)
Where data is transferred to the USA, I rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025. The USA does not currently have a UK adequacy decision.
Record retention periods:
Therapy records (including session notes and your therapy agreement) are retained for 7 years after our last session in line with the Limitation Act 1980 and standard professional indemnity insurance requirements.
Financial records are retained for 6 years; a legal requirement under HMRC rules.
Website enquiries (non-clients) are retained for 12 months; a legitimate interest in responding to enquiries.
After the applicable retention period ends, paper records are securely destroyed and electronic records are permanently deleted.
You have the following rights regarding your personal data:
Right to be informed You have the right to clear information about how I use your data. This privacy policy fulfils that right.
Right of access You can ask me for a copy of the personal data I hold about you. This is known as a "subject access request." Under the Data (Use and Access) Act 2025, I will conduct a reasonable and proportionate search for your data and respond within one month.
Right to rectification If any personal data I hold about you is inaccurate or incomplete, you can ask me to correct it.
Right to erasure You can ask me to delete your personal data in certain circumstances. However, this right is not absolute. I may need to retain your records until the end of the applicable retention period where required by professional guidelines, insurance requirements, or law.
Right to restrict processing You can ask me to limit how I use your data while a concern is being resolved.
Right to data portability You can ask me to provide your data in a format that allows you to transfer it to another service, where technically feasible.
Right to object You can object to certain types of processing, though this right is limited where processing is necessary for the performance of our contract.
Rights related to automated decision-making I do not use automated decision-making or profiling in my practice.
Confidentiality exceptions
Everything you share with me in therapy is confidential. However, there are limited circumstances where I may need to share information without your consent:
Risk of serious harm — if I believe you or someone else is at serious risk of harm, I may need to share information with appropriate services to help keep people safe
Safeguarding concerns — if I become aware of concerns about a child or vulnerable adult being harmed or at risk of harm, I have a duty to report this to the relevant authorities
Legal requirement — if a court orders me to disclose information, I am legally required to comply
Wherever possible, I will discuss any disclosure with you first, unless doing so would itself put someone at risk.
Cookie Policy
Cookies are small text files that websites place on your device when you visit them. They help websites remember your preferences and understand how visitors use the site. Most websites use cookies, and they are generally harmless.
I use cookies that are necessary for my website to function properly. Because these cookies are essential to the website's operation, they do not require your consent under UK law. I do not currently use analytics or statistical cookies on this website. I do not use advertising or tracking cookies on this website. I do not use third-party cookies beyond those essential for the website to function. While I offer online therapy sessions via Microsoft Teams, this service operates through its own platform and does not place cookies on my website.
Data protection complaints — your right under the Data (Use and Access) Act 2025
You have the right to make a data protection complaint directly to me. If you are concerned about how I have handled your personal data, please contact me:
email me at sam_therapycardiff [at] protonmail.com (the email above is shown with [at] in place of @ to reduce spam — please replace [at] with @ when emailing).
use the contact form below. You will receive an automatic acknowledgement email.
I take all complaints seriously and will respond as quickly as possible.
If you are not satisfied with my response, you have the right to escalate your complaint to the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Address: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
If you believe I have not handled your personal data in accordance with UK data protection law, you can submit a formal complaint using this form.
Your complaint will be acknowledged within 30 days as required by the Data (Use and Access) Act 2025. Your contact details will be used only to process this complaint and retained for 6 years in accordance with data protection law.