Privacy policy

General Data Protection Regulation

2018 Privacy Notice incorporating the UK Data (Use and Access) Act 2025

This privacy notice explains how Mindful Consultancy Ltd (“the Company”) processes data to comply with the General Data Protection Regulation (GDPR) 2018. The Company is a Data Controller registered with the Information Commissioner’s Office under reference ZA552004.

The Company is committed to protecting your personal data and collecting only necessary data, processing it in a fair, lawful and transparent manner, keeping it no longer than necessary, and thereafter securely destroying it.

The Company has implemented appropriate physical and procedural measures to protect your personal data from improper access, use, alteration, destruction and loss.

The lawful basis under which the Company processes personal data is called Contract for active clients. You are entering into an agreement for the supply of a service – counselling – and, as a representative of the Company, a counsellor processes your data in order to either provide that service or determine if the service is appropriate.

Some of the information you may disclose is considered Special Category Data. This is sensitive information that might include data about, for example, your health, mental health, sexual orientation, religious, cultural and political beliefs. The Company takes extra care with such information. The lawful basis under which the Company processes Special Category Data is that it is providing a health and/or social care service.

The Company will never sell or share your personal data with other organisations for marketing, promotional, sales or other purposes. It does not use any form of automated profiling or decision-making.

Once therapy ends, the lawful basis switches to Legitimate Interests. This allows the Company to safely retain records for a set period as outlined below.

Data processing is carried out in alignment with the BACP Ethical Framework for the Counselling Professions.

Enquiries That Do Not Convert

If a counsellor is contacted by an individual via the website contact form, but that individual does not proceed to therapy, the counsellor will securely delete their email address and name within 3 months.

What Information Is Collected?

In addition to contact details, a counsellor keeps notes about counselling sessions, which may include sensitive information that has been disclosed. A counsellor may also keep a record of creative work used or produced during a session.

Where Is This Information Kept?

Client contracts and all session notes are stored in a locked filing cabinet. Material from sessions is stored in a way that is not personally identifiable.

Telephone numbers are stored under initials only on a mobile phone secured with a PIN number. Email correspondence is accessed through password-protected accounts, and all computers used are secured with a password.

Who Is This Information Shared With?

Counsellors have regular supervision with supervisors in accordance with BACP guidelines. These are the only people with whom they discuss their work in the normal course of business.

Supervisors are bound by the same terms of confidentiality. Clients are identified by first name only.

In the event of a counsellor becoming incapacitated in some way, a supervisor is able to access only the contact details of clients.

Data may also be shared:

• Where you have given consent, such as when a referring agency is involved and a certain level of reporting has been agreed at the outset.
• Where a counsellor is obliged to break confidentiality because life or safety is seriously threatened (in which case your doctor may be informed with or without your consent).
• Where disclosure is required by law.

How Long Are Records Kept?

Personal data is kept for 7 years from the date of the last counselling session. This is a requirement of the Company’s professional insurers and may also be useful if a client returns to counselling.

After 7 years, documents are securely destroyed by shredding.

What Are Your Rights?

You can:

• Request access to a copy of the personal data held about you.
• Ask for any inaccurate or incomplete personal data held about you to be corrected or completed.
• Ask for your personal data to be deleted where it is no longer necessary for it to be used.
• Ask a counsellor to provide you or a third party with some of the personal data held about you in a commonly used format so it can be easily transferred.
• Ask a counsellor to restrict the use of your personal data where you have requested its erasure or objected to its use.

Please note that some of these rights only apply in certain circumstances, and the Company may not be able to fulfil every request. Searches must be reasonable and proportionate under the DUAA framework.

Please contact a counsellor if you wish to exercise any of these rights or discuss any aspect of these privacy practices.

Personal Data Complaints Procedure

If you have any concerns or wish to raise a complaint about how the Company handles your personal data, in line with the UK Data (Use and Access) Act 2025 (DUAA), please contact me directly at paulsmiththerapy20@gmail.com in the first instance.

I will formally acknowledge your complaint within 30 days, investigate it without undue delay, and keep you informed of the outcome. The 30-day period begins only after I have received any necessary clarifications or proof of identity.

If you remain dissatisfied following my response, you retain the right to escalate your complaint to the Information Commissioner's Office (ICO).

Clinical Will Arrangements

In the event of a counsellor’s sudden death or incapacitation, a trusted Clinical Trustee, who is also an employee or director of the Company and an accredited counsellor, will be granted minimal, secure access to client contact details in order to safely notify or transition clients.