Privacy Statement

Introduction

I take your privacy very seriously. This Privacy Statement describes what I do, and what I don’t do, with the personal information that I collect in the operation of my therapy practice and when you use this web site.

I will update this privacy policy from time to time by posting a new version on this website. Please check this web page periodically in order to ensure that you are familiar with any changes.

It is a legal requirement under the General Data Protection Regulation (GDPR) for me to make my data processing procedures clear to you.

I will be asking you to actively opt in and consent to these arrangements and the handling of your personal information.

I abide by the GDPR and the Data Protection Act 2018 and I, Davina Robertson, am the registered data controller and processor for my therapy practice. More information is available from the Information Commissioner’s Office (ICO) at https://ico.org.uk/

SECTION ONE: The personal data I collect, store and process in my psychotherapy practice

Why I collect personal data & information

I collect relevant personal information from clients to enable a working record of contact information, in case of emergencies and for the ongoing work. I do not share any of this information with anyone unless it is necessary to assist your well-being or the safety of others, in which case I will share the minimum necessary in order to mobilise the appropriate support for you. This would most likely be your GP but could be another service. I am also legally required to disclose personal information to the authorities if you are involved in serious crime.

What information do I collect, store and process?

Contact information. Personal information including age, health (mental and physical), gender, sexuality (if relevant to our work), domestic and financial arrangements (where relevant) and other special category data.

Notes on our sessions which give brief details of what the focus of our work is, how you are and perhaps anything I need to remember to revisit in a later session. I do not include any names or identifying information about anyone you might talk about in your sessions.

How is this information stored?

All client contact data, bookings, payment information and session notes are stored by my client management provider, Cliniko. Cliniko meet all the requirements and regulations of GDPR. Their servers are located outside the UK. I do not store any client data on my own computer system.

Any paper correspondence will be scanned and uploaded to my Cliniko system and the originals shredded.

I store your first name, sometimes an initial of your second name and your phone number(s) on a dedicated phone that I only use for my practice and which is protected in case of loss so that I can wipe all data with one call.

I store your email address and any email correspondence in my Protonmail secure email account which is end to end encrypted. You can read about this here https://protonmail.com

What about data transfers to Cliniko?

All data is transmitted and stored securely using end to end encryption. You can read more about their data security at https://www.cliniko.com/security/

Who do you share my personal information with? Limits of confidentiality.

We will agree to work with the following limits of confidentiality when we start to work together.

I do not share any of your personal information with anyone else unless one of the following situations occurs:

  1. I am concerned about a serious risk to your safety or someone else’s safety in which case I will seek appropriate support for you or for them. To do this I will share the minimum amount of information necessary with a medical or other professional. I will always seek to discuss this with you beforehand where at all possible.

  2. There are some requirements under the law to do with serious crime where I would have to share information with the authorities.

  3. A court of law can require me to show my records of our sessions together. This is a rare occurrence.

How long will you keep my data?

I am required to keep the records of our sessions for 7 years. After that time has elapsed all trace of your data will be erased from Cliniko’s system. If Cliniko stops trading they will give me the opportunity to move my records to another suitably secure provider and I will update this statement to reflect that fact.

When I stop working with you, I will delete your name, phone number and email address from my email and phone systems.

What if something happens to my therapist?

If anything happens to me that prevents me from attending your session and from communication with you directly—such as illness or death—then I have appointed an experienced colleague to act as my Therapeutic Executor and they would be able to access your contact details and inform you if this were to occur.

Using video meeting software

For video sessions I will use one of the following:

Cliniko’s telehealth (cliniko.com). This is also my practice management system referred to above.

V-See telehealth (vsee.com). I only use the video meetings at V-See so none of your data is stored here.

Zoom meetings (zoom.us). There is security information on their website. We may agree to use Zoom if there are compatibility or technical issues with the above services. None of your data is stored at Zoom.

All video calls are secured and meet strict privacy and security standards.  No content is stored anywhere. All features meet GDPR regulation standards. I do not record our meetings and request that you do not record them either.

Using email for sessions or otherwise

General email services are not secure. I use Protonmail as they use ‘end to end’ encryption for security. If we are to engage using email, I encourage you to set up a Protonmail or similarly secure email account. Protonmail is free of charge and is very easy to install and use. If you choose to email me from an insecure email address you may like to protect your privacy by limiting your content.

Using telephone for sessions

For phone sessions I use Signal encrypted phone calls or I can use WhatsApp encrypted calls if you prefer. They both use end-to-end encryption, but WhatsApp does collect information about its users whilst Signal does not. If we are to engage using phone calls, I encourage you to set up a Signal account yourself. This is free of charge and straightforward to install and use and will give us the maximum security and privacy options.

WhatsApp privacy policy.  Signal privacy policy.

Payment systems

For payment transactions I use BACS bank transfers or Stripe, an approved third-party payment processing service. I do not store your financial details anywhere on my website or on any physical documentation and neither does my practice management service, Cliniko.  Visit https://stripe.com/en-gb/privacy for details of their privacy policy. Your privacy within the BACS system and Stripe payment system is beyond my control. You may wish to check out their security arrangements on their websites.

Social Media

I do not engage with my clients, past or present, on social media. I do use social media for promoting my business and networking with colleagues. I will never share anything about our sessions together on social media. My intention in posting articles and mental health information is not to provide therapy by social media but to provide some support for people who might be considering seeking counselling or therapy, or other services, from me or other practitioners.

SECTION TWO: The personal data I collect, store and process on my website and on other online apps

This website is hosted by Squarespace. Squarespace collects personal data when you visit this website, including:

  • Information about your browser, network and device

  • Web pages you visited prior to coming to this website

  • Web pages you view while on this website

  • Your IP address

Squarespace needs the data to run this website, and to protect and improve its platform and services. Squarespace analyses the data in a de-personalised form.

Use of Cookies

This website uses cookies and similar technologies, which are small files or pieces of text that download to a device when a visitor accesses a website or app. For information about viewing the cookies dropped on your device, visit The cookies Squarespace uses.

Enquiring: You will need to provide contact information to me if you choose to submit a question or request to me via email or by using my “contact me” form. The information that you will need to provide will include a name, and an email address;

Subscribing: You will need to provide contact information to me if you choose to receive updates and information periodically. This contact information will include a first name and either an email address, or a username for a particular social networking service (e.g. Twitter, Facebook, LinkedIn, etc.);

Commenting: You will need to provide contact information to me if you choose to make a comment in relation to any content. This contact information will include your name, contact details – including email address – and (if they can be used to identify you) the views which you choose to express. Additionally, you may choose to submit personal information in the form of a small photograph, Avatar or Gravatar;

Signing up for my email list: My website provides you with the opportunity to opt-in for receiving marketing communications from me. All email sent from my organisation will clearly state who the email is from and provide clear information on how to contact me. There will also be clear information on how to remove yourself from a mailing list so that you will receive no further communication from the list and your details will be removed from the system.

ConvertKit email marketing:
My email newsletters and blog posts are managed by ConvertKit for marketing purposes. Your contact information of first name and email address are stored by them on my behalf and are only accessed by me.  When you subscribe for these you are asked to give your consent to receive emails  and to receive relevant marketing communications for services, before being added to the list. If you unsubscribe, using the link provided at the foot of all emails, these will be removed from their system. Their privacy policy is available here: https://convertkit.com/privacy

Accessing Restricted/Members Only Content: Some information I provide is only available to those who register by providing certain contact information (usually a name and email address and sometimes a phone number).

Website links to third party sites

I have no control over the content of external websites that I am linked to, nor the privacy or protection of information you are provided with whilst visiting them. Links to or from these sites not owned or controlled by me do not constitute an endorsement of these sites or their products or information presented in them. You may wish to look at their privacy statements.

Analytics

This website collects personal data to power our site analytics, including:

  • Information about your browser, network, and device

  • Web pages you visited prior to coming to this website

  • Your IP address

This information may also include details about your use of this website, including:

  • Clicks

  • Internal links

  • Pages visited

  • Scrolling

  • Searches

  • Timestamps

We share this information with Squarespace, our website analytics provider, to learn about site traffic and activity.

Other Activities

I may use information for purposes not listed above in the following circumstances: (a) where specifically authorised by you; (b) where the use is related to one of the primary purposes listed above and where it could reasonably be expected; (c) where it is necessary for me to comply with the law.

Your rights under GDPR

  • You have the right to request access to your client record and receive an explanation of what is held within it.

  • You have the right to withdraw consent to the storage of your data, to request erasure or correction of your client record, to request portability where it applies in law, and to object to or restrict collection and processing of your data.

  • You have the right to know the sources of personal data not originating from yourself and the right not to receive unsolicited marketing.

  • You have the right to be made aware of any company’s automatic decision-making processes (e.g. profiling) and any significance

  • You will be made aware of any data breaches within 72 hours. You will be compensated for any damage or distress caused by the data breach.

  • You have the right to complain to the ICO if you are unhappy with the data processing arrangements, and to engage representation from a not-for-profit body in doing so.

  • You have the right to have information about you deleted, to have any inaccuracies corrected and to have access to all information about you, free of charge, within one month.

Updating your information

If any of your personal information needs updating or correcting please let me know,

Your right to complain to ICO

You have a right to complain if you are unhappy about any of the above by contacting the Information Commissioner’s Office here: https://ico.org.uk/concerns although I trust that you would try to discuss this with me in the first instance.

Any working contract shall be construed and governed in all respects in accordance with the laws of England and Wales and any dispute or differences in relation to this agreement shall be subject to the exclusive jurisdiction of the English Courts.

Your consent

When you book an event you will be asked to give your consent for this Privacy Statement. That action will acknowledge that you fully understand and accept this policy for the storage of records and gives your consent to the use of personal and sensitive data for the purposes stated above.

When you use the website, you are giving your implied consent to the uses related to the website as listed above.

January 2024