Privacy & Data Protection Policy

1. Introduction

At Hope Therapy & Counselling Services, we are deeply committed to protecting and respecting the privacy of every person who contacts us or uses our services. This policy explains how we collect, use, store, and protect your personal information, and sets out your rights under the law.

This policy complies with:

• The UK General Data Protection Regulation (UK GDPR)
• The Data Protection Act 2018 (DPA 2018)
• The Data (Use and Access) Act 2025 (DUAA)
• The Privacy and Electronic Communications Regulations 2003 (PECR)
• Guidance issued by the Information Commissioner’s Office (ICO)

This policy applies to all individuals who interact with Hope Therapy, including clients, prospective clients, website visitors, and anyone who contacts us by any means.

We may update this policy from time to time to reflect changes in law, ICO guidance, or our own practices. The current version will always be available on our website. We will notify existing clients of any significant changes by email.

2. Who We Are

Hope Therapy & Counselling Services (“Hope Therapy”, “we”, “us”, “our”) is a counselling organisation providing therapeutic support across England. We offer a range of services including individual counselling, couples and family therapy, Cognitive Behavioural Therapy (CBT), EMDR, and hypnotherapy, delivered both online and face-to-face.

For the purposes of UK GDPR and the Data Protection Act 2018, Hope Therapy acts as the Data Controller in respect of the personal data we process. This means we determine the purposes for which, and the manner in which, your personal data is processed.

Ian Stockbridge, Director, has overall responsibility for data protection at Hope Therapy and can be contacted at for any privacy-related queries or complaints. We are also committed to delivering our counselling and therapy services with reasonable skill and care in accordance with the Consumer Rights Act 2015.

3. The Information We Collect

3.1 Personal Data

We collect and process personal data that you provide to us, which may include:

• Full name
• Contact details (email address, telephone number)
• Address or general location (town/city)
• Details of the counsellor you are allocated to
• Any other information you choose to share with us

3.2 Special Category (Sensitive) Data

As a counselling and mental health service, we process special category data as defined under Article 9 of UK GDPR. This includes:

• Information about your mental or physical health
• Details of the issues or presentations you bring to therapy
• Any other sensitive information disclosed during the course of counselling

We treat this data with the highest level of care and confidentiality. It is only accessed by those directly involved in your care.

3.3 Technical & Website Data

When you visit our website, we may automatically collect:

• IP address and browser type
• Pages visited and time spent on the site
• Referring website addresses
• Cookie and analytics data (see Section 9 for full details)

3.4 If You Do Not Provide Information

If you do not provide certain personal information when requested, we may be unable to deliver the services you have requested or to fulfil our agreement with you.

4. Our Lawful Basis for Processing

Under UK GDPR and the Data (Use and Access) Act 2025, we are required to have a lawful basis for processing your personal data. Where we process special category (health) data, we must also identify an additional condition under Article 9.

Where our lawful basis is consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

5. How We Use Your Information

We use the personal information we hold for the following purposes:

• To provide counselling, therapy, and related services to you
• To manage your appointments, including sending reminders
• To communicate with you about your care, invoices, and service changes
• To maintain accurate clinical and administrative records
• To process payments for services
• To respond to enquiries from prospective clients
• To send marketing communications where you have given consent
• To improve and develop our services
• To comply with our legal, regulatory, and professional obligations
• To protect the vital interests of clients or others in safeguarding situations
• To handle and respond to data protection complaints in accordance with the DUAA 2025

We will only use your personal data for the purpose for which it was collected, unless we reasonably consider that we need to use it for another compatible reason. If we need to use your data for an unrelated purpose, we will notify you and explain the legal basis for doing so.

6. Third-Party Services & Data Processors

In order to deliver our services effectively, we use a number of trusted third-party platforms. Each acts as a data processor on our behalf, processing your data only under our instruction and in accordance with UK GDPR and the DUAA 2025.

We require all third-party processors to have appropriate Data Processing Agreements (DPAs) in place and to implement appropriate technical and organisational measures to protect your data. We do not sell, rent, or trade your personal data with any third party for their own marketing purposes.

6.1 Other Disclosures

We may also share your data with:

• Our clinical supervisors, where required for the safe and ethical delivery of therapy (subject to strict confidentiality obligations)
• Relevant authorities (e.g. emergency services, social services) where there is a serious risk of harm to you or others, or where we are required to do so by law
• A successor organisation in the event that Hope Therapy is acquired or its assets transferred (you would be notified in advance)

In all other circumstances, your personal data will not be disclosed to third parties without your explicit consent.

7. International Data Transfers

We aim to store and process all personal data within the United Kingdom. Our primary clinical system (WriteUpp) is UK-hosted.

Some third-party platforms (such as Zoom, Mailchimp, Stripe, and Airtable) may process data on servers located outside the UK. Where this occurs, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including:

• Adequacy regulations made by the UK Secretary of State
• Standard contractual clauses approved for use under UK law
• The UK International Data Transfer Agreement (IDTA) framework

If you have any questions about international transfers of your data, please contact us at .

8. How Long We Keep Your Data

We retain personal data only for as long as is necessary for the purpose for which it was collected, and in line with our legal and professional obligations.

We may retain data beyond these periods where required to do so by law, court order, or where necessary to establish, exercise, or defend legal claims.

When data is no longer required, it is securely deleted or permanently anonymised.

9. Cookies & Website Tracking

Our website uses cookies and similar tracking technologies. Cookies are small text files placed on your device when you visit a website. They help us to understand how our site is used and to improve your experience.

9.1 Types of Cookies We Use

9.2 Your Cookie Choices

When you first visit our website, you will be presented with a cookie consent banner. You can choose to accept or decline non-essential cookies at that point, or at any time thereafter.

Please note that under the Data (Use and Access) Act 2025, some analytics and functionality cookies may be processed on the basis of legitimate interests without requiring explicit consent. We will update our cookie banner to reflect ICO guidance as it is finalised during 2026.

To withdraw your cookie consent or change your preferences at any time, please use the cookie settings tool on our website or contact us at .

10. How We Protect Your Data

We take the security of your personal data very seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, destruction, or disclosure.

Our security measures include:

• Use of secure, encrypted systems for storing client records (WriteUpp, UK-hosted)
• Password protection and access controls, limiting data access to authorised personnel only
• Encrypted communication channels for online therapy sessions (Zoom)
• Regular review of our security practices and those of our third-party processors
• Data Processing Agreements with all third-party platforms
• Staff awareness and training on data protection responsibilities

Please note that whilst we take every reasonable precaution, the transmission of data over the internet cannot be guaranteed to be completely secure. Any transmission you make to us is at your own risk. Once we receive your data, we apply strict security procedures to prevent unauthorised access.

10.1 Data Breach Notification

In the unlikely event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with UK GDPR Article 34. We will also notify the ICO within 72 hours of becoming aware of any notifiable breach, as required by UK GDPR Article 33.

11. Young People & Children’s Data

Hope Therapy provides services to clients aged 16 and over. We also work with young people aged 16 and 17 where it is appropriate and safe to do so, subject to the additional safeguards set out in this section. As our website is accessible to people under 18, including clients aged 16 and 17, we apply the ICO’s Age Appropriate Design Code (Children’s Code) standards to our online service design. This means we apply high privacy by default for under-18 users, use clear and accessible language, minimise data collection, and do not use techniques that encourage young people to share more personal data than necessary.

11.1 Age of Consent for Data Processing

Under UK GDPR and the Data Protection Act 2018, children under the age of 13 cannot consent to the processing of their personal data for information society services. For therapeutic services, young people aged 16 and 17 may consent to their own therapy and to the associated processing of their personal data where they have sufficient maturity and understanding, in line with the principle of Gillick competence. Hope Therapy does not knowingly provide services to, or collect data from, anyone under the age of 16.

11.2 Young People Aged 16 and 17

Where we work with young people aged 16 and 17, we will:

• Assess whether the young person has sufficient maturity and understanding to provide informed consent to both therapy and the processing of their personal data, in line with the principle of Gillick competence
• Where appropriate, and where the young person has not themselves consented (or lacks capacity to do so), seek the consent of a parent or guardian for the processing of personal data
• Use clear, plain, and age-appropriate language in all communications and consent processes
• Apply the same high standards of confidentiality and data protection as we do for adult clients
• Take particular care when processing sensitive health data relating to young people

11.3 Parental or Guardian Rights

Where a parent or guardian has provided consent for their child’s data to be processed, they retain the right to withdraw that consent, request access to the young person’s data, or request erasure, subject to any overriding professional, legal, or safeguarding obligations. However, where a young person aged 16 or 17 has consented to their own therapy and data processing independently, their own data rights take precedence over parental access requests.

11.4 Complaints Involving Young People

Where a data protection complaint is raised by, or on behalf of, a young person aged 16 or 17, Hope Therapy will:

• Assess whether the young person has sufficient competence and understanding to exercise their data rights directly, in line with the principle of Gillick competence
• Ensure that all communications throughout the complaints process are provided in clear, plain, and age-appropriate language
• Where appropriate, involve a parent or guardian in the complaints process, unless doing so would conflict with the young person’s right to confidentiality or their safety
• Apply the same rigorous complaints-handling standards as for adult clients, with additional sensitivity to the young person’s circumstances
• Keep appropriate records of the complaint and its resolution in line with Section 8 of this policy

12. Marketing Communications

12.1 Email Marketing

We may send you newsletters, service updates, and relevant information by email where you have given your explicit consent. You can unsubscribe at any time by clicking the “Unsubscribe” link in any marketing email, or by contacting us directly at .

12.2 SMS / Text Message Communications

If you have provided your mobile telephone number and given your explicit consent, we may use this to send you:

• Appointment reminders
• Important service updates
• Occasional marketing messages about our services

You can opt out of SMS marketing at any time by replying STOP to any message you receive, or by contacting us at . Please note that even if you opt out of marketing messages, you may still receive essential non-marketing communications about your appointments or care.

12.3 Withdrawal of Consent

Where our basis for processing is consent (including for all marketing), you may withdraw your consent at any time without detriment. Withdrawal does not affect the lawfulness of any processing carried out prior to withdrawal.

13. Your Rights

Under UK GDPR and the Data (Use and Access) Act 2025, you have the following rights in relation to your personal data. We will respond to all valid requests within one calendar month.

To exercise any of these rights, please contact Ian Stockbridge at . We may need to verify your identity before processing your request.

13.1 Automated Decision-Making

Hope Therapy does not use automated decision-making or profiling in respect of your personal data. All decisions relating to your care and services are made by qualified human professionals.

13.2 Our Formal Data Protection Complaints Procedure

We take all data protection complaints seriously and are committed to resolving them promptly, fairly, and transparently. Please note that data protection complaints are subject to the 30-day acknowledgement requirement under the DUAA 2025. General service quality complaints (not relating to data protection) are handled under our separate Client Complaints Procedure and are acknowledged within two working days. You do not need to escalate to the ICO before raising a concern with us — and we encourage you to contact us first so we can try to resolve matters directly.

How to Raise a Complaint With Us

You can submit a data protection complaint to us by any of the following means:

• Email: — please include “Data Protection Complaint” in the subject line
• Post: Ian Stockbridge, Hope Therapy & Counselling Services, Terriers House, Amersham Road, High Wycombe, Buckinghamshire, HP13 5AJ
• Via our website contact form at www.hopefulminds.co.uk
• By telephone or via social media — we will accept complaints regardless of how they are submitted

If you require an alternative format or need support submitting your complaint, please let us know and we will do our best to accommodate you.

What Happens Next

Once we receive your complaint, we will:

1. Acknowledge receipt of your complaint as promptly as possible and in any event within 30 days of receiving it (this is the maximum period permitted by law under the DUAA 2025; we aim to acknowledge much sooner)
2. Investigate your complaint thoroughly and keep you informed of progress
3. Communicate the outcome of our investigation to you without undue delay
4. Maintain a secure record of the complaint, the steps taken, and the outcome (the ICO may request these records)

If You Remain Dissatisfied

If you are not satisfied with our response, or if we have not resolved your complaint within a reasonable timeframe, you retain the right to escalate your complaint to the Information Commissioner’s Office (ICO) at any time. See Section 14 for ICO contact details.

Complaints Involving Young People

Where a complaint is raised on behalf of, or relates to, a young person aged 16 or 17, please also refer to Section 11.4 of this policy, which sets out our specific approach to complaints involving young people, including our use of age-appropriate language and the role of parents or guardians.

14. Your Right to Complain to the ICO

If you are unhappy with how we have handled your personal data, we always encourage you to contact us in the first instance so we can try to resolve the matter (see Section 13.2 above).

However, you also have the right at any time to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for data protection:

15. Changes to This Policy

We review this policy at least annually and whenever there are changes to relevant law or ICO guidance. Any updates will be published on our website and, where the changes are significant, we will notify existing clients by email.

The date of the most recent review is shown at the top and bottom of this document. We encourage you to check back periodically to ensure you are aware of the current version.

16. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please do not hesitate to get in touch:

Hope Therapy & Counselling Services
Terriers House, Amersham Road, High Wycombe, Buckinghamshire, HP13 5AJ
Privacy & Data Protection Enquiries:
Website: www.hopefulminds.co.uk
ICO Registration Number: ZA605761

We aim to respond to all privacy-related enquiries within 5 working days.