
Privacy Policy
Last Updated: June 2026
1. Introduction & Who We Are
Welcome to the privacy notice for Caladrius Counselling. As a sole practitioner providing psychotherapy and counselling services in the UK, I am deeply committed to protecting your privacy and managing your personal and sensitive data with the highest standards of security and confidentiality.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, I am the Data Controller of your personal information.
Practitioner Name: Alyson Kheterpal
Business Name: Caladrius Counselling
Contact Email: alysonkheterpal@caladriuscounselling.co.uk
Phone Number: 07368 399383
ICO Registration Number: ZC158794
2. Lawful Basis for Processing Your Data
Under the UK GDPR, I must have a specific legal reason to hold and process your personal data. I rely on the following lawful bases:
Contract: When you fill out the website booking form or attend sessions, I process your basic contact information and scheduling details to fulfil our therapeutic agreement or take steps before entering into it.
Legitimate Interests: I process administrative data and maintain basic communication records to manage my private practice safely, securely, and professionally.
Special Category Data (Health Records): Because psychotherapy involves processing sensitive health data, I must meet an additional legal condition. I process your clinical notes under Article 9(2)(h) of the UK GDPR, which permits the processing of health data for the provision of health or social care treatment.
3. How Your Data is Stored and Secured
I take the security of your personal and sensitive health data very seriously. To prevent your information from being accidentally lost, used, or accessed in an unauthorised way, I employ the following strict security measures:
Digital Records: Any digital information (such as enquiry emails, contact details, and electronic notes) is stored on password-protected, encrypted devices. I use GDPR-compliant, secure cloud storage or specialised practice management software.
Paper Records: If any physical notes or paper intake forms are used, they are stored in a locked filing cabinet. No identifying personal details (like your name) are kept on the same page as your clinical session notes; instead, an anonymous client ID coding system is used.
Mobile Communication: If we communicate via text message or telephone, my business phone is encrypted, biometrically locked, and dedicated solely to my professional practice.
4. Who Your Data is Shared With (Confidentiality & Exceptions)
Your privacy and what you share in our sessions are strictly confidential. I will never sell, rent, or share your data with third parties for marketing purposes. Your information is only ever shared under the following limited, professional, and legally defined circumstances:
Professional Clinical Supervision: In line with the ethical requirements of my professional body, my work is regularly reviewed with a qualified Clinical Supervisor. This process is entirely anonymous—your full name and identifying details are never disclosed, and my supervisor is bound by the same strict duties of confidentiality.
Duty of Care & Safeguarding (Breaking Confidentiality): By law and professional ethics, I may breach confidentiality and share your information with relevant authorities (such as your GP, emergency services, or social services) if I have reason to believe that you are at imminent risk of serious harm to yourself or someone else, or if a child or vulnerable adult is at risk of abuse or neglect.
Legal & Statutory Requirements: I may be legally required to disclose your information if ordered to do so by a court of law, or under specific UK legislation relating to terrorism, money laundering, or drug trafficking.
Therapeutic Executor (Clinical Will): I have appointed a trusted professional colleague to act as my Therapeutic Executor. In the event of my sudden illness, incapacitation, or death, this individual would be granted secure access to your basic contact details strictly to inform you of the situation and manage your data according to my retention schedule.
5. Data Retention Schedule
In accordance with the UK GDPR storage limitation principle, I only keep data for as long as necessary. My retention periods are governed by professional indemnity insurance and UK legal frameworks:
Initial Website Enquiries (No Booking): Retained for 6 months from the date of last contact, then permanently deleted.
Clinical Records (Adults): Retained for 7 years from the date of the final therapy session to comply with professional insurance requirements, then securely shredded or deleted.
Clinical Records (Minors): Retained until the client's 25th or 26th birthday (depending on insurance policy rules), then securely shredded or deleted.
Administrative & Financial Data: Invoices, payment receipts, and basic calendar records are kept for 5 to 7 years from the end of the relevant financial tax year to satisfy HMRC audit requirements.
6. Your Legal Rights (Accessing Your Data)
Under UK data protection laws, you have specific rights regarding the personal information and clinical notes I hold about you:
The Right of Access (Subject Access Request): You have the right to request a copy of the personal data and clinical session notes I hold about you.
The Right to Rectification: You can ask me to correct or update any personal information that you believe is inaccurate or incomplete.
The Right to Restriction: You can ask me to temporarily suspend or limit how I process your data in certain scenarios (for example, if you are disputing the accuracy of the information).
The Right to Erasure ("Right to be Forgotten"): You can request that I delete your personal data. Please note: This right is not absolute for medical or therapy records. Because I process your clinical notes under a legal duty to provide healthcare and to satisfy my professional insurance requirements, I am legally permitted—and required—to retain your clinical notes for the full duration of the Data Retention Schedule outlined above.
How to Request Access to Your Notes
If you wish to make a Subject Access Request (SAR) to view or receive a copy of your records, please note the following procedures:
Please submit your request in writing via email to the address listed at the top of this policy.
You do not have to pay a fee to access your personal data.
To protect your confidentiality, I may need to request specific information or proof of identity from you to confirm who you are before releasing sensitive clinical data.
In line with UK GDPR rules, I will respond to your request and provide your data within one calendar month of receiving your verified request.
If you remain unsatisfied with how I handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) via their website (www.ico.org.uk).
