Data Protection and Privacy Policy

 

This policy explains how I collect, use, store, and protect your personal information in line with both the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).

For the purposes of data protection law, I, Dr. Sarah Quinley, am the Data Controller of the personal data you share with me. You can contact me directly at truevoicecounselling@pm.me with any questions or concerns about how your data is handled.

1. Lawful Basis for Processing

Your personal data is processed under the following lawful bases:

  • Contract – to provide and manage our therapeutic relationship

  • Legitimate Interests – to maintain records, ensure ethical and effective practice, and support clinical supervision

  • Consent – for any optional processing, such as contacting third parties (e.g., your GP or emergency contact)

By requesting therapy and providing your personal details, you are consenting to the processing of your data under these terms and entering into a therapeutic contract with me.

2. What Information Do I Collect?

Contact Details

Your name, email address, phone number, and preferred contact method when you first enquire.

Personal Information

Information you provide during therapy, such as:

  • Address and location (for safeguarding and jurisdiction)

  • Date of birth

  • Emergency contact details

  • GP or health provider details

  • Current medication or relevant medical/mental health history

Correspondence

Relevant emails or messages related to therapy.

Session Notes

Brief, pseudonymised notes about session content and progress. These are stored separately from identifying information and are not shared.

Session Materials

With your consent, I may retain or photograph therapeutic materials created during sessions (e.g., art or writing) to support the therapy process.

Technical and Location Data

For online therapy, I may ask where you are located at the time of our sessions to ensure legal compliance across jurisdictions.

3. What Do I Use Your Information For?

  • To arrange and provide therapy sessions

  • To maintain accurate clinical and financial records

  • To contact you regarding scheduling or availability

  • To reflect ethically on clinical work through supervision

  • To comply with legal or ethical obligations (e.g., safeguarding, therapeutic will)

4. When and How Do I Share Your Data?

Your data is never sold or shared for marketing purposes. It may only be disclosed under the following conditions:

  • Clinical Supervision: discussed anonymously for ethical oversight

  • With Your Consent: e.g., sharing with a GP or referring therapist

  • Serious Risk or Legal Obligation: where required by law or to prevent harm

  • Therapeutic Will: in the event of my incapacitation, a trusted colleague may access your contact details to inform you and securely destroy all records

All third parties (e.g., supervisors, digital platforms) are subject to confidentiality agreements and GDPR compliance.

5. Data Security

  • Paper records are stored in a locked cabinet in my home office

  • Electronic records are stored on a password-protected device with secure backup

  • Emails involving sensitive data are sent via encrypted services (e.g., ProtonMail), though security also depends on your email provider

I use encrypted video platforms for online sessions where possible, and take all reasonable steps to protect your information from misuse, loss, or unauthorised access.

6. International Transfers

Some platforms (e.g., video conferencing or cloud storage) may store data outside the EU/UK. I take care to use services that meet GDPR adequacy standards or offer standard contractual clauses to ensure data protection.

If this affects you, I will inform you and offer alternatives if needed.

7. Data Retention

  • Clinical notes: retained for up to 3 years after the end of therapy

  • Financial records: retained for up to 7 years in compliance with tax laws

  • Email and contact details: deleted once no longer clinically or legally required

You may request deletion earlier, unless data must be retained by law or for safeguarding purposes.

8. Your Rights Under UK and EU GDPR

You have the right to:

  • Access the personal data I hold about you

  • Correct inaccurate or incomplete data

  • Request deletion of your data (under certain conditions)

  • Restrict or object to processing

  • Withdraw your consent at any time (where consent is the basis)

  • Lodge a complaint with a relevant authority

Supervisory Authorities:

  • UK: Information Commissioner's Office (ICO) – www.ico.org.uk

  • Spain/EU: Agencia Española de Protección de Datos (AEPD) – www.aepd.es

To exercise any of these rights, contact me at truevoicecounselling@pm.me.

9. Changes to This Policy

This privacy notice may be updated to reflect legal changes or therapeutic practice. Clients currently in therapy will be notified of any significant updates.