Privacy Policy

Last updated: January 2026

Your privacy matters to me, and I am committed to protecting your personal information. Any data you provide will be securely handled and only used for the purpose for which it was given. I comply with all relevant data protection legislation, including the General Data Protection Regulation (GDPR) (EU/2016/679), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. I also adhere to the ethical guidelines regarding protecting client privacy and confidentiality set by the British Association for Counselling and Psychotherapy (BACP).

This notice explains how I collect, use, and store your personal data from the moment we first connect, throughout our therapy sessions, and after your therapy ends. It covers:

  • The lawful reasons I process your data and the purposes for doing so

  • Whether you are required to provide your data

  • How long I retain your information

  • If and when your information might be shared with third parties

  • Whether your data will be transferred outside the UK or EU

  • If I use automated decision-making or profiling

  • Your data protection rights

If you have any questions about how I handle your personal data, feel free to contact me via email or phone.

1.Who is responsible for your data

In this context, I am the ‘data controller’, meaning I am responsible for collecting and storing your personal data. I am registered with the Information Commissioner’s Office, registration number: ZB954676

Contact details:
Simran Janjua
Mobile: 07344 532786
Email: simranjtherapy@gmail.com

2. What personal data is collected

I may collect and process the following categories of personal data in the course of providing therapy services:

  • Basic contact details: Name, phone number, email address, GP information

  • Administrative information: Appointment dates/times, payment information (no card details are stored)

  • Health and personal information: Information shared as part of our therapy sessions (e.g. mental health history, life experiences, notes from sessions)

  • Sensitive data (Special Category Data): As defined under Article 9 of the UK GDPR, including information about your mental health, sexual orientation, ethnicity, and other personal matters shared during sessions

3. How is data collected

I may collect personal data in the following ways:

  • When an individual makes an enquiry or books a session

  • During the initial consultation or in the course of ongoing therapy sessions

  • Via secure forms or email correspondence, if applicable

  • From third-party referrers, with the individual’s explicit permission

4. Legal basis for processing personal data

Under the GDPR, I must have a lawful reason to process your personal data. There are different legal grounds depending on the circumstances, and I outline these below:

  • If you are currently in therapy or considering therapy: I process your data because it is necessary to provide and manage the therapy service as per our agreed contract, this includes maintain appropriate records for clinical supervision, practice development, or professional insurance purposes.

  • If therapy has ended: My legal basis for retaining your information is legitimate interest.

  • I have a legal obligation to comply with legal, tax, accounting, and regulatory requirements

  • Sensitive data (Special Category Personal Data): This includes sensitive information that you might share in therapy. I rely on your consent to process this information initially, and I retain it to defend against potential legal claims if needed.

  • In rare situations I may have a vital interest to support disclosure of information is necessary to protect your life or another individual

5. How personal data is used

I use personal data for the following purposes:

  • To communicate with you about appointments and therapy-related matters

  • To provide, review, and manage the therapy services agreed upon

  • To maintain accurate and up-to-date clinical records

  • To issue invoices and process payments

  • To fulfil professional, ethical, and legal obligations (e.g. supervision, insurance, and record keeping)

Personal data is not used for marketing purposes and will never be shared with third parties without your explicit consent, unless required by law.

6. How data is stored and protected

All personal data is stored securely in accordance with UK GDPR and the Data Protection Act 2018.

I take appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of personal information. I use encryption for all devices and online platforms, and all of my systems require a password that only I know. This ensures your data is securely stored and protected from unauthorised access.

7. How Personal Data is Retained

Initial Contact: When you first reach out about my services, I may collect personal details like your name, contact information, emergency contact, and your GP's details (or a referral from another health professional or trusted individual). If you decide not to proceed, your data will be deleted within 6 months unless you request an earlier deletion.

During Therapy: All information shared in therapy is confidential, with exceptions only in cases where there is a risk of harm to you or others. In such situations, I will discuss the issue with you beforehand unless there are safeguarding concerns that prevent this. Legal obligations may also require me to break confidentiality in some cases.

I maintain a record of your personal information to manage the therapy process. This information is stored securely in a locked cabinet, with encrypted digital records on a password-protected device and encrypted cloud storage.

After Therapy: Your records will be kept for 7 years after the end of our sessions, then securely destroyed. If you wish for your information to be deleted sooner, just let me know.

8. Sharing Personal Information

I will not share a your personal information without your explicit consent, except in the following situations:

  • Risk of harm: If there is reason to believe that you, or someone else, is at serious risk of harm

  • Legal obligation: If disclosure is required by law or court order (e.g. under legislation relating to safeguarding, terrorism, or criminal activity)

  • Professional requirements: If disclosure is required by my insurer or professional accrediting body

  • Clinical supervision: To ensure ethical and effective practice, I discusses clinical work in supervision. Your identity is anonymised wherever possible, and supervisors are bound by professional confidentiality

I may also share your data with trusted third-party service providers, but only where necessary for operational purposes. I ensure that any third party I work with is transparent in data handling, ensuring they do not use your information for anything other than the contracted purpose.

Third parties that process personal data on my behalf include:

  • HMRC: Government department (tax administration)

  • Lyca Mobile: Telecommunications company (phone, text messages & voicemail)

  • Zoom: Communications technology company (online meeting software)

  • Vodafone: For internet services

  • Squarespace: Website host (cookies)

  • Google: Tech company (email)

  • Apple: Tech company (hardware)

  • Cryptomator: Encryption software (encrypted cloud storage)

9. Client Rights Under UK GDPR

Your rights under UK General Data Protection Regulation (UK GDPR) are listed below.

  • The right to Access: You can request a copy of the data I hold about you.

  • The right to rectify: You can ask me to correct any inaccuracies in your data.

  • The right to request erasure: You can request that I delete your data, in some circumstances.

  • The right to restrict or object: You can ask me to limit how I use your data.

  • The right to data portability

  • The right to withdraw consent: You can object to the processing of your data in some situations where processing is based on consent.

  • The right to lodge a complaint with the Information Commissioner’s Office (ICO).

    For more information on your rights, visit ico.org.uk/your-data-matters.

    To request access or corrections to your personal information, please email simranjtherapy@gmail.com.

10. Complaints

If you have concerns about how I handle your personal data, I encourage you to contact me in the first instance. However, if you feel that your complaint hasn't been resolved, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent authority for data protection.

www.ico.org.uk

ico.org.uk/make-a-complaint

Telephone: 0303 123 1113

11. Changes to this Policy

This privacy policy may be updated periodically to reflect changes in the law, professional guidelines, or the my practice. The most current version will always be available on the my website or provided upon request.

12. Client consent

By engaging in therapy, you will be invited to give your informed consent in writing before any personal or sensitive data is collected, stored, or shared. This includes:

  • Consent for your personal data to be collected, stored, and processed as outlined in this Privacy Policy

  • Consent for data to be shared only in specific circumstances (e.g. risk of harm, legal obligations, supervision, or clinical will execution

  • Optional consent for anonymised material from our work to be used for professional purposes such as supervision, training, or writing

You are free to decline or withdraw your consent at any time. This will not affect the quality or availability of therapy, though it may affect which services I can safely and ethically provide.

A written consent form is provided before therapy begins. You are encouraged to ask questions or request changes if needed.

13. Cookies and Tracking

When you visit my website, I use a third party service, Squarespace to collect anonymous data such as visitor behaviour and site usage patterns. This helps me understand how the site is being used and improve user experience. I do not collect any personally identifiable information, nor does Squarespace attempt to identify visitors (e.g. by tracking IP addresses).

Additionally, I use Google Analytics to track website traffic and improve my services. You can read Google’s privacy policy for more details.

Like most websites, I use cookies to help improve the functionality of my site. Cookies are small text files stored on your device that help the website run smoothly and track site usage. These cookies are categorised as:

  • Necessary Cookies: These enable basic functions like page navigation.

  • Statistics Cookies: These help track website interactions to improve user experience.

No user-specific data is collected by me or any third party in this process.