Insight Counselling
Woburn Sands and Milton Keynes

1. Who we are

This privacy policy explains how Insight Counselling collects, uses, and protects your personal information.

I am Lorraine Davis, a psychotherapist registered with the UK Council for Psychotherapy (UKCP). I am committed to protecting your privacy and handling your data in accordance with UK data protection law.

Contact details:

You can verify my registration with the Information Commissioner's Office at ico.org.uk.


2. What personal data we collect

I collect and process the following types of personal data:

Contact and identity information:

  • Your name, address, telephone number, and email address
  • Emergency contact details
  • Your GP's name and contact details (where relevant to your care)

Health and therapy-related information:

  • The reason you are seeking therapy (your presenting issues)
  • Information about your mental and emotional health
  • Relevant medical history and any medication you are taking
  • Session notes recording our therapeutic work together
  • Risk assessments where appropriate

Important: Information about your health, mental health, and therapy is classified as special category data under Article 9(1) of the UK GDPR. This type of data receives enhanced legal protection because of its sensitive nature. I take additional care to keep this information secure.

Financial information:

  • Payment records and invoices for accounting purposes

Website data:

  • Technical data collected through cookies when you visit my website (see section 7 below)

3. How we collect your data

I collect your personal data directly from you in the following ways:

  • When you first contact me by email, telephone, or through my website
  • During our initial assessment and intake process
  • Throughout our therapy sessions together
  • Through any written communication between us
  • When you complete consent forms or questionnaires

I do not collect personal data about you from third parties unless you have given me explicit permission to do so, for example, to contact your GP.


4. Why we process your data — lawful basis

Under UK data protection law, I must have a valid legal reason to process your personal data. I rely on the following lawful bases:

Article 6 basis — ordinary personal data:

Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us.

This means I process your contact details and other non-sensitive information because it is necessary to provide you with therapy services. Without this information, I would not be able to offer you appointments, communicate with you, or fulfil my obligations under our agreement.

Article 9 basis — special category data:

Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional.

This allows me to process sensitive health information about you because I am providing psychological therapy, which is a form of healthcare.

Additional DPA 2018 condition:

The additional condition under the Data Protection Act 2018 is Schedule 1, Part 1, paragraph 2 — health or social care purposes. Processing is carried out by a registered psychotherapist subject to the professional obligation of confidentiality under the UKCP Code of Ethics and Professional Practice.


5. Professional obligations and clinical supervision

As a UKCP-registered psychotherapist, I am required to attend regular clinical supervision. This is an essential part of maintaining professional standards and ensuring you receive the best possible care.

When I discuss our therapeutic work with my supervisor:

  • Your name and any identifying details are NOT shared with my supervisor
  • I use anonymised or pseudonymised case material only — this means I remove or change any information that could identify you
  • My supervisor is a qualified professional bound by the same confidentiality obligations as I am
  • My supervisor is bound by their own professional body's ethical framework

Clinical supervision helps me to reflect on my practice, ensures I am working safely and effectively, and provides a safeguard for your wellbeing.


6. Clinical will — what happens to your records if I am unable to practise

I have appointed a Clinical Executor — a trusted colleague who is also a qualified therapist bound by professional confidentiality obligations.

If I become seriously ill, incapacitated, or die unexpectedly, my Clinical Executor will:

  • Contact you promptly to let you know what has happened
  • Offer you information about how to access alternative therapeutic support
  • Handle your records confidentially and in accordance with data protection law
  • Ensure your records are either securely transferred to you, passed to another therapist of your choosing, or securely deleted according to my retention policy

This arrangement ensures that your confidentiality is maintained and that you are not left without information or support in difficult circumstances.


7. Who we share your data with

I take your confidentiality seriously and keep the sharing of your data to a minimum.

Clinical supervision: As explained above, I share anonymised case material with my clinical supervisor. Your identity is not disclosed.

Third-party services: I use the following third-party services which may process some of your data:

  • Zoom — for online therapy sessions
  • Google Analytics — to understand how visitors use my website
  • Facebook Pixel — to measure the effectiveness of advertising
  • WebHealer — the platform my website is built on

Each of these services is bound by a data processing agreement that requires them to protect your information. Links to their privacy policies are available on request.

I never sell your personal data to anyone.


8. International data transfers

Some of the third-party services I use may transfer personal data outside the United Kingdom:

  • Google Analytics — Google LLC, USA
  • Facebook Pixel — Meta Platforms Inc, USA
  • Zoom — Zoom Video Communications Inc, USA
  • WebHealer — WebHealer Ltd, UK (no international transfer)

The USA does not currently have a UK adequacy decision, which means UK law does not recognise it as providing equivalent data protection standards.

Where data is transferred to the USA, I rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025.

You can request a copy of the relevant transfer safeguards by contacting me at rainyayres [at] btinternet.com.


9. How long we keep your data

I keep your data only for as long as necessary. The retention periods are:

TYPE OF RECORD | RETENTION PERIOD | REASON
Therapy records | 6 years after our last session | In line with the Limitation Act 1980 and standard professional indemnity insurance requirements
Financial records | 6 years | HMRC legal requirement
Website enquiries (non-clients) | 12 months | Legitimate interest in responding to enquiries

After the applicable retention period, your records are securely destroyed. As I maintain digital records only, this means secure deletion using methods that prevent data recovery.


10. Your rights under UK GDPR

You have the following rights regarding your personal data. These are written in plain language so you understand what each one means:

Right to be informed: You have the right to know how I collect and use your data. This privacy policy fulfils that right.

Right of access: You can ask me for a copy of the personal data I hold about you. This is sometimes called a "subject access request." Under the Data (Use and Access) Act 2025, I will conduct a reasonable and proportionate search to find your information and respond within one month.

Right to rectification: If any information I hold about you is inaccurate or incomplete, you can ask me to correct it.

Right to erasure: In some circumstances, you can ask me to delete your personal data. However, this right does not apply where I am required to keep records in line with the Limitation Act 1980 and standard professional indemnity insurance requirements. In practice, this means I cannot delete your therapy records until the retention period has ended.

Right to restrict processing: You can ask me to limit how I use your data in certain circumstances, for example, if you are disputing its accuracy.

Right to data portability: You can ask me to provide your data in a format that can be transferred to another service provider, where technically feasible.

Right to object: You can object to processing based on legitimate interests. As I rely on contract and health purposes rather than legitimate interests for therapy data, this right has limited application here.

Rights related to automated decision-making: You have the right not to be subject to decisions made solely by automated means. I do not use automated decision-making in my practice.

To exercise any of these rights, please contact me at rainyayres [at] btinternet.com.


11. Data protection complaints — your right under the Data (Use and Access) Act 2025

You have the right to make a data protection complaint directly to me.

How to complain:

I will acknowledge your complaint promptly and aim to resolve it within one month.

If you are not satisfied with my response:

You may escalate your complaint to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

12. Confidentiality exceptions

Everything you share with me in therapy is confidential. However, there are rare circumstances where I may need to share information without your consent:

  • Risk of serious harm: If I believe you or someone else is at immediate risk of serious harm, I may need to contact emergency services or other appropriate professionals.

  • Safeguarding concerns: If I become aware of concerns about a child or vulnerable adult being at risk of abuse or neglect, I have a legal and ethical duty to report this to the appropriate authorities.

  • Court order: If a court orders me to disclose information, I am legally required to comply.

  • Legal requirement: In very rare cases, the law may require disclosure, for example, under terrorism legislation.

Wherever possible, I will discuss any concerns with you first and try to work together on the best way forward — unless doing so would itself put someone at risk.





©2026 Insight Counselling — powered by WebHealer