Privacy policy.
UK GDPR Statement
This data privacy policy has been compiled according to the UK General Data Protection Regulations (UK GDPR, 2018) and the Data Protection Act (2018). The policy is designed to provide transparency to current and former clients about the personal information Christine Gregory, aka The Loss Therapist, will hold for them and how this information will be stored, processed, and used. It also outlines how long personal data is retained, information about a client’s rights concerning their data, and the circumstances under which data will be deleted or anonymised.
Christine Gregory, also known as The Loss Therapist, serves as the data controller for any personal data collected and processed. Processing includes the organisation, retrieval, consultation, use, and deletion or destruction of information, as well as its disclosure to third parties. The information clients provide will be processed mainly in connection with administering my counselling and therapy services.
Data protection laws permit the processing of data for specific purposes. In this case, the reason provided is legitimate interests. This will enable me to provide the best possible service to my clients by recording relevant health and personal information through my website or information discussed during counselling sessions. Client data is also processed to fulfil my contractual obligations, including confirming or rescheduling appointments, notifying clients of appointment changes, and conducting online counselling sessions. Additionally, certain personal data may be processed with the specific consent of the client. Furthermore, certain data is processed to fulfil legally required duties, such as those mandated by regulatory bodies.
Any personal data held in client files will be processed fairly, lawfully, and in a clear and transparent manner. It will be collected only for valid reasons during treatment and not used in any way that is incompatible with those purposes. Data will only be used in accordance with this policy and will be accurate and kept up to date. Personal data will be kept only for as long as is necessary for the purposes outlined in this policy and will be processed transparently.
Client rights
Under UK GDPR, clients have several rights concerning their personal data. These include:
The right to be informed; clients have a right to be informed about the data I collect and how this is used.
The right of access; clients have a right to see any details that I hold on them through a formal request for data access.
The right to rectification; clients have a right to request that their records be amended if they are inaccurate or incomplete (for instance, a change of name or address).
The right to erasure; clients have a right to withdraw consent to process their data and ask that their data be deleted or removed where there is no compelling reason for its continued processing. Where clients have provided consent to the collection, processing and transfer of their data, they have the right to withdraw that consent at any time. There will be no consequences for withdrawing their consent. However, in some cases, I may continue to use the data, provided I have a legitimate legal reason for doing so.
The right to restrict processing; clients have the right to prevent processing of their data.
The right to data portability; clients have a right to obtain copies of their personal data for re-use with alternative services or organisations.
The right to object; clients have a right to object to Christine Gregory, aka The Loss Therapist, using their data for particular purposes, such as direct marketing.
The right not to be subject to automated decision-making; Christine Gregory, aka The Loss Therapist, does not use automated decision-making to provide its services.
Please make any requests to view, amend, or delete personal information in writing at christine@thelosstherapist.co.uk. All such requests will be actioned within one month of receipt. If I refuse a client's request under the right of access, a reason will be provided, and the client maintains the right to a legal challenge.
Clients can see more about their rights at:
How data is collected
Personal data is collected from clients in various ways. Typically, this process begins when a client makes an initial enquiry through my website, via email, or via counselling directories, such as the Counselling Directory, BACP, insurance companies, or Psychology Today. Such enquiries often contain personal information such as a client’s name, email address, and phone number. Such data will be processed for the proper and necessary administration of counselling and therapy services, based on consent. Data will be collected during the initial 15-minute free consultation and at the client’s first and subsequent appointments.
I may receive information about a client from their GP, insurer or other healthcare provider regarding a client referral or, with a client’s permission, additional information that will help me continue with their treatment. I may also hold the results of tests that a client has undertaken as part of the therapeutic process, which are relevant to their treatment.
All client data is stored electronically. In the unlikely event that information is written in paper form, it will be transferred directly to our electronic client record, and the paper copy will be destroyed.
Personal data collected
Certain personal data is collected to ensure I can work safely and professionally with my clients, in line with the ethical guidelines as set out by the HCPC. Personal data refers to any information that can be used to identify a client. The personal data I will hold on a client may include personal or special categories of data, such as:
Full name
Home address
Date of birth
Phone number
Email address
Emergency contact name and phone number – although it is unlikely that this information would ever be used, it is held in case I believe a client is at risk of harm and I am concerned for their welfare, for instance, if I am unable to get hold of a client
GP name, address, and contact details – this information is needed if, through the therapeutic process, a client and I agree that I might contact their GP to discuss their welfare, diagnosis, treatment plan, or appropriate safety procedures. Additionally, if I were to become concerned for a client’s safety, I may decide to contact their GP or the emergency services
Payment information
Invoices
Email correspondence
Special categories data include more sensitive personal information that requires a higher degree of protection, such as:
Relevant medical information – including details of any physical or mental health condition
Initial assessment information – including information submitted through my website’s contact form, obtained during the initial 15-minute consultation, collated in the “basic medical history, health hygiene & identity” form and during the first few sessions. I will only collect what is relevant and necessary, including details concerning any medication, previous treatment or other health-related issues.
Session notes – these include the date and time of attendance and notes on important themes from the session
Preferred gender pronouns
Gender, ethnicity, sexuality and marital status – concerning discussions within our therapy sessions. While there are questions relating to intersectional identities within the Medical history questionnaire, this is optional and signposted as freely given, should a client feel that it would be beneficial to incorporate into our session plan. This is not information that I would actively request as compulsory, but will be included in notes where relevant and considered important by the client
Special categories data are collected to ensure an appropriate level of care can be provided, to gain a better understanding of how these aspects of client experience may inform their mental health history, and to determine whether any reasonable adjustments are required during therapy sessions. Data are held securely and not shared with anyone without explicit consent. Any special categories data is processed based on one of the following assumptions:
A client has given explicit consent to their processing (for instance, in the therapeutic contract)
I must process the data to provide adequate mental health care
I must process the data to carry out my legal obligations
I must process data for reasons of substantial public interest
Less commonly, I may process this type of information when it is necessary for legal claims, to protect a client’s interests (or those of another person) when they are unable to give their consent, or when the information has already been made public.
As with all cases of seeking consent from the client, they will have complete control over their decision to give or withhold consent. Similarly, consent, once provided, may be withdrawn at any time. There will be no consequences where consent is withheld or withdrawn. However, in certain circumstances, withdrawal of consent may inhibit the ability to continue with counselling sessions.
Data storage
Personal data is stored in the following ways:
I use a clinic management software system called “Zanda Health” to manage your personal data (including name, address, date of birth, GP information, etc.), session notes, appointment bookings, payments, invoicing, and any letters or communications. Any paper notes are uploaded into Zanda using its inbuilt transcription software (BizzyAI), which summarises the sessions into themes. For further information about Zanda’s privacy policy, please visit this link. Handwritten notes may be taken in the session using a “Remarkable” tablet. These notes summarise the client session and support the continuity of treatment. Any digital notes will be password-protected and stored for as long as is legally necessary (typically six years post treatment completion). Online forms completed by clients are saved directly into Zanda’s software. Microsoft Office products, including Word and Copilot, are used to compile therapy reports and ending letters. Please find details of Microsoft’s data privacy for Copilot here. Access to this system is available only through individualised password login, and two-factor authentication is in place. Access is limited to me and my Clinical Will Executor. The software management company also have access. Zanda is a GDPR-compliant platform and acts as a data processor. Further information about the platform and how it complies with GDPR can be found here.
Google Meet is used to conduct telehealth appointments and is compliant with the EU-US Privacy Shield Agreement and the GDPR. Zoom, WhatsApp and FaceTime, all of which are also compliant with the EU-US Privacy Shield Agreement, can be considered as alternatives if issues are encountered with this software. Zanda Health can also be used to deliver online therapy through their securely encrypted telehealth portal powered by Zoom. Zanda Health is firewall-protected, and telehealth functionality is end-to-end encrypted.
My computer systems, including desktop, laptop, and tablet, are username and password-protected, and I have anti-virus and malware protection.
Payment for sessions is collected via Stripe. Please note that no payment card or bank account details are stored directly within Stripe. Xero online accounting software supports my financial management and is integrated with Zanda. Canva is used for all training and consultancy work.
Zanda Health has an online document management facility, which I use to obtain client signatures for my Therapy Agreement. Once an agreement has been signed, it is stored against your client record in Zanda.
Google Mail is used for all email correspondence. Zanda has access to my Google Mail drive to send automated emails on my behalf. I can also access Google Mail via webmail using a password. Two-factor authentication is in place. You should be aware that any emails we send or receive may not be protected in transit. Similarly, while all online personal data is held in the UK, Google Mail is one of several exceptions which are US Privacy Shield and EU GDPR compliant. Other such services include Mailchimp and Zoom.
My professional executor has all clients’ first names and phone numbers in paper form, kept in a locked filing cabinet in case of emergency, for instance, if I am suddenly incapacitated through poor health or in the case of an emergency, as detailed in my clinical will.
Data Use
Any personal data that I collect is used to:
Communicate with clients regarding upcoming or future appointments, cancellations and appointment rescheduling and provide reports or other information concerning their therapy
Provide an appropriate level of service to clients as set out in the counselling contract
Inform clients of changes to services
Personalise and tailor products and services to clients
Collect feedback following sessions
Process payments and raise invoices
Supply emails that a client has opted into
Improve our services
Data disclosure & processing
There are several instances in which I may be obligated to share your personal data. These include:
I may share client data with third parties to facilitate a referral to another healthcare practitioner, for investigation, or to keep their GP informed about the progress of their treatment. In such instances, and where possible, I will inform the client before doing so
If I am legally obliged to do so, for instance, through court order or governmental authority, or as a legal requirement, such as the risk of harm, safeguarding children or vulnerable adults, terrorism or money laundering
In the event of my incapacity or death, my client’s personal contact information will be disclosed to the executor of my clinical will so that they can notify my current client base. In the event of my death, my executor will also destroy any client data
Additionally, several third parties are engaged to process data on my behalf. These include:
Zanda Health
Xero
Stripe
Mailchimp
Google Drive
Zoom
Remarkable
WhatsApp
FaceTime
Canva
Data retention
In accordance with data protection principles, client data is retained only for as long as necessary. Appropriate retention periods for personal data are determined through consideration of the amount, nature and sensitivity of data, any potential risk of harm from unauthorised use, or disclosure of client personal data, the purposes for which I process client data and whether I can achieve those purposes through other means, and the applicable legal requirements.
On termination of any psychological services, all other data and information relating to clients and their therapy sessions will be held for the duration of treatment and for six years following the date of a client’s last therapy session. These timeframes are governed by UK legal requirements, my insurance provider and by the professional regulator.
After six years, and once there is no longer a lawful reason to retain client data, I will securely dispose of any remaining data. In certain circumstances, I may anonymise client personal data (after which point it can no longer be associated with a particular client) for research or statistical purposes. In this case, I may use such information indefinitely without further notice to you.
Right to erasure
Under data protection law, clients have the right to request that any data I hold on them be erased at any time. However, under certain circumstances, this may not be possible, for example, if there is a legal obligation to retain the data or if the request falls within the period during which there is a professional or regulatory reason to keep any data. In the case of counselling records, Common Law, insurers, ethical bodies and HMRC ask that records be made available for a period of six years. Where a request is made to delete data following a period of therapy provision, I will consult with the appropriate professional and regulatory organisations before making any decision. I will inform my client as soon as possible once a decision has been reached.
Data requests
Clients have the right to request a copy of their personal data. If they want to access such information, they must make a subject access request by contacting me at christine@thelosstherapist.co.uk. Similarly, clients can request that information be transferred to an alternative provider of psychological services. Any requests for data must be made in writing, and I will respond within 30 days.
The client does not have to pay a fee to access their personal information (or exercise any of the other rights). However, I may charge a reasonable fee for a second or subsequent copy of the information, for a summarised version/report or if a client’s request for access is clearly unfounded or excessive.
Additionally, I may need to request specific information from a client to help me confirm their identity and ensure their right to access the information (or exercise any of their other rights). This is a security measure to ensure that personal information is not disclosed to anyone who does not have the right to receive it. When personal data is requested, the following forms of ID will be accepted: a copy of a driving licence, passport or birth certificate, and a utility bill not older than three months.
If a client believes the information I hold about them is out of date or inaccurate, I request that they notify me as soon as possible so that I can update my records.
Data breaches
While many procedures are in place to protect client data, my security process may be vulnerable to compromise, potentially leading to a significant breach of client personal data. If this is the case, I have a legal obligation to report the data breach to any affected clients and to the Information Commissioner’s Office (ICO) within 72 hours.
Conclusion
A client’s use and undertaking of the services of Christine Gregory, aka The Loss Therapist, constitutes their approval and acceptance of this data privacy policy and the collection, storage and processing of personal data as laid out herein. Clients have the right to withdraw their consent at any time.
If you have any questions, concerns, or wish to make a complaint about how your data is collected, stored, processed, or handled, please do not hesitate to discuss this with me. If I do not respond within 30 days or you feel that the response has not been adequate, you also have the right to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO). The ICO may be contacted via its website or by calling its helpline on 0303 123 1113.
This data privacy policy is subject to regular review and will be updated as necessary. Where any changes are made, clients will be notified of these as soon as possible.