Privacy policy

1. Introduction

This Privacy Notice explains how I collect, use, store and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

I am registered with the Information Commissioner’s Office (ICO) as a data controller. www.ico.org.uk

2. What personal data I collect

I may collect and process the following information:

  • Name, address, email address, phone number

  • Date of birth and emergency contact details

  • GP details (where relevant)

  • Session notes and brief therapy records

  • Relevant health or personal history you choose to share

  • Correspondence by email, text or voicemail

I only collect the data necessary to provide therapy and manage the therapeutic relationship. Providing GP details is optional and will only be used if needed for safeguarding purposes or with your consent.

3. Lawful basis for processing

Under UK GDPR, the lawful bases I rely on for processing your data are:

  • Contract – to provide therapy services

  • Legitimate interests – to maintain appropriate clinical records

  • Legal obligation – where safeguarding or legal duties apply

  • Consent – where explicitly required (e.g. contacting your GP)

4. How your data is stored

  • Paper records are stored securely and locked

  • Electronic records are password‑protected and encrypted where possible

  • Emails and digital documents are stored on secure devices

I take all reasonable steps to protect your data from loss, misuse, or unauthorised access.

5. Confidentiality and its limits

Everything you share in therapy is confidential. However, confidentiality may be broken if:

  • There is a serious risk of harm to you or another person

  • A safeguarding concern arises involving a child or vulnerable adult

  • I am required by law or court order to disclose information

Where possible, I will discuss any disclosure with you before taking action.

6. Supervision

As part of good clinical practice, I attend regular supervision. Client material may be discussed in supervision in an anonymised way, with identifying details removed.

7. How long I keep your data

  • Therapy records are retained for 7 years after the end of therapy

  • After this period, records are securely destroyed

This retention period follows professional and insurance guidance.

8. Sharing your data

Your data will not be shared with third parties without your consent, except where required by law or for safeguarding reasons.

I do not sell or use your data for marketing purposes.

9. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data I hold about you

  • Request correction of inaccurate data

  • Request erasure of your data (where applicable)

  • Restrict or object to processing

  • Make a complaint to the Information Commissioner’s Office (ICO) [www.ico.org.uk](https://www.ico.org.uk/)

Some rights may be limited due to legal and professional obligations.

10. Contact and complaints

If you have any questions about this Privacy Notice or how your data is handled, please contact me directly:

Email: rebeccaobenpepra@gmail.com

If you are not satisfied, you have the right to complain to the Information Commissioner’s Office:

Information Commissioner’s Office (ICO)
www.ico.org.uk
Telephone: 0303 123 1113

11. Website enquiries

If you contact me via my website or email, your details will be used solely to respond to your enquiry and will not be retained unnecessarily if therapy does not proceed. I aim to respond to enquiries within 2–3 working days.