Privacy & Data Protection Policy

Compliant with UK GDPR, DUAA 2025 , and BACP standards

Version 2.0 | June 2026

1. Introduction

Counselling with Mina (referred to in this policy as "I", "me", or "my practice") is committed to protecting the privacy and confidentiality of all personal information I hold. This policy explains what personal data I collect, why I collect it, how I use it, and the rights you have in relation to it.

This policy applies to all clients, prospective clients, and website visitors. It has been written in accordance with:

  • The UK General Data Protection Regulation (UK GDPR)

  • The Data Use and Access Act 2025 (DUAA 2025)

  • The British Association for Counselling and Psychotherapy (BACP) Ethical Framework

  • The Information Commissioner's Office (ICO) guidance for health and care providers

I am registered with the Information Commissioner's Office (ICO) as required for practitioners processing health data. My ICO registration reference number is ZC099225.

2. Data Controller

The data controller responsible for your personal information is:

Practice name: Counselling with Mina
Email: mail@counsellingwithmina.com
Website: www.counsellingwithmina.com

Please contact me using the details above If you wish to:

  • exercise any of your data protection rights;

  • make a complaint;

  • ask questions about this Privacy Policy;

  • request information about how your data is processed.

3. Personal Data I Collect

3.1 Contact and Identity Information

When you enquire about or engage my services, I collect:

  • Full name

  • Email address

  • Phone number(s)

  • Home address

  • Date of birth

  • Emergency contact name, phone number and relationship

3.2 Health and Sensitive (Special Category) Data

Because I provide psychotherapy and counselling services, I process special category data under Article 9(1) of the UK GDPR. This includes:

  • Mental health history, diagnoses, and current presenting issues

  • Medication and physical health conditions relevant to therapy

  • Safeguarding and risk-related information

  • Session notes, case formulations, and therapeutic records

  • GP and other healthcare provider details

Special category data is given the highest level of protection and is only processed where there is a lawful basis and a relevant Schedule 1 condition under DPA 2018 (see Section 5).

3.3 Financial and Payment Information

To process payment for sessions, I collect:

  • Bank details or card information (processed securely via Mettle by NatWest)

  • Invoicing details and payment history

I do not store full card details on my systems. Payment processing is handled by a PCI-DSS compliant third-party provider.

3.4 Website and Technical Data

If you visit my website, I may collect:

  • IP address and browser type

  • Pages visited and duration of visit

  • Cookie identifiers (see Section 10)

4. How I Collect Your Data

I collect personal data through the following means:

  • Enquiry forms submitted via my website or email

  • Online appointment booking via Calendly (for consultation requests)

  • Telephone and video consultations

  • Paper or electronic intake/assessment forms

  • Session notes made during or after appointments

  • Referrals from GPs, psychiatrists, or other healthcare professionals

  • Payment systems and invoicing platforms

In some circumstances, I may receive personal information about you from:

  • your GP;

  • another healthcare professional;

  • an Employee Assistance Programme (EAP);

  • an insurer;

  • a family member acting on your behalf;

  • another therapist or referring practitioner.

Where required, I will provide information about the personal data received and the purposes for which it is used.

5. Lawful Basis for Processing

To process your personal data lawfully under UK GDPR, I rely on the following legal basis:

Article 6 basis (ordinary personal data): Article 6(1)(b) UK GDPR — processing is necessary for the performance of the theraputic contract between us. When you engage me as your counsellor/therapist, we enter into a contract for theraputic services. I need to process your personal data to deliver those services effectively.

Article 9 basis (special category health data): Article 9(2)(h) UK GDPR — processing is necessary for the provision of health and socail care treatment by a heatlh professional. The additional condition required under DPA 2018 is Schedule 1, Part 1, paragraph 2 (health or social care purposes). This processing is carried out by me as a qualified counsellor subject to a professional obligation of confidentiality under the ethical framework of BACP.

6. How I Use Your Personal Data

I use your personal data for the following purposes:

  • Delivering counselling and psychotherapy services to you

  • Communicating about appointments, cancellations, and session reminders

  • Maintaining clinical records as required by professional ethical standards

  • Processing payment for services rendered

  • Fulfilling mandatory safeguarding obligations

  • Consulting with my supervisor (under professional confidentiality obligations)

  • Complying with legal, regulatory, or court requirements

  • Improving my service and, where consented, contacting you about relevant updates

I will never sell, rent, or share your data for marketing purposes with third parties. I only collect personal information that is necessary for the provision of counselling and psychotherapy services and to meet my legal, professional, and ethical obligations.

My services are intended for adults aged 18 and over. I do not knowingly collect personal data from children except where legally required or where services are specifically provided to young people.

Clinical notes are maintained to ensure continuity of care, support safe and effective therapeutic practice, meet professional requirements, and protect both client and practitioner interests.

7. Sharing Your Personal Data

Your personal data is treated as strictly confidential. I share data only in the following limited circumstances.

7.1 Clinical Supervision

As required by the BACP Ethical Framework, I discuss client work in supervision. Your information will be shared in anonymised or pseudonymised form wherever possible. My supervisor is bound by the same confidentiality obligations.

7.2 Safeguarding and Legal Obligations

I am legally and ethically required to break confidentiality in certain circumstances:

  • Where there is a serious and imminent risk of harm to you or another person

  • Where there is a disclosure or suspicion of child or vulnerable adult abuse

  • Where I am ordered to disclose information by a court of law

  • Where required by the Counter-Terrorism and Security Act 2015 (Prevent duty)

I will, wherever possible, discuss any intended disclosure with you beforehand.

7.3 Third-Party Service Providers

I may share data with carefully selected third parties who provide services on my behalf, including:

  • Calendly (appointment booking platform) — used to process consultation booking requests, including your name, email address, and any information you provide in the booking form. Calendly's Data Processing Addendum is incorporated into their Terms of Use and covers UK GDPR requirements.

  • Google Workspace and Google Meet — used for client email communication and online therapy sessions

  • Squarespace — website hosting platform

  • Mettle by NatWest — payment processing

  • Bookkeeping and accounting purposes (your name and payment information may be visible, not clinical records)

  • Personal document system (password-protected) — used for secure storage of session notes and client records

All third-party processors are required to process data only on my instructions and in accordance with UK GDPR, and have signed appropriate data processing agreements.

7.4 International Transfers

Where I use software services whose servers are located outside the UK or European Economic Area, I ensure adequate safeguards are in place (such as UK adequacy regulations, Standard Contractual Clauses, or equivalent protections) before any data transfer takes place.

8. Data Retention

I retain personal data only for as long as is necessary. My retention periods are as follows:

  • Adult therapy/counselling records — 7 years after the final session after the final session in accordance with professional indemnity, insurance, and professional practice considerations.

  • Financial and invoicing records — 7 years (HMRC requirement)

  • Enquiry / pre-therapy contact — 12 months if therapy does not commence

  • Website analytics data — Up to 26 months

After the retention period has elapsed, records are securely and permanently destroyed. Paper records are shredded using a cross-cut shredder. Electronic records are permanently deleted.

9. Data Security

I take the security of your personal data seriously and have implemented appropriate technical and organisational measures, including:

  • Encryption of electronic records and communications containing personal data

  • Password-protected devices with up-to-date antivirus and firewall protection

  • Use of secure, end-to-end encrypted platforms for remote sessions

  • Locked physical storage for any paper records

  • Restricted access — only I can access your records

  • Secure deletion of data when the retention period expires

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, I will notify the ICO within 72 hours and, where required, inform you directly without undue delay.

10. Cookies and Website Tracking

My website (www.counsellingwithmina.com) may use cookies and similar technologies. Cookies are small text files placed on your device to help me understand how the site is used and improve your experience.

I use the following types of cookies:

  • Essential cookies — necessary for the website to function (no consent required)

  • Analytics cookies — to understand visitor behaviour (requires your consent)

  • Preference cookies — to remember your settings (requires your consent)

You can manage or withdraw consent for non-essential cookies at any time through your browser settings or my cookie preference tool. Withdrawing consent will not affect the lawfulness of any processing already carried out.

11. Your Rights Under UK GDPR

Under the UK GDPR and DPA 2018, you have the following rights in relation to your personal data:

  • Right of access — to request a copy of the personal data I hold about you (Subject Access Request)

  • Right to rectification — to ask me to correct inaccurate or incomplete data

  • Right to erasure — to request deletion of your data where there is no legitimate reason for me to continue holding it

  • Right to restrict processing — to ask me to suspend processing of your data in certain circumstances

  • Right to data portability — to request your data in a structured, machine-readable format

  • Right to object — to object to processing based on legitimate interests or for direct marketing

  • Rights related to automated decision-making — I do not carry out solely automated decision-making or profiling

Please note that some of these rights are not absolute and may be limited by my legal and professional obligations (for example, the obligation to retain clinical records). I will always explain if and why a right cannot be fully exercised.

To exercise any of your rights, please contact me in writing using the details in Section 2. Before responding to certain requests, I may need to verify your identity to protect your personal information. I will respond within one calendar month of receiving your request.

12. Complaints

If you have concerns about how I have handled your personal data, please contact me in the first instance using the details provided in Section 2. I will acknowledge your complaint within 7 days, investigate the matter fairly and promptly, and aim to resolve it within 28 days.

If you are not satisfied with my response, you have the right to make a complaint to the Information Commissioner's Office (ICO) at any time. The ICO is the UK's independent authority for data protection and privacy rights.

Website: https://ico.org.uk

Telephone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13. Consent and Withdrawal of Consent

Where I rely on your consent as the lawful basis for processing (for example, for certain communications or the processing of special category health data), you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.

Prior to commencing therapy, I will ask you to sign a Therapy Contract & Terms of Service document and will ask you to confirm that you have read and understood this Privacy Policy.

14. Changes to This Policy

I review this privacy policy at least annually, or sooner if there are significant changes in the law or my practice. The current version will always be available from me on request and on my website.

If I make significant changes that affect how I handle your personal data, I will inform active clients directly.

Where appropriate, I rely on legitimate interests to maintain accurate clinical records, ensure the safe and effective provision of therapy services, and manage my practice.

15. Professional Membership and Regulatory Body

My practice operates in accordance with the ethical framework of:

  • British Association for Counselling and Psychotherapy (BACP) — www.bacp.co.uk

The BACP sets standards for confidentiality, record-keeping, and data protection within the counselling and psychotherapy profession.

Name: Mina Murat Baldwin
Role: Psychotherapist & Counsellor
Date: June 2026