Privacy & Data Protection Policy

Compliant with UK GDPR, the Data Protection Act 2018, and BACP standards

Version 1.0 | March 2026

1. Introduction

Counselling with Mina (referred to in this policy as "I", "me", or "my practice") is committed to protecting the privacy and confidentiality of all personal information I hold. This policy explains what personal data I collect, why I collect it, how I use it, and the rights you have in relation to it.

This policy applies to all clients, prospective clients, and website visitors. It has been written in accordance with:

  • The UK General Data Protection Regulation (UK GDPR)

  • The Data Protection Act 2018 (DPA 2018)

  • The British Association for Counselling and Psychotherapy (BACP) Ethical Framework

  • The Information Commissioner's Office (ICO) guidance for health and care providers

I am registered with the Information Commissioner's Office (ICO) as required for practitioners processing health data. My ICO registration reference number is ZC099225.

2. Data Controller

The data controller responsible for your personal information is:

Practice name: Counselling with Mina
Email: mail@counsellingwithmina.com
Website: www.counsellingwithmina.com

If you have any questions about how I handle your personal data, or wish to exercise any of your rights, please contact me using the details above.

3. Personal Data I Collect

3.1 Contact and Identity Information

When you enquire about or engage my services, I collect:

  • Full name

  • Email address

  • Phone number(s)

  • Home address (where required for correspondence)

  • Date of birth

  • Emergency contact name and relationship

3.2 Health and Sensitive (Special Category) Data

Because I provide psychotherapy and counselling services, I process special category data under Article 9 UK GDPR. This includes:

  • Mental health history, diagnoses, and current presenting issues

  • Medication and physical health conditions relevant to therapy

  • Safeguarding and risk-related information

  • Session notes, case formulations, and therapeutic records

  • GP and other healthcare provider details

Special category data is given the highest level of protection and is only processed where there is a lawful basis and a relevant Schedule 1 condition under DPA 2018 (see Section 5).

3.3 Financial and Payment Information

To process payment for sessions, I collect:

  • Bank details or card information (processed securely via Mettle by NatWest)

  • Invoicing details and payment history

I do not store full card details on my systems. Payment processing is handled by a PCI-DSS compliant third-party provider.

3.4 Website and Technical Data

If you visit my website, I may collect:

  • IP address and browser type

  • Pages visited and duration of visit

  • Cookie identifiers (see Section 10)

4. How I Collect Your Data

I collect personal data through the following means:

  • Enquiry forms submitted via my website or email

  • Online appointment booking via Calendly (for consultation requests)

  • Telephone and video consultations

  • Paper or electronic intake/assessment forms

  • Session notes made during or after appointments

  • Referrals from GPs, psychiatrists, or other healthcare professionals

  • Payment systems and invoicing platforms

5. Lawful Basis for Processing

I rely on the following lawful bases under UK GDPR Article 6 and, for special category data, the conditions in Article 9 and Schedule 1 of the DPA 2018:

Data type | Lawful basis (Art. 6) | Special category condition (Art. 9 / Sch. 1)
Contact/identity data | Contract (Art. 6(1)(b)) | N/A
Health / therapy records | Vital interests / legal obligation | Health care provision (Sch.1 para.2)
Safeguarding / risk data | Legal obligation (Art. 6(1)(c)) | Preventive medicine (Sch.1 para.2)
Financial/payment data | Contract (Art. 6(1)(b)) | N/A
Consent-based communications | Consent (Art. 6(1)(a)) | Explicit consent (Art. 9(2)(a))

6. How I Use Your Personal Data

I use your personal data for the following purposes:

  • Delivering counselling and psychotherapy services to you

  • Communicating about appointments, cancellations, and session reminders

  • Maintaining clinical records as required by professional ethical standards

  • Processing payment for services rendered

  • Fulfilling mandatory safeguarding obligations

  • Consulting with my supervisor (under professional confidentiality obligations)

  • Complying with legal, regulatory, or court requirements

  • Improving my service and, where consented, contacting you about relevant updates

I will never sell, rent, or share your data for marketing purposes with third parties.

7. Sharing Your Personal Data

Your personal data is treated as strictly confidential. I share data only in the following limited circumstances.

7.1 Clinical Supervision

As required by the BACP Ethical Framework, I discuss client work in supervision. Your information will be shared in anonymised or pseudonymised form wherever possible. My supervisor is bound by the same confidentiality obligations.

7.2 Safeguarding and Legal Obligations

I am legally and ethically required to break confidentiality in certain circumstances:

  • Where there is a serious and imminent risk of harm to you or another person

  • Where there is a disclosure or suspicion of child or vulnerable adult abuse

  • Where I am ordered to disclose information by a court of law

  • Where required by the Counter-Terrorism and Security Act 2015 (Prevent duty)

I will, wherever possible, discuss any intended disclosure with you beforehand.

7.3 Third-Party Service Providers

I may share data with carefully selected third parties who provide services on my behalf, including:

  • Calendly (appointment booking platform) — used to process consultation booking requests, including your name, email address, and any information you provide in the booking form. Calendly's Data Processing Addendum is incorporated into their Terms of Use and covers UK GDPR requirements.

  • Google Workspace and Google Meet — used for client email communication and online therapy sessions

  • Squarespace — website hosting platform

  • Mettle by NatWest — payment processing

  • Personal document system (password-protected) — used for secure storage of session notes and client records

All third-party processors are required to process data only on my instructions and in accordance with UK GDPR, and have signed appropriate data processing agreements.

7.4 International Transfers

Where I use software services whose servers are located outside the UK or European Economic Area, I ensure adequate safeguards are in place (such as UK adequacy regulations, Standard Contractual Clauses, or equivalent protections) before any data transfer takes place.

8. Data Retention

I retain personal data only for as long as is necessary. My retention periods are as follows:

Record type | Retention period
Adult therapy/counselling records | 7 years after the final session
Financial and invoicing records | 7 years (HMRC requirement)
Enquiry / pre-therapy contact | 12 months if therapy does not commence
Website analytics data | Up to 26 months

After the retention period has elapsed, records are securely and permanently destroyed.

9. Data Security

I take the security of your personal data seriously and have implemented appropriate technical and organisational measures, including:

  • Encryption of electronic records and communications containing personal data

  • Password-protected devices with up-to-date antivirus and firewall protection

  • Use of secure, end-to-end encrypted platforms for remote sessions

  • Locked physical storage for any paper records

  • Restricted access — only I can access your records

  • Secure deletion of data when the retention period expires

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, I will notify the ICO within 72 hours and, where required, inform you directly without undue delay.

10. Cookies and Website Tracking

My website (www.counsellingwithmina.com) may use cookies and similar technologies. Cookies are small text files placed on your device to help me understand how the site is used and improve your experience.

I use the following types of cookies:

  • Essential cookies — necessary for the website to function (no consent required)

  • Analytics cookies — to understand visitor behaviour (requires your consent)

  • Preference cookies — to remember your settings (requires your consent)

You can manage or withdraw consent for non-essential cookies at any time through your browser settings or my cookie preference tool. Withdrawing consent will not affect the lawfulness of any processing already carried out.

11. Your Rights Under UK GDPR

Under the UK GDPR and DPA 2018, you have the following rights in relation to your personal data:

  • Right of access — to request a copy of the personal data I hold about you (Subject Access Request)

  • Right to rectification — to ask me to correct inaccurate or incomplete data

  • Right to erasure — to request deletion of your data where there is no legitimate reason for me to continue holding it

  • Right to restrict processing — to ask me to suspend processing of your data in certain circumstances

  • Right to data portability — to request your data in a structured, machine-readable format

  • Right to object — to object to processing based on legitimate interests or for direct marketing

  • Rights related to automated decision-making — I do not carry out solely automated decision-making or profiling

Please note that some of these rights are not absolute and may be limited by my legal and professional obligations (for example, the obligation to retain clinical records). I will always explain if and why a right cannot be fully exercised.

To exercise any of your rights, please contact me in writing using the details in Section 2. I will respond within one calendar month of receiving your request.

12. Complaints

If you are unhappy with how I have handled your personal data, please contact me in the first instance so I can try to resolve your concern.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

Information Commissioner's Office
Website: https://ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13. Consent and Withdrawal of Consent

Where I rely on your consent as the lawful basis for processing (for example, for certain communications or the processing of special category health data), you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.

Prior to commencing therapy, I will ask you to sign a Client Agreement and Privacy Notice Acknowledgement which confirms you have read and understood this policy.

14. Changes to This Policy

I review this privacy policy at least annually, or sooner if there are significant changes in the law or my practice. The current version will always be available from me on request and, where applicable, on my website.

If I make material changes, I will notify active clients directly.

15. Professional Membership and Regulatory Body

My practice operates in accordance with the ethical framework of:

  • British Association for Counselling and Psychotherapy (BACP) — www.bacp.co.uk

The BACP sets standards for confidentiality, record-keeping, and data protection within the counselling and psychotherapy profession.

Name: Mina Murat Baldwin
Role: Psychotherapist & Counsellor
Date: March 2026
Next review date: March 2027