We, Health in Mind Psychology Ltd., (referred to as “we”, “us” or “our” in this privacy policy) take your privacy very seriously and adopt a high standard of compliance and confidentiality when dealing with your data. Our registered data controller is Paula Redmond (Information Commissioner’s Office, Ref: ZA761349). This notice outlines how we collect, use, and store your personal data via the website (drpaularedmond.com) and our services. It does not extend to any websites or social media platforms that can be accessed from our website.
Please read it so that you understand these processes and what your rights are.
What data we collect and why
Contact details – We collect your contact details in order to respond to queries, arrange appointments and to provide services. We collect emergency contact and GP details because we have a duty of care to seek help if you or someone else is at risk of harm.
Your contact details are essential to allow us to complete our contract with you. If you fail to provide necessary data when requested, we may have to cancel a service you have with us but we will notify you if this is the case at the time. Also, we use them to help detect and prevent fraud against you and us. Our legal basis for preventing fraud is public interest (the government has determined that the prevention of fraud is a task in the public interest).
Payment details – Debit/Credit Card details including Security/CVV code – Firstly, rest assured we do not retain this information. We need it to complete your purchase and to help detect and prevent fraud against you and us. We will also use this information to be able to carry out any refunds to you. We use Stripe to process your payments.
Health data – As health professionals we are required to keep records of the work we do together. We only collect and store information that is relevant and necessary for this work.
Audit and evaluation – We routinely audit the effectiveness of the services we offer and for this reason retain anonymised information about the outcomes of therapy and any feedback you give us.
Marketing – If you sign up to receive our newsletter or marketing emails we will collect your email address for this purpose. Our lawful ground of processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely to grow our business).
Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you made a purchase or asked for information from us about our goods or services or (ii) you agreed to receive marketing communications and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However, you can still opt out of receiving marketing emails from us at any time.
Company details – We will collect and hold your company name and contact information if you are making a request for organisational consultation or training.
Browsing our website
If you browse our website, we may analyse information about how you use the website, and the content and pages that you interact with, in order to improve the relevance and interest of the content on it. Our legal basis for this processing is legitimate interest.
Every time someone visits our website, a log file is generated on our computer. The log file records the time and date of your visit, the files that were requested, your IP (Internet Protocol) address, the referrer URL (if provided) and the browser version. We collect this information to help us diagnose problems and administer our systems and to audit the geographical make-up of users and how they have arrived at our site; that is, from what other sites visitors have arrived (this information being obtained from the referrer URL). We do not normally link IP addresses to anything personally identifiable, which means that you remain anonymous throughout your visit even though an IP address is personal data.
We would only attempt to use IP addresses to identify a user when we feel it is necessary to protect our services and other users on the site or are legally required to by law enforcement agencies.
Website cookies – Our website uses a number of cookies to collect data. This data helps us to understand and improve our website traffic and can help you have a better user experience. We have carefully chosen these cookies and have taken steps to ensure that your privacy is protected and respected at all times.
You can decide which cookies to accept or disable when you access the site and via your internet browser. Before the website places cookies on your computer, you will be presented with a message bar requesting your consent to set those cookies. By giving your consent to the placing of cookies, you are enabling us to provide a better experience and service to you. You may, if you wish, deny consent to the placing of cookies; however, certain features of the website may not function fully or as intended.
How we store and safeguard your information
We use several secure cloud-based services to store data: PowerDiary, Stripe, Xero, Acuity Scheduling, NovoPsych, ProtonMail, and MailerLite. For the storage of the most sensitive data – summaries of sessions – we use a secure system that is fully GDPR-compliant (PowerDiary). Our use of Stripe, Xero, Acuity Scheduling, NovoPsych, ProtonMail and MailerLite means that certain personal data is stored on servers located outside of the EU. We understand that these companies are GDPR compliant and have subscribed to EU Model Contract Clauses (MCCs, also known as Standard Contractual Clauses or SCCs). These are regulatory implementations designed to guarantee that EU citizens are adequately protected under EU data protection laws as their data passes into and out of the United States, and are lawful transfer mechanisms for personal data transferred outside of the EU, Switzerland or the UK (as applicable).
Additionally, we may share your personal data with the parties set out below for the purposes set out above (see ‘What data we collect and why’).
- Service providers, acting as processors who provide IT and system administration services.
- Professional advisers, acting as processors or joint controllers, including healthcare professionals, lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities, acting as processors or joint controllers, who require reporting of processing activities in certain circumstances.
- Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
How long we will keep your data for
In line with the policies of the British Psychological Society we keep client health records for 7 years following the end of treatment. Following this time your data will be securely destroyed. Unless a longer retention period is required or permitted by law, we will only hold other data on our systems for the period necessary to fulfill the purposes outlined in this privacy policy or until you request that the data be deleted. Even if we delete your data, it may persist on backup or archival media for legal, tax or regulatory purposes.
Due to HMRC requirements, we will store any invoices or other financial data for 7 years.
What are your privacy rights?
You have rights in respect of our processing your data which are:
- to access your personal data and information about our processing of it
- to request a copy of your personal data
- to rectify incorrect personal data that we are processing
- to request that we erase your personal data if:
  - we no longer need it
  - we are processing data by consent and you withdraw that consent
  - we no longer have a legitimate ground to process your personal data
  - we are processing your data unlawfully
- to object to our processing if it is by legitimate interest
- to restrict our processing if it was by legitimate interest
- to request that your personal data be transferred from us to another company if we were processing your data under a contract or with your consent and the processing is carried out by automated means
If you want to exercise any of these rights or have any questions or concerns, please contact us at hello@drpaularedmond.com.
Most matters can be resolved informally in the first instance.
You also have the right to lodge a complaint about our processing with the UK’s Information Commissioner’s Office.
For more information about your Data Subject Rights, please refer to the ICO website.
Changes to the privacy policy and your duty to inform us of changes
We keep our privacy policy under regular review. This version was last updated in January 2024.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.