Privacy Policy

Last updated: 29 August 2025

1. Data Controller Information

Data Controller: Morven Taylor Slater (Taylored Hypnotherapy)
Business Address: West Lothian, Scotland EH52
Email: morven@tayloredhypnotherapy.com
Phone: Available on request

This privacy policy explains how we collect, use, and protect your personal information when you use our hypnotherapy services or interact with our website. We are committed to protecting your privacy and complying with UK GDPR and Data Protection Act 2018 requirements.

2. Information We Collect

2.1 Personal Information You Provide

  • Name, address, email address, and telephone number
  • Date of birth and emergency contact details
  • GP details and medical history relevant to hypnotherapy
  • Mental health information, including current medications
  • Lifestyle information (smoking, alcohol, exercise habits)
  • Session notes, treatment progress, and therapeutic goals
  • Audio recordings of sessions (where consent is given)
  • Payment information and billing records
  • Insurance details (if applicable)

2.2 Special Category Data (Health Data)

As a hypnotherapy practice, we process special category personal data relating to your physical and mental health. This includes information about your medical conditions, psychological state, treatment history, and therapeutic progress. We process this data only with your explicit consent and as necessary for healthcare purposes.

2.3 Information Collected Automatically

  • Website usage analytics (page views, session duration, referral sources)
  • IP address, browser type, and device information
  • Cookies and similar tracking technologies (see our Cookie Policy)
  • Booking system data (appointment times, preferences)

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 Healthcare and Treatment

  • Providing hypnotherapy services and treatment
  • Assessing your suitability for specific therapeutic approaches
  • Planning and delivering personalised treatment programmes
  • Monitoring treatment progress and outcomes
  • Providing aftercare and follow-up support

3.2 Administrative Purposes

  • Managing appointments and scheduling
  • Processing payments and handling billing enquiries
  • Communicating with you about your treatment
  • Maintaining accurate client records
  • Insurance and liability management

3.3 Legal and Professional Requirements

  • Complying with professional body regulations (NCH, AfSFH)
  • Meeting insurance requirements
  • Safeguarding obligations
  • Responding to legal requests or court orders

4. Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following legal bases:

  • Explicit Consent (Article 9): For processing special category health data. You have the right to withdraw consent at any time.
  • Contract Performance (Article 6(1)(b)): To provide hypnotherapy services as agreed in our therapeutic contract.
  • Legal Obligation (Article 6(1)(c)): To maintain records as required by professional bodies, insurance providers, and HMRC.
  • Vital Interests (Article 6(1)(d)): To protect someone's life or physical safety in emergency situations.
  • Legitimate Interests (Article 6(1)(f)): For business administration, fraud prevention, and improving our services (where not overridden by your interests).
  • Healthcare Purposes (Article 9(2)(h)): For providing healthcare services and treatment.

5. Data Sharing and Recipients

We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:

5.1 Healthcare Professionals

  • Your GP or other healthcare providers (with your explicit consent)
  • Clinical supervisors (with anonymised data where possible)
  • Other healthcare professionals involved in your care (with your consent)

5.2 Legal Requirements

  • Police or courts when legally required
  • Social services for safeguarding purposes
  • Professional regulatory bodies (e.g., for complaints investigations)
  • HMRC for tax compliance

5.3 Service Providers (Data Processors)

  • Cal.com (appointment booking system)
  • Resend (email communications)
  • Google Analytics (website analytics)
  • Payment processors (secure payment handling)
  • IT support providers (with appropriate data processing agreements)

5.4 Emergency Situations

If there is an immediate risk to your safety or the safety of others, we may need to share information with emergency services, healthcare providers, or other relevant authorities.

6. International Data Transfers

Some of our service providers may be located outside the UK. Where this occurs, we ensure adequate protection through appropriate safeguards such as Standard Contractual Clauses or adequacy decisions. We will inform you of any international transfers during the consent process.

7. Data Security

We implement comprehensive security measures to protect your personal data:

7.1 Technical Measures

  • 256-bit SSL encryption for data transmission
  • Encrypted storage of all digital records
  • Secure, password-protected systems
  • Regular software updates and security patches
  • Firewall protection and intrusion detection

7.2 Physical Measures

  • Locked filing cabinets for paper records
  • Secure therapy rooms with privacy controls
  • Limited access to client areas
  • CCTV monitoring of premises (where appropriate)

7.3 Organisational Measures

  • Staff confidentiality agreements
  • Regular data protection training
  • Clear data handling procedures
  • Incident response procedures
  • Regular security audits

8. Data Retention

We retain your personal data only for as long as necessary for the purposes outlined in this policy:

8.1 Client Records

  • Active clients: Throughout the therapeutic relationship
  • Closed cases: 8 years after the last session (professional indemnity insurance requirement)
  • Child clients: Until age 25 or 8 years after last session, whichever is later
  • Audio/video recordings: Destroyed after transcription unless specifically consented to longer retention

8.2 Business Records

  • Financial records: 6 years after the tax year they relate to (HMRC requirement)
  • Insurance records: 6 years after policy expiry
  • Marketing consents: Until withdrawn or 3 years of inactivity
  • Website analytics: 26 months (Google Analytics default)

8.3 Secure Disposal

At the end of retention periods, we securely delete or destroy all personal data using industry-standard methods including secure digital deletion and confidential paper shredding.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

9.1 Right of Access (Article 15)

You can request a copy of the personal data we hold about you, including information about how we process it.

9.2 Right to Rectification (Article 16)

You can ask us to correct any inaccurate or incomplete personal data.

9.3 Right to Erasure (Article 17)

You can request deletion of your personal data, subject to certain limitations (e.g., legal retention requirements).

9.4 Right to Restrict Processing (Article 18)

You can ask us to limit how we process your data in certain circumstances.

9.5 Right to Data Portability (Article 20)

You can request your data in a portable format to transfer to another service provider.

9.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time. This will not affect previous lawful processing.

9.8 Rights Related to Automated Decision Making

You have the right not to be subject to automated decision-making, including profiling, that produces legal effects.

9.9 How to Exercise Your Rights

To exercise any of these rights, contact us using the details below. We will respond within one month. We may need to verify your identity before processing your request.

10. Children and Young People

10.1 Consent Requirements

  • Under 13: Parent/guardian consent required
  • 13-15 years: Both young person and parent/guardian consent required
  • 16+ years: Can provide their own consent

10.2 Special Protections

We take additional care when processing children's data, including enhanced security measures and longer retention periods to protect against future claims.

11. Data Breach Notification

In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you within 72 hours of becoming aware of the breach. We will inform you of:

  • The nature of the breach
  • Likely consequences
  • Measures taken to address the breach
  • Recommended actions for you to take

12. Cookies and Online Tracking

Our website uses cookies and similar technologies. Please see our separate Cookie Policy for detailed information about our use of cookies and how to manage your preferences.

13. Changes to This Policy

We may update this privacy policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make significant changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify existing clients via email
  • Post a notice on our website
  • Obtain new consent where required

14. Contact Information

For any questions about this privacy policy or to exercise your rights, please contact:

Data Controller: Morven Taylor Slater

Email: morven@tayloredhypnotherapy.com

Address: West Lothian, Scotland EH52

Phone: Available on request

15. Complaints and Regulatory Contact

If you have concerns about how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):

Information Commissioner's Office

Website: ico.org.uk

Phone: 0303 123 1113

Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Professional Registration: This practice operates in accordance with the standards of the National Council for Hypnotherapy (NCH) and Association for Solution Focused Hypnotherapy (AfSFH). Hypnotherapy is not regulated by statute in the UK.