Privacy Policy
Effective Date: 4th March 2025
1. Introduction
The Tunbridge Wells Psychologist ("we," "us," "our") is committed to protecting and respecting your privacy. This Privacy Policy outlines how we collect, use, store, and disclose your personal information in compliance with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws.
We aim to keep this policy clear, accessible, and legally compliant while ensuring you understand how your personal data is handled.
2. Who is the Data Controller?
The Tunbridge Wells Psychologist is registered with the Information Commissioner's Office (ICO) under the name Dr Rachel Whatmough with registration number ZB861374.
The Tunbridge Wells Psychologist (TWP) operates an associate model, where each therapist is an independent practitioner and sole trader.
Each therapist is individually responsible for the data they collect and process and is separately registered with the Information Commissioner's Office (ICO).
If you are receiving therapy from one of our associates, your therapist—not TWP—is the data controller for your personal data.
TWP provides administrative and practice management support, but we do not act as a central data controller for all clients.
Shared Access to Client Records
All therapists securely store client information in Halaxy, a GDPR-compliant practice management system used for session notes, appointment scheduling, and record-keeping.
While individual therapists cannot access each other's client records, the practice owner (Dr Rachel Whatmough) has administrative access to all records for security and operational purposes.
Alternative Practice Management Systems
Some therapists may use additional systems, such as Heidi Health. If a therapist chooses to use an alternative system:
They will inform you and seek your consent before storing your data there.
They are responsible for ensuring the system complies with UK GDPR and confidentiality regulations.
If you have questions about how your personal data is stored, please contact your therapist directly. If you're unsure how to reach them, email us at info@thetunbridgewellspsychologist.co.uk and we'll direct your request accordingly.
3. Information We Collect
We may collect and process the following types of personal data:
A. Personal Data
Name, address, phone number, email address
Date of birth
GP contact details (if provided)
B. Sensitive Personal Data (Special Category Data)
Health information relevant to therapy
Therapy session notes and assessments
Referral details and treatment history
Structured Data Collection & Questionnaires
As part of our assessment and therapy process, we may ask clients (or parents, if the client is a child) to complete questionnaires and forms that help us understand their experiences, difficulties, and background. These may include:
For adults: Mood and wellbeing questionnaires.
For children and young people: Age-appropriate questionnaires about their mood and wellbeing.
For parents of child clients: Questionnaires about their child’s emotional, behavioural, and developmental history.
Background information relevant to the presenting problem, such as family relationships, early childhood development, education, and family history.
Details about the mental and physical health of family members, including previous mental health support (e.g., from GPs, counsellors, or hospitals) and any relevant medications.
We collect this data only with explicit consent and store it securely within Halaxy or another GDPR-compliant system used by your therapist.
C. Website & Payment Data
Website Enquiry Forms: If you complete a web-based enquiry form, we may collect your name, email, and any information you provide.
Payments: We use Stripe to process online payments. We do not store card details, and all transactions are processed securely.
Website Analytics: We use Google Analytics and Squarespace analytics to monitor website traffic; this data is anonymised and does not track identifiable users.
4. Lawful Basis for Processing Your Data
Under UK GDPR, we must have a lawful basis to process your personal data. The lawful bases relevant to our work include:
Consent: When you provide consent for us to process your data for therapy.
Contractual Necessity: Processing your data to provide therapy services.
Legal Obligation: When required by law (e.g., safeguarding concerns).
Legitimate Interests: Processing necessary to manage the practice and ensure high-quality services.
5. How We Use Your Information
We use your data to:
Provide therapy and maintain appropriate clinical records.
Manage appointments and communicate with you.
Process payments via Stripe.
Comply with legal and ethical obligations (e.g., safeguarding concerns).
We never sell or share your data for marketing purposes without consent.
6. Data Sharing and Confidentiality
We take confidentiality seriously. However, in some cases, we may need to share information:
With Your Consent: If you ask us to share information with another professional (e.g., GP, psychiatrist).
Legal or Safeguarding Obligations: If there is a risk of harm to you or others, or when legally required to disclose information.
Practice Management: Your records are stored within Halaxy, where administrative access is required for security and operational reasons.
Client Referrals to Associates: If you consent to being referred to one of our associates, we will share your contact details (name, phone number, and email) with them. Additionally, we will share relevant information discussed over email, phone, and during the triage process, as well as details of any appointments booked, unless you have stated otherwise.
Schools & Referrals: We work with schools and other educational settings to provide psychological support. If a school refers a child for therapy, we will obtain parental consent where required. Any information shared between therapists and schools will be discussed with the child and/or their parents beforehand, except in safeguarding situations. Schools do not have access to therapy session notes unless explicitly agreed upon.
Obtaining Data from Other Agencies: With your explicit consent, we may also obtain data from other agencies involved in your or your child’s care, such as GPs, previous mental health workers, or teachers, if this is considered appropriate and useful for your treatment.
7. Data Security and Storage
We use Halaxy, a secure GDPR-compliant system, to store client records electronically. Halaxy provides:
Encrypted storage of clinical records.
Role-based access (your therapist controls access to your data).
Secure communication channels for appointment management.
We also use Google Workspace (Gmail) for professional communication. While we take all reasonable steps to secure emails, clients should be aware that email is not a fully secure method of communication for sensitive information.
Data Retention
Therapy records are retained for 7 years after the last session for adults and until age 25 (or 7 years after therapy ends) for children, whichever is longer. After this period, records are securely deleted.
Online Therapy Platforms
We offer online therapy using Zoom or Microsoft Teams, depending on the therapist. Both platforms provide encrypted communication and comply with GDPR standards for secure video conferencing.
We do not record sessions.
Therapists ensure sessions are conducted in a private and secure setting.
You can review Zoom’s privacy policy here: Zoom Privacy Statement
You can review Microsoft Teams' privacy policy here: Microsoft Privacy Statement
8. Cookies and Website Tracking
Our website uses cookies to enhance user experience, analyse website traffic, and support marketing efforts. By using our website, you consent to the use of cookies as outlined in this policy.
Types of Cookies We Use
Essential Cookies: Required for website functionality and security.
Analytics Cookies: We use Google Analytics and Squarespace analytics to track how visitors use our site. These help us improve functionality and user experience. Data collected is anonymised where possible.
Marketing & Tracking Cookies: We use tracking cookies for advertising and marketing purposes, including Google Ads and social media advertising pixels. These cookies help us measure the effectiveness of our campaigns and serve relevant ads to users.
Managing Your Cookie Preferences
When you first visit our website, you will be asked to accept or decline cookies.
You can change your cookie preferences at any time via your browser settings.
You can opt out of targeted advertising cookies through third-party opt-out tools, such as Google’s Ad Settings and the Network Advertising Initiative.
Please note that restricting cookies may affect website functionality.
Your web browser allows you to delete or restrict cookies at any time. However, some website features may not function properly if cookies are disabled.
9. Third-Party Websites, Plug-Ins, and Services
Our website may contain links to third-party websites, plug-ins, and services (e.g., social media login plug-ins). If you choose to use these, you may disclose your information to those third parties. Please note:
Responsibility: We are not responsible for the content or practices of these third parties.
Third-Party Privacy Policies: The collection, use, and disclosure of your personal data by these third parties are governed by their respective privacy policies, not ours. We recommend reviewing their privacy and security policies before engaging with them.
10. Use by Children
Our website and online services are not specifically targeted at individuals under the age of 16, and we do not knowingly collect personal data from children through the website without parental consent. However, we do provide therapy to children and young people, with appropriate consent from a parent or legal guardian where required.
Minors must obtain express consent from a parent or legal guardian before providing any personal data through our website or engaging in therapy where parental consent is legally required. If we become aware that a child under 16 has provided personal data through our website without parental consent, we will delete that information promptly.
11. Contact Us
If you have any concerns or questions about this Privacy Policy, you can contact us:
Email: info@thetunbridgewellspsychologist.co.uk
Phone: 01892 710222
If you are unhappy with how we process your data, you also have the right to complain to the ICO (www.ico.org.uk).
12. Changes to This Policy
We may update this policy periodically. The latest version will always be available on our website. This version was updated 4th March 2025.