Privacy policy

Last updated: 06/08/2025

Welcome to Autistic Women’s Therapy. This privacy policy explains how I collect, use, store, and protect your personal information when you access counselling services through my practice. It’s here to reassure you that your data is handled with care, respect, and in full accordance with UK GDPR and the Data Protection Act 2018.

If you have any questions about this policy or how your information is handled, you’re welcome to get in touch.

Contact Details

Data Controller: Rebecca Handy
Phone: 07507 489 406
Email: autisticwomenstherapy@gmail.com

What Information I Collect and Why

To offer safe, ethical, and appropriate therapy, I need to collect and use some personal information. Here's what I may collect:

To provide therapy:

  • Name, contact details, and date of birth

  • Pronoun preferences

  • Next of kin and emergency contact

  • GP details (optional unless safeguarding risk arises)

  • Health and mental health history (as shared by you)

  • Session notes and therapeutic goals

  • Payment and banking info (for invoicing and refunds)

To comply with legal obligations:

  • Insurance, supervision, and tax records

  • Health and safety documentation

  • Safeguarding information (if required)

For queries or complaints:

  • Correspondence

  • Contracts and consent forms

  • Records of sessions or relevant communication

Lawful Bases for Collecting Your Data

I collect and use personal data based on the following lawful grounds:

  • Consent – you give explicit consent to participate in therapy and for me to store and use your data appropriately.

  • Contract – therapy is a service you enter into voluntarily, and I need to process data to fulfil that agreement.

  • Legal obligation – I am legally required to hold certain records (e.g. for insurance and safeguarding).

  • Vital interests – very rarely, I may process or share data to prevent serious harm or risk to life.

  • Legitimate interests – to manage and respond to any service-related queries or complaints.

Your Rights

You have the right to:

  • Access the personal data I hold about you

  • Correct any inaccurate or incomplete data

  • Request deletion of your data (unless I have a legal reason to keep it)

  • Restrict how your data is used

  • Object to certain uses of your data

  • Request transfer of your data to another provider

  • Withdraw consent at any time (if consent was the basis for data use)

To exercise any of these rights, just contact me using the details at the top.

Where Your Data Comes From

  • Directly from you

  • Occasionally (and only with your consent), from a GP, emergency contact, or other health professional

How Long I Keep Your Data (Retention)

In line with ethical guidelines and legal requirements, I keep client records for 7 years after therapy ends. For clients under 18, records are kept until their 25th birthday.

After this time, all records are securely deleted or shredded.

Who I Share Your Information With

Your information is kept confidential. I will not share your data unless:

  • You give explicit consent

  • There's a legal or safeguarding requirement

  • A serious risk of harm is identified

Trusted Data Processors I Use:

Processor - Google Workspace

What They Do - Email, Google Drive (client notes), Google Calendar

Processor - Microsoft Office

What They Do - Document creation and storage

Processor - Zoom

What They Do - Encrypted video platform for online sessions

Processor - Mettle

What They Do - Banking provider for client payments and invoicing

These services may store data on servers outside the UK, but all are covered by approved international transfer mechanisms (see below).

International Data Transfers

Some services I use store data in the US or outside the UK. I only use platforms that comply with UK GDPR and have valid safeguards in place:

Organisation - Google LLC

Country - USA

Safeguard - Addendum to EU Standard Contractual Clauses

Organisation - Zoom Communications

Country - USA

Safeguard - Addendum to EU Standard Contractual Clauses

Organisation - Microsoft Corporation

Country - USA

Safeguard - International Data Transfer Agreement (IDTA)

If you want more information about these safeguards, just ask.

Your Confidentiality

I work under a professional duty of confidentiality. Everything shared in therapy is private unless:

  • You consent to it being shared

  • I’m required by law or court order

  • There’s a risk of serious harm to you or others

  • There’s a safeguarding concern involving a child or vulnerable adult

Complaints

If you’re unhappy with how I handle your data, I’d encourage you to get in touch so we can discuss it. If you're still not satisfied, you can contact the ICO directly:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk/make-a-complaint