Privacy Policy

Privacy Policy Version 2.1, January 2021

This privacy policy outlines how your data will be gathered, stored, disclosed and destroyed. It is important that you understand this information before you contact me. If we work together, I will ask for your explicit consent that your information is handled in this way.

As a Member of the BACP I abide by their Ethical Framework for the Counselling Professions. This means that I agree to keep accurate records that are adequate, relevant and limited to what is necessary for providing an online counselling service while being able to meet the legitimate reasons for passing information on in exceptional situations.

Who I am

I am William Smith and my website address is:

What personal data I collect and why I collect it

Personal information

I collect two types of personal information from clients. Personal contact details (list 1) allow me to identify you so that I can bill you for my services, contact you to arrange sessions, notify you of any changes to our agreement and for the purposes of meeting any legal obligations.

Session information (list 2) is a brief account of what took place during our contact, though if you choose email or instant messaging therapy, this will be a record of our entire conversation.

Session information (list 2) is stored separately from your personal contact details. This is so I can reduce the potential risk of harm to my clients in the event of a data breech. I do this by providing each client with a randomised pseudonym which links list 1 and list 2. This means that session information does not include any of your personal contact details. Each list is stored on a separate, encrypted, device.

A ‘session’ will usually be a pre-arranged counselling session (by video, voice, text or email). Though if we meet outside a scheduled appointment – such as meeting each other in the supermarket – then I will also record this.

List 1 – Personal Contact & Contract Details

  • name
  • email address
  • address
  • telephone number(s)
  • date of birth
  • registered GP details (their name, address, email, telephone)
  • emergency contact details (their name, address, email, telephone)
  • each session date and time
  • your chosen password/passphrase for encrypting emails or other session documents sent between us
  • the date of your consent to this privacy policy
  • the date of your consent to our therapeutic agreement (which covers details such as price, number of sessions, etc)

List 2 – Session information

  • the number of the session (first, second, fifth, etc.)
  • our mode of communication (email, video, etc.)
  • key themes you discussed
  • any specific recommendations I made or information I requested
  • any safeguarding concerns
  • in the event of email or instant messaging therapy sessions, a copy of your email(s) and/or message(s) and my reply(replies)
  • in the event of an unplanned meeting, any notes that are relevant to that encounter

The following information is stored by Stripe, my chosen payment processor:

  • name
  • address
  • telephone
  • email
  • payment details (date, amount, frequency, payment outcome, payment method)

I do not have access to your payment details as these are encrypted by Stripe. However, Stripe displays the last four digits of your payment method and expiry date, should I need to validate this with you. Find out more from the Stripe Privacy Policy and Privacy Centre.

Session Bookings

If you use the booking functionality on my website, the data collected is your name, email address, telephone number, the type of appointment you have booked and any opt-ins or agreements you have provided (such as accepting terms and conditions). The booking functionality is provided by Book Like a Boss LLC for the purpose of scheduling your appointment. Find out more about their Privacy Policy. Booking online in this way is optional and you can always contact me by email to book a session.

If you provide your email and/or telephone number when booking online, you will receive an email confirmation and a reminder SMS message one hour before your session start time.


When visitors leave comments on the site, it collects the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: After approval of your comment, your profile picture is visible to the public in the context of your comment.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Contact forms are not used on this website. I utilise an encrypted email service, provided by Tutanota, which can receive emails from any address. However, you are encouraged to use encrypted email to send messages to me and can do so using Tutanota. Learn more about Tutanota’s privacy policy here:


If you leave a comment on my site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit the website login page, it will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, the site will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Cookies are also used for analytical purposes and to track the efficiency of any advertising I perform.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.


Visitor behaviour is tracked on this website using cookies. A log of the IP address of any computer or device that visits the website is recorded along with the pages visited. This is so I can understand how visitors are interacting with my website.

I use Google Analytics to track visitor behaviour on my website and to track the effectiveness of advertising through Google. I cannot link this information with the personal information I hold about prospective/current/past clients. Learn more about Google’s privacy policy here:

If you do not want to share your behaviour on this website with Google Analytics, please disable and/or block cookies for this website.

Who I share your data with

Counselling is a confidential service. I will respect the boundaries of this confidentiality for prospective, current and past clients. This means that I will not share contact, contract and session details with another person. I will not tell another person the content of our sessions or the fact that you are receiving counselling. However, there are some limitations that you need to be aware of before we start working together.

As noted earlier, if you become a paying client I will share your personal contact details with financial institutions (currently Stripe and Revolut) so that I can invoice you and process payments online. Please be aware that for the prevention of fraud or in the event of a disputed charge, the financial institutions that I choose to use may ask me to provide the with a copy of the signed counselling agreement, which will include your signature and date of birth.

There are a few other situations where it may be necessary to share information I hold about you with another person or entity. Examples of these situations include:

  • when there is a legal obligation
  • in the event of a complaint, I may need to release details to an insurer, a court or a professional body
  • when you or someone else are at serious or immediate risk of harm
  • when I talk to my professional supervisors about my therapeutic work
  • if I refer you to another professional for help or if I need to share basic information with a health professional involved in your care

I will always seek to speak with you before doing so, though there may be occasions where that is not possible (for instance, if the law forbids me from doing so). This is generally in relation to acts of terrorism, drug trafficking and money laundering. You can always ask me about the limits to confidentiality at any point before, during or after our work together.

How long I retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

The personal information of prospective, current and past clients is handled in a specific manner, in accordance with BACP recommendations. I will retain personal information for ten years after your final therapy session, or for three years after our last communication if you are a prospective client but never book a session.

The retention of data for ten years is for the purpose of complying with French tax laws and also for the purpose of complaints or if you decide to return to therapy. After ten years, these digital records are deleted such that they cannot be restored.

What rights you have over your data

If you have an account on this website, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

If you are a client (prospective, present or past) you have a right to access the information I hold about you. I would provide the information to you in a password protected format (either an encrypted email or a password protected Word document), providing the password to you verbally (either via a voice or video conversation). Please note that if you are provided this information, it is your responsibility to store and dispose of it in a safe and secure manner.

The Information Commissioners Office (ICO) in the UK and the Commission Nationale de l’Informatique et des Libertés (CNIL) in France provide independent and free advice about data protection and your rights to access information held about you. The EU also provides a lot of information about the rights for citizens living in the EU.

Where I send your website data

Visitor comments on the website may be checked through an automated spam detection service.

Additional information

How I protect your data

I take a number of steps to ensure the protection of your data. These are set out below.

Separation of Contact & Contract Details from Session Details.

Contact & Contract Details (List 1) are stored on a separate, removable, encrypted, device from Session Details (List 2). A pseudonym is used to link these two records together.

Use of two-factor security for email, web hosting and payment processing.

Besides using unique, long form, passwords for every login, I use two-factor security which means I must enter a uniquely generated code each time I login to these services. Only I have access to the device which generates these codes.

Encryption of all your data.

I use encryption software, including BitLocker and Cryptomator to encrypt and secure your personal information. The encryption passwords are known only by me and are not stored online or on any digital devices. In addition, I use an end-to-end encrypted email service and encourage clients to do the same.

Use of Encrypted email and video/messaging services

I use an encrypted email service (provided by Tutanota). This means that it is not possible for the email service provider to read the content of any emails on their servers. However, if you do not use an encrypted email service, there is a risk that emails I send to you, and those you send to me, could be accessed. To prevent this, you are advised to create an encrypted email account for the purposes of online counselling. I will send therapeutic emails to you using encryption. If you do not use an encrypted email service (like Tutanota) then you will be directed to a password protected website to read the email.

In addition, I use Zoom or Signal for video, voice and messaging sessions. These services provide end-to-end encryption. You can read the Zoom privacy policy and Signal privacy policy for more information about how they handle your date. If you object to using one of these services, please inform me so we can choose a different provider.

What data breach procedures I have in place

A data breach is a security incident which includes access by an unauthorised third party, sending personal data to an incorrect recipient, digital devices containing personal data being lost of stolen and deliberate or accidental action (or inaction) against personal records.

When I become aware of a breach occurring, I will take steps to investigate. Where necessary I will report the breach to the necessary authorities and to individuals I believe may have been affected by the breach. This information will include a description of the likely consequences of the breach and a description of the measures I propose to deal with the breach. Any breach is documented.

What third parties we receive data from

I do not receive any data from third parties.

What automated decision making and/or profiling I do with user data

I do not perform any decision making or profiling marketing.