Due to the nature of counselling and therapy, you are likely to disclose a significant amount of sensitive personal information. Therefore, it can be helpful to understand exactly how I will treat this information during our time working together and once our work has come to an end.
“Personal data” under EU data protection law (including the EU General Data Protection Regulation 2016/679 (GDPR), the EU Privacy and Electronic Communications Directive 2002/58/EC, and all national implementing legislation) and UK Data Protection Law (including the Data Protection Act 2018) is any information about an individual from which that person can be identified. You can use my website without being required to provide any personal data to me but in order to use my services, you will be asked to consent to my processing and storage of your personal data.
Information I collect and legal basis for doing so
I only collect personal data about you to deliver a service to you. In addition to the information you provide, I collect certain information when you visit my website.
I collect and process some or all of following types of personal data about you:
Identity Data including name and date of birth. This is necessary to perform my service agreement with you.
Contact Data including billing address, email address and telephone numbers. This is necessary to perform my service agreement with you.
Emergency Contact Data including the name, address, email address and telephone number of at least one emergency contact and your GP or primary care doctor. This is necessary to perform my service agreement with you.
Financial Data including bank account and payment card details. This is necessary to perform my service agreement with you.
Transaction Data including details about payments to and from you and other details of services you have purchased from me. This is necessary to perform my service agreement with you.
Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. This is to support my legitimate interests in managing my business.
Service Usage Data including information about how you use services, such as attendance, date, time, method and frequency of sessions. This is to support my legitimate interests in managing my business and to perform my service agreement with you.
Marketing and Communications Data including your preferences in receiving marketing from me and your communication preferences. Currently I do not perform any marketing that uses any personal data, which is why I do not seek your consent for marketing. My use of this data is based on your express consent (when/if I perform marketing, you must opt-in to receive marketing communications) and you can withdraw at any time.
Sensitive Personal Data is data consisting of race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. This is in addition to information you provide about your mental health and personal history during our work together, including any initial contact you make with me. This may include information about your past or present occupations, relationships, lifestyle choices, social circumstances, interpersonal events, medical issues, psychological issues, drug use, alcohol use, self-harm, thoughts and feelings. This is necessary to perform my service agreement with you.
You have a number of rights regarding your data:
Right of access – you have the right to receive a copy of your personal data.
Right to rectification – you have the right to correct any inaccurate or incomplete personal data I hold about you.
Right to erasure – you have the right to ask me to delete your personal data in certain circumstances.
Right to restrict processing – you have the right to ask me to halt the processing of your personal data in certain circumstances.
Right to object – you have the right to object to me processing your personal data on the basis of my legitimate interests (or those of a third party).
Right to data portability – you have the right to request me to give you a copy of the data I hold about you so that you can transmit it to a third party.
If you are an EU citizen or resident and believe that my processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Data Protection Authority in the country of your residence, place of work or place of an alleged infringement.
- EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en
If you are a UK citizen or resident and believe that my processing of your personal data infringes the UK-GDPR, you have a right to lodge a complaint with the Information Commissioner’s Office (ICO).
Security and where I store your personal data
I consider the responsible processing of your personal information one of my highest priorities. Therefore, I am transparent about the services I use to process your personal data and the steps I take to ensure its security.
I use Google Workplace to communicate with you and to store and process your personal data. This includes via video and voice sessions, sending and receiving emails, storing your agreement to work with me and your consent to my processing of your data, capturing and storing personal information from you when you become a client, storing session date/times, and capturing and storing session notes. Under my agreement with Google Workspace, I am the Data Controller of your personal data and it is not used to enhance Google’s advertising or other services. Google Workspace state that your data is encrypted at rest and in transit and Google does not collect, scan, or use the data I store in Google Workspace for advertising services. Access to this data is secured using Google’s Advanced Protection Program. This means your data is only accessible using a secure password and a physical security key, held in my possession. Read more about Google’s Advanced Protection.
- Google Workspace security: https://workspace.google.com/learn-more/security/security-whitepaper/page-1.html
- Google Workspace encryption: https://services.google.com/fh/files/misc/google-workspace-encryption-wp.pdf
- Google Advanced Protection: https://landing.google.com/advancedprotection/.
Google Workplace services adheres to a number of standards for the processing of sensitive personal information. This includes the French Public Health Code (Article L.1111-8) requirements that personal health information (PHI) is hosted with companies that have received HDS (Hébergeur de Données de Santé) certification.
- Google Workspace HDS compliance: https://cloud.google.com/security/compliance/hds
- Google Workspace HDS Certification: https://services.google.com/fh/files/misc/hds_cloud_cert_25june2019.pdf
I use BookLikeABoss LLC for arranging appointments and scheduling of prospective clients. Identity data, contact data and session usage data are captured – specifically name, email, country, telephone and the date/time/mode of initial session. You can choose to book directly with me to avoid using their services.
I use Revolut and Stripe to process payment information, including payment requests, fraud detection, bank transfers and other financial activities. I provide them with your personal data, contact data, financial data, transaction data and service usage data in order to charge you for my services.
I use Zoom, Signal and Google Workspace Meet for communicating with you by video, voice or messaging during a session. I provide Zoom and Signal with your contact data and they are able to infer your usage data.
Although I will do my best to protect your personal data, I cannot guarantee the security of your personal data transmitted to me. If you are ever unsure about the security of personal data you intend to submit to me (such as by email), please speak to me beforehand.
How I share your personal data
As a Member of the British Association for Counselling and Psychotherapy (BACP) I abide by their Ethical Framework for the Counselling Professions. This means that there are occasions where I may need to share some of your personal information with third parties so that I can provide you with an appropriate standard of service.
- BACP’s ethical framework: https://www.bacp.co.uk/events-and-resources/ethics-and-standards/ethical-framework-for-the-counselling-professions/
I actively use supervision to support my clients’ best interests. During individual or group supervision I talk about themes or issue in my work and may share sensitive personal data with my supervisor or peer supervisees, limited to the issue or theme I seek to discuss. However, I will not share identity data or contact data, such that you will not be identifiable.
- BACP’s introduction to supervision: https://www.bacp.co.uk/media/4768/bacp-introduction-to-supervision-caq-gpia064-oct18.pdf
In the event that I think you or someone else is at risk of serious harm, I may share your identity data, contact data and sensitive personal data, limited to managing the risk, with your emergency contact, your GP, emergency services or another appropriate source of urgent care.
In the event that I need to exercise or defend a legal claim, or respond to a complaint to a professional body, or where there is a legal obligation to disclose information you have shared with me, I may need to share identity data, contact data, service usage data and sensitive personal data, with an insurer, a professional body or in court. A legal obligation involves the reporting of serious crime, drug trafficking, money laundering, terrorist activity and when there are child protection or safeguarding issues.
If I refer you to another professional for help, or if I need to share information with a health professional involved in your care, I may share your identity data, contact data, service usage data and sensitive personal data with a professional or an organisation.
Additionally, to provide a reliable service to you, such as the ability to provide video consultations, or to send you billing requests and to process payments, I will provide your identity data, contact data and service usage data to organisations listed in the section above.
How long I store your personal data for
I store your personal data for as long as necessary for the purpose of providing my services to you, in addition to my legal obligations and in order to exercise or defend legal claims.
Data retained for 10 years after we finish working together (basis for retaining: legal retention period of financial transaction data defined by French law)
- Identity data, contact data, financial data and transactional data
Data retained for 7 years after we finish working together (basis for retaining: to perform my work with you should you return as a client, and to exercise or defend legal claims or respond to complaints)
- Sensitive personal data and service usage data
Data retained for 1 year after we finish working together (basis for retaining: to perform my work with you and to support my legitimate business interests in managing my business)
- Emergency contact data, technical data, marketing and communications data
If we do not work together, which means that we do not agree to meet for at least one session of counselling/therapy, then I will retain your personal data for one year (basis for retaining: to perform my work with you should you decide at a later point to work with me following our initial communication).
Once these periods have passed, I will delete your data in a way that it cannot be restored.
William Smith is the Data Protection Officer for the website therapyhub.eu and for the services he provides. Contact William by emailing [email protected].
As a Member of the BACP I abide by their Ethical Framework for the Counselling Professions. This means that I agree to keep accurate records that are adequate, relevant and limited to what is necessary for providing an online counselling service while being able to meet the legitimate reasons for passing information on in exceptional situations.
Who I am
I am William Smith and my website address is: https://www.therapyhub.eu.
What personal data I collect and why I collect it
I collect two types of personal information from clients. Personal contact details (list 1) allow me to identify you so that I can bill you for my services, contact you to arrange sessions, notify you of any changes to our agreement and for the purposes of meeting any legal obligations.
Session information (list 2) is a brief account of what took place during our contact, though if you choose email or instant messaging therapy, this will be a record of our entire conversation.
Session information (list 2) is stored separately from your personal contact details. This is so I can reduce the potential risk of harm to my clients in the event of a data breech. I do this by providing each client with a randomised pseudonym which links list 1 and list 2. This means that session information does not include any of your personal contact details. Each list is stored on a separate, encrypted, device.
A ‘session’ will usually be a pre-arranged counselling session (by video, voice, text or email). Though if we meet outside a scheduled appointment – such as meeting each other in the supermarket – then I will also record this.
List 1 – Personal Contact & Contract Details
- email address
- telephone number(s)
- date of birth
- registered GP details (their name, address, email, telephone)
- emergency contact details (their name, address, email, telephone)
- each session date and time
- your chosen password/passphrase for encrypting emails or other session documents sent between us
- the date of your consent to our therapeutic agreement (which covers details such as price, number of sessions, etc)
List 2 – Session information
- the number of the session (first, second, fifth, etc.)
- our mode of communication (email, video, etc.)
- key themes you discussed
- any specific recommendations I made or information I requested
- any safeguarding concerns
- in the event of email or instant messaging therapy sessions, a copy of your email(s) and/or message(s) and my reply(replies)
- in the event of an unplanned meeting, any notes that are relevant to that encounter
The following information is stored by Stripe, my chosen payment processor:
- payment details (date, amount, frequency, payment outcome, payment method)
If you provide your email and/or telephone number when booking online, you will receive an email confirmation and a reminder SMS message one hour before your session start time.
When visitors leave comments on the site, it collects the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you leave a comment on my site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit the website login page, it will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, the site will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Cookies are also used for analytical purposes and to track the efficiency of any advertising I perform.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Visitor behaviour is tracked on this website using cookies. A log of the IP address of any computer or device that visits the website is recorded along with the pages visited. This is so I can understand how visitors are interacting with my website.
If you do not want to share your behaviour on this website with Google Analytics, please disable and/or block cookies for this website.
Who I share your data with
Counselling is a confidential service. I will respect the boundaries of this confidentiality for prospective, current and past clients. This means that I will not share contact, contract and session details with another person. I will not tell another person the content of our sessions or the fact that you are receiving counselling. However, there are some limitations that you need to be aware of before we start working together.
As noted earlier, if you become a paying client I will share your personal contact details with financial institutions (currently Stripe and Revolut) so that I can invoice you and process payments online. Please be aware that for the prevention of fraud or in the event of a disputed charge, the financial institutions that I choose to use may ask me to provide the with a copy of the signed counselling agreement, which will include your signature and date of birth.
There are a few other situations where it may be necessary to share information I hold about you with another person or entity. Examples of these situations include:
- when there is a legal obligation
- in the event of a complaint, I may need to release details to an insurer, a court or a professional body
- when you or someone else are at serious or immediate risk of harm
- when I talk to my professional supervisors about my therapeutic work
- if I refer you to another professional for help or if I need to share basic information with a health professional involved in your care
I will always seek to speak with you before doing so, though there may be occasions where that is not possible (for instance, if the law forbids me from doing so). This is generally in relation to acts of terrorism, drug trafficking and money laundering. You can always ask me about the limits to confidentiality at any point before, during or after our work together.
How long I retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
The personal information of prospective, current and past clients is handled in a specific manner, in accordance with BACP recommendations. I will retain personal information for ten years after your final therapy session, or for three years after our last communication if you are a prospective client but never book a session.
The retention of data for ten years is for the purpose of complying with French tax laws and also for the purpose of complaints or if you decide to return to therapy. After ten years, these digital records are deleted such that they cannot be restored.
What rights you have over your data
If you have an account on this website, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
If you are a client (prospective, present or past) you have a right to access the information I hold about you. I would provide the information to you in a password protected format (either an encrypted email or a password protected Word document), providing the password to you verbally (either via a voice or video conversation). Please note that if you are provided this information, it is your responsibility to store and dispose of it in a safe and secure manner.
The Information Commissioners Office (ICO) in the UK and the Commission Nationale de l’Informatique et des Libertés (CNIL) in France provide independent and free advice about data protection and your rights to access information held about you. The EU also provides a lot of information about the rights for citizens living in the EU.
Where I send your website data
Visitor comments on the website may be checked through an automated spam detection service.
How I protect your data
I take a number of steps to ensure the protection of your data. These are set out below.
Separation of Contact & Contract Details from Session Details.
Contact & Contract Details (List 1) are stored on a separate, removable, encrypted, device from Session Details (List 2). A pseudonym is used to link these two records together.
Use of two-factor security for email, web hosting and payment processing.
Besides using unique, long form, passwords for every login, I use two-factor security which means I must enter a uniquely generated code each time I login to these services. Only I have access to the device which generates these codes.
Encryption of all your data.
I use encryption software, including BitLocker and Cryptomator to encrypt and secure your personal information. The encryption passwords are known only by me and are not stored online or on any digital devices. In addition, I use an end-to-end encrypted email service and encourage clients to do the same.
Use of Encrypted email and video/messaging services
I use an encrypted email service (provided by Tutanota). This means that it is not possible for the email service provider to read the content of any emails on their servers. However, if you do not use an encrypted email service, there is a risk that emails I send to you, and those you send to me, could be accessed. To prevent this, you are advised to create an encrypted email account for the purposes of online counselling. I will send therapeutic emails to you using encryption. If you do not use an encrypted email service (like Tutanota) then you will be directed to a password protected website to read the email.
What data breach procedures I have in place
A data breach is a security incident which includes access by an unauthorised third party, sending personal data to an incorrect recipient, digital devices containing personal data being lost of stolen and deliberate or accidental action (or inaction) against personal records.
When I become aware of a breach occurring, I will take steps to investigate. Where necessary I will report the breach to the necessary authorities and to individuals I believe may have been affected by the breach. This information will include a description of the likely consequences of the breach and a description of the measures I propose to deal with the breach. Any breach is documented.
What third parties we receive data from
I do not receive any data from third parties.
What automated decision making and/or profiling I do with user data
I do not perform any decision making or profiling marketing.