Privacy Policy
Introduction
As a hypnotherapist and counsellor, I want everyone who comes to me for support to feel comfortable and confident about how the information they share with me will be used and secured. Therefore, I would like to reassure you that I adhere to UK data protection laws and procedures, including the General Data Protection Regulation (GDPR) of 2018.
General Data Protection Regulation Statement
The EU General Data Protection Regulation (GDPR) is a privacy and data protection regulation in the European Union effective from May 25, 2018.
The GDPR imposes obligations on the control and processing of personal data and introduced new rights and protections for EU citizens.
As both a processor and controller of personal data, I am committed to protecting your privacy and to handling all personal data in line with the principles outlined in the regulation, which states:
Personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the client.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form which permits identification of clients for no longer than is necessary for the purposes for which the personal data are processed.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
I respect my clients’ rights to data privacy and protection and have revised internal policies, procedures and working practices to meet the requirements of the GDPR.
The next section explains how I collect, use, store, and protect your personal information in line with UK data protection laws (UK GDPR and the Data Protection Act 2018).
What Personal Data I Collect
I may collect and process the following types of personal information:
A. Information you provide directly
- Personal details: name, address, date of birth, telephone number, and email address.
- Health and wellbeing information: information you share through intake forms, assessments, or during therapy sessions relevant to the provision of hypnotherapy or counselling.
- Payment information: information such as your name, bank account number and sort code may be visible via my bank account if you are paying online. I do not have any control over how long banking records are kept. I have a separate bank account for work, and I ensure your personal details are not linked to any other personal or joint bank accounts I may hold.
- Administrative information: correspondence through email, online forms, or telephone. Whilst I try as far as possible to ensure the security of any information sent to me digitally, I cannot guarantee its security during transmission and so transmission via a digital medium is at your own risk. It is recommended that you ensure any personal information sent either in an email or via an attachment is encrypted and/or password protected. If you choose to password protect a document, please send the attachment in one message and the password in a separate message.
B. Information collected automatically
- Website usage data: IP address, browser type, operating system, and how you use our website (via cookies or analytics tools).
- Session notes and records: securely stored information kept as part of your therapeutic record. Brief session notes are anonymised and stored securely in a locked filing cabinet and separate from your contact details.
Legal Basis for Processing
I process your personal data lawfully, fairly, and transparently in accordance with the UK GDPR. The legal bases I rely on include:
This means I handle your sensitive personal information only to deliver therapy, and only in ways that are necessary and appropriate under UK law.
How I Collect It
- Through emails, texts and phone conversations. I have a separate encrypted email for work and a separate work phone which is PIN protected.
- During sessions.
- Through feedback and assessment.
Why I Collect It (Lawful Bases)
- To provide safe and effective hypnotherapy and counselling services.
- To improve and administer my website and services.
- To comply with legal/ethical obligations (legal obligation).
- For tax records.
- To meet professional standards.
- To communicate with you regarding appointments, services, and follow-up care.
- To manage bookings, billing, and payments.
- To maintain accurate client and session records.
- To meet obligations relating to insurance, supervision, and record keeping.
- To comply with professional, ethical, and legal requirements set out by the National Hypnotherapy Society and the National Counselling and Psychotherapy Society.
I will never use your personal data for direct marketing purposes without your explicit consent.
Confidentiality and Therapy Records
All information shared within therapy sessions is treated as strictly confidential. Your information will not be disclosed to any third party without your explicit consent, except where disclosure is required by law or professional duty, including:
- Where there is a risk of serious harm to yourself or others.
- Where there is a legal obligation to disclose information (e.g. court order, safeguarding concerns).
- For clinical supervision purposes, where your personal details are anonymised to protect your identity.
Therapy records are maintained in accordance with the ethical standards of the National Hypnotherapy Society and National Counselling and Psychotherapy Society.
How I Keep It Safe
- Paper notes: locked filing cabinet.
- Digital notes: encrypted OneDrive and password protected.
- Laptop: PIN protected, password protected, anonymised notes temporarily stored.
- Backups: password protected data on an external hard drive in a locked cupboard.
- No audio/video recording without explicit consent.
- Separate work mobile phone, PIN protected.
- In the unlikely event of a data breach, you will be notified promptly, and any necessary report will be made to the Information Commissioner’s Office (ICO) in accordance with legal requirements.
Data Sharing and Third Parties
I do not sell or rent personal data.
I will only share your information:
- With service providers (such as website hosts, email systems, or payment processors) who are bound by confidentiality and data protection agreements.
- Where required by law or professional regulation.
- With your explicit consent (for example, if you request a referral to another professional).
All third-party processors are carefully vetted and comply with the UK GDPR and Data Protection Act 2018.
Some of the tools I use (like Google, Microsoft, Wix and OneDrive) may use cookies and process data on servers outside the UK. These providers use legally approved safeguards such as Standard Contractual Clauses (SCCs) to ensure your data is protected under UK data protection laws.
Retention & Deletion
I retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and in accordance with professional, legal, and insurance requirements.
- Therapeutic records are generally retained for 7 years after your last session (or until the client reaches 18 years of age + 7 years for minors).
- Administrative and financial records (e.g. invoices, correspondence) are retained for up to 6 years for accounting and business purposes.
After this period, records will be securely destroyed.
Your Rights are to:
- Access your data. I will respond to such a request within a month.
- Correct/rectify inaccurate data.
- Withdraw consent.
- Request deletion (unless retention is legally required).
- Object to processing in certain circumstances.
- Restrict processing, to limit how data is used.
- Complain to the ICO.
Cookies and Website Tracking
My website (https://www.newyouhypnosisandcounselling.com) may use cookies to enhance your experience and analyse website traffic.
You can manage or disable cookies at any time through your browser settings.
For more information, please refer to the Cookie Policy.
International Data Transfers
I store and process data primarily within the United Kingdom.
If data is transferred outside the UK (for example, through secure cloud-based storage or website services), it will be protected under UK-approved adequacy regulations or Standard Contractual Clauses to ensure compliance with UK data protection law.
Updates to This Policy
I may update this Privacy Policy periodically to reflect legal or operational changes. The updated version will always be available at:
https://www.newyouhypnosisandcounselling.com/privacy-policy
Please review this policy periodically to stay informed about how I protect your data.
Contact Information
For all privacy-related matters or to exercise your data rights, please contact:
New You Hypnosis and Counselling
Data Controller: Melissa White
Email: melissa.newyouhypnosis@gmail.com or melissa.counsellorandtherapist@gmail.com
Address: 10 Athelstan Road, Southbourne, Bournemouth, Dorset. BH6 5LY.
Telephone: 07774 666541
Website: https://www.newyouhypnosisandcounselling.com
ICO Registration Number: ZB577306
Queries
If you have questions, please feel free to get in touch.
You can also contact the ICO at: Website: https://www.ico.org.uk
Telephone: 0303 123 1113
Disclaimer
This Privacy Policy complies with the requirements of the UK GDPR, Data Protection Act 2018, and professional ethical standards of the National Hypnotherapy Society and National Counselling and Psychotherapy Society. It is intended to ensure transparency, lawful processing, and the protection of clients’ confidentiality and data rights.
This Privacy Notice was last updated: November 2025.
| Purpose | Lawful Basis |
|---|---|
| Provision of hypnotherapy and counselling services | Performance of a contract (Art. 6(1)(b)) |
| Maintaining accurate clinical and professional records | Legal obligation and Legitimate interests |
| Processing of health and sensitive data | Explicit consent (Art. 9(2)(a)) and/or provision of health and social care (Art. 9(2)(h)) |
| Communication regarding appointments or enquiries | Legitimate interests |
| Compliance with insurance, professional, and legal obligations | Legal obligation |
