Confidentiality & Privacy Statement

This policy outlines how Mend Hypnotherapy collects, uses, and protects your personal information. We operate in full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA).

1. Data Controller

The Data Controller for Mend Hypnotherapy is Sally Nicholls.

2. Lawful Basis for Processing

Under the UK GDPR and DUAA 2025, we must identify a legal reason for holding your data:

  • Contractual Necessity: To provide the hypnotherapy services you have requested and manage your appointments.

  • Recognised Legitimate Interests: Under the DUAA 2025, we process data for "recognised" interests including safeguarding and the prevention of harm, which allows for swifter action in emergency situations.

  • Special Category Data: As hypnotherapy involves health-related information, we process this under Article 9(2)(h) of the UK GDPR (provision of health or social care).

3. How Your Data is Stored

We use a "privacy by design" approach to ensure your information remains secure:

  • Electronic Data: Stored on encrypted, password-protected devices. Any cloud storage used is UK-compliant and utilises high-level encryption.

  • Paper Records: Stored securely in a locked, private location.

  • Anonymisation: Session notes are pseudonymised (linked by a code rather than your name) where possible to provide an extra layer of security.

4. Data Retention

In accordance with professional insurance requirements and UK law, records are kept for:

  • Adults: 8 years after your final session.

  • Children (under 16): Until the individual reaches age 25.

  • Young Adults (17–18): Until the individual reaches age 26.

Once these periods expire, all data is securely destroyed (via cross-cut shredding or permanent digital erasure).

5. Confidentiality & Disclosure

Your sessions are strictly confidential. However, we are legally or ethically required to share information without consent in the following circumstances:

  • Professional Supervision: Cases are discussed anonymously with a supervisor to ensure clinical excellence. Your identity is never revealed.

  • Safeguarding & Risk: If there is a serious risk of harm to yourself or others, or a concern regarding a child or vulnerable adult.

  • Legal Obligation: If required by a court order or for the prevention of serious crime (e.g., terrorism or money laundering).

6. Your Rights & The DUAA 2025

You have specific rights regarding your personal data:

  • Right of Access: You may request a copy of your records. We will conduct "reasonable and proportionate" searches and provide this within 30 days.

  • Right to Rectification: You can request that we correct any inaccurate information.

  • Right to Erasure: You may request deletion of your data. This is subject to our legal/insurance obligations to retain health records for the periods stated in Section 4.

7. Internal Complaints Procedure (DUAA Mandatory)

If you have a concern about how your data is being handled, the Data (Use and Access) Act 2025 requires you to contact us directly in the first instance:

  1. Please submit your complaint in writing to the Data Controller (Sally Nicholls).

  2. We will acknowledge your complaint within 30 days.

  3. We will investigate and provide a full response without undue delay.

  4. If you remain unsatisfied, you have the right to escalate your complaint to the Information Commission (formerly the ICO).

8. Professional Boundaries

  • Public Encounters: To protect your privacy, if we meet outside of a session, I will not initiate contact or acknowledge our professional relationship unless you do so first.

  • Communication: While I use secure platforms, please be aware that standard email and SMS may not be fully end-to-end encrypted.