When we work together, I collect personal information from you to help me provide safe and effective therapy. In handling this information, I am bound by the General Data Protection Regulations (GDPR) and The Data Protection Act 2018. 

If you have questions about any of this, please ask me.

Protecting your personal information

• As I am the only person who works for the company, I am both the Data Controller and the Data Protection Officer. My contact details are Sadie Jones, email sadie@circlehypnotherapy.co.uk
• In most cases, the information about you that I collect comes from you, through an email, phone call, online form or during our face-to-face sessions.
  • If you are under 16, I may ask for information from your school or college 
  • If you are referred by someone else (like an employer) I may get some information from them. 
  • If you make a purchase through PayPal, they will send me your contact details so I can send you what you've bought. All PayPal transactions are subject to the PayPal Privacy Policy.
• I use your personal data in the following ways:
  • to provide you with items you have purchased
  • to deliver therapy
  • to reply to you if you contact me with questions about my services
  • to contact you between therapy sessions if necessary
  • to allow me to collect payment from you, and maintain my records and accounts
• You have no legal requirement to share any information with me, but if you do not do so I will not be able to work with you. 
• The categories of data/information I collect include your name and contact details, your medical history, your family situation and support network, the nature of your employment, your hobbies and interests, your lifestyle, and details of the problem you’d like me to help with. These details are necessary to provide you with safe and effective therapy.
• The lawful basis of my collecting and processing data is consent or contract or legitimate interests. You consent to my holding and using your information when you submit an online form. Clicking a PayPal button creates a contract to supply goods or services which I cannot do without using your data. If you undertake therapy with me, you will sign my terms and conditions, which creates a contract. If you email, phone, or contact me via social media with enquiries it is a legitimate interest of my business to use your contact details to reply to you. If I need to release your contact information under track and trace provisions this is considered by the ICO to be a legitimate interest where inclusion in the scheme is voluntary, and a legal requirement where it is compulsory. 
• Sharing information:
  • I am the only person who has access to your information unless
    • there is a legal requirement for me to share the information (for example. a court order or warrant is issued, or I am required to do so for track and trace purposes)
    • you ask me in writing to share your information with someone else
    • the Duty of Care Provision from my Code of Ethics applies - see the notes about this further down
    •  
• I keep the information you give me for seven years, longer if you commenced hypnotherapy as a child.  which is the length of time required by my professional body and my insurance company. After this time, it is shredded and disposed of securely. 
• You have rights over the information I hold about you. These are
  • Portability - you can ask me to send your information to someone else
  • Rectification - if you think my records are wrong you can ask me to change them
  • Erasure - in some circumstances you can ask me to remove your details from my records (this is sometimes called 'the right to be forgotten')
  • Fair profiling - you can ask that any processes I automate are done by a person instead of a computer. I don’t automate any information processing, although I do use online forms to collect information. If you prefer not to complete these, the information can be collected face to face during our first session.
  • Right of access - you can have a copy of the information I hold at any time, by requesting it in writing. If you do this, it will be provided within 30 days and free of charge.
  • Restricting processing - in some circumstances you can request that I stop processing your information
  • Objection - you can object to the way I process information (for example, if it is used to send you direct marketing you don’t want to receive) and you can ask me to stop using it in that way
  • Information - you have the right to understand how I collect and process your information (hence this privacy notice) 
• If you are under 16 years old, I will need permission from a parent or guardian before working with you, and if you are under 13 years old, I will need to verify your date of birth. Information will be held until the 25th birthday for all those under the age of 16 years old age at their last session. And up to the age of 26 years old for all those who were 17 years of age at their last session. In line with National Council for Hypnotherapy Code of Ethical Conduct 2019. 
• Code of Conduct - National Council for Hypnotherapy (hypnotherapists.org.uk)
• You can learn more about these rights on https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/  
• You can withdraw your permission for me to use your information at any time, this means ending your therapy. 
• You have a right to complain to the ICO if you have any problem with the way I store or use your data, or if you do not think your rights are being respected.