Privacy Policy

Last updated: June 2026

Introduction

Your privacy is very important to me. This Privacy Notice explains how I collect, use, store and protect your personal information in accordance with the UK GDPR, the Data Protection Act 2018 and, where relevant, the Privacy and Electronic Communications Regulations.

This notice explains what I will do with personal information that can identify you, such as your name, date of birth, address, telephone number and email address.

It explains:

  • what personal information I collect
  • why I collect it
  • how I use it
  • how long I keep it
  • who it may be shared with
  • how I keep it secure
  • your rights in relation to your personal information

If you have any questions about this Privacy Notice, please contact me using the details below.

Data Controller

“Data controller” is the term used to describe the person or organisation that decides how and why personal information is collected, stored and used.

For my private counselling, supervision, group work and professional training services, I am the data controller responsible for the personal information described in this Privacy Notice.

Phil Mitchell
Counsellor in Leeds
Email: phil@counsellingwithphil.co.uk

Where counselling is provided through an Employee Assistance Programme (EAP), insurer or other third-party organisation, that organisation may also be a data controller for some aspects of the service and may provide its own privacy information.

Where I process information through an EAP, insurer or third-party platform, I do so in accordance with the relevant arrangements for that service.

Information Commissioner’s Office Registration

I am registered with the Information Commissioner’s Office (ICO).

ICO registration number: A8219665

Lawful Basis for Holding and Using Your Personal Information

Under the UK GDPR, I must have a lawful basis for processing your personal information. The lawful basis may vary depending on the stage at which I am processing your information.

Contract

If you are currently receiving counselling or supervision from me, or you are in contact with me to discuss counselling, supervision, group work or professional training, I process your personal information where it is necessary for the performance of our agreement or contract.

Legitimate Interests

I use legitimate interests as my lawful basis for holding and using your personal information where:

  • you have had counselling or supervision with me and it has now ended
  • you have booked or attended group work or professional training
  • I need to manage and administer my practice
  • I need to keep records for professional, ethical, insurance or record-keeping reasons
  • I need to respond to complaints, disputes, safeguarding matters or legal claims
  • I need to monitor and improve the operation, security and usability of my website

Legal Obligation

In some circumstances, I may need to process or disclose personal information to comply with a legal obligation, such as where disclosure is required by law, court order, warrant or relevant safeguarding duties.

Professional and Ethical Obligations

Some responsibilities arise from professional or ethical standards rather than legal requirements.

I may process and retain personal information where necessary to meet professional, ethical, insurance and record-keeping responsibilities connected with the safe and responsible provision of counselling, supervision, training or group work.

Where these responsibilities are not legal obligations, I will normally rely on contract or legitimate interests as the lawful basis for processing.

Special Category Personal Information

Some information disclosed during counselling or supervision may be classed as “special category personal information” under the UK GDPR.

This may include information relating to:

  • physical health
  • mental health
  • ethnicity
  • religious beliefs
  • sexual orientation
  • family circumstances
  • personal history
  • other sensitive matters discussed during counselling or supervision

The lawful basis for processing special category personal information is that it is necessary for the provision of health-related services, in this case counselling, and where relevant for the establishment, exercise or defence of legal claims.

Initial Contact and Enquiries

When you contact me with an enquiry, I may collect information to help me respond to you. This may include:

  • your name
  • telephone number
  • email address
  • details relevant to your enquiry

Your details may also be provided to me by:

  • your GP
  • an Employee Assistance Programme (EAP)
  • a private medical insurer
  • another health professional
  • a parent, carer or trusted individual making an enquiry on your behalf

If you decide not to proceed with counselling, supervision, group work or professional training, I will normally delete your personal information within one month. This includes deleting emails from deleted folders and deleting text messages.

If you would like me to delete this information sooner, please let me know.

Emails received may contain technical information such as IP addresses and email routing information supplied by the sender’s email provider. This information is processed as part of the normal operation and security of email systems.

How I Use Your Information During Counselling or Supervision

Everything you discuss with me during counselling or supervision is treated as confidential.

Confidentiality may only be broken where:

  • I am legally required to disclose information relating to terrorism, money laundering or drug trafficking
  • there is a serious or immediate risk of harm to you or another person
  • safeguarding concerns arise involving a child or vulnerable adult
  • you are a supervisee and I have concerns regarding your welfare or professional practice
  • disclosure is required by law, court order, warrant or other legal obligation
  • disclosure is necessary in connection with a serious professional, ethical or safeguarding concern

Where possible and appropriate, I will discuss any necessary disclosure with you before taking action.

If you are accessing counselling via an EAP provider or another third-party organisation, I may be required to discuss relevant matters with that organisation.

Records and Storage

I keep records to support the safe and effective delivery of counselling, supervision, training and group work.

These may include:

  • contact details
  • administrative records
  • counselling notes
  • supervision notes
  • session attendance records
  • communication records

For my own private clients, counselling notes are stored physically in a locked filing cabinet.

For some EAP or third-party clients, notes and related information may be stored on the relevant EAP or third-party organisation’s secure online platform, depending on that organisation’s requirements.

I may also store or access personal information using:

  • password-protected devices
  • a password-protected laptop
  • a password-protected mobile phone
  • email services provided through IONOS and Microsoft/Outlook
  • secure EAP or third-party portals where required

I may access counselling-related emails through a mail app on my password-protected mobile phone. I take reasonable steps to keep devices secure, including use of passwords, PINs, biometric access or other security controls where available.

For security reasons, I do not routinely store client names and telephone numbers directly in my phone contacts.

I do not retain text messages or emails for longer than necessary unless there is a clear reason to do so, such as in relation to complaints, disputes, safeguarding concerns or payment issues.

Online Sessions

I may use Zoom to provide online counselling or supervision sessions.

I do not use Zoom AI features for counselling or supervision sessions.

Zoom is a third-party service provider and has its own privacy and data protection information. You can read more about Zoom’s privacy practices here:

Zoom Privacy Statement

Retention of Information

Counselling and Supervision

Once counselling or supervision has ended and all relevant matters are resolved, such as payment issues, complaints, disputes, safeguarding matters or concerns regarding practice, your identifiable information will normally be stored securely for up to seven years.

This may include:

  • full name
  • date of birth
  • address
  • telephone number
  • email address
  • counselling or supervision notes
  • relevant contact and communication records

After this time, paper records will be shredded and electronic records, where held, will be securely deleted.

EAP Counselling

Where counselling is provided through an EAP or other third-party organisation, retention periods may vary depending on that organisation’s requirements.

Please ask if you would like further details.

The relevant EAP or third-party organisation may also provide its own privacy information explaining how it stores, uses and retains personal information.

Emails and Text Messages

Emails and text messages will normally be deleted within one month after our final session, unless I consider there is a clear reason to keep them.

Examples of reasons to retain emails or text messages may include:

  • complaints
  • disputes
  • safeguarding concerns
  • payment issues
  • professional or ethical concerns
  • legal or insurance matters

Where retained, they will normally be kept for up to seven years from the date of our final session and then deleted.

Group Work and Professional Training

Once group work or professional training has ended and all relevant matters are resolved, such as disputes or payment issues, identifiable information relating to the person who made the booking will normally be stored for up to seven years on a password-protected device and then deleted.

This may include:

  • full name
  • address
  • telephone number
  • email address
  • booking information
  • payment or attendance information

Records may be retained for longer where required by law, professional or ethical obligations, regulatory requirements, insurance obligations, or the handling of a complaint, dispute, safeguarding matter or legal claim.

Third-Party Recipients of Personal Information

I do not sell your personal information or share it for marketing purposes.

In some circumstances, personal information may be shared with third parties where this is necessary and appropriate.

This may include:

  • professional supervisors, where relevant and usually in anonymised form
  • EAP providers or other third-party organisations where counselling is provided through them
  • private medical insurers where they are involved in a referral or funding arrangement
  • GPs, healthcare professionals, safeguarding services, emergency services or other relevant organisations where necessary
  • legal advisers or insurers
  • regulatory bodies or authorities where required
  • website hosting, email, analytics, video call or IT service providers used to operate the practice and website

Where I use third-party service providers, I take reasonable care in selecting them and rely on their published privacy information, contractual terms and data protection arrangements.

Where counselling is provided through an EAP or other third-party organisation, that organisation may use its own systems and platforms. Their own privacy notice may provide further information about how they process and store personal information.

International Transfers

I do not routinely transfer personal information outside the UK myself.

However, some third-party service providers I use, such as email, website hosting, analytics, video call providers or EAP platforms, may process personal information outside the UK depending on how their systems are set up.

Where this happens, I rely on the provider’s published privacy information, contractual terms and data protection arrangements. Further information may be available directly from the relevant provider.

Data Security

I take the security of your personal information seriously.

I use reasonable measures to protect the information I hold, including:

  • locked filing cabinets for paper records
  • password-protected devices
  • password, PIN or biometric protection on mobile devices where available
  • secure email services
  • secure EAP or third-party portals where required
  • limiting access to personal information to what is necessary
  • deleting or securely destroying records when they are no longer required

I take reasonable steps to protect personal information from loss, misuse, unauthorised access, disclosure or alteration.

Website Visitors

When someone visits my website, I use Umami Analytics to help understand how the website is used and how it can be improved.

Umami Analytics is a privacy-focused analytics platform. Information is used to understand website traffic and visitor behaviour in an aggregated manner and is not used by me to identify individual visitors.

I use legitimate interests as my lawful basis for processing this information in order to monitor and improve the performance, usability and security of the website.

I do not use analytics information to identify individual visitors.

I do not use Google Analytics.

Further information about Umami can be found here:

Umami Privacy Policy

My website is built using WordPress.

Further information about WordPress and privacy can be found here:

WordPress Privacy

If you submit an enquiry form through my website, the information you provide may be temporarily stored by the website host before being securely delivered to me.

Cookies

My website may use essential cookies that are necessary for the operation, functionality and security of the website.

You can control cookies through your browser settings.

Further information about cookies is available from the Information Commissioner’s Office:

ICO guidance on cookies

Automated Decision-Making and Profiling

I do not use automated decision-making or profiling when processing your personal information.

This means I do not use computer systems to make decisions about you without human involvement.

Your Rights

Under the UK GDPR, you have rights in relation to your personal information.

These include the right to:

  • be informed about how your personal information is used
  • request access to the personal information I hold about you
  • request correction of inaccurate information
  • request deletion of personal information where applicable
  • request restriction of processing in certain circumstances
  • object to certain types of processing, such as processing based on legitimate interests
  • request transfer of your information where applicable, for example where information can be provided in a format that can be passed to another practitioner or service
  • withdraw consent where consent is relied upon as the lawful basis for processing

The right to deletion is not absolute. There may be circumstances where I need to retain records because of legal, regulatory, professional, ethical or insurance obligations, or because records are needed in relation to a complaint, dispute, safeguarding matter or legal claim.

Further information about your rights is available from the Information Commissioner’s Office:

ICO: Your data matters

Subject Access Requests

You have the right to request a copy of the personal information I hold about you.

To make a request, please contact me in writing at:

phil@counsellingwithphil.co.uk

If your request is unclear or particularly broad, I may ask you to clarify the information you are seeking before responding.

Any searches undertaken will be reasonable and proportionate to the scope of the request.

I will respond in accordance with my obligations under the UK GDPR and the Data Protection Act 2018.

If I hold information about you, I will:

  • give you a description of it and where it came from
  • explain why I am holding it
  • explain how long I will store it for, or how that decision is made
  • explain who it could be disclosed to
  • provide a copy of the information in an intelligible form, subject to any legal or professional restrictions

You can also ask me to correct any mistakes in the personal information I hold about you.

Data Protection Complaints

If you have concerns about how I have handled your personal information, please contact me in the first instance at:

phil@counsellingwithphil.co.uk

I aim to acknowledge data protection complaints within 30 days and will keep you informed of the outcome without undue delay.

I welcome feedback and suggestions for improving my data protection procedures.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK statutory body responsible for data protection.

Further information is available here:

ICO: Make a complaint

The ICO can also be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Quick Reference Retention Guide

Record type Retention period
Counselling session notes, contact and communication notes, and identifiable information Up to 7 years
EAP counselling session notes, contact and communication notes, and identifiable information Requirements vary depending on the EAP provider
Supervision session notes, contact and communication notes, and identifiable information Up to 7 years
Training booking and identifiable information Up to 7 years
Group work booking and identifiable information Up to 7 years
Enquiries that do not proceed Up to 1 month
Emails and text messages Normally deleted within 1 month after the final session, unless needed for complaints, disputes, safeguarding, payment, professional/ethical, legal or insurance matters

Changes to This Privacy Notice

This Privacy Notice may be updated from time to time to reflect changes in legal requirements, professional obligations, ethical responsibilities or the operation of my practice.