Privacy Policy
Last updated: 18 March 2026
Introduction
Your privacy is very important to me. This privacy policy explains how I collect, use, store and protect your personal data from the initial point of contact (e.g. via my website, a referral or a directory) through to after your counselling has ended.
I adhere to current data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
About me
I am a person-centred counsellor working in private practice with individual clients aged 18 and over. I am a Registered Member of the BACP (British Association for Counselling and Psychotherapy). If you have any questions, I am happy to talk them through. You can contact me at: info@eleanoreyrecounselling.com
Data Controller
The data controller responsible for your personal data is:
Eleanor Eyre
Eleanor Eyre Counselling
Registered with the Information Commissioner’s Office (ICO)
ICO Registration Number: ZB599144
I remain fully responsible for your personal data at all times.
How I use your information
My lawful basis for processing your general personal data, such as contact details, is legitimate interests (to provide counselling services) and legal obligation (for accounting and professional requirements). Much of the personal data I process in my role as a counsellor is classed as special category personal data, as it relates to mental health and wellbeing. This type of data is subject to additional protections under UK GDPR. My lawful basis for processing special category personal data is the provision of health or social care and the management of health or social care systems, in accordance with Article 9(2)(h) UK GDPR.
Initial contact
When you contact me via the website form or email, I will collect basic personal data to respond to your enquiry. This may include your name, email address, and phone number. I use a secure, GDPR-compliant practice management system called Kiku to store client information. Kiku acts as a data processor on my behalf and is specifically designed for therapy services. Data stored within Kiku is encrypted and protected by password and multi-factor authentication. If you choose not to proceed with therapy, your data will be securely deleted within 4 months unless you request earlier deletion.
While accessing counselling
All information shared with me during counselling is treated as strictly confidential, except in the following circumstances where I have a legal or ethical obligation to break confidentiality:
If there appears to be a risk of serious harm to yourself or others
In cases of safeguarding concerns (children or vulnerable adults)
If I am required to do so by law (e.g., terrorism, drug trafficking or money laundering legislation)
In a medical emergency
If ordered by a court of law
Wherever possible, I will try to speak with you before breaking confidentiality, unless there are safeguarding issues that prevent this.
I keep brief notes relating to our sessions as per the BACP’s recommended guidelines. I use a secure, GDPR-compliant practice management system called Kiku to store client information, including session notes. Kiku acts as a data processor on my behalf and is specifically designed for therapy services. Data stored within Kiku is encrypted and protected by password and multi-factor authentication. Clinical records will be kept for 7 years following the end of counselling for professional and insurance purposes.
As a Registered Member of the BACP, I attend regular clinical supervision. Client information discussed in supervision is shared on a pseudonymised and need-to-know basis, with identifying details minimised.
Online therapy and communication
I offer online therapy using Zoom, a secure video conferencing platform that offers encryption and complies with UK GDPR. I do not record sessions. While no online platform can be guaranteed to be 100% secure, I take reasonable steps to select platforms with appropriate security measures in place. You are responsible for ensuring that you are in a private, secure space during sessions.
If you email me directly or contact me via my website form, your message is sent to my Proton Mail account, which uses end-to-end encryption and zero-access encryption, meaning only the sender and the recipient can read the messages. If we communicate by text message, this will only be to discuss practical details such as appointment dates and times. Text messages are deleted within 28 days unless the content is clinically relevant—in which case, they may be securely stored with your clinical records.
While I take all reasonable steps to ensure digital communication is secure, I cannot guarantee complete confidentiality via email or text message. Please avoid sending sensitive personal information via these channels where possible.
Payments
If you make payments to me, your name and payment reference may appear on my business bank statements and accounting records. These records are kept securely and may be accessed by my accountant for the purposes of financial administration and HMRC compliance. Financial records are retained for the legally required period (currently 6 years).
How I store your information
In order to provide counselling services, to uphold your safety, and to meet the requirements of my insurer, I collect and process your personal data in line with UK GDPR and the Data Protection Act 2018. This includes your name, date of birth, address, phone number, email address and any relevant medical/emergency information you provide. I ask that you gain consent from your named emergency contact to pass their details on to me.
I use a secure, GDPR-compliant practice management system called Kiku to store client information. Kiku acts as a data processor on my behalf and is specifically designed for therapy services. Data stored within Kiku is encrypted and protected by password and multi-factor authentication. Kiku hosts data on secure servers located within the European Economic Area (EEA), typically in Ireland. Kiku staff may have limited access to data only where necessary for technical support or system maintenance, and they are subject to strict confidentiality and data protection obligations. Every effort is made to keep digital records safe.
Your contact details, DOB, medical information and emergency contact are also saved on a password-protected work mobile phone as an emergency back-up. I will delete these details from my work mobile phone a month after the agreed end of our contract, or a month after our last session together if no further sessions have been scheduled or if contact ceases without notice (e.g. repeated unattended sessions without communication).
Data retention
In line with BACP guidance and insurance requirements, I retain client records for 7 years after the end of our work together. After this time, your data will be securely deleted. If you wish to have your records deleted sooner, please make a written request. I will consider your request in line with legal and ethical obligations.
Clinical will
In the event that I am unexpectedly unable to continue providing therapy (for example due to a serious accident, sudden illness, incapacity or death), your data will be accessed by my clinical supervisor in order to inform and support you. In such cases, client records may be securely transferred to a new counsellor if a referral is requested by the client.
Website visitors & cookies
When you visit my website, Squarespace (the hosting provider) collects standard internet log data such as IP address and pages visited. This is used to understand general website usage patterns and does not identify you personally. My website uses cookies to help the site function and improve your experience. You can control cookies through your browser settings. For more information, see Squarespace’s Privacy Policy.
Third parties
I use a small number of trusted third-party services (such as video-calling platforms or email providers) to support my work. These services are chosen for their compliance with UK GDPR and their approach to data security. They are only given access to personal data where necessary and are required to handle it appropriately. I do not allow third-party providers to use your data for marketing purposes. A primary third-party provider I use is Kiku (practice management system), which securely stores client records on my behalf. Some third-party services I use may process data outside the UK. Where this occurs, appropriate safeguards are in place to ensure your data remains protected in line with UK GDPR.
Your rights
Under the UK GDPR, you have rights regarding your personal data, including:
The right to access the information I hold about you
The right to request correction of inaccurate data
The right to request deletion of your data (under certain circumstances)
The right to object to or restrict how your data is processed
The right to withdraw your consent (where consent is used as a basis for processing)
The right to lodge a complaint with the Information Commissioner’s Office (ICO)
You can learn more about your rights here: ico.org.uk/your-data-matters
Data breach procedure
In the unlikely event of a data breach that may compromise your personal information, I will notify you as soon as possible and report it to the ICO where required.
How to contact me
If you have any questions, concerns, or requests about your data, please contact:
Eleanor Eyre
info@eleanoreyrecounselling.com
Complaints
If you are unhappy with how I handle your data, please contact me in the first instance. If we cannot resolve the issue, you can raise a complaint with the Information Commissioner’s Office:
Website: www.ico.org.uk/make-a-complaint
Tel: 0303 123 1113