Who we are
ISO Therapy (“we”, “us”, “our”) provides integrative counselling, psychotherapy and clinical supervision services.
Data Controller: ISO Therapy
Contact: info@iso-therapy.com
We process personal data in accordance with the UK GDPR and the Data Protection Act 2018.
What this policy covers
- Clients, prospective clients and supervisees
- Website visitors and booking/enquiry form users
- People who contact us by email, phone, SMS, WhatsApp, social media or post
- People who make payments to us or receive invoices
What data we collect
A) Therapy & supervision
- Identity & contact: name, address, email, phone, date of birth, GP details, emergency contact.
- Administrative: session dates/times, attendance, invoices, payment status.
- Clinical information (special category): presenting concerns, history, goals, risk, notes and reflections, wellbeing questionnaires, supervision material.
- Recordings: only with explicit written consent for training/supervision; stored securely and deleted by the agreed date.
B) Website & communications
- Enquiries/booking forms: details you submit plus date/time and technical metadata.
- Technical data: IP address, device/browser type, pages viewed (via cookies; see “Cookies & similar technologies” below).
- Marketing preferences: opt-in/opt-out records.
Lawful bases for processing
- Contract – to schedule and provide therapy/supervision, and to invoice/take payment.
- Consent – for optional things (e.g., marketing emails, recordings). You can withdraw at any time.
- Legal obligation – accounting and tax records; safeguarding/serious risk reporting.
- Vital interests – where there is immediate risk of serious harm.
- Legitimate interests – practice administration, service improvement, IT security.
- Special category data (Article 9 UK GDPR):
  - 9(2)(h) – provision of health care/therapeutic services;
  - 9(2)(a) – explicit consent (e.g., recordings);
  - 9(2)(f) – establishment, exercise or defence of legal claims.
How we use your data
- Arrange sessions, maintain clinical records, provide therapy/supervision
- Communicate about appointments, changes, invoices and service updates
- Risk assessment and safeguarding where required
- Manage the practice (accounts, audits, complaints handling)
- Improve the website and user experience (analytics)
- Send optional news/availability updates if you’ve opted in
Confidentiality & safeguarding
Your information is confidential. We may need to share limited information without consent if:
- there is a serious and imminent risk of harm to you or others;
- there is a legal requirement (e.g., court order, terrorism, money-laundering, or safeguarding of a child/vulnerable adult);
- we are required to share limited information with our professional indemnity insurer or legal adviser in the event of a complaint/claim.
For clinical supervision, any client material discussed is anonymised wherever possible. Supervision notes are kept separately and securely.
Who we share data with (processors)
We use reputable service providers under Data Processing Agreements. Typical providers include:
- Booking / practice management: [SimplyBook.me / Cliniko / other]
- Video platform: [Zoom / MS Teams] (end-to-end or waiting-room controls used where possible)
- Email & calendar: [Microsoft 365 / Google Workspace]
- Website & hosting: [Host, CDN, WordPress plug-ins]
- Payments: [Stripe / PayPal / bank]
- Accounting: [Xero / QuickBooks / HMRC MTD bridge]
Processors may only act on our instructions and must protect your data.
How long we keep data (retention)
- Adult clinical records: 7 years after the last contact.
- Children/young people: until age 25 (or 26 if 17 at last contact) or 8 years after last contact, whichever is longer.
- Enquiry emails/voicemails: typically 12 months if no contract follows.
- Invoices & accounting records: 6 years (plus current year) for HMRC.
- Recordings (if any): only for the stated purpose, then securely deleted by the agreed date.
When the retention period ends, data is securely deleted or anonymised.
Security
We use strong passwords, device encryption, MFA where available, secure backups, role-based access, and minimal paper records kept in locked storage. Transmission over the internet can never be 100% secure, but we take appropriate technical and organisational measures to protect your data.
Your rights (UK GDPR)
You have the right to:
- access your data;
- rectification of inaccuracies;
- erasure (where applicable);
- restriction or objection to processing;
- data portability;
- withdraw consent at any time (where consent was the basis);
- lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk · 0303 123 1113.
Please email info@iso-therapy.com to exercise these rights. We may need to verify your identity and may withhold information that could cause serious harm or reveal third-party data.
Cookies & similar technologies
We use cookies to run the site and understand how it’s used.
- Strictly necessary: site security, load balancing, consent storage.
- Analytics (optional): e.g., Google Analytics (IP anonymisation where possible).
- Marketing (optional): only if you accept.
You can manage preferences via our Cookie banner and your browser settings. See our Cookie Notice for details.
Children & young people
Where therapy is provided to under-18s, we obtain consent from a parent/guardian as appropriate and tailor confidentiality to the young person’s best interests and the law.
Communications
- Email/SMS: used for admin only (appointments, links, invoices) unless you opt in to updates.
- Social media: please avoid sharing sensitive information via social platforms; use email/phone instead.
- Voicemail: do not leave highly sensitive details.
Third-party links
Our website may link to other sites. We’re not responsible for their privacy practices. Please check their policies.
Changes to this policy
We may update this notice from time to time. The latest version will always appear on this page with the “Last updated” date.
How to contact us
Data privacy contact: Tessa Bennett
Email: info@iso-therapy.com
Post: 71-75 Shelton St, London WC2H 9JQ
