Privacy Statement

Introduction                                  

I take your privacy very seriously. This Privacy Statement describes what I do, and what I don’t do, with the personal information that I collect in the operation of my therapy practice and when you use this web site.

I will update this privacy policy from time to time by posting a new version on this website. Please check this web page periodically in order to ensure that you are familiar with any changes.

It is a legal requirement under the General Data Protection Regulation (GDPR) for me to make my data processing procedures clear to you.

I will be asking you to actively opt in and consent to these arrangements and the handling of your personal information.

I abide by the GDPR and the Data Protection Act 2018 and I, Davina Robertson, am the registered data controller and processor for my therapy practice. More information is available from the Information Commissioner’s Office (ICO) at https://ico.org.uk/

SECTION ONE:  the personal data I collect store and process in my psychotherapy practice

Why I collect personal data & information

I collect relevant personal information from clients to enable a working record of contact information, in case of emergencies and for the ongoing work. I do not share any of this information with anyone unless it is necessary to assist your well-being or the safety of others in which case, I will share the minimum necessary in order to mobilise the appropriate support for you. This would most likely be your GP but could be another service. I am also legally required to disclose personal information to the authorities if you are involved in serious crime.

What information do I collect, store and process?

Contact information. Personal information including age, health (mental and physical), gender, sexuality (if relevant to our work), domestic and financial arrangements (where relevant) and other special category data.

Notes on our sessions which give brief details of what the focus of our work is, how you are and perhaps anything I need to remember to revisit in a later session. I do not include any names or identifying information about anyone you might talk about in your sessions.

How is this information stored?

All client contact data, bookings, payment information and sessions notes are stored by my client management provider, Cliniko. Cliniko meet all the requirements and regulations of GDPR. Their servers are located outside the UK.  I do not store any client data on my own computer system.

Any paper correspondence will be scanned and uploaded to my Cliniko system and the originals shredded.

I store your first name, sometimes an initial of your second name and your phone number(s) on a dedicated phone that I only use for my practice and which is protected in case of loss so that I can wipe all data with one call.

I store your email address and any email correspondence in my Protonmail secure email account which is end to end encrypted. You can read about this here https://protonmail.com

What about data transfers to Cliniko?

All data is transmitted and stored securely using end to end encryption. You can read more about their data security at https://www.cliniko.com/security/

Who do you share my personal information with? Limits of confidentiality.

We will agree to work with the following limits of confidentiality when we start to work together

I do not share any of your personal information with anyone else unless one of the following situations occurs:

1. I am concerned about a serious risk to your safety or someone else’s safety in which case I will seek appropriate support for you or for them. To do this I will share the minimum amount of information necessary with a medical or other professional. I will always seek to discuss this with you beforehand where at all possible.

2. There are some requirements under the law to do with serious crime where I would have to share information with the authorities.

3. A court of law can require me to show my records of our sessions together. This is a rare occurrence.

How long will you keep my data?

I am required to keep the records of our sessions for 7 years. After that time has elapsed all trace of your data will be erased from Cliniko’s system. If Cliniko stops trading they will give me the opportunity to move my records to another suitably secure provider and I will update this statement to reflect that fact.

When I stop working with you, I will delete your name, phone number and email address from my email and phone systems.

What if something happens to my therapist?

If anything happens to me that prevents me from attending your session and from communication with you directly—such as illness or death—then I have appointed an experienced colleague to act as my Therapeutic Executor and they would be able to access your contact details and inform you if this were to occur.

Using video meeting software

For video sessions I will use one of the following:

Cliniko’s telehealth  cliniko.com  This is also my practice management system referred to above.

V-See telehealth  vsee.com I only use the video meetings at V-see so none of your data is stored here.

Zoom meetings zoom.us There is security information on their website. We may agree to use Zoom if there are compatibility or technical issues with the above services. None of your data is stored at Zoom.

All video calls are secured and meet strict privacy and security standards.  No content is stored anywhere. All features meet GDPR regulation standards. I do not record our meetings and request that you do not record them either.

Using email for sessions or otherwise

General email services are not secure. I use Protonmail as they use ‘end to end’ encryption for security. If we are to engage using email, I encourage you to set up a Protonmail or similarly secure email account. Protonmail is free of charge and is very easy to install and use. If you choose to email me from an insecure email address you may like to protect your privacy by limiting your content.

Using telephone for sessions

For phone sessions I use Signal encrypted phone calls or I can use WhatsApp encrypted calls if you prefer.  They both use end-to-end encryption, but WhatsApp does collect information about its users whilst Signal do not. If we are to engage using phone calls, I encourage you to set up a Signal account yourself. This is free of charge and straightforward to install and use and will give us the maximum security and privacy options.

WhatsApp privacy policy.  Signal privacy policy.

Payment systems

For payment transactions I use BACS bank transfers or Stripe, an approved third-party payment processing service. I do not store your financial details anywhere on my website or on any physical documentation and neither does my practice management service, Cliniko.  Visit https://stripe.com/en-gb/privacy for details of their privacy policy. Your privacy within the BACS system and Stripe payment system is beyond my control. You may wish to check out their security arrangements on their websites.

Social Media

I do not engage with my clients, past or present, on social media. I do use social media for promoting my business and networking with colleagues. I will never share anything about our sessions together on social media. My intention in posting articles and mental health information is not to provide therapy by social media but to provide some support for people who might be considering seeking counselling or therapy, or other services, from me or other practitioners

SECTION TWO––The personal data I collect, store and process in my other services

Story Circles with Davina

Story Circle Participants

What are Story Circles? I facilitate "Differently-wired, Deeply-heard Story Circles" - group sessions where participants come together to share and explore their experiences in a supportive environment.

What information do I collect from Story Circle participants? When you book a ticket for a Story Circle event, I collect your name, email address, and payment information through Ticket Tailor, my event ticketing provider.

How is this information stored? Your booking information and payment details are initially collected and stored by Ticket Tailor. Their servers process and hold this data securely in accordance with GDPR regulations. You can read their full privacy policy at [https://www.tickettailor.com/legal/privacy-policy].

Following your booking, I store your name and email address in my ProtonMail secure email account, which uses end-to-end encryption as described earlier in this statement.

What platforms do we use for Story Circle meetings? We use Zoom for our Story Circle meetings. As noted in the video meeting software section above, Zoom meetings are secured and meet privacy and security standards. You can read their full privacy policy at [https://www.zoom.com/en/trust/privacy/privacy-statement/] No content from our Story Circle sessions is stored at Zoom, and I do not record our meetings.

Marketing communications (with your consent) If you give your informed consent, I will also store your name and email address in my Kit email marketing account. This allows me to send you news and information about future Story Circles, events, and other relevant services. You can withdraw this consent at any time using the unsubscribe link in any email, and your details will be removed from the Kit system. More information about Kit can be found in the Kit email marketing section of this statement.

How long will I keep your Story Circle booking data? Ticket Tailor retains your booking information in accordance with their retention policy. I will retain your name and email address in my ProtonMail account for 12 months following your last Story Circle attendance, unless you have opted in to receive marketing communications, in which case your details will remain until you unsubscribe. If you request deletion of your data, I will remove it from all my systems.

Your Story Circle data Unlike individual therapy sessions, I do not keep detailed session notes from Story Circles. Any data collected is solely for the purpose of facilitating the circles and staying in contact with participants who have consented to receive updates.

SECTION THREE–The personal data I collect, store and process on my website and on other online apps

This website is hosted by Squarespace. Squarespace collects personal data when you visit this website, including:

• Information about your browser, network and device

• Web pages you visited prior to coming to this website

• Web pages you view while on this website

• Your IP address

Squarespace needs the data to run this website, and to protect and improve its platform and services. Squarespace analyses the data in a de-personalised form.

Use of Cookies

This website uses cookies and similar technologies, which are small files or pieces of text that download to a device when a visitor accesses a website or app. For information about viewing the cookies dropped on your device, visit The cookies Squarespace uses.

• These functional and required cookies are always used, which allow Squarespace, our hosting platform, to securely serve this website to you.

• These analytics and performance cookies are used on this website, as described below, only when you acknowledge our cookie banner. This website uses analytics and performance cookies to view site traffic, activity, and other data.

Enquiring: You will need to provide contact information to me if you choose to submit a question or request to me via email or by using my “contact me” form. The information that you will need to provide will include a name, and an email address;

Subscribing: You will need to provide contact information to me if you choose to receive updates and information periodically. This contact information will include a first name and either an email address, or a username for a particular social networking service (e.g. Twitter, Facebook, Linked In etc);

Commenting: You will need to provide contact information to me if you choose to make a comment in relation to any content. This contact information will include your name, contact details – including email address – and (if they can be used to identify you) the views which you choose to express. Additionally, you may choose to submit personal information in the form of a small photograph, Avatar or Gravatar;

Signing up for my email list: My website provides you with the opportunity to opt-in for receiving marketing communications from me. All email sent from my organisation will clearly state who the email is from and provide clear information on how to contact me. There will also be clear information on how to remove yourself from a mailing list so that you will receive no further communication from the list and your details will be removed from the system.

Kit email marketing:

My email newsletters and blog posts are managed by Kit for marketing purposes. Your contact information of first name and email address are stored by them on my behalf and are only accessed by me.  When you subscribe for these you are asked to give your consent to receive emails  and to receive relevant marketing communications for services, before being added to the list. If you unsubscribe, using the link provided at the foot of all emails, these will be removed from their system. Their privacy policy is available here: https://kit.com/privacy

Kit Email Marketing and Communications

What is Kit? I use Kit (formerly ConvertKit) as my email marketing service to manage communications with clients and subscribers. Kit allows me to send newsletters, blog posts, information about events and services, and other relevant communications to those who have opted in to receive them.

What information is stored in Kit? The following personal data may be stored in Kit:

• Your first name

• Your email address

• Information about which emails you've opened and links you've clicked

• The date you subscribed

• Any tags or segments I've assigned to help personalise communications (e.g., "Story Circle participant" or "Newsletter subscriber")

How do you collect this information? Your information may be added to Kit in the following ways:

• When you sign up directly through a form on my website

• When you book an appointment through Calendly (if you consent to receive communications)

• When you book a Story Circle event and opt in to receive updates

• When you manually request to be added to my mailing list

Data storage and security Your personal data is stored securely on Kit's servers, which are located outside the UK. Kit is fully GDPR compliant and has appropriate safeguards in place to protect your data. All data transmission between my systems and Kit uses encryption. You can read more about Kit's security measures and privacy practices at https://kit.com/privacy

How is your data used? I use the information stored in Kit solely for the following purposes:

• Sending you newsletters and blog posts

• Providing information about upcoming events and Story Circles

• Sharing relevant updates about my services

• Communicating with you about topics you've expressed interest in

I do not share, sell, or distribute your email address or personal information to any third parties for their marketing purposes.

Your rights and choices You have full control over your data in Kit:

• You can unsubscribe at any time using the link provided at the bottom of every email

• When you unsubscribe, your data will be removed from Kit's active mailing lists

• You can request a copy of the data I hold about you in Kit

• You can request correction of any inaccurate information

• You can request complete deletion of your data

Data retention If you remain subscribed, your data will be retained in Kit for as long as you continue to receive communications from me. If you unsubscribe, your data will be removed from active lists but may be retained in accordance with Kit's data retention policies for legal and administrative purposes.

Contact To exercise any of your rights regarding your data in Kit, or if you have questions about how your information is used, please contact me at davinarobertson@pm.me

Google Forms Data Collection and Usage:

How I Use Google Forms: I use Google Forms to collect your pre-exploration questions and booking information for our 24-hour educational trauma exploration sessions. This includes your contact details, background information about your educational experiences, and any specific areas you'd like to explore during your session.

Data Storage and Security: Information submitted through Google Forms is stored securely on Google's servers and is subject to Google's privacy and security measures. We access this information solely for the purpose of preparing and conducting your exploration session.

Data Retention: Your Google Forms responses are retained for the duration of our working relationship and for up to 12 months after your session to allow for follow-up support if needed. You may request deletion of your data at any time by contacting us directly.

Data Sharing: We do not share, sell, or distribute your Google Forms responses to any third parties. Your information is used exclusively for providing you with the educational trauma exploration service you've requested.

Your Rights: You have the right to:

• Request access to the information you've provided

• Request correction of any inaccurate information

• Request deletion of your data

• Withdraw consent for data processing at any time

Third-Party Privacy Policies: Please note that Google Forms is governed by Google's Privacy Policy, which you can review at https://policies.google.com/privacy. By submitting a form, you also agree to Google's terms of service regarding data collection and processing.

Online Scheduling with Calendly:

I use Calendly as a scheduling service to allow you to book appointments with me directly through my website. When you interact with the Calendly booking system, the following information is collected:

Information Collected: Your name, email address, appointment preferences, IP address, and browser information when you make a booking.

Data Storage and Security: Information submitted through Calendly is stored securely on Calendly's servers and is subject to their privacy and security measures. I access this information solely for the purpose of managing your appointment bookings and sending appointment reminders.

Data Sharing: When you book an appointment through Calendly, your name, email address, and certain booking details are automatically transferred to Kit (my email marketing service) for client management and communication purposes. This allows me to send you appointment-related emails and, with your consent, relevant updates about my services. Calendly operates as an independent data controller for the information they initially collect. Their use of your data is governed by their own privacy policy, which is available here: https://calendly.com/privacy

Your Rights: You have the same rights regarding your Calendly data as outlined in the "Your rights under GDPR" section of this statement, including the right to request access, correction, or deletion of your information.

Accessing Restricted/Members Only Content: Some information I provide is only available to those who register by providing certain contact information (usually a name and email address and sometimes a phone number)

Website links to third party sites

I have no control over the content of external websites that I am linked to, nor the privacy or protection of information you are provided with whilst visiting them. Links to or from these sites not owned or controlled by me do not constitute an endorsement of these sites or their products or information presented in them. You may wish to look at their privacy statements.

Analytics

This website collects personal data to power our site analytics, including:

• Information about your browser, network, and device

• Web pages you visited prior to coming to this website

• Your IP address

This information may also include details about your use of this website, including:

• Clicks

• Internal links

• Pages visited

• Scrolling

• Searches

• Timestamps

We share this information with Squarespace, our website analytics provider, to learn about site traffic and activity.

Other Activities

I may use information for purposes not listed above in the following circumstances: (a) where specifically authorised by you; (b) where the use is related to one of the primary purposes listed above and where it could reasonably be expected; (c) where it is necessary for me to comply with the law.

Your rights under GDPR

• You have the right to request access to your client record and receive an explanation of what is held within it.

• You have the right to withdraw consent to the storage of your data, to request erasure or correction of your client record, to request portability where it applies in law, and to object to or restrict collection and processing of your data.

• You have the right to know the sources of personal data not originating from yourself and the right not to receive unsolicited marketing.

• You have the right to be made aware of any company’s automatic decision-making processes (e.g. profiling) and any significance

• You will be made aware of any data breaches within 72 hours. You will be compensated for any damage or distress caused by the data breach.

• You have the right to complain to the ICO if you are unhappy with the data processing arrangements, and to engage representation from a not-for-profit body in doing so.

• You have the right to have information about you deleted, to have any inaccuracies corrected and to have access to all information about you, free of charge, within one month.

Updating your information

If any of your personal information needs updating or correcting please let me know,

Your right to complain to ICO

You have a right to complain if you are unhappy about any of the above by contacting the Information Commissioner’s Office here: https://ico.org.uk/concerns although I trust that you would try to discuss this with me in the first instance.

Any working contract shall be construed and governed in all respects in accordance with the laws of England and Wales and any dispute or differences in relation to this agreement shall be subject to the exclusive jurisdiction of the English Courts.

Your consent

When you book an event you will be asked to give your consent for this Privacy Statement. That action will acknowledge that you fully understand and accept this policy for the storage of records and gives your consent to the use of personal and sensitive data for the purposes stated above.

When you use the website, you are giving your implied consent to the uses related to the website as listed above.

January 2024