
Privacy Notice

Last updated September 2025

Introduction

Your privacy is important to me, and you can be confident that your personal information will be kept safe and secure and used only for the purpose for which it was given to me. I adhere to current data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), the Data (Use and Access) Act 2025, and, where applicable, the EU General Data Protection Regulation (EU/2016/679).


This privacy notice tells you what I will do with your personal information from initial point of contact through to after your therapy has ended, including:


• Why I am able to process your information and what purpose I am processing it for

• Whether you have to provide it to me

• How long I store it for

• Whether there are other recipients of your personal information

• Whether I intend to transfer it to another country

• Whether I do automated decision-making or profiling, and

• Your data protection rights


I am happy to chat through any questions you might have about my data protection policy, and you can contact me via email.


‘Data controller’ is the term used to describe the person or organisation that collects, stores and has responsibility for people’s personal data. In this instance, the data controller is me.


I am registered with the Information Commissioner’s Office [ZB979993].


Virtual business address: 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London, W1T 6EB, Great Britain. This address is used solely for correspondence and regulatory purposes. I do not see clients at this location.


My phone number is: +44 7895 093293


My email address is: lisa@therapywithlisawastney.com


My lawful basis for holding and using your personal information

The GDPR states that I must have a lawful basis for processing your personal data. These bases vary depending on the stage of our interaction:

If you are currently having therapy, or if you are in contact with me to consider therapy, I will process your personal data where it is necessary for the performance of our contract.


If you have had therapy with me and it has now ended, I will rely on legitimate interest as my lawful basis for holding and using your personal information.


For any special category personal information (e.g., health-related data), I will initially rely on your explicit consent to process it. I will then retain counselling records under the lawful basis of establishing, exercising, or defending legal claims (UK GDPR Article 9(2)(f)).


How I use your information

Initial contact.

When you contact me with an enquiry about my counselling services, I will collect information to help me respond appropriately and determine whether I am the right person to support you. This may include your name, contact details (such as phone number or email address), preferred availability, the type of support you are seeking, and any brief personal context you choose to share. Alternatively, your GP or another health professional may send me your details when making a referral, or a parent or trusted individual may do so on your behalf.


If you decide not to proceed, I will delete your personal data within three months from the date of our last communication. If you would like me to delete this information sooner, just let me know.


While you are accessing counselling.

Everything you discuss with me is confidential. I will only breach confidentiality if required by law—such as in cases involving terrorism, drug trafficking, or money laundering—or if ordered by a court, or where there is a serious risk of harm to you or others, including child protection concerns. I will always try to speak to you about this first unless safeguarding concerns prevent it.

I will keep a record of your personal details to help the counselling services run smoothly. This record will be kept securely on encrypted and access-controlled platforms, including Microsoft 365 (for email and documentation), Plaud Note (for session voice recordings), and my iPhone (for communication and scheduling). I will not share your data with any third party for marketing or non-essential purposes.


I document session content using secure digital audio recordings (‘voice notes’) instead of written notes. Recordings are made using a GDPR-compliant device (Plaud Note), encrypted at source, and stored securely with access restricted solely to me.

I do not retain text messages for more than three months. If a text message contains relevant information, I will take a secure screenshot, store it within Microsoft 365 and delete the original message. I will delete email correspondence after six months unless it is important. If necessary, I will securely transfer the email to Microsoft 365, where it will be stored in an encrypted, access-controlled folder.


After counselling has ended.

I will keep your record for five years from the end of our contact and then I will destroy it securely. This retention period is based on ethical guidance and professional insurance requirements. If you would like me to delete your information sooner, please let me know. Any records in respect of minors will be retained for a minimum of five years after their 18th birthday.


Third party recipients of personal data

I sometimes share personal data with third-party service providers who support the secure operation of my practice. I have selected these providers carefully, and I have reviewed their data processing agreements to ensure they comply with UK GDPR and relevant international standards. They are contractually bound to use your data only for the specific purposes I have authorised. Data is not transferred outside the UK/EEA without appropriate safeguards, such as adequacy decisions or standard contractual clauses. These services, together with their purpose, data location and safeguards, are listed in the table at the end of this notice.


Your rights

You have rights under data protection law, which you can read more about on the ICO website (For the public | ICO). These include:

• To request access to the personal data I hold about you and to receive it in a portable format (where applicable)

• To ask for corrections to inaccurate data

• To request deletion or restriction of your data

• To object to certain types of processing

I do not use automated decision-making or profiling in my practice.

To make a request, please email me at lisa@therapywithlisawastney.com. I will:

• Describe the data I hold and its source

• Explain why I hold it and how long I will retain it

• Identify any recipients

• Provide a copy in an intelligible format

If you have concerns about how I manage your data, I welcome your feedback. You can also make a formal complaint to the ICO (Make a complaint | ICO).

Data security

I take data security seriously and use encrypted, password-protected devices (Microsoft Surface, Windows PC, iPhone) secured with biometric authentication and multi-factor login. I update my devices regularly and they are protected by Norton 360 antivirus and firewall software.


I store session notes and communications using secure cloud-based services (Microsoft 365, Plaud Note, iCloud, and Namecheap Private Email), all compliant with UK GDPR and DUAA 2025. Audio recordings are encrypted and stored securely via Plaud Note, with access restricted to authorised devices only. I do not store physical records, and I securely destroy temporary paper notes after digitisation.


Website visitor data and form submissions are processed via Wix.com Ltd., using secure servers and encrypted transmission protocols. I regularly audit my data protection practices to ensure compliance with current legislation and ethical guidance. I do not share your data with any third party without your explicit consent unless legally required to do so.


Additional information for website visitors

When someone visits my website, I use Wix.com Ltd. to host the site and provide integrated analytics (“Wix Analytics”). Wix collects standard internet log information and details of visitor behaviour patterns—such as IP addresses, session durations, and page interactions—through automated technologies including cookies and tracking scripts. This helps me understand how visitors engage with distinct parts of the site and improve its functionality.


This information is processed in a way that does not directly identify individuals. I do not make, and do not allow Wix.com Ltd. to make, any attempt to discover the identities of those visiting my website.


I rely on legitimate interests as my lawful basis for processing this data, as it enables me to maintain and improve the website and ensure its security and performance.


You can read Wix.com Ltd.’s privacy notice here: https://www.wix.com/about/privacy
More on cookies and Wix sites: https://support.wix.com/en/article/cookies-and-your-wix-site

Like most websites, mine uses cookies to help the site function efficiently and to understand visitor usage. Essential cookies are placed automatically; non-essential cookies (e.g., for analytics or marketing) are only activated with your consent. You can manage your cookie preferences via the cookie banner on the site. You can view my cookie policy here.


No user-specific data is collected by me or any third party unless you choose to submit it. If you fill in a form on my website, the data you provide will be temporarily stored on the web host before being securely transmitted to me. Once received, I will store it securely in my encrypted records and delete it from the web host within a reasonable timeframe.

Third-party service providers (referenced above under ‘Third party recipients of personal data’)

Service: GoCardless Ltd.
Purpose: To process payments securely for counselling sessions
Data Location: UK/EU servers
Safeguards: Encrypted data transfer; regulated by the Financial Conduct Authority; GDPR-compliant processing agreements in place

Service: iCloud (Apple Inc.)
Purpose: Encrypted backup and sync of device data
Data Location: May be outside UK/EEA
Safeguards: Encrypted, privacy-compliant

Service: Microsoft 365 (Microsoft Corporation)
Purpose: Email and document storage
Data Location: UK/EU servers
Safeguards: Access controls, multi-factor authentication

Service: Microsoft Teams
Purpose: Secure video sessions
Data Location: UK/EU (Microsoft 365-compliant data centres)
Safeguards: Encrypted transmission, access restricted to practitioner, no session recording

Service: Monzo Bank Ltd.
Purpose: Client payment processing and reconciliation
Data Location: UK-based servers
Safeguards: FCA-regulated, encrypted transactions, GDPR-compliant

Service: Plaud Note (Plaud AI Inc.)
Purpose: Secure voice note transcription
Data Location: US-based servers
Safeguards: GDPR & DUAA 2025 compliant

Service: Wix.com Ltd
Purpose: Website hosting and analytics
Data Location: Global servers
Safeguards: Legitimate interest, encrypted transmission
