data privacy statement

Your privacy and confidentiality are of the utmost important to me, as a BACP-registered therapist.

I abide by the terms of the General Data Protection Regulation (GDPR), which forms part of the Data Protection Act (2018). It gives you greater transparency over how your personal data is used and stored.

According to GDPR, the organisation or person that collects and stores personal data is referred to as the “data controller”. In this instance, the data controller is me, Aimee Cliff.

In this data privacy statement, I’ll outline:

How I use clients’ and potential clients’ data
How I store clients’ and potential clients’ data
How I collect and store website visitors’ data

How I use clients’ and potential clients’ data

I collect some information about my clients and potential clients in order to facilitate safe and ethical psychotherapeutic work.

I may collect the following data:

a. Name, preferred name, and pronouns: Used to address you. To protect your confidentiality, I use a code rather than your name when writing session notes.

b. Date of birth: Used to verify your age.

c. Email address: Used to confirm appointments and for general communication.

d. Phone number: Used to confirm appointments and for general communication.

e. Address: Used if needed to contact you in writing.

f. GP and emergency contact details: Used to contact your GP if required, or in an emergency.

g. Session notes: Brief, anonymised notes are made at the end of each session.

h. Mental health/risk information: I gather some brief information about your mental health history and level of risk during our initial consultation. This is to make sure I am supporting you safely.

The lawful basis for me collecting all of the above information from clients and potential clients is to form and enact our contract as therapist and client.

The lawful basis for me holding the above information about former clients is legitimate interest. This data may be necessary for legal compliance and for potential complaints procedures.

How I store clients’ and potential clients’ data

When potential clients first contact me to arrange counselling, I may collect their data via email or my website form (which sends information to my email account). I may also collect some data during an initial consultation call over the phone or Google Meet.

I routinely delete emails containing client data, so data is not held in emails for longer than 14 days. I use the email clients Titan and Gmail which are GDPR-compliant. Read Titan’s privacy policy and Gmail’s privacy policy.

I do not save client phone numbers under names in my phone. However, if we do communicate by phone, my device will contain your number. Though my phone is locked by a passcode, and your number will be anonymised, it is always possible that this device may be lost or stolen. I routinely delete client data and messages from my phone.

I conduct consultations and online therapy using Google Meet. Google Meet is encrypted by default in transit between me, you, and Google.

I store client data using the secure practice management software Kiku. Kiku is the “data processor” (which means it processes data on behalf of the data controller, me), and is fully GDPR-compliant.

I do not keep any handwritten notes.

I delete all client data six years after we finish working together. If you would like me to delete your data sooner than this, I am happy to do so, allowing that I may need to retain some data if it is of legitimate interest (for example, if it is necessary for legal compliance). Please request the deletion of your data in writing by emailing me.

You can also request to correct or change the data I hold about you at any time. (For example, you may want to update your address if you move house.) You can also request to view the data, including a copy of the anonymised session notes, that I hold about you. Please make these requests in writing to my email.

As outlined in our therapy agreement, I have a therapeutic executor who will contact my clients in the event of my incapacity or death. My executor is Adam Mollen, a BACP-registered therapist. Adam will gain access to my clients’ securely stored contact details in Kiku only in the event of my incapacity. He will contact my current clients, and will then be responsible for destroying the data held about them.

If you have any complaints about how I handle your data, I encourage you to discuss this with me either in sessions or in writing via email. I hope we can resolve your complaint, but if you are still not happy, you can make a complaint about data handling to the ICO. My ICO registration reference is ZB861575.

How I collect and store website visitors’ data

The data processor for my website visitors’ data is WordPress. This means that WordPress processes data on my behalf, not for its own benefit or use. I have a Data Processing Agreement in place with WordPress.

Read WordPress’s Data Processing Addendum.

WordPress and Google Analytics automatically collect usage data from my website, such as information about how many users have visited the site, how many have clicked on links, and the location of users. This data is anonymised and does not identify individual users.

You have the right to opt out of being tracked by Google Analytics on my website and other websites.

Opt out of being tracked by Google Analytics.

WordPress uses cookies to enable certain website features. You will be given the option to opt in or out of this when you visit my website. I do not collect any user-specific data relating to cookies, nor does any third party.

I may make amendments to this data privacy statement at any time, and these will come into effect immediately. This statement was last reviewed in April 2025.