Privacy & Data Protection Notice
Last Updated: March 2026
Data Controller: Sebastián Rey Psychotherapy
ICO Registration Number: ZC098854
1. My Commitment to Your Privacy
I am committed to protecting the privacy and confidentiality of my clients. This notice explains how I collect and use your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data (Use and Access) Act 2025.
2. Information I Collect
I collect information necessary to provide safe and professional psychotherapy services:
Contact Details: Your name, address, phone number, and email.
Special Category (Sensitive) Data: Your mental health history, my clinical session notes, your GP details, and medication information.
Emergency Contact: Information for your designated next of kin.
3. Why I Process Your Data (Lawful Basis)
Under UK law, I rely on the following legal bases:
Contract: To fulfill the therapeutic agreement between you and me.
Health & Social Care (Art. 9 UK GDPR): For the provision of health treatment (psychotherapy).
Legal Obligation: To comply with my clinical insurance and professional body requirements.
4. How I Secure Your Data
I protect your information using "Privacy by Design" measures:
Secure Digital Environment: I use a professional Google Workspace account with a signed Business Associate Agreement (BAA). This ensures clinical-grade encryption for your digital records and intake forms.
Access Control: I am the only person with access to your records. I use encrypted devices protected by mandatory Two-Step Verification (2SV).
Anonymisation: I file my clinical session notes using unique Client IDs (e.g., SR-01) to ensure your identity is kept separate from your sensitive clinical history.
5. Website Cookies
This website is hosted on Google Sites.
Essential Cookies Only: This site uses only "strictly necessary" cookies required for security and basic functionality.
No Marketing Tracking: I do not use advertising or behavioral tracking cookies.
Transparency: Under the Data (Use and Access) Act 2025, these essential cookies do not require a "pop-up" consent box, but I am required to inform you of their presence.
6. Data Retention
I securely retain clinical records for 7 years after our final session, in accordance with UK insurance and professional body guidelines. After this period, your records are permanently deleted.
7. Your Rights
You have the right to access your data, request corrections, or object to certain types of processing.
Right to Complain: If you have concerns about how I handle your data, please contact me directly. I will acknowledge any complaint within 30 days. You also have the statutory right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.
8. Confidentiality & Disclosure
Everything we discuss is strictly confidential. Exceptions apply only if I am legally compelled by a court, if I believe there is a serious risk of harm to yourself or others, or during my professional supervision.