Privacy Policy
At Strategic Minds Online Brief Therapy, we are committed to protecting your privacy and ensuring that your personal information is handled safely and securely. This Privacy Policy outlines how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable laws.
1. Data Processing Activities
As part of our commitment to privacy, we have conducted a Data Protection Impact Assessment (DPIA) to evaluate how we handle your data and mitigate any risks associated with its processing. This DPIA will be regularly reviewed to ensure we are fully compliant with data protection laws and to address any emerging risks or changes in our processing activities.
2. Information We Collect
We collect and process the following personal information:
Personal Details: Name, date of birth, contact details (email, phone number, address, if applicable).
Health Information: Any information you provide related to your mental health, medical history, and therapy sessions.
Payment Information: If you are a private client, we may collect billing details for invoicing purposes.
Technical Data: IP address, browser type, and other online identifiers when you visit our website.
3. Purpose of Data Processing and Lawful Basis for Processing
Your personal data is processed for the purpose of delivering therapy services, including:
Conducting assessments.
Scheduling appointments and sending reminders.
Maintaining clinical records for therapy continuity.
Complying with legal and regulatory requirements.
Your data is processed under the following lawful bases defined by the UK GDPR:
Contract – to deliver psychological therapy and associated services.
Legal obligation – to comply with applicable laws and regulations.
Legitimate interest – e.g., secure data handling, appointment reminders, debt recovery.
Vital interests – in rare cases where there are serious concerns about your safety.
Consent – where you explicitly agree to information sharing or other optional uses of your data.
4. Data Security Measures
We have implemented several measures to protect your personal data, including:
Encryption: All sensitive data is encrypted during storage and transmission.
Access controls: Only authorised individuals have access to your personal data.
Regular audits: We conduct regular security audits to identify and address any vulnerabilities.
5. Data Retention
We will retain your personal data for as long as is necessary to fulfil the purpose for which it was collected, or for as long as required by law. After this period, your data will be securely deleted or anonymised.
6. Sharing Your Data
We will not share your personal data with third parties unless you have provided consent or it is necessary for the fulfilment of our contract with you, or as required by law. If using third-party payment services, necessary billing details may be processed securely (see below).
We do not sell or share your data for marketing purposes.
Some of the systems I use may process data outside the UK (e.g., email, video conferencing). In such cases, these services comply with the UK GDPR through appropriate safeguards, such as adequacy decisions or standard contractual clauses.
In case of a data breach, we will inform you and take necessary steps to mitigate the impact.
Use of AI Assistant (Heidi)
We use Heidi, a secure AI assistant designed for mental health professionals, to support with administrative and clinical documentation tasks—such as structuring session notes, generating treatment summaries, and organising clinical reflections. Heidi is used exclusively by the clinician and operates within a GDPR-compliant framework.
To protect client confidentiality, any information processed via Heidi is anonymised or de-identified before entry, and no identifiable client data is stored by the system. Heidi does not retain information beyond the duration of each task and does not use data for training, profiling, or marketing.
Use of Heidi is limited to enhancing clinical workflow and is always in line with professional ethical standards. If you have questions about this process or wish to opt out of its use in your care, please get in touch.
If you’d like to know more about Heidi’s privacy policy, you can find it here: https://www.heidihealth.com/uk/legal/privacy-policy
Direct Debit via GoCardless:
Clients may be asked to set up a direct debit through GoCardless as a precautionary measure, to be used only in the event of non-payment or breach of the cancellation policy.
Your bank details are handled securely by GoCardless and are not stored by me.
I will not use this method unless necessary under the above circumstances.
Your details will be deleted from my GoCardless account once therapy is completed.
If you’d like to know more about how GoCardless handles and stores your data, you can find more information here: https://gocardless.com/privacy/
Welfare Checks Following Missed Appointments
If you miss a scheduled session (Did Not Attend/DNA) and do not respond to my attempts to contact you within a reasonable period, I may reach out to your designated emergency contact to ensure your wellbeing.
This step is taken purely out of concern for your safety.
No clinical or sensitive information will be disclosed—only that you have missed a session and have not responded to communication attempts.
You have the right to nominate a specific person to be contacted for this purpose; if you wish to do so, please inform me in writing and provide their full name and contact details.
Debt Recovery
In the event of non-payment for services rendered, I reserve the right to take reasonable steps to recover outstanding fees.
This may include engaging third-party debt collection agencies or pursuing legal action.
If such steps are necessary, only the minimum amount of personal data required to pursue the debt will be shared—this includes non-clinical information such as your name, contact details, appointment dates, the amount owed, and relevant correspondence.
No clinical or sensitive health information will ever be disclosed as part of this process.
7. Your Rights Under GDPR
Under the GDPR, you have the right to:
Access your personal data.
Request corrections to inaccurate or incomplete data.
Request deletion of your data (subject to legal and ethical record-keeping requirements).
Restrict processing of your data.
Withdraw consent for processing where applicable.
Request data portability.
Complaints: if you are concerned about how your data is handled, please contact me first. If you are not satisfied with my response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). Website: www.ico.org.uk. Tel: 0303 123 1113.
8. Use of Cookies and Online Tracking
Our website may use cookies to improve your browsing experience. You can manage your cookie preferences through your browser settings.
9. Updates to This Privacy Policy
This Privacy Policy will be kept under review to ensure that it reflects the latest practices, technologies, and legal requirements. We will update this policy as necessary, and any significant changes will be communicated to you.
10. Data Controller
The data controller responsible for your personal data is Strategic Minds Online Brief Therapy, operated by Susana Lara, based in London (England).
You can contact me at Strategic Minds Online Brief Therapy if you wish to exercise any of these rights, or if you have any questions or concerns about this Privacy Policy.
This Privacy Policy ensures that your personal information is handled responsibly and in compliance with applicable privacy laws.
Last update: 02.06.25