Privacy Policy & Data Protection

Data Controller

Business Name: The Oast House Therapy Room

Name: Suzy Sleeper

Address: The Oast House, Bagwell Lane, Winchfield, Hampshire, RG27 8DB.

Contact number: 07721 450 858

Contact email: suzy@oasthousetherapy.com

Website: www.oasthousetherapy.com

The Oast House Therapy Room is committed to protecting the privacy and security of your personal information. This policy outlines how I collect, use, store, and protect your data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other relevant data protection laws.

The basis on which I keep client data is that of “Legitimate Interests”. This means that the data is necessary for me to provide therapeutic services, manage our professional relationship, and fulfil our legal and professional obligations.

The data I hold

This includes:

  • Basic information such as name, email address, phone number
  • Information that you give me as part of the work we do together
  • Records of the interventions that I use (or potentially do not use) in our sessions
  • Emails, texts and/or messages that are sent between us
  • Information sent from any third party, e.g. GP

Some of the information that you give me may fall under the definition of special category of data as defined by the General Data Protection Regulation. The condition for processing this special data is “processing is necessary for medical diagnosis, the provision of health care or treatment pursuant to contract with a health professional”. However, data on any criminal offences (including allegations, proceedings and convictions) is even more tightly controlled and so I need your specific consent in order to hold any such information.

Data Sharing

Data is not shared with anyone, except possibly your GP and my supervisor to ensure your continued care, and for any reasons covered by the Requirements for Disclosure section below. However, if you were to make a complaint about me to my professional body, I would be entitled to share your notes with any investigation procedures.

The data is primarily used to enable me to provide therapy for you. It may also be used for scientific research purposes and statistical purposes.

Data storage

Any emails sent between us are held either on my computer’s hard drive or exchange server or, if archived, in Dropbox, which is secure cloud-based storage that is itself GDPR compliant. Any that may be held on my mobile phone are code protected.

Any texts/WhatsApp messages/Messenger messages sent between us (See Social Media and Electronic Information section) are held on my mobile phone which is code protected.

Your notes are handwritten and are kept in a locked filing cabinet. A coding system enables the therapist to know whose notes are whose, but a stranger seeing the notes would not be able to identify who they referred to.

Credit card information is shredded as soon as processed.

If you use PayPal or online banking then clearly these systems will hold your data. I will download from these systems for accounting purposes and the resulting spreadsheets are held in Dropbox. When sent to my accountants, they will be password protected.

Any recordings are stored in a secure computer database on a computer which is not connected to the internet, is password protected and is accessible only by me.

Your data is kept for 7 years. The length of time is based on the requirements of my insurer. After this time any paper records are shredded and computer records permanently deleted.

The Oast House Therapy Room takes the security of data seriously and as such any data transmitted is sent encrypted where possible. However, I am not in control of data (including emails and texts) which you send me. Apps such as Facebook routinely access any information held and this is beyond my control.

If there is any breach of data security I will give full details to the Information Commissioner’s Office and any person affected within 72 hours of the breach and do all that is possible to minimise any potential impact.

Your rights

Under GDPR law you have the following rights:

  1. The right of access. I will provide you with all data I hold on you as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
  2. The right to rectification. If any data I hold is incorrect, just let me know and I will correct it as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
  3. The right to erasure. If you wish me to erase your data just let me know and I will delete any computer records and shred any paper records as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). NB: data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, but this would never include case notes or data such as address/email/phone.
  4. The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure.
  5. The right to data portability. This might apply if you want your notes sent to another therapist for example, but it is likely that the easiest solution would come under the right to access, i.e. I would send the data to you.
  6. The right to object to processing. This relates to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).

Psychotherapy does not engage in these things:

  • Direct marketing.
  • Processing for purposes of scientific/historical research and statistics. For this, you must provide grounds for your objection.
  • Automated decision making and profiling. The Oast House Therapy Room does not engage in automated decision making or profiling.

Complaints

If you have concerns about how we handle your data, please contact me first. If you are not satisfied with my response, you can lodge a complaint with the Information Commissioner’s Office (ICO): https://ico.org.uk.

I am fully insured through Balens Ltd.

Last updated: January 2026
