Last reviewed: 18 June 2026

​

1. Who I Am
I am Gillian Smith, a registered and accredited counsellor in private practice, operating as a sole trader under the trading name Connect and Talk. I can be contacted at:

Email: connectandtalk121@gmail.com
Website: connectandtalk.co.uk 

I am registered with the Information Commissioner's Office (ICO) as a data controller. My ICO registration number is: ZB709583.
I am accredited by the British Association for Counselling and Psychotherapy (BACP) and the National Counselling and Psychotherapy Society (NCPS), and I process personal data in accordance with their ethical frameworks as well as UK data protection law.

 

2. The Law That Applies
 

This policy reflects my obligations under:

 

• The UK General Data Protection Regulation (UK GDPR)

• The Data Protection Act 2018 (DPA 2018)

• The Data (Use and Access) Act 2025 (DUAA 2025)

• The Privacy and Electronic Communications Regulations (PECR)

​

​

3. What Personal Data I Collect and Why
 

As a counsellor, I collect and hold personal data in two categories under UK GDPR. Standard personal data includes your name, telephone, email address, and appointment information. Special category data includes information about your mental and physical health, which is central to the therapeutic work we do together.

 

I do not collect information about you from third parties without your knowledge, except where you have been referred by a therapy platform such as Betterhelp, in which case I may receive limited referral information as part of that arrangement.

​

I collect this information through the following channels:

 

• My website (hosted on Wix): contact forms and general enquiries, including your name, telephone and email address.

• TidyCal: used to manage appointment bookings. TidyCal collects your name, email, and appointment details, and generates a private, individual Google Meet link for each session that is accessible only to you.

• JotForm: used to collect emergency contact details prior to or at the start of therapy. This form collects the name and contact information of a person you nominate to be contacted in the event of a welfare concern.

• Email (Gmail): client correspondence and enquiries sent to connectandtalk121@gmail.com are processed via Google's servers. I use this account solely for professional practice purposes.

• WhatsApp: some clients use WhatsApp to make brief contact regarding availability. If you choose to contact me via WhatsApp, your name and phone number will be visible to me as a result. No therapeutic content or confidential information should be shared via WhatsApp.

• Google Meet: therapeutic sessions are conducted via Google Meet. Video and audio content is transmitted through Google's infrastructure during the session. Sessions are not recorded.

• Session notes and clinical records: I keep confidential written records of our sessions for the purposes of providing safe, consistent therapeutic care and meeting my professional obligations. Written records are stored in a locked filing cabinet and digital records are stored in a secure password-protected digital file.

• Invoices and receipts: I produce and retain invoices and receipts as part of my business records. These are stored within your individual digital client file and are not shared with third-party accounting software.

• Bank transactions: payments are processed via BACS bank transfer to my Starling Business Account. I do not handle or store your card or bank details; these are managed directly between your bank and Starling Bank.

​

4. The Legal Basis for Processing Your Data
 

• Standard personal data (name, email, telephone, appointments) is processed on the basis of legitimate interests - specifically, the legitimate interest of providing and administering counselling services to you.

• Special category data (health and wellbeing information discussed in sessions) is processed under Article 9(2)(h) UK GDPR - processing necessary for the provision of health or social care - supported by Schedule 1, Part 1 of the Data Protection Act 2018.

• Emergency contact details are held on the basis of vital interests (Article 6(1)(d) and Article 9(2)(c) UK GDPR). This information would only be used if there were a serious and immediate concern for your safety or the safety of others.

• Financial records (invoices and receipts) are retained for 6 years on the basis of legal obligation, in accordance with HMRC requirements for sole traders.

 

5. How Long I Keep Your Data
 

I retain clinical records, including session notes and emergency contact details, for 7 years following the end of therapy, in line with BACP guidance and standard professional practice. After this period, records are securely deleted.

Financial records (invoices and receipts) are retained for 6 years in line with HMRC requirements for sole traders.

Appointment data held within TidyCal is retained in line with TidyCal’s own data retention policy.
 

6. Who I May Share Your Data With
Counselling is a confidential service. I will not share your personal data with any third party without your consent, except in the following circumstances:
 

• Where I am legally required to do so (e.g. by a court order)

• Where there is a serious and immediate risk of harm to you or another person

• Where I am required to act under my professional ethical framework (BACP/NCPS)

• With my professional supervisor, who is bound by the same standards of confidentiality. It helps me reflect on my work and ensures I am providing you with the best possible care. Supervision discussions are focused on the therapeutic process and my professional development, not on identifying individual clients.

​

I do not sell, rent, or share your personal data for marketing purposes.

 

7. Third-Party Data Processors

I use the following third-party services which process personal data on my behalf. Each acts as a data processor under UK GDPR and is contractually or by policy required to handle your data securely.

​

Wix - Website hosting and contact forms - Name, mobile number, email, enquiry content

TidyCal - Appointment booking and session link generation - Name, email, appointment details, individual Google Meet link

JotForm - Emergency contact collection - Your name, number, address and email. Emergency contact name, number. Basic health details. The information is stored in your individual digital file and the form deleted within 24 hours from JofForm.

Gmail (Google) - Business email communication - Email content and contact details

WhatsApp - Optional client availability queries - Name and phone number (where client initiates contact)

Google Meet - Online therapy sessions (via TidyCal-generated link) - Video/audio transmitted during sessions; sessions are not recorded

Starling Bank - Business banking and BACS payment receipt - Transaction amounts and dates; your bank details are not held by me

 

I encourage you to review the individual privacy policies of these services if you wish to understand their wider data practices.

 

8. Your Rights

Under UK GDPR and the DUAA 2025, you have the following rights in relation to your personal data:

​

• The right to access the personal data I hold about you.

• The right to rectification if any data I hold is inaccurate or incomplete.

• The right to delete your personal data in certain circumstances. However, this right does not apply where I need to keep your records to comply with professional guidelines or insurance requirements, or to defend potential legal claims. 

• The right to restrict processing in certain circumstances, for example while a case is being investigated.

• The right to data portability where processing is based on consent or contract. 

• The right to object to processing based on legitimate interests. However, this is unlikely to apply to therapy records processed under the lawful bases I use.

• The right not to be subject to solely automated decision-making that has a significant effect on you. I can confirm that no such automated decision-making takes place in my practice.

​

To exercise any of these rights, please contact me at: connectandtalk121@gmail.com

​

There is no fee for most requests, though I may charge a reasonable fee if a request is manifestly unfounded or excessive.

​

9. How to Make a Data Protection Complaint 
Under the Data (Use and Access) Act 2025, I am required to provide a clear process for handling data protection complaints, with effect from June 2026.
If you have a concern about how I have handled your personal data, please contact me directly in the first instance:

Email: connectandtalk121@gmail.com

Alternatively, you may submit your complaint using the electronic complaints form using this link: https://form.jotform.com/261672930991062

​

I will acknowledge your complaint within 30 days of receiving it and will respond without undue delay, keeping you informed of any steps I take to investigate and resolve the matter.

If you remain dissatisfied following my response, you have the right to complain to the Information Commissioner's Office (ICO):

Website: www.ico.org.uk
Helpline: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
 

10. Data Security
I take appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, or disclosure. This includes:

• Password-protected devices and digital files

• Use of individually generated, private session links via TidyCal and Google Meet

• Secure business email practices

• Third-party services subject to their own security obligations under UK GDPR

11. Cookies and Website Tracking
My website is hosted on Wix, which may use cookies to support its functionality and analyse site traffic. Please refer to Wix’s own cookie policy for further information. Cookie consent is managed through the Wix cookie banner displayed on your first visit to the site.
12. Confidentiality exceptions
Everything you share with me in therapy is treated as confidential. However, there are rare circumstances where I may need to share information without your consent:

• Risk of serious harm: If I believe there is a serious and imminent risk of har to your or another person.

• Safeguarding concerns: If I become aware of concerns about the safety or welfare of a child or vulnerable adult.

• Legal requirements: If I receive a court order requiring disclosure, or in other limited circumstances required by law.

 

In most cases, I will try to discuss any disclosure with you first, unless doing so would itself put someone at risk. 
 

13. Changes to This Policy

I will review this privacy policy at least annually and update it when legislation or my practice changes. The date at the top of this document indicates when it was last reviewed. The current version will always be available on my website.

 

14. Clinical Will 

In the event of the unexpected death or sudden illness of me, your therapist, where I am unable to contact you, I am currently  putting in place looking to appoint a Therapeutic Executor who will take care of contacting you. They will be a qualified therapist who adheres to the same ethical framework and confidentiality rules me, your therapist. They will only access your contact details in an emergency, and discuss with you appropriate onward arrangements. Once the person has been appointed I will add their name here. 

 

Contact

If you have any questions about this privacy policy or your personal data, please contact:

 

Gillian Smith (Connect and Talk): connectandtalk121@gmail.com