Privacy Policy

Your privacy is important to us. This privacy policy explains how Trinity CBT Suffolk collects, uses, shares, and protects your personal information.

Last updated: 7th October 2025

1. Introduction

Trinity CBT Suffolk is committed to protecting the privacy and confidentiality of all clients referred to the service. This policy outlines our practices concerning the collection, use, and disclosure of personal information in compliance with the General Data Protection Regulation (GDPR) and other relevant UK data protection laws. Joyce Speed is the Data Controller for Trinity CBT Suffolk.

2. Information We Collect

Trinity CBT Suffolk may collect the following types of personal information:

  • Personal Identification Information: Name, date of birth, address, email address, phone number.
  • Sensitive Personal Data (Special Category Data): Information about your mental and physical health, medical history, therapy session notes, and other information relevant to your therapy. This is collected to provide you with safe and effective therapy and is processed with your explicit consent.
  • Contact Information: How you prefer to be contacted, and any information you provide when you contact us.
  • Referral Information: Details from your GP or other referring professionals, if applicable and with your consent.
  • Financial Information: Payment details for session fees (processed securely by third-party payment processors; full card details are not stored).
  • Appointment Scheduling Information: If you use the online appointment scheduling system, you will be required to provide the personal information necessary to schedule and manage your appointments (your name, contact details such as email and phone number, and chosen appointment time, if necessary).
  • Website Usage and Analytics Data: When you visit our website, we use Vercel Web Analytics (provided by Vercel Inc.) to collect information about your interaction with our site. This is designed to be privacy-focused and, by default, uses aggregated data. The data collected includes:
    • Event Timestamp
    • URL visited (we take measures to configure analytics to avoid collecting personal data within URLs)
    • Referrer URL
    • Query Parameters (filtered to avoid sensitive data)
    • General Geolocation (City, Country, based on IP address, not precise)
    • Device Operating System & Version
    • Browser Name & Version
    • Device Type (e.g., Mobile, Desktop)
    • A Vercel-generated hash of the incoming request to identify a visitor session (this identifier is discarded after 24 hours and is not a third-party cookie).

This information is collected to help us understand website traffic, improve user experience, and ensure the security and performance of our website. We configure our analytics to avoid the collection of personally identifiable information where possible.

This information is typically collected directly from you (e.g., when you fill out forms, schedule an appointment, or during therapy sessions), from referring professionals with your consent, or automatically as you interact with our website (analytics data).

3. How We Use Your Information

Your personal information is used for the following purposes:

  • To provide you with Cognitive Behavioural Therapy (CBT) services.
  • To schedule, manage, and communicate with you about your appointments (including through our future appointment scheduling system).
  • To maintain accurate client records as required by our professional body (e.g., BABCP) and for insurance purposes.
  • To process payments for services rendered.
  • To understand how our website is used, to improve its functionality, user experience, and to ensure its security and performance (using website analytics data).
  • To comply with legal and regulatory obligations (e.g., safeguarding concerns).
  • For clinical supervision, where client information is anonymized to protect confidentiality, as per professional ethical guidelines.

4. Lawful Basis for Processing

Your personal data is processed based on the following lawful bases under GDPR:

  • Consent: For collecting and processing sensitive personal data (health information) for therapy, and for specific data processing activities where we explicitly ask for your consent (e.g., for certain types of communication or for processing data via an appointment system if specific consent is required by that system). You may withdraw your consent at any time where consent is our lawful basis.
  • Contract: Processing is necessary for the performance of a contract with you (i.e., to provide therapy services you have requested, including scheduling and managing appointments).
  • Legal Obligation: Processing is necessary to comply with the law (e.g., safeguarding children and vulnerable adults, maintaining legally required records, or if required by a court order).
  • Legitimate Interests:
    • For maintaining records, business administration, and professional indemnity purposes.
    • For processing website usage and analytics data to monitor and improve our website performance, security, and user experience.

    We only rely on legitimate interests where these are not overridden by your rights and interests.

5. Data Sharing and Confidentiality

Your information is treated with the utmost confidentiality. Trinity CBT Suffolk will not share your personal information with third parties without your explicit consent, except in the following limited circumstances or as outlined below:

  • Safeguarding: If there is a serious risk of harm to yourself or others, particularly children or vulnerable adults, we may be legally or ethically required to disclose information to relevant authorities (e.g., GP, social services, police).
  • Clinical Supervision: As a member of a professional accrediting body (BABCP), I am required to undertake regular clinical supervision. During supervision, client cases may be discussed to ensure high standards of practice. All information shared is anonymized to protect your identity.
  • Legal Requirements: If required by law, such as by court order.
  • Emergency Situations: If there is a medical emergency during a session, we may need to share information with healthcare professionals.

Steps are taken to ensure that any third-party processor used provides sufficient guarantees to implement appropriate technical and organisational measures to protect your data. Where these providers are based outside the UK/EEA, appropriate transfer mechanisms are put in place, such as Standard Contractual Clauses (SCCs).

6. Data Storage and Security

Trinity CBT Suffolk is committed to ensuring that your information is secure and that appropriate technical and organizational measures are taken to protect your personal data against unauthorized access, loss, or destruction.

  • Client notes and personal information are stored securely. Paper records are kept in locked filing cabinets, and electronic records are password-protected and encrypted where appropriate.
  • Your personal information is retained for a period of time as recommended by my professional body and insurers (typically 7 years after therapy ends, or 7 years after a child client turns 18). After this period, your data will be securely destroyed.

7. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • The right to be informed: About how your personal data is being used (which this policy aims to do).
  • The right of access: You can request a copy of the personal information Trinity CBT Suffolk holds about you.
  • The right to rectification: You can request that we correct any inaccurate or incomplete data.
  • The right to erasure (the "right to be forgotten"): You can request that your personal data be erased, under certain conditions (e.g., if it's no longer necessary for the purpose it was collected, or if you withdraw consent and there's no other legal ground for processing). Note that this right is not absolute and may be overridden by legal or professional obligations to retain records.
  • The right to restrict processing: You can request that we limit the way we use your personal data, under certain conditions.
  • The right to data portability: You can request that we transfer your data to another organization, or to you, under certain conditions.
  • The right to object: You can object to the processing of your personal data, under certain conditions.
  • Rights in relation to automated decision making and profiling: We do not engage in automated decision making or profiling.

To exercise any of these rights, please contact us using the details below. We will respond to your request within one month, as required by GDPR.

8. Cookies and Website Analytics

Vercel Web Analytics is used to gather anonymous information about visitor behaviour and site usage to improve our services and user experience. Vercel Web Analytics does not use third-party cookies to track individuals across different websites. Instead, it identifies unique visitor sessions using a temporary hash generated from the incoming request, which is discarded after 24 hours.

The data collected by Vercel Web Analytics is aggregated and includes information such as pages visited, referrer, general geolocation (city/country), device type, OS, and browser. We configure Vercel Web Analytics to avoid collecting Personally Identifiable Information (PII) within URLs or custom events. You are responsible for ensuring that any information you might provide in URLs (e.g., by clicking on a specifically crafted link) does not contain PII you do not wish to be processed in this way.

This website may also use essential cookies required for its basic functionality. You can usually control cookies through your browser settings. For general information about cookies, visit aboutcookies.org or the Information Commissioner's Office (ICO) website.

9. Changes to This Privacy Policy

This privacy policy may be updated from time to time. Any changes will be posted on this page with an updated revision date. You are encouraged to review this policy periodically.

10. How to Contact Us / Complaints

If you have any questions about this privacy policy or our data protection practices, or if you wish to exercise any of your rights, please contact:

Joyce Speed (Data Controller)

Trinity CBT Suffolk

Email: info@trinitycbtsuffolk.com

Phone: 07594 610880

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. Their website is ico.org.uk.