Privacy Policy

1. Who We Are

Thank you for visiting our website. At The Clinical Psychology Group (‘TCPG’, ‘we’, ‘us’, ‘our’) we take your privacy seriously. We are committed to protecting your personal information and handling it responsibly while you use our website and services.

TCPG is the data controller responsible for your personal data. We are registered with the Health and Care Professions Council (HCPC).

Contact us: info@theclinpsychgroup.com  |  theclinpsychgroup.com

If you have a concern about how we handle your data, please contact us in the first instance. You also have the right to complain to the Information Commissioner’s Office (ICO): ico.org.uk  |  0303 123 1113.

2. What Data We Collect

We may collect, use, store, and share the following types of personal data:

• Identity details — name, date of birth, gender, title
• Contact details — email address, telephone number, postal address
• Technical information — IP address, browser type and version, device information, time zone, pages visited
• Usage information — how you navigate and interact with our website
• Financial information — payment details where you purchase services or digital products
• Communications — enquiries, emails, or messages you send us
• Marketing preferences — your choices about receiving communications from us
• Special category health data — information about your existing or previous physical or mental health conditions, psychiatric history, medication, and other relevant health information needed to provide our services. We do not collect other special category data (such as race, religion, sexual orientation, or biometric data) unless you choose to share it with us in the context of your care.

3. How We Collect Your Data

We collect personal data in the following ways:

• When you submit an enquiry via our website contact form
• When you book an appointment through our online booking system (SelectandBook)
• When you subscribe to our newsletter (via Mailchimp)
• When you purchase a digital product (via Payhip)
• When you contact us by email, telephone, or post
• During client onboarding and the provision of our services
• Automatically, via cookies and analytics tools when you visit our website (see our Cookie Policy)

We may also receive technical data from analytics providers (such as Google Analytics via Squarespace) and from third-party platforms where you interact with our content (such as Facebook or LinkedIn).

If you contact us with an initial enquiry and do not proceed to become a client, we will delete your personal information after four weeks. If you confirm within that period that you do not wish to pursue a service, we will delete it immediately.

4. How We Use Your Data

We use your personal data for the following purposes:

• To register you as a new client and deliver our psychological services
• To manage appointments, payments, and billing
• To communicate with you about your care, changes to our services, or this policy
• To fulfil our professional obligations as HCPC-registered psychologists, including supervision and safeguarding
• To send you marketing communications (newsletter, resources) where you have opted in or where we have a legitimate interest in doing so
• To administer and improve our website and services, including analytics
• To comply with legal and regulatory obligations

5. Lawful Basis for Processing

We rely on the following lawful bases under UK GDPR:

• Performance of a contract (Article 6(1)(b)): to register you as a client, manage appointments, and deliver our services.
• Legitimate interests (Article 6(1)(f)): for clinical record-keeping, professional supervision, safeguarding, website analytics, marketing to existing contacts, and AI-assisted transcription (see Section 7). We carry out a balancing test for each use to ensure our interests do not override yours.
• Legal obligation (Article 6(1)(c)): where we are required by law to process or share your data.
• Consent (Article 6(1)(a)): for newsletter sign-up, optional use of anonymised case material for training, and any other processing where we ask for your specific agreement.

For special category health data, we additionally rely on Article 9(2)(h) (health or social care purposes) and, where applicable, Article 9(2)(a) (explicit consent).

You have the right to object to processing based on legitimate interests at any time. Please contact us at info@theclinpsychgroup.com.

6. Marketing

We may send you information about our services, resources, and updates by email where you have subscribed to our newsletter or where we have a legitimate interest in doing so as an existing or prospective client. You can unsubscribe at any time by clicking the ‘unsubscribe’ link in any email or by contacting us directly. We will never sell your contact details to third parties.

7. Use of AI (Heidi)

To support accurate and efficient clinical record-keeping, we use a secure AI transcription tool called Heidi, which converts spoken words into text to create session summaries. Heidi does not make clinical decisions or interpretations. Your data is not used to train AI systems. Data is encrypted and accessible only to your clinician.

Our lawful basis for this processing is legitimate interests (Article 6(1)(f) UK GDPR). We have assessed that accurate record-keeping is a proportionate professional purpose that does not override your rights and interests, particularly given the security measures in place.

You will always be informed when Heidi is in use. You have the right to request manual note-taking at any time. This will not affect your access to our services. You may also object to this processing at any time (see Section 11).

We do not use automated decision-making or profiling that produces significant effects for you.

8. Cookies

Our website uses cookies to help it function and to understand how it is used. Some cookies are essential; others support analytics and improved functionality. For full details of the cookies we use, how long they last, and how to manage your preferences, please read our Cookie Policy.

9. Who We Share Your Data With

We only share your personal data where necessary. Recipients may include:

• Clinical supervisors — as required by our professional registration with the HCPC; clients are referred to by first name only and identifiable information is minimised
• Other health professionals — with your consent, for referrals or continuity of care (for example, your GP or a specialist)
• Technology providers — who support our website and practice systems (Squarespace, SelectandBook, Mailchimp, Payhip, Heidi, WriteUpp); all operate under data processing agreements and are required to protect your data
• Professional advisers — lawyers, accountants, and insurers where necessary for our business operations
• Regulatory bodies and authorities — the HCPC, ICO, HMRC, or courts where we are legally required to share information
• Safeguarding — where we believe you or someone else is at risk of harm, we may share information without your consent as required by law

We do not share your data with third parties for marketing purposes. We do not share your data with AI providers beyond the specific purpose described in Section 7.

All third-party recipients are required to respect the security of your data and process it only in accordance with our instructions.

10. International Transfers

Some of our third-party service providers may operate outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements or adequacy decisions, so your data receives the same level of protection as within the UK.

11. Data Retention

• Adult clients: clinical records are retained for 7 years following the end of service (BPS guidelines).
• Children and young people: records are retained until the young person’s 25th birthday, or 26th birthday if they were aged 17 at the conclusion of treatment (NHS/BPS guidance).
• Enquiries that do not proceed to a service: deleted after four weeks.
• Financial records: retained for 6 years after the end of the client relationship for tax and accounting purposes.
• Website analytics data: retained in accordance with the settings of the relevant analytics provider (typically up to 2 years).

After the applicable retention period, all data is securely deleted or anonymised.

12. Your Rights

Under UK GDPR you have the following rights in relation to your personal data:

• Right of access — to request a copy of the data we hold about you (a Subject Access Request).
• Right to rectification — to ask us to correct inaccurate or incomplete information.
• Right to erasure — to request deletion of your data in certain circumstances (note that legal or professional retention obligations may apply).
• Right to restrict processing — to ask us to limit how we use your data.
• Right to object — to object to processing based on legitimate interests, including the use of Heidi. We will cease that processing unless we have compelling legitimate grounds that override your interests.
• Right to data portability — to receive your data in a structured, commonly used format.
• Right to withdraw consent — where we rely on consent, you may withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, email us at info@theclinpsychgroup.com with the subject line “Data Rights Request”. We will respond within 30 days. We will not charge a fee unless your request is manifestly unfounded or excessive.

13. Children’s Data

We provide services to children and young people. We are committed to protecting their privacy in line with the Age-Appropriate Design Code and the Data (Use and Access) Act 2025. Where a child is under 16, we require parental or guardian consent for data processing unless the child demonstrates sufficient competence to consent independently (Gillick competence). Parental access to a child’s records may be withheld where it could cause harm to the child or others.

If you are a parent or carer with a query about how we handle your child’s data, please contact us at info@theclinpsychgroup.com.

14. Data Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encrypted storage, password protection, restricted access, and secure electronic communication. In the event of a personal data breach, we will notify the ICO within 72 hours where required and will inform affected individuals where the breach poses a high risk to their rights and freedoms.

15. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to read the privacy policy of any website you visit.

16. Changes to This Policy

We review this Privacy Policy regularly and update it when our practices change or when required by law. The date at the top of this page indicates when it was last updated. We encourage you to check back periodically.