Healing Attachment (“I”, “me”, “my”) is a therapy practice operated by Katherine Richmond, based in Horsforth, Leeds. This Privacy Policy explains how I collect, use, and protect the personal information you share with me through this website and when enquiring about or attending therapy.
I am registered as a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who I am
Data controller: Katherine Richmond, trading as Healing Attachment
Address: [PRACTICE ADDRESS], Horsforth, Leeds
Email: [CONTACT EMAIL]
2. What information I collect
Through the website enquiry form:
- Your name
- Your email address
- Your phone number (if provided)
- The content of your message
If you become a client, I also hold:
- Contact details and emergency contact
- GP details (recommended but optional)
- Relevant personal, medical, and therapeutic history that you choose to share
- Session notes, held securely in line with NCPS ethical guidance
- Payment records (I do not store card details; payments are processed by [PAYMENT PROVIDER])
Website analytics: This site uses [privacy-focused analytics / no analytics — TBC] to understand how visitors use the site. No personally identifiable information is collected through analytics.
3. Why I collect this information (lawful basis)
- To respond to your enquiry — lawful basis: legitimate interest and, where you have submitted the form, consent.
- To provide therapy, if you become a client — lawful basis: contract (the therapy agreement) and, for special category data such as health information, explicit consent and the provision of health or social care.
- To meet professional and legal obligations — lawful basis: legal obligation (e.g. safeguarding duties, tax records).
4. How long I keep your information
- Enquiries that do not become clients: deleted within 12 months.
- Client records: retained for 7 years after the end of therapy, in line with NCPS and professional insurance guidance. Records for clients under 18 are retained until the client’s 25th birthday, or longer if the work continued past that date.
5. Who I share your information with
I do not sell, rent, or share your information with third parties for marketing purposes. I only share information where:
- You have given me explicit consent.
- There is a serious and imminent risk to your safety or the safety of others (safeguarding).
- I am required to do so by law (e.g. court order).
- It is necessary for supervision, in which case your identity is anonymised.
Essential service providers who process data on my behalf include:
- Website hosting: [e.g. Vercel]
- Email: [e.g. Google Workspace / Fastmail]
- Payment processing: [e.g. Stripe]
- Professional supervision: [supervisor name or “a qualified clinical supervisor”]
All providers are bound by data processing agreements and UK/EU-appropriate safeguards.
6. Your rights
Under UK GDPR you have the right to:
- Access the information I hold about you
- Correct inaccurate information
- Request deletion of your information (subject to legal and professional retention requirements)
- Restrict or object to certain processing
- Withdraw consent at any time
- Complain to the Information Commissioner’s Office (ico.org.uk)
To exercise any of these rights, email me at [CONTACT EMAIL]. I aim to respond within 30 days.
7. Security
Your information is stored securely with encryption at rest and in transit. Paper notes (if any) are kept in a locked filing system. Digital records are held on password-protected, encrypted devices and cloud services with two-factor authentication enabled.
8. Children
This website and practice are intended for adults (18+). I do not knowingly collect information from children through this website.
9. Changes to this policy
I may update this policy from time to time. The “Last updated” date at the top of this page will reflect any changes. Material changes will be communicated to current clients directly.
10. Contact
Questions about this policy or how I handle your data:
Email: [CONTACT EMAIL]