Privacy Policy
Privacy Notice
I, Parminder Sandhu, a sole trader psychotherapist, am committed to protecting your privacy and handling your personal data securely in accordance with UK GDPR and the Data Protection Act 2018. This privacy notice explains how I collect, use, store, and protect your information when you contact me, enquire about services, or engage in psychotherapy sessions, whether in-person or online from anywhere in the world. I am registered with the Information Commissioner's Office (ICO) under registration number ZA870552.
What information I collect
To safely and appropriately provide therapy (with your agreement), I collect and keep the following personal data, which I limit to a minimum:
- Contact details (name, address, email, phone number, date of birth).
- GP name and address, emergency contacts.
- Health information (mental health history, presenting issues, current medications, details of current health professionals, relevant test results, family history without names other than yours).
- Brief anonymised session notes (e.g., initials, dates, key decisions) for therapy outcomes.
- Communication records (emails, messages, appointment details).
- Third-party referral or self-referral data.
This includes special category data (health-related) shared during therapy.
How I use your data
I process your data to:
- Assess suitability and deliver therapy sessions (including online).
- Manage bookings, payments, and administration.
- Contact you in emergencies, follow-ups, surveys, or to resolve account issues (via email, phone, text, or post).
- Comply with professional obligations (e.g., supervision, complaints).
For international clients, I adhere to UK law and note there are relevant local laws where you are located.
Lawful basis for processing
- Contract: To provide and administer therapy.
- Legitimate interests: Record-keeping, billing, service improvement, and website analytics (with privacy impact assessments).
- Explicit consent: For special category health data and marketing (which you can withdraw).
I obtain explicit consent via intake forms before starting therapy.
Sharing your data (confidentiality)
Psychotherapy is a confidential process. I do not reveal identifiable personal data or session content to third parties without your express permission. Exceptions:
- If you threaten your own life, another's life, or pose a safeguarding risk.
- Involvement in crime outside confidentiality boundaries.
- With supervisors/professional bodies (anonymised where possible) or as required by law.
Supervisors follow the same confidentiality controls.
Where and how I store your data (security)
- Paper documents: Locked filing cabinet.
- Digital/third-party referral data: Password-protected devices, encrypted storage, secure platforms.
- After initial booking and Therapy Agreement, other documentation uses anonymised details or initials only.
- Online platforms (e.g., secure video tools) are GDPR-compliant; I avoid unencrypted email for sensitive info.
For clients outside UK/EEA, data transfers use compliant tools.
Website tools and providers
- Visitor Analytics/Recordings: Pseudonymised stats on visits, device, location, behaviour (no cookies, fingerprinting tech). Used to improve site usability; not to identify individuals.
- Wix.com: Hosts site; stores data securely behind firewalls. Payments via PCI-DSS compliant gateways (Visa etc.).
Use of Artificial Intelligence (AI) and Automated Processing
To enhance the quality of your care and maintain efficient clinical records, I may use a secure, professional AI-integrated platform. You are automatically opted out of AI use in your therapy; AI is only used with your express permission.
- Purpose: I use specialised AI "agents" to assist with drafting session notes, analysing therapeutic themes, and managing practice logistics.
- Human Oversight: The AI acts as a digital assistant only. It does not make independent clinical diagnoses or treatment decisions. I personally review, edit, and approve every AI-generated note before it becomes part of your record.
- Data Security & Processing: Your session data is processed in secure, encrypted data centres. To protect your identity, I use an AI ethics agent in addition to my own checks to pseudonymise or strip personally identifiable information (PII) before it is processed and saved.
Your Rights: The use of AI is entirely optional. You have the right to opt out of AI-assisted note-taking at any time without any impact on your therapy.
Data retention
I retain all records for a minimum of 7 years after therapy ends (or longer if legally required, e.g., complaints/litigation), then shred paper or securely delete digital files. These are not medical or public records.
Data breaches
In a breach risking your rights, I notify you and the ICO within 72 hours.
Your rights (Subject Access Requests)
Under UK GDPR, you have rights to: access, rectification, erasure (before 7 years, considered individually after insurer/professional body consultation), restriction, portability, objection. Submit requests in writing to parm.therapy@gmail.com. I do not provide court reports or act as a witness unless legally required. Complain to me first, then ICO (ico.org.uk) or UKCP (Reg# 2011166462).
Complaints and jurisdiction
This policy, website, and services are governed by English law. Users submit to the exclusive jurisdiction of England and Wales courts. All notices/communications in English. Contact parm.therapy@gmail.com with questions or complaints.
Updates
I may modify this policy; changes take effect on posting. Material updates will be notified here. Please review this page frequently.
Last updated: January 2026. Contact: parm.therapy@gmail.com.