
Privacy Policy

Privacy Notice
I, Parminder Sandhu, a sole trader psychotherapist, am committed to protecting your privacy and handling your personal data securely in accordance with UK GDPR and the Data Protection Act 2018. This privacy notice explains how I collect, use, store, and protect your information when you contact me, enquire about services, or engage in psychotherapy sessions, whether in-person or online from anywhere in the world. I am registered with the Information Commissioner's Office (ICO) under registration number ZA870552.

 

What information I collect
To safely and appropriately provide therapy (with your agreement), I collect the following personal data and keep it to a minimum:

- Contact details (name, address, email, phone number, date of birth).  

- GP name and address, emergency contacts. 

- Health information (mental health history, presenting issues, current medications, details of current health professionals, relevant test results, family history without names other than yours). 

- Brief anonymised session notes (e.g., initials, dates, key decisions) for therapy outcomes.  

- Communication records (emails, messages, appointment details).  

- Third-party referral or self-referral data. 

This includes special category data (health-related) shared during therapy.

 

How I use your data
I process your data to:  

- Assess suitability and deliver therapy sessions (including online).  

- Manage bookings, payments, and administration. 

- Contact you in emergencies, follow-ups, surveys, or to resolve account issues (via email, phone, text, or post).  

- Comply with professional obligations (e.g., supervision, complaints).  

For international clients, I adhere to UK law and note there are relevant local laws where you are located.

 

Lawful basis for processing
- Contract: To provide and administer therapy.  

- Legitimate interests: Record-keeping, billing, service improvement, and website analytics (with privacy impact assessments).  

- Explicit consent: For special category health data and marketing (which you can withdraw).  

I obtain explicit consent via intake forms before starting therapy.

 

Sharing your data (confidentiality)
Psychotherapy is a confidential process. I do not reveal identifiable personal data or session content to third parties without your express permission. Exceptions:  

- If you threaten your own life, another's life, or pose a safeguarding risk.  

- Involvement in crime outside confidentiality boundaries.  

- With supervisors/professional bodies (anonymised where possible) or as required by law.  

Supervisors follow the same confidentiality controls.

 

Where and how I store your data (security)
- Paper documents: Locked filing cabinet.  

- Digital/third-party referral data: Password-protected devices, encrypted storage, secure platforms.  

- After initial booking and Therapy Agreement, other documentation uses anonymised details or initials only.  

- Online platforms (e.g., secure video tools) are GDPR-compliant; I avoid unencrypted email for sensitive info.  

For clients outside UK/EEA, data transfers use compliant tools.

 

Website tools and providers
- Visitor Analytics/Recordings: Pseudonymised stats on visits, device, location, behaviour (no cookies, fingerprinting tech). Used to improve site usability; not to identify individuals.  

- Wix.com: Hosts site; stores data securely behind firewalls. Payments via PCI-DSS compliant gateways (Visa etc.).

 

Data retention
I retain all records for a minimum of 7 years after therapy ends (or longer if legally required, e.g., complaints/litigation), then shred paper or securely delete digital files. These are not medical or public records.

 

Data breaches
In a breach risking your rights, I notify you and the ICO within 72 hours.

 

Your rights (Subject Access Requests)
Under UK GDPR, you have rights to: access, rectification, erasure (before 7 years, considered individually after insurer/professional body consultation), restriction, portability, objection. Submit requests in writing to parm.therapy@gmail.com. I do not provide court reports or act as a witness unless legally required. Complain to me first, then ICO (ico.org.uk) or UKCP (Reg# 2011166462).

 

Complaints and jurisdiction
This policy, website, and services are governed by English law. Users submit to the exclusive jurisdiction of England and Wales courts. All notices/communications in English. Contact parm.therapy@gmail.com with questions or complaints.

 

Updates
I may modify this policy; changes take effect on posting. Material updates notified here. Review frequently.

 


Last updated: January 2026. Contact: parm.therapy@gmail.com.
