Privacy Policy


1. INTRODUCTION

Profound Psychology Limited (“the Practice”) is committed to protecting your personal data and respecting your privacy.

This Privacy Statement explains how we collect, use, store, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. DATA CONTROLLER AND JOINT CONTROLLERS

Profound Psychology Ltd is the primary Data Controller responsible for determining how and why your personal data is processed in the delivery of psychological services.

In certain circumstances, Clinicians working with the Practice, including self-employed associate clinicians, will act as Joint Data Controllers. This means that both the Practice and the Clinician may independently determine aspects of how your personal data is processed in the context of providing clinical care.

Where joint controller arrangements apply, both the Practice and the Clinician are responsible for ensuring that your personal data is handled lawfully, fairly, and securely in accordance with applicable data protection legislation. A joint controller arrangement is in place to define respective responsibilities.

If you have any questions about how your data is managed, you are encouraged to contact the Practice in the first instance, who will coordinate an appropriate response.

3. TYPES OF DATA WE COLLECT

We may collect and process a range of personal data in order to deliver safe and effective psychological services.

This includes personal data such as your name, address, date of birth, contact details, and information about your GP or other professionals involved in your care.

We also process special category (health) data, which may include medical and mental health information, psychological assessments and reports, neurodevelopmental history, and relevant educational or employment information.

In addition, we process administrative and financial data, including appointment records, correspondence, and payment or invoicing information.

4. PURPOSE OF PROCESSING

Your data is processed for the purposes of delivering psychological services, including assessment, therapy, consultation, and report writing.

We also use your data to communicate with you and, where appropriate, with other professionals involved in your care, to manage appointments and administrative processes, and to meet our legal, regulatory, and safeguarding obligations.

5. LEGAL BASIS FOR PROCESSING

The Practice processes personal data in accordance with the lawful bases set out in the UK General Data Protection Regulation (UK GDPR). The specific lawful basis relied upon will depend on the nature of the data and the purpose of processing.

5.1 Personal Data

Personal data is processed under the following lawful bases:

  • Article 6(1)(b) – Contract
    Processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract. This includes delivering psychological services, managing appointments, and communicating with you.

  • Article 6(1)(c) – Legal obligation
    Processing is necessary for compliance with legal and regulatory obligations, including safeguarding responsibilities, record-keeping requirements, and responding to lawful requests from authorities.

  • Article 6(1)(f) – Legitimate interests
    Processing is necessary for the legitimate interests of the Practice in operating and managing services, including administrative functions, quality assurance, and service improvement, provided these interests are not overridden by your rights and freedoms.

5.2 Special Category Data (Health Data)

Special category data, including health information, is processed under the following conditions:

  • Article 9(2)(h) – Provision of health or social care
    Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, and the provision of health or social care or treatment. This is the primary legal basis for processing clinical information within the Practice.

  • Article 9(2)(a) – Explicit consent
    In certain circumstances, explicit consent will be obtained, for example when sharing reports or information with third parties such as schools, GPs, or other professionals, where this is not otherwise covered by legal or clinical obligations.

5.3 Important Note on Consent

Where consent is relied upon, it may be withdrawn at any time. However, most processing of health data within the Practice is carried out under Article 9(2)(h) (provision of healthcare), meaning that consent is not the primary legal basis for core clinical work.

6. SHARING YOUR DATA

The Practice may share your personal data with a range of individuals and organisations where this is necessary for the safe and effective delivery of services.

This includes sharing information with Clinicians working on behalf of the Practice, including associate clinicians, who may act as Joint Data Controllers in the provision of your care.

Your data may also be shared with third-party organisations that provide services to the Practice, such as secure practice management systems, communication platforms, and cloud-based storage providers. These organisations act as Data Processors, meaning they process your data strictly on behalf of the Practice and in accordance with contractual agreements that ensure appropriate security, confidentiality, and compliance with data protection law.

Where appropriate, and usually with your consent, information may also be shared with other professionals involved in your care, such as GPs, schools, or other healthcare providers.

In addition, the Practice may share information where required to do so by law, or where it is necessary to protect your safety or the safety of others, including in safeguarding situations.

In all circumstances, the Practice will ensure that only the minimum necessary information is shared and that this is done in a lawful, proportionate, and secure manner.

7. CONFIDENTIALITY

Your information will be treated as confidential.

However, confidentiality may be breached where there is a risk of serious harm to you or others, where safeguarding concerns arise, where disclosure is required by law (for example, by court order), or where disclosure is otherwise considered to be in the public interest.

8. DATA STORAGE AND SECURITY

We take appropriate technical and organisational measures to ensure your data is secure.

This includes the use of secure electronic record systems, password-protected files and devices, and restricting access to authorised personnel only.

9. DATA RETENTION

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including clinical, legal, and regulatory requirements.

For adults, records are typically retained for 7 years following the end of contact. For children, records are typically retained until the age of 25, or longer where required.

Records may be retained beyond these timeframes where there is a clinical, legal, or safeguarding justification.

10. INTERNATIONAL DATA TRANSFERS

We do not routinely transfer personal data outside the UK.

Where it is necessary to do so (for example, through the use of secure cloud-based systems), appropriate safeguards will be in place to ensure that your data is protected in accordance with UK GDPR.

11. YOUR RIGHTS

Under the UK General Data Protection Regulation (UK GDPR), you have a number of rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions or exemptions, particularly where data is processed for healthcare purposes.

You have the following rights:

Right of access
You have the right to request access to the personal data we hold about you. This is commonly known as a Subject Access Request (SAR).

Right to rectification
You have the right to request that inaccurate or incomplete personal data is corrected or updated.

Right to erasure
You have the right to request that your personal data is deleted. This right applies in certain circumstances and may be limited where we are required to retain data for legal, regulatory, or clinical reasons.

Right to restrict processing
You have the right to request that we limit the way your personal data is used in certain situations, for example while accuracy is being verified.

Right to data portability
Where processing is based on consent or contract and carried out by automated means, you have the right to request that your data is provided to you, or transferred to another provider, in a structured, commonly used, and machine-readable format.

Right to object
You have the right to object to the processing of your personal data where it is based on legitimate interests. We will consider your request and stop processing unless we have compelling legitimate grounds to continue.

Rights in relation to automated decision-making and profiling
You have the right not to be subject to decisions based solely on automated processing that significantly affect you. The Practice does not routinely carry out automated decision-making.

Requests relating to your rights can be made by contacting the Practice using the details provided below. We will respond within the timeframes set out under UK GDPR (usually within one month), although this may be extended where requests are complex.

12. WITHDRAWAL OF CONSENT

Where processing is based on consent, you have the right to withdraw your consent at any time.

Please note that withdrawing consent may affect the Practice’s ability to provide services.

13. COMPLAINTS

If you are unhappy with how your personal data has been handled, you are encouraged to contact the Practice in the first instance so that we have the opportunity to investigate and resolve your concerns promptly and appropriately.

If, following this, you remain dissatisfied with the outcome, you have the right to raise your concerns with the Information Commissioner’s Office (ICO), which is the UK’s independent authority for data protection.

The ICO can be contacted via their website: www.ico.org.uk

14. CHANGES TO THIS POLICY

This Privacy Statement may be updated from time to time.

The most current version will always be available on our website.

15. CONTACT

If you have any questions about this Privacy Statement or how your data is handled, please contact:

Profound Psychology Limited

Trading Address:

Cromwell House, Crusader Road

Off Tritton Road

Lincoln, Lincolnshire

LN6 7YT

Registered Office:

C/O Sothertons Limited

The Business Terrace, Maidstone House

King Street

Maidstone, Kent

England

ME15 6AW

Email: info@profoundpsychology.co.uk

16. WEBSITE USE OF DATA

When you visit the Practice’s website (www.profoundpsychology.co.uk), we may collect certain information about you either automatically through the use of cookies and similar technologies, or where you provide information directly.

Website Enquiries

If you contact the Practice via the website (for example, through a contact form or email link), we will collect the personal information you provide, such as your name, contact details, and the nature of your enquiry. This information will be used to respond to your enquiry and, where appropriate, to take steps towards providing services.

Cookies and Similar Technologies

The website uses cookies and similar technologies to ensure the site functions effectively and to improve user experience.

Cookies are small text files stored on your device when you visit a website. These may include:

  • Strictly necessary cookies – required for the operation and security of the website

  • Performance and analytics cookies – used to understand how visitors use the website and to improve functionality

  • Functionality cookies – used to remember your preferences

Where non-essential cookies (such as analytics cookies) are used, these will only be placed on your device with your consent, obtained via the website’s cookie banner or settings.

You can manage or withdraw your consent for cookies at any time through your browser settings or via the website’s cookie controls.

Analytics

The website may use analytics tools (such as Google Analytics or similar services) to collect information about how the website is used. This may include information such as pages visited, time spent on pages, and general usage patterns.

Where such tools are used, we take steps to minimise the amount of personal data collected (for example, through IP anonymisation where available).

Lawful Basis

Personal data collected through the website is processed on the following lawful bases:

  • Article 6(1)(f) – Legitimate interests, for managing enquiries and improving website performance

  • Article 6(1)(b) – Contract, where enquiries lead to the provision of services

  • Article 6(1)(a) – Consent, where required for non-essential cookies and similar technologies

Data Sharing

Data collected via the website may be processed by third-party providers who support website functionality, hosting, analytics, and communications. These providers act as Data Processors and process data on our behalf in accordance with contractual agreements.

Data Security

Any information submitted via the website is handled securely and in accordance with this Privacy Statement.