Philos Psychology Ltd: Privacy Policy

This privacy policy explains how Philos Psychology Ltd collects, uses, stores, and protects your personal data when you use our website and services. Please read it alongside any other privacy notices we provide. 

Who is responsible for your data?

The data controller is Philos Psychology Ltd.

Email: helen@philospsychology.co.uk

Website: www.philospsychology.co.uk

 

Not happy with something?

We take your privacy seriously and are committed to handling your personal data with transparency and care. If you have concerns about how your data is used, please get in touch and we will do our best to resolve things promptly.

 

Step 1: Email us at helen@philospsychology.co.uk with a brief description of your concern. You do not need to use legal language — just tell us what is worrying you.

Step 2: We will acknowledge your message and respond without undue delay, usually within 10 working days.

Step 3: If you are not satisfied with our response, you can escalate your concern to the Information Commissioner's Office (ICO) at www.ico.org.uk.

 

What personal data do we collect?

'Personal data' is information that identifies you. We may collect, use, store, and share the following types of personal data:

•       Identity details such as your first and last name, title, date of birth, and gender.

•       Contact details such as your email address, telephone number, and billing address.

•       Technical information such as your IP address, browser type and version, and device information collected when you use our website.

•       Financial information such as payment card details, processed securely via our payment provider.

•       Transaction details including records of payments made to us and services purchased.

•       Usage information about how you interact with our website.

•       Marketing preferences including whether you have opted in to receive communications from us.

•       Special Category Data: This includes information about your physical and mental health, medication, and psychiatric history, which we need in order to provide our services. Where you have given explicit consent, this also includes audio and/or video recordings of EMDR therapy sessions processed solely for clinical supervision purposes.

 

We do not collect information about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, genetic or biometric data, or criminal convictions and offences.

 

We require your specific consent to process Special Category Data. When you submit your details, we will ask you to confirm your consent to this.

 

How do we collect your data?

Most of the information we hold is collected directly from you in the following ways:

•       When you enquire about or apply for our services.

•       When you complete new client onboarding forms.

•       When you complete any forms before or during an appointment.

•       Verbally during discussions and therapy sessions.

•       Via audio and/or video recording of therapy sessions, where you have given explicit prior consent for clinical supervision purposes.

•       Through correspondence with us by post, phone, email, or otherwise.

•       When you subscribe to our newsletter or request marketing communications.

 

We may also collect limited technical data automatically through our website, including through Google Analytics, which helps us understand how visitors use our site. Please refer to our Cookie Policy for more information.

 

What do we use your data for?

•       To register you as a new client and provide our services.

•       To process payments and manage any outstanding fees.

•       To manage our relationship with you, including notifying you of changes to our terms or privacy policy.

•       To send you relevant marketing communications about our services, where you have opted in.

•       To administer and maintain our practice and website.

•       To improve our website and services using aggregated, anonymised analytics data.

 

We rely on one or more of the following lawful bases to process your data: fulfilment of our contract with you; our legitimate interests; or compliance with a legal obligation. For Special Category Data, we rely on your explicit consent.

 

Legitimate interests

In some circumstances we process your personal data under 'legitimate interests'. This means we use your data in ways that support important organisational aims while respecting your rights. Examples include preventing fraud or misuse of our services, supporting safeguarding and professional standards, and responding to safeguarding concerns. We carry out a balancing test to ensure our interests do not override yours, and you have the right to object to this type of processing at any time.

 

Do we use cookies?

Our website uses cookies to improve your browsing experience and distinguish you from other users. Please refer to our Cookie Policy for further information.

 

AI tools

We use AI tools to support the provision of our services, including clinical note-taking and document generation. Any AI tools we use are operated in compliance with applicable data protection law, including the UK General Data Protection Regulation (UK GDPR).

 

When using AI tools, we ensure:

•       Personal data is processed lawfully, fairly, and transparently.

•       Data minimisation principles are applied — we provide AI tools only with the information strictly necessary for the intended purpose.

•       Robust security measures are in place to protect your personal data.

•       Personal data is retained only for as long as necessary and is securely deleted or anonymised thereafter.

 

The AI tools we currently use are set out below:

AI Tool: Heidi AI

Purpose: Clinical note-taking and document generation

Types of Data Used: Session content, clinical notes, name

Legal Basis: Legitimate interest / consent

Marketing

If you have opted in to receive marketing communications and no longer wish to do so, you can unsubscribe at any time by contacting us or clicking the unsubscribe link in any marketing email. Our lawful basis for sending marketing communications is your consent.

 

Third-party links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to read their privacy policies when you leave our website.

 

Who do we share your data with?

We only share your personal data where necessary and with parties who are required to handle it securely and in accordance with our instructions. This may include:

•       IT and system administration service providers acting as data processors.

•       Professional advisers including insurers, accountants, and legal advisers.

•       Our EMDR clinical supervisor, for the purpose of clinical supervision. We refer to clients by first name only and minimise identifying information. Where you have given explicit consent, recordings of EMDR sessions may be shared with our supervisor via encrypted transfer and are accessible only to the therapist and supervisor.

•       Your GP or other health and social care professionals, where relevant and with your prior consent. Where there is a risk of harm to you or another person, we may be required to share information without your consent in order to protect safety.

•       Other healthcare professionals, where you are referred for specialist care or assessment, to ensure continuity of treatment.

•       HM Revenue and Customs, regulators, and other authorities where legally required.

•       Debt collection agencies in the event that payment is not received for services rendered.

•       Courts, legal representatives, or other relevant authorities for medico-legal purposes, where required by law or to protect vital interests.

 

International data transfers

We do not transfer your personal data outside the United Kingdom.

 

How do we keep your data secure?

We have appropriate security measures in place to protect your personal data from unauthorised access, loss, or misuse. Access to your data is restricted to authorised individuals who need it to carry out their responsibilities. In the event of a personal data breach, we have procedures in place to notify you and any applicable regulator where we are legally required to do so.

 

How long do we keep your data?

We retain your data only for as long as necessary for the purposes for which it was collected.

 

Clinical records: We are required by law to retain medical records for seven years after treatment ends.

 

EMDR session recordings: Where you have consented to recording of EMDR sessions for clinical supervision purposes, recordings are securely deleted within seven days of our EMDR supervisor viewing them. They are not used for any other purpose.

 

Discovery calls and initial consultations:

•       Where no clinical judgement was formed and you do not proceed as a client, basic contact details (name, email, telephone number) will be securely deleted within one month of the call.

•       Where a clinical assessment, safeguarding concern, or risk-related decision was made during the call, we will retain a brief record for seven years from the date of the call, in line with professional body guidance and good clinical governance.

 

Financial and transaction records: Basic client information, including contact, identity, financial, and transaction data, is retained for six years after the end of the client relationship for tax purposes.

 

Your rights

You have the following rights in relation to your personal data:

•       Access: You can request a copy of the personal data we hold about you (a Subject Access Request). Email us at helen@philospsychology.co.uk with the subject line 'DSAR Request'. We will respond within one calendar month.

•       Correction: You can ask us to correct inaccurate or incomplete data.

•       Erasure: You can ask us to delete your data, subject to any legal obligations we have to retain it.

•       Objection: You can object to certain types of processing, including processing based on legitimate interests.

•       Restriction: You can ask us to restrict the processing of your data in certain circumstances.

•       Portability: You can request that we transfer your data to you or to a third party in a structured, commonly used format.

•       Withdrawal of consent: Where we rely on your consent to process your data, you can withdraw it at any time. This will not affect the lawfulness of any processing carried out before withdrawal.

 

We do not charge for Subject Access Requests unless a request is clearly unfounded, repetitive, or excessive. We will notify you if this applies and explain our reasons.

 

If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner's Office at www.ico.org.uk.

 

Changes to this policy

We review this privacy policy periodically and will update it when our practices change. Please check back from time to time to ensure you are aware of the current version. If you have any questions, please contact us at helen@philospsychology.co.uk.