Privacy Policy for HER Hypnotherapy
Harriet Roberts trading as HER Hypnotherapy
Last updated: 27 April 2026
This Privacy Notice explains how Harriet Roberts trading as HER Hypnotherapy collects, uses, stores, and protects your personal data in accordance with the UK GDPR, the Data Protection Act 2018, and current guidance from the Information Commissioner’s Office (ICO).
⸻
1. Who We Are
Data Controller: Harriet Roberts trading as HER Hypnotherapy
Business address: Wits End, Marley Lane, Haslemere, West Sussex, GU27 3RG
Email: harriet@herhypnotherapy.co.uk
Phone: 07947 304717
As a sole trader hypnotherapist, I am the data controller responsible for your personal data.
⸻
2. The Information I Collect
I may collect the following personal data:
• full name
• address
• telephone number
• email address
• date of birth
• emergency contact details
• GP details (where relevant)
• medical history
• mental and emotional wellbeing information
• presenting issues and therapy goals
• session notes and progress records
• appointment history
• payment and invoice records
• communications by email, phone, or text
For hypnotherapy services, this may include special category data, particularly information concerning your physical or mental health. 
⸻
3. Why I Collect Your Information
Your information is collected to:
• assess whether hypnotherapy is suitable for you
• provide safe and effective treatment
• keep accurate clinical records
• monitor progress
• arrange appointments
• process payments
• comply with legal, insurance, and professional obligations
• manage complaints and data protection concerns
⸻
4. Lawful Basis for Processing
I process your personal data under:
Article 6 UK GDPR
• contract – to provide the therapy service you request
• legal obligation – tax, insurance, and record keeping
• legitimate interests – safe professional practice and administration
Article 9 UK GDPR (Special Category Data)
Because health and emotional wellbeing information is collected, I also rely on:
• explicit consent
• provision of health / therapeutic care, where applicable
Processing of special category data is prohibited unless a valid Article 9 condition applies.
⸻
5. Consent for Therapy Records
By engaging in hypnotherapy services, you consent to the recording and secure storage of therapy-related information necessary for your care.
This includes:
• health history
• therapeutic goals
• session notes
• progress observations
• relevant safeguarding concerns
You may withdraw consent for optional processing at any time, although this may affect my ability to continue treatment safely.
⸻
6. How Your Data Is Stored
Your data may be stored:
• in secure password-protected digital files
• in encrypted cloud storage
• in secure booking or practice management software
• on password-protected phone and computer devices
• in locked paper records where used
I take appropriate technical and organisational steps to protect digital records from misuse, unauthorised access, accidental loss, or disclosure.
This is particularly important for therapy notes and health-related data. 
⸻
7. Confidentiality and When Information May Be Shared
All therapy sessions are confidential.
Your information will not be shared without your consent unless I am legally or ethically required to do so, including where there is:
• risk of serious harm to yourself
• risk of harm to another person
• safeguarding concerns involving children or vulnerable adults
• legal requirement or court order
• professional supervision (anonymised where possible)
If I work with a clinical supervisor, information shared for supervision purposes will be minimised and anonymised where possible.
⸻
8. How Long I Keep Records
Hypnotherapy client records and session notes are typically retained for 7 years after the final session.
For clients under 18, records may be kept until age 25.
Financial records are kept for 6 years for HMRC purposes.
Retention periods should also reflect insurer or professional body requirements.
⸻
9. Complaints About Misuse of Personal Data
If you have concerns about how your personal data has been collected, used, stored, or handled digitally, you have the right to make a complaint directly to me.
This includes concerns regarding:
• therapy notes
• health information
• email communications
• booking systems
• cloud-stored records
• accidental disclosure
• unauthorised access
Complaints should be submitted to:
[Email Address]
Please include:
• your full name
• details of the issue
• relevant dates
• information involved
• supporting evidence
I will acknowledge and investigate complaints promptly and respond in writing within 30 days.
This section is designed to align with the updated ICO complaints handling expectations. 
⸻
10. Data Breaches
If your personal data is lost, accessed improperly, or disclosed in error, please contact me immediately.
Where required by law, any reportable breach involving personal or health-related data will be notified to the ICO without undue delay.
⸻
11. Your Rights
You have the right to:
• request access to your records
• request correction
• request erasure where lawful
• restrict processing
• object to processing
• withdraw consent
• complain to the ICO
⸻
12. ICO Complaint Rights
If you are unhappy with how I deal with your personal data, you may complain to the Information Commissioner’s Office (ICO). The ICO normally expects you to contact me first.