Privacy Notice

Last updated: July 2026

Your Privacy Matters

Choosing a therapist is a personal decision, and trust is at the heart of that relationship. Alongside providing a safe and confidential space for therapy, I am committed to protecting your personal information and using it responsibly.

This Privacy Notice explains what information I collect, why I collect it, how I keep it safe, and your rights under UK data protection law.

I only collect the information I need to provide my services safely, ethically and professionally. Your personal information is treated with respect, kept confidential, and never sold or shared for marketing purposes.


Privacy at a Glance

  • I only collect information that helps me provide therapy safely and effectively.

  • Your personal information is stored securely and treated confidentially.

  • I only share information where I have your consent, where it is necessary for the safe delivery of therapy, or where I have a legal or professional obligation to do so.

  • As part of my professional practice, I attend regular clinical supervision. If aspects of my work are discussed, all identifying information is removed so that you cannot be identified.

  • You can ask to access, correct or update your personal information at any time.

  • You have the right to raise any concerns about how your information is used, and I will always do my best to resolve them promptly and fairly.


Who I Am

This Privacy Notice explains how Sarah Woodward Hypnotherapy collects, uses, stores and protects your personal information.

For the purposes of UK data protection law, I am the Data Controller responsible for the personal information you provide.

I provide hypnotherapy and solution focused therapeutic support to adults both online across the UK and in person from my therapy room in Edwinstowe, Nottinghamshire.

If you have any questions about this Privacy Notice or how your personal information is handled, you can contact me at:

Email: info@sarahwoodwardhypnotherapy.co.uk

I am committed to handling your personal information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and other applicable UK data protection legislation.

 

The Information I Collect

The information I collect depends on how you interact with my practice. I only ask for information that is relevant to providing my services safely, professionally and effectively.

If you contact me

If you get in touch by email, telephone or through the contact form on my website, I may collect:

  • Your name

  • Your email address

  • Your telephone number

  • Any information you choose to include in your message

I use this information to respond to your enquiry, answer your questions and, if appropriate, arrange an initial Connection Call or Foundation Session.


If you become a client

If we begin working together, I will collect information that helps me provide therapy safely and tailor sessions to your individual needs. This may include:

  • Your contact details

  • Your date of birth

  • Your emergency contact’s name and telephone number

  • The name of your GP practice

  • Information about your physical and mental health that is relevant to therapy

  • Current medications

  • Previous therapeutic support or treatment

  • Information about your sleep, wellbeing and lifestyle where relevant to your goals

  • Your therapy goals and the reasons you are seeking support

  • Session notes and records relating to our work together

Some of this information is classed as special category personal data under UK GDPR because it relates to your health. I only collect this information where it is necessary to provide therapy safely and professionally.


Payment Information

If you pay for sessions, I may collect information relating to your payment.

Payments may be made by bank transfer, Stripe or, for in-person sessions, SumUp card payments.

I do not store your full payment card details.


Newsletter Subscribers

If you choose to subscribe to my newsletter, I will collect your name (if provided) and email address through Mailchimp.

I will only send you the newsletters or updates you have requested, and you can unsubscribe at any time by clicking the unsubscribe link in any email or by contacting me directly.


Feedback and Testimonials

Towards the end of our work together, I may invite you to complete a feedback questionnaire. Providing feedback is entirely voluntary and helps me continue to improve the support I offer.

If you choose to give permission, your feedback may be used, either in full or in part, on my website or in other marketing materials. You can choose whether your feedback is published anonymously, using your first name only, or with your full name.

You can withdraw your consent for the future use of your testimonial at any time by contacting me.

How I Use Your Information

I use your personal information only where it is necessary to provide safe, ethical and effective therapeutic support.

Depending on how you interact with my services, I may use your information to:

  • Respond to your enquiries and arrange initial calls or appointments

  • Carry out an initial Connection Call and Foundation Session

  • Provide ongoing hypnotherapy or therapeutic support

  • Tailor sessions to your individual needs, goals and circumstances

  • Maintain accurate records of our work together

  • Communicate with you about appointments, session details or agreed follow-up information

  • Send relevant resources between sessions where this has been discussed and agreed

  • Contact you in relation to practical matters such as scheduling, location updates or unexpected disruptions (for example severe weather or changes affecting appointments)

  • Send a feedback request at the end of your therapeutic journey, where this has been agreed

If you choose to subscribe to my newsletter, I will also use your information to send occasional updates and blog posts.

I do not use your personal information for automated decision-making or profiling.

The Lawful Basis for Processing Your Information

Under UK data protection law, I must have a valid reason for collecting and using your personal information. This is known as a “lawful basis”.

Depending on the situation, I rely on the following lawful bases:

Contract

Most of the information I hold is processed because it is necessary to provide my therapeutic services to you.

This includes:

  • arranging and delivering sessions

  • maintaining therapy records

  • communicating with you about your appointments and ongoing support

  • providing agreed follow-up information or resources

Without this information, I would not be able to offer therapy effectively.


Legal obligation

In some cases, I am required by law to retain certain business records, such as invoices and payment records, for tax and accounting purposes.


Legitimate interests

I also process some information because it is in my legitimate interests as a professional therapist to do so, in a way that does not override your rights or interests.

This includes:

  • maintaining secure and appropriate client records

  • using limited website analytics to understand how people use my website

  • ensuring the safe and effective running of my practice

  • attending professional supervision to maintain high standards of care


Consent

In certain situations, I rely on your consent. This includes:

  • subscribing to my newsletter or blog updates

  • agreeing to receive marketing communications

  • allowing your feedback or testimonial to be published

Where I rely on consent, you can withdraw this at any time.

Special Category Health Information

Some of the information I collect is classed as special category personal data under UK data protection law. This includes information relating to your physical and mental health.

I only collect this information where it is necessary to provide safe, appropriate and effective therapeutic support.

This may include information such as:

  • physical health conditions relevant to therapy

  • mental health and emotional wellbeing

  • current medication

  • sleep patterns and lifestyle factors that may affect your wellbeing

  • information shared during sessions that is relevant to your goals and progress

Under UK GDPR, this type of information requires additional protection. I process it on the basis that it is necessary for the provision of health-related therapeutic services, and in line with my professional obligations as a qualified therapist.

All sensitive information is stored securely and treated as strictly confidential.

Access to this information is limited to me, and where necessary, my professional supervisor. When discussed in supervision, all identifying details are removed so that you cannot be identified.

Who I Share Your Information With

I treat your personal information as confidential and only share it where it is necessary for the safe and effective delivery of my services, or where I am legally required to do so.

I may share your information in the following limited circumstances:

Professional supervision

As part of my professional practice, I attend regular supervision. Supervision is a standard and essential part of ethical therapeutic work.

If I discuss aspects of our work in supervision, all identifying information is removed so that you cannot be identified. My supervisor is also bound by strict confidentiality standards.


Health and safeguarding concerns

In very rare circumstances, I may need to share information if I believe there is a serious risk of harm to you or someone else, or if I am required to do so by law.

Where possible and appropriate, I would always aim to discuss this with you first.


Service providers

I use trusted third-party services to support the running of my practice. These providers only process personal data where necessary and are required to handle it securely in line with UK GDPR.

These include:

  • Acuity Scheduling – for booking and appointment management

  • Stripe – for processing online payments

  • SumUp – for in-person card payments

  • IONOS – for email hosting

  • Mailchimp – for newsletter and email communications

  • Zoom – for online sessions where applicable

  • WordPress / CPHT website hosting – for hosting my website and contact forms

These providers may process data on my behalf, but they do not use your information for their own purposes.


Professional requirements

In some cases, I may be required to share information with my professional insurer, regulatory bodies, or legal and financial advisers where necessary for compliance, insurance or legal obligations.


Website analytics

My website may use limited analytics tools (such as Google Site Kit) to understand how visitors use the site. This information is aggregated and does not identify individual visitors.

How Long I Keep Your Information

I only keep your personal information for as long as it is necessary to provide my services, and in line with professional and legal requirements.

Therapy records

In line with professional guidance from my regulatory and professional bodies, I normally keep therapy records for eight years after your final session.

If you are under 18 at the time therapy ends, records are kept until your 25th birthday (or 26th birthday if you were 17 when therapy ended).

This is to ensure appropriate continuity of care, to meet professional insurance requirements, and to comply with best practice standards.

After this period, records are securely destroyed.


Contact and enquiry information

If you contact me but do not go on to become a client, I will keep your information for up to 12 months, after which it is deleted unless there is a clear reason to retain it (for example, ongoing correspondence).


Financial records

Invoices and payment records are kept for 6 years, in line with HMRC requirements.


Newsletter subscriptions

If you subscribe to my newsletter, your details will be kept until you choose to unsubscribe. You can do this at any time using the unsubscribe link in any email or by contacting me directly.

How I Keep Your Information Secure

I take the security of your personal information seriously and use a combination of physical, digital and organisational measures to protect it.

Digital security

Your information is stored securely using password-protected and encrypted devices.

Access to systems and records is restricted to me only.

Where I use third-party service providers (such as Acuity, Stripe, SumUp, IONOS, Mailchimp and Zoom), I choose providers that are widely recognised and compliant with UK GDPR standards.

These systems use secure encryption and access controls to help protect your information.


Paper records

Any paper notes are stored securely in a locked filing cabinet, accessible only to me.

When no longer required, paper records are destroyed securely.


Confidential practice

I maintain strict confidentiality in my practice and take care to ensure that personal information is not shared or discussed outside of appropriate professional contexts.

Where information is discussed in professional supervision, all identifying details are removed so that you cannot be identified.


Practical safeguards

In addition to technical security, I take practical steps to protect your privacy, including:

  • keeping devices updated and password protected

  • limiting access to client information to myself only

  • avoiding unnecessary duplication of sensitive information

  • using secure methods of communication where appropriate

Your Rights

Under UK data protection law, you have a number of rights in relation to your personal information.

These include the right to:

  • Access the personal information I hold about you

  • Request correction of any inaccurate or incomplete information

  • Request deletion of your information, in certain circumstances

  • Request restriction of how your information is used

  • Object to certain types of processing

  • Withdraw consent where I am relying on consent to use your information

  • Request transfer of your information to another service provider (where applicable)

If you would like to exercise any of these rights, you can contact me using the details provided in this Privacy Notice. I will respond to your request in line with UK data protection law.

In some cases, I may need to retain certain information where there is a legal or professional obligation to do so (for example, for insurance or tax purposes).

Cookies and Website Analytics

My website uses cookies to help it function effectively and to understand how visitors use the site.

Cookies are small text files stored on your device when you visit a website. They help the website work properly and provide basic information about how it is being used.

Types of cookies used

  • Essential cookies – These are necessary for the website to function properly (for example, enabling forms or page navigation).

  • Analytics cookies – These may be used through tools such as Google Site Kit to understand how visitors use my website (for example, which pages are most viewed). This information is aggregated and does not identify individual users.

Managing cookies

You can control and/or delete cookies at any time through your browser settings. Most browsers allow you to refuse or accept cookies, or to delete existing cookies.

Please note that disabling some cookies may affect how the website functions.

How to Make a Complaint

If you have any concerns about how I use your personal information, I encourage you to contact me in the first instance so I have the opportunity to address and resolve your concern.

I will acknowledge your complaint within 30 days and aim to respond fully and promptly.

If you are not satisfied with my response, you have the right to raise your concern with the Information Commissioner’s Office (ICO), which is the UK supervisory authority for data protection issues.

You can find more information or make a complaint directly at: www.ico.org.uk

Contact Details

If you have any questions about this Privacy Notice or how your personal information is handled, you can contact me using the details below:

Email: info@sarahwoodwardhypnotherapy.co.uk


Changes to This Privacy Notice

I may update this Privacy Notice from time to time to reflect changes in my practice, technology, or legal requirements.

Any updates will be published on this page with a revised “last updated” date at the top of the document.