Data Controller: Caroline Rothwell, trading as C. Rothwell Therapy, is the Data Controller.

Personal Data Collected: Contact details: name, email, phone number. Health and therapy notes: session records, risk assessments. Payment information: transaction records (no card details stored). Technical data: IP address, log-in times.

Purpose and Legal Basis: To deliver therapy and clinical care (Article 6(1)(b) GDPR). To comply with legal and ethical obligations (Article 6(1)(c) GDPR). To manage business administration and accounting (Article 6(1)(f) GDPR—legitimate interest).

Client Eligibility: Clients must be aged 18 or over; no personal data from minors is collected or processed.

Data Sharing: Your data will not be shared with third parties except if required by law (e.g. safeguarding) or with your explicit consent (e.g. sharing reports with another health professional).

Data Retention: Clinical records are retained for a minimum of 8 years (or until age 25 for minors). Financial records are kept for 7 years for HMRC compliance.

Security Measures: All records are stored on encrypted, password-protected devices or secure cloud systems. All sessions will be recorded as an accurate record of what is discussed and a tangible record of your progress. Each session will then be securely saved as stated above. This applies to Teams sessions, WhatsApp or telephone sessions. If this document is signed, this is a declaration that you permit sessions to be recorded.

Your Rights: Under GDPR, you may access your personal data, request correction, erasure, restriction, objection to processing, data portability, and withdraw consent at any time. To exercise these rights, contact crothwelltherapy.com. If dissatisfied, you may complain to the Information Commissioner’s Office (ICO).

Changes to this Policy: I may update this policy at any time. The latest version will be posted on my website with the revision date.