Privacy policy

Privacy Policy for CBT Therapy 

Therapist Name/Practice: Hansi Khan, Diverse Paths Therapy
Data Controller: Hansi Khan, Diverse Paths Therapy
Contact: Contact form
ICO Registration Number: ZB680204

1. Introduction

This privacy policy explains how I collect, use, store, and protect your personal information in compliance with the General Data Protection Regulation (GDPR) and relevant UK/EU data protection laws.

2. What Information I Collect

I may collect and store the following:

• Name, date of birth, address, phone number, email address

• Emergency contact details

• GP name and contact details (if provided)

• Information shared during therapy sessions

• Clinical notes and assessments

• Appointment history

• Communications (emails, texts)

• Invoices and payment history

3. Purpose of Data Collection

I collect this data in order to:

• Provide safe and effective therapy

• Communicate with you regarding appointments

• Comply with legal and professional requirements

• Respond to emergencies or safeguarding concerns

• Maintain accurate clinical records

4. Lawful Basis for Processing

Under GDPR, I rely on the following lawful bases:

• Contract: Providing therapy under the agreement between us

• Legal Obligation: Complying with law and ethical codes

• Vital Interests: Acting in situations of serious harm or emergency

• Consent: Where specific permissions are required (e.g., contacting your GP)

5. Data Storage and Security

• Records are kept securely, whether in paper or digital form.

• Digital data is encrypted and stored on password-protected devices.

• Physical files are stored in locked cabinets.

• I do not share your data with third parties unless legally required or with your explicit consent.

6. Emergencies / Confidentiality

There is no change in my standard confidentiality policy — the content of therapy sessions remains confidential and will not be shared without your consent, unless I am legally or ethically required to do so.

However, I would need your explicit consent to share your contact information with an emergency healthcare service if I believed your health or safety was at risk (for example, if I were concerned about suicide, serious harm, or a medical emergency during or outside of session time).

By agreeing to this privacy policy, you give consent for the limited sharing of your contact details (e.g., name, phone number, or location) solely for the purpose of safeguarding your wellbeing in an emergency. This would only occur if I reasonably believed that such action was necessary to protect your life or health.

If you have listed an emergency contact on your registration form, they may also be contacted only in exceptional situations where there is a serious concern and no other immediate options for support or response.

7. Your Rights

You have the right to:

• Access your personal data

• Request correction of inaccurate data

• Request deletion (in some cases, subject to professional obligations)

• Withdraw consent where consent has been given

• Lodge a complaint with the ICO

8. Data Retention

Your data will be retained for 7 years after the end of therapy, as recommended by professional bodies and insurers. After this period, it will be securely destroyed.

9. Supervision

To ensure safe and ethical practice, I discuss my work in supervision. Client identities are anonymised and no identifying data is shared.

10. Website and Email

If you use my website or email to contact me, please be aware that no method of communication is 100% secure. I use encrypted email services where possible.

11. Updates

This policy may be updated from time to time. You will be notified of any significant changes.

Contact
If you have any questions about this privacy policy or how your data is handled, please contact me