Calm Breathing Therapies
Compassionate, evidence-based CBT tailored to you.
Compassionate, evidence-based CBT tailored to you.
Calm Breathing Therapies – Privacy Notice
This Privacy Notice explains how Calm Breathing Therapies collects and uses your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all clients and prospective clients of our remote CBT service.
1. Who We Are
Calm Breathing Therapies is a sole practitioner operating in the United Kingdom. We are the data controller for the personal data we collect. You can contact us at info@calmbreathingtherapies.co.uk. If you have any questions or concerns about this notice or your data, please email us.
2. What Data We Collect
We collect and process the following types of data:
• Identification and contact details (name, address, phone number, email, date of birth).
• Health and therapy information (assessment forms, clinical notes, outcome measures such as PHQ‑9, GAD‑7, WSAS, SPIN, PDSS, PCL‑5, formulation and treatment plans, risk and safeguarding information).
• Billing and payment details (invoices, transaction identifiers but not full card details).
• Technical data (IP address, browser type, and usage information when you visit our website) via essential and optional cookies. See our Cookie Policy for details.
• Supervisory information (anonymised case material discussed in supervision).
• Communications with us (emails, messages, telephone records).
3. Lawful Basis for Processing
We rely on the following lawful bases:
• Contract (Article 6(1)(b)) – to provide you with therapy services at your request.
• Legitimate interests (Article 6(1)(f)) – for purposes such as managing our business, maintaining records, and defending legal claims.
• Health or social care provision (Article 9(2)(h)) – for processing special‑category data relating to your mental health. We maintain an Appropriate Policy Document (see below) describing how we meet the conditions and safeguards required by Schedule 1 of the Data Protection Act 2018.
• Consent (Articles 6(1)(a) & 9(2)(a)) – for specific optional activities, such as using non‑essential cookies or sending marketing communications. You can withdraw your consent at any time.
• Legal obligations (Article 6(1)(c)) – for complying with tax, accounting and regulatory obligations.
4. How We Use Your Data
We use your data to:
• Provide remote CBT sessions and monitor clinical progress.
• Administer bookings, payments and our accounts.
• Assess suitability for therapy and manage risk.
• Contact you about appointments, provide agreed session summaries and send outcome measures.
• Carry out anonymised case discussion in clinical supervision.
• Comply with our legal and professional obligations.
• Improve our services and website (for example, through anonymised analytics, subject to your consent).
5. Data Sharing
We do not sell your data. We may share your personal data with:
• Our clinical supervisor (anonymised where possible) to ensure ethical practice.
• Service providers who process data on our behalf (e.g. practice management software, secure video conferencing providers, payment processors) under data processing agreements.
• Your GP or emergency services if there is an imminent risk of harm.
• Regulators, law enforcement or professional bodies where required by law or professional standards.
• HM Revenue & Customs, and accountants for tax and accounting purposes.
6. International Transfers
Where possible, we use UK or EU‑based service providers. If we use a supplier outside the UK/EU, we will ensure that appropriate safeguards are in place, such as UK adequacy regulations, standard contractual clauses or binding corporate rules.
7. Data Retention
We retain your therapy records for a minimum of eight years after your last session if you are an adult, or until you reach your 25th birthday (or 26th if you were 17 at the end of therapy) if you were under 18. Financial records are kept for at least six years to comply with tax law. We may retain anonymised statistical information indefinitely. After the retention period, we securely delete or anonymise your data.
8. Your Rights
You have the right to:
• Access your personal data and obtain a copy.
• Rectify inaccurate or incomplete data.
• Erase your data (in certain circumstances).
• Restrict or object to our processing of your data.
• Withdraw consent where processing is based on consent.
• Data portability (to obtain and reuse your data in a digital format).
• Complain to the Information Commissioner’s Office (ICO) if you believe we have breached data protection law. See ico.org.uk for details.
9. Cookies and Tracking Technologies
Our website uses cookies and similar technologies. Essential cookies are necessary for the site to function. Non‑essential cookies (such as analytics) require your opt‑in consent. See our Cookie Policy for more information.
10. Appropriate Policy Document (APD)
We maintain an Appropriate Policy Document setting out how we comply with the data protection principles, our justification for processing special‑category data, retention periods, and technical and organisational safeguards. A copy of the APD is available on request.
11. Changes to this Notice
We may update this Privacy Notice from time to time to reflect changes in the law or our business practices. The latest version will always be posted on our website.