GDPR Statement

Last updated: 07 July 2026

Our commitment to your privacy

Protecting your privacy is fundamental to the work we do together. The therapeutic relationship is built on trust, and that includes trust that your personal information is handled with care, respect, and professionalism. This statement explains in plain terms how I collect, use, and protect your information at Core Support Therapies.

What information we collect

When you work with me, I may collect and hold the following types of information:

  • Your name and contact details (address, phone number, email)

  • Emergency contact information

  • Details about what brings you to therapy (your presenting issues)

  • Session notes recording our work together

  • Relevant medical or mental health history you share with me

  • Payment and invoicing information

  • Any correspondence between us

Why we collect your information

I need to process your personal information to provide you with therapy. The legal grounds for this are:

For general personal data: Article 6(1)(b) UK GDPR - processing is necessary for the performance of the therapeutic contract between us. When you engage me as your therapist, we enter into a contract, and I need to process your information to fulfil that agreement.

For health-related information: Because therapy involves discussing sensitive personal matters including your mental and physical health, I rely on Article 9(2)(h) UK GDPR - processing is necessary for the provision of health or social care treatment by a health professional. The additional condition under DPA 2018 is Schedule 1, Part 1, paragraph 2 (health or social care). This processing is carried out by a qualified counsellor subject to the professional obligation of confidentiality under the BACP Ethical Framework.

Professional obligations and supervision

As a BACP-registered counsellor, I am required to discuss my clinical work in regular supervision. This is an essential part of maintaining safe, ethical practice and is for your benefit.

Your identity is protected in supervision. I do not share your name or any identifying details with my supervisor. My supervisor receives only anonymised case material and is bound by their own professional body's confidentiality obligations.

Clinical will arrangements

I am currently putting arrangements in place for a clinical will - a plan that ensures your records would be handled confidentially and appropriately by a nominated colleague should I become unable to continue practising due to serious illness or death. Once these arrangements are finalised, I will let you know.

Who else may see your information

Beyond myself, the following people or services may have limited access to certain information:

  • Clinical supervisor - anonymised case material only (no names or identifying details)

  • Google Workspace (including Gmail) – to manage business email and communications with clients.

  • Square Space - the website platform, which may collect basic technical and analytics data

  • Teams or Whatsapp - if we work together online, our video sessions use Teams or Whatsapp

  • Statutory authorities - where I am legally required to share information (see below)

Where these services transfer data outside the UK (for example, to the USA), appropriate safeguards such as Standard Contractual Clauses or International Data Transfer Agreements are in place, in accordance with UK GDPR and the Data (Use and Access) Act 2025.

When confidentiality may be broken

Confidentiality is central to therapy, and I take it seriously. However, there are rare circumstances where I may need to share information without your consent:

  • If I believe there is a serious risk of harm to you or someone else

  • If there are concerns about the safety of a child or vulnerable adult

  • If I receive a court order requiring disclosure

Wherever possible, I will discuss this with you first and explain what I need to do and why.

How long we keep your records

I retain your records for 7 years after our last session, in line with the Limitation Act 1980 and standard professional indemnity insurance requirements. If you were under 18 when we worked together, I keep your records until you reach the age of 25, or for 7 years after our last session — whichever is longer.

Your records are stored securely: electronic records are encrypted and password-protected; paper records are kept in a locked filing cabinet in a secure room. Access is restricted to me. At the end of the retention period, paper records are shredded and electronic records are permanently deleted using secure deletion software.

Your rights

Under UK data protection law, you have the right to:

  • See your records — you can ask me for a copy of the information I hold about you

  • Correct errors — if something is inaccurate, you can ask me to put it right

  • Request deletion — in some circumstances, you can ask me to delete your information, though I may need to keep certain records for legal or professional reasons

  • Object to processing — you can ask me to stop using your information in certain ways

  • Data portability — you can ask for your information in a format that can be transferred elsewhere

  • Withdraw consent — where processing is based on consent, you can withdraw it at any time

If you would like to exercise any of these rights, please get in touch.

Making a complaint

If you have any concerns about how I handle your information, please contact me first so I can try to resolve the issue:

Email: claudia@coresupporttherapies.co.uk
Compliance information: http://coresupporttherapies.co.uk/privacy-policy

Under the Data (Use and Access) Act 2025, you also have the right to complain directly to the Information Commissioner's Office:

Website: ico.org.uk
Telephone: 0303 123 1113

Core Support Therapies

Claudia Gridelli
ICO Registration: ZB879569