GDPR Statement
Last updated: 07 July 2026
Our commitment to your privacy
Protecting your privacy is fundamental to the work we do together. The therapeutic relationship is built on trust, and that includes trust that your personal information is handled with care, respect, and professionalism. This statement explains in plain terms how I collect, use, and protect your information at Core Support Therapies.
What information we collect
When you work with me, I may collect and hold the following types of information:
Your name and contact details (address, phone number, email)
Emergency contact information
Details about what brings you to therapy (your presenting issues)
Session notes recording our work together
Relevant medical or mental health history you share with me
Payment and invoicing information
Any correspondence between us
Why we collect your information
I need to process your personal information to provide you with therapy. The legal grounds for this are:
For general personal data: Article 6(1)(b) UK GDPR - processing is necessary for the performance of the therapeutic contract between us. When you engage me as your therapist, we enter into a contract, and I need to process your information to fulfil that agreement.
For health-related information: Because therapy involves discussing sensitive personal matters including your mental and physical health, I rely on Article 9(2)(h) UK GDPR - processing is necessary for the provision of health or social care treatment by a health professional. The additional condition under DPA 2018 is Schedule 1, Part 1, paragraph 2 (health or social care). This processing is carried out by a qualified counsellor subject to the professional obligation of confidentiality under the BACP Ethical Framework.
Professional obligations and supervision
As a BACP-registered counsellor, I am required to discuss my clinical work in regular supervision. This is an essential part of maintaining safe, ethical practice and is for your benefit.
Your identity is protected in supervision. I do not share your name or any identifying details with my supervisor. My supervisor receives only anonymised case material and is bound by their own professional body's confidentiality obligations.
Clinical will arrangements
I am currently putting arrangements in place for a clinical will - a plan that ensures your records would be handled confidentially and appropriately by a nominated colleague should I become unable to continue practising due to serious illness or death. Once these arrangements are finalised, I will let you know.
Who else may see your information
Beyond myself, the following people or services may have limited access to certain information:
Clinical supervisor - anonymised case material only (no names or identifying details)
Google Workspace (including Gmail) – to manage business email and communications with clients.
Square Space - the website platform, which may collect basic technical and analytics data
Teams or Whatsapp - if we work together online, our video sessions use Teams or Whatsapp
Statutory authorities - where I am legally required to share information (see below)
Where these services transfer data outside the UK (for example, to the USA), appropriate safeguards such as Standard Contractual Clauses or International Data Transfer Agreements are in place, in accordance with UK GDPR and the Data (Use and Access) Act 2025.
When confidentiality may be broken
Confidentiality is central to therapy, and I take it seriously. However, there are rare circumstances where I may need to share information without your consent:
If I believe there is a serious risk of harm to you or someone else
If there are concerns about the safety of a child or vulnerable adult
If I receive a court order requiring disclosure
Wherever possible, I will discuss this with you first and explain what I need to do and why.
How long we keep your records
I retain your records for 7 years after our last session, in line with the Limitation Act 1980 and standard professional indemnity insurance requirements. If you were under 18 when we worked together, I keep your records until you reach the age of 25, or for 7 years after our last session — whichever is longer.
Your records are stored securely: electronic records are encrypted and password-protected; paper records are kept in a locked filing cabinet in a secure room. Access is restricted to me. At the end of the retention period, paper records are shredded and electronic records are permanently deleted using secure deletion software.
Your rights
Under UK data protection law, you have the right to:
See your records — you can ask me for a copy of the information I hold about you
Correct errors — if something is inaccurate, you can ask me to put it right
Request deletion — in some circumstances, you can ask me to delete your information, though I may need to keep certain records for legal or professional reasons
Object to processing — you can ask me to stop using your information in certain ways
Data portability — you can ask for your information in a format that can be transferred elsewhere
Withdraw consent — where processing is based on consent, you can withdraw it at any time
If you would like to exercise any of these rights, please get in touch.
Making a complaint
If you have any concerns about how I handle your information, please contact me first so I can try to resolve the issue:
Email: claudia@coresupporttherapies.co.uk
Compliance information: http://coresupporttherapies.co.uk/privacy-policy
Under the Data (Use and Access) Act 2025, you also have the right to complain directly to the Information Commissioner's Office:
Website: ico.org.uk
Telephone: 0303 123 1113
Core Support Therapies
Claudia Gridelli
ICO Registration: ZB879569