Privacy Policy
Last updated: 07 July 2026
1. Who we are
This is the privacy policy of Core Support Therapies. I am Claudia Gridelli, a qualified counsellor registered with BACP.
My practice is registered with the Information Commissioner's Office (ICO). My registration number is ZB879569.
If you have any questions about how I handle your personal data, please contact me at ask http://coresupporttherapies.co.uk
2. What personal data we collect
I collect and process the following types of personal data:
Contact and identification details:
Your name, address, telephone number, and email address
Emergency contact details
Therapy-related information:
The reasons you are seeking therapy (presenting issues)
Information about your mental and emotional health
Relevant medical history you choose to share
Details of any medications that may be relevant to our work
Session notes recording the themes and progress of our work together
Correspondence between us
Administrative information:
Appointment dates and times
Payment records and invoices
Website enquiries:
Your name, email address and phone number when you submit our contact form
Any details you include in your message
Important: Much of the information I hold about you relates to your health and wellbeing. This is classified as special category data under Article 9(1) of the UK GDPR and receives enhanced legal protection.
3. How we collect your data
I collect personal data directly from you:
When you first contact me to enquire about therapy
When you complete an intake form or assessment questionnaire
During our therapy sessions
Through emails, telephone calls, or other correspondence between us
When you submit an enquiry through the contact form on my website
I do not collect personal data about you from third parties unless you have given explicit consent for this, for example if you ask me to liaise with your GP.
4. Why we process your data — lawful basis
Under UK GDPR, I must have a lawful basis for processing your personal data. I rely on the following:
Article 6 basis (ordinary personal data):
Article 6(1)(b) UK GDPR - Processing is necessary for the performance of the therapeutic contract between us. When you engage me as your therapist, we enter into a contract for me to provide counselling services. Processing your personal data is essential to fulfil that contract.
Article 9 basis (special category health data):
Article 9(2)(h) UK GDPR - Processing is necessary for the provision of health or social care treatment by a health professional.
The additional condition required under DPA 2018 is Schedule 1, Part 1, paragraph 2 (health or social care). Processing is carried out by a qualified counsellor subject to the professional obligation of confidentiality under the BACP Ethical Framework for the Counselling Professions.
5. Professional obligations and CPD
As a BACP-registered practitioner, I am required to attend regular clinical supervision. This is an essential part of maintaining safe and ethical practice.
When I discuss my therapeutic work with my supervisor:
Your name and any identifying details are not shared - I use anonymised or pseudonymised case material only
My supervisor is a qualified professional bound by the same confidentiality obligations as I am
My supervisor is also bound by their own professional body's ethical framework
Supervision helps me reflect on my practice, ensure I am working safely and effectively, and continue my professional development for the benefit of all my clients.
6. Clinical will - what happens to your records if I am unable to practise
I am currently putting arrangements in place to ensure your records are handled appropriately if I become unexpectedly unable to practise due to serious illness, incapacity, or death.
Once these clinical will arrangements are finalised, I will update this policy and inform current clients of the details. The arrangements will ensure that a nominated colleague - who will be a qualified therapist bound by the same confidentiality obligations - can securely manage or destroy records and contact clients as appropriate.
7. Who we share your data with
I take your confidentiality seriously and keep the sharing of your personal data to a minimum. The following parties may have limited access to certain data:
Clinical supervisor
As explained above, I discuss my therapeutic work in supervision using anonymised case material only. Your name and identifying details are not shared.
Third-party service providers
I use trusted third-party service providers to help deliver my services and operate my business. These providers may process personal data on my behalf or as independent data controllers, depending on the service they provide.
The providers I use include:
Squarespace – to host and maintain my website. Squarespace may process information such as your IP address, browser information, device information, and website usage data.
Google Workspace (including Gmail) – to manage business email and communications with clients.
Microsoft Teams and/or WhatsApp – to communicate with clients and, where agreed, to conduct online meetings or video consultations.
I only use service providers that I consider to have appropriate security measures in place to protect personal data and, where required, appropriate safeguards for international transfers.
I do not sell, rent, or trade your personal data to any third parties.
8. International transfers of your personal data
Some of the third-party service providers I use may process or store your personal data outside the United Kingdom.
Where personal data is transferred internationally, I ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR and the Information Commissioner's Office (ICO) guidance.
Depending on the service provider, transfers may be protected by one of the following:
the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge), where the provider is certified;
the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs); or
another lawful transfer mechanism recognised under UK data protection law.
The third-party providers I use may include:
Microsoft 365 (including Microsoft Teams)
Google Workspace
Squarespace
Where required, I assess whether the receiving country provides an adequate level of protection for personal data and implement additional safeguards where appropriate.
You can request further information about the safeguards used for international transfers by contacting me using the details provided in this Privacy Policy.
9. How long we keep your data
I retain your personal data only for as long as necessary. My retention periods are:
Type of record: Therapy records (adult clients)
Retention period: 7 years after our last session
Reason: In line with the Limitation Act 1980 and standard professional indemnity insurance requirements
_______________________________
Type of record: Financial records
Retention period: 6 Years
Reason: HMRC legal requirement
_______________________________
Type of record: Website enquiries (non-clients)
Retention period: 12 Months
Reason: Legitimate interest in responding to enquiries
Secure disposal:
At the end of the applicable retention period, I destroy records securely:
Paper records are shredded
Electronic records are permanently deleted using secure deletion software
10. Your rights under UK GDPR
You have the following rights regarding your personal data. I have explained each in plain language:
Right to be informed You have the right to know how I collect and use your personal data. This privacy policy fulfils that right.
Right of access You can ask me for a copy of the personal data I hold about you. This is sometimes called a "subject access request." Under the Data (Use and Access) Act 2025, I will conduct a reasonable and proportionate search to locate your data and respond within one month.
Right to rectification If any personal data I hold about you is inaccurate or incomplete, you can ask me to correct it.
Right to erasure In some circumstances, you can ask me to delete your personal data. However, this right does not apply where I need to keep records in line with the Limitation Act 1980 or professional indemnity insurance requirements. I will explain if and why I cannot comply with an erasure request.
Right to restrict processing You can ask me to limit how I use your data in certain circumstances, for example while a complaint is being investigated.
Right to data portability Where technically feasible, you can ask me to transfer your data to another organisation in a commonly used electronic format.
Right to object You can object to certain types of processing. As I rely on contract and health care provision rather than legitimate interests for therapy data, this right has limited application to my practice.
Rights related to automated decision-making You have the right not to be subject to decisions based solely on automated processing. I do not use automated decision-making in my practice.
To exercise any of these rights, please contact me at https://coresupporttherapies.co.uk
11. Data protection complaints — your right under the Data (Use and Access) Act 2025
You have the right to make a data protection complaint directly to me if you are concerned about how I have handled your personal data.
How to complain:
Submit a complaint at https://coresupporttherapies.co.uk/complaints (Make a complaint tab)
Or contact me at ask claudia@coresupporttherapies.co.uk
I will acknowledge your complaint promptly and respond fully within one month.
If you are not satisfied:
If you are unhappy with my response, you have the right to escalate your complaint to the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Address: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
12. Confidentiality exceptions
Everything you share with me in therapy is confidential. However, there are limited circumstances where I may need to share information without your consent:
Risk of serious harm - If I believe you or someone else is at imminent risk of serious harm, I may need to share information with appropriate services to help keep people safe
Safeguarding concerns - If I become aware of abuse or neglect involving a child or vulnerable adult, I have a duty to report this to the relevant safeguarding authorities
Legal requirement - If a court orders me to disclose information, I am legally obliged to comply
Wherever possible, I will discuss any disclosure with you first, unless doing so would itself put someone at risk.
13. Changes to this policy
I review this privacy policy annually and whenever my practices change significantly. The "last updated" date at the top of this page shows when the policy was most recently revised.
If I make significant changes that affect how I handle your data, I will inform you directly.
Contact
If you have any questions about this privacy policy or how I handle your personal data, please contact me:
Claudia Gridelli
Core Support Therapies
claudia@coresupporttherapies.co.uk
ICO registration: ZB879569