Claire Crampton Counselling

Last updated: [17/06/2026]

This privacy notice explains how I collect, use, store and protect personal information in my therapy practice.

I am Claire Crampton, a psychotherapist working [in person and online. I am the data controller for personal information I collect through clairecramptoncounselling,co.uk.

This means I am responsible for deciding how personal information is used and for keeping it safe.

If you have any questions about this privacy notice, or about how your information is handled, you can contact me at:

Email: clairecramptoncounselling@gmail.com

Website: www.clairecramptoncounselling.co.uk

This privacy notice applies to people who contact me about therapy, current and former clients, and visitors to my website.

Information I collect

I may collect and use the following information.

When you contact me, I may collect:

• your name

• your email address

• your phone number

• the information you choose to share in your enquiry

• any preferences around contact, availability or therapy format

If we arrange an initial call or begin therapy, I may also collect:

• your address

• your date of birth

• your GP details

• emergency contact details, where appropriate

• relevant health, mental health or wellbeing information

• information about your personal history, relationships, work, identity, family, circumstances and reasons for seeking therapy

• brief clinical notes

• attendance, payment and appointment information

• correspondence between us

Some of this information may be classed as special category data under UK data protection law. This includes information about health, mental health, sexuality, ethnicity, religion or other sensitive areas where these are relevant to therapy.

I only collect information that is necessary for providing therapy safely, ethically and professionally.

How I use your information

I use your personal information to:

• respond to enquiries

• arrange initial calls and appointments

• provide therapy

• keep appropriate clinical records

• manage payments, invoices and appointments

• communicate with you about sessions

• meet legal, professional and ethical responsibilities

• manage risk, safeguarding or emergency situations where necessary

• maintain insurance, tax and accounting records

• respond to data protection requests or complaints

I do not sell your personal information.

Lawful basis for using your information

Under UK GDPR, I need a lawful basis for using personal information.

For different parts of my work, I may rely on different lawful bases under Article 6 UK GDPR. For example, I may rely on contract where processing is needed to arrange or provide therapy, legitimate interests where I need to run my practice safely and keep appropriate records, and legal obligation where I need to keep or share information to comply with the law.

• contract: where information is needed to arrange and provide therapy

• legitimate interests: where I need to use information to run my practice safely, respond to enquiries, keep appropriate records and protect both you and me

• legal obligation: where I need to keep or share information to comply with the law

Where I process special category data, such as information about health or mental health, I must also identify a separate condition under Article 9 UK GDPR before I begin that processing and reflect this in my privacy information. Depending on the reason for processing, I may also need to meet additional conditions and safeguards under the Data Protection Act 2018.

Where I ask for your consent for something specific, I will explain what I am asking for and whether you can withdraw that consent. Consent is not the only lawful basis available under data protection law, and I will only rely on it where it is appropriate to do so.

Confidentiality

Therapy is confidential, but confidentiality is not absolute. I will not share what you tell me unless there is a lawful, ethical or safeguarding reason to do so, and where possible I will limit any sharing to the minimum information necessary.

There are some limits to confidentiality. I may need to share information if:

• I believe there is a serious risk of harm to you or someone else

• there is a safeguarding concern involving a child, vulnerable adult or person at risk

• I am required to do so by law, court order or legal process

• disclosure is necessary to prevent or detect a serious crime

• there is a medical emergency and information is needed to protect life

• I need to consult my clinical supervisor, while protecting your identity as far as possible

Where possible and appropriate, I would aim to discuss this with you before sharing information. However, I may not be able to do so if this would increase risk, prejudice safeguarding action, undermine the purpose of the disclosure, or would otherwise not be possible.

Supervision

Like other ethical therapists, I use clinical supervision to support safe and effective practice.

In supervision, I may discuss aspects of client work to support safe and effective practice. I aim to minimise identifying detail where possible and appropriate, and my supervisor is also bound by confidentiality and professional standards.

Clinical notes and records

I keep brief clinical notes to support safe and ethical therapy. These are usually factual, proportionate and relevant to the work.

Clinical records may include:

• session dates

• brief themes discussed

• relevant risk, safeguarding or clinical information

• agreed actions or important decisions

• contact and administrative information

I do not aim to keep a full transcript of sessions.

How long I keep information

I keep information only for as long as necessary for the purpose for which it was collected. Retention periods may vary depending on the type of record, the nature of the work, legal and professional requirements, and whether the work involved a child or young person. As a general guide:

• enquiry information may be deleted if we do not begin therapy, usually within 12 months.

• client records may be kept for 7 years after therapy ends, based on your retention policy and the reasons for keeping them

• if the work involved a child or young person, a different retention period may apply

• financial records may be kept for the period required for tax and accounting purposes

• emails, messages and administrative records are reviewed periodically and deleted when no longer needed

There may be times when I need to keep records for longer, for example where there are safeguarding, legal, insurance, complaint-related or professional-body reasons. I keep my retention periods under review and aim to make sure they remain justified and proportionate.

Where your information is stored

Your information may be stored in the following systems:

• Website / contact form: Webhealer

• Email: Gmail

• Online sessions: Zoom

• Payments / invoicing: Santander banking

• Cloud storage or backup: Google

• Phone / messages: SMS/ WhatsApp

I use appropriate technical and organisational measures to keep information secure. This may include password protection, device security, two-factor authentication, restricted access and secure storage.

Where I use external providers, they may process data on my behalf. I aim to use reputable providers with appropriate data protection and security arrangements.

Online therapy

If we work online, sessions will take place using Zoom. I will take reasonable steps to protect confidentiality from my side, and I ask that you also choose a private space where you cannot easily be overheard or interrupted.

Online platforms may process technical information such as IP address, device information or connection data. Please also check the privacy notice of the platform we use if you would like more detail.

AI tools, transcription and recording

I do not record, transcribe or use AI tools to process therapy sessions.

I may use digital tools for general practice administration, writing, planning or education. Where I do, I aim to avoid putting identifiable client material into tools that are not appropriate for confidential clinical information, and I take data protection and confidentiality into account when choosing how to use those tools.

I may use digital tools for general practice administration, writing, planning or education, but I do not put identifiable client material into public AI tools.

Website visitors and cookies

When you visit www.clairecramptoncounselling.co.uk, some technical information may be collected automatically, such as your IP address, device type, browser type, pages visited and the time of your visit. This may happen through website hosting, security, analytics or cookie tools.

My website is hosted by Webhealer. The website may use cookies or similar technologies to make the site work, improve performance, understand visitor behaviour or support security.

You can usually control cookies through your browser settings. If I use cookies or similar technologies that are not strictly necessary, I will make sure the website provides the level of notice, choice or consent required by law. In some cases, current UK rules may allow limited exemptions for certain analytics or functionality cookies, but only where the legal conditions for those exemptions are met.

Sharing your information

I will not share your personal information unless there is a clear reason to do so. Depending on the circumstances, I may share limited information with the following people or organisations where this is necessary, proportionate and lawful:

• my clinical supervisor

• professional advisers, such as an accountant, insurer or legal adviser

• my professional body, if required in relation to a complaint or ethical matter

• safeguarding services, emergency services or your GP, where there is serious risk or safeguarding concern

• a court or legal authority, if required by law

• an appointed clinical executor if I die or become unable to contact clients myself

• trusted digital service providers who process data on my behalf

Where I share information, I aim to share only what is relevant and necessary for that purpose. If I or one of my providers transfers personal information outside the UK to a separate organisation, I will only do so where the law allows it and an appropriate transfer mechanism or other safeguard is in place where required.

Clinical will

I aim to have arrangements in place so that clients can be contacted if I die or become seriously incapacitated.

This may involve a trusted professional colleague or clinical executor having access to the minimum information needed to contact current clients and manage records appropriately. That person would be bound by confidentiality, would only access information if necessary, and would not take on an ongoing therapeutic role unless separately agreed and appropriate.

Your rights

Under UK data protection law, you have rights over your personal information. These may include the right to:

• be informed about how your data is used

• access a copy of your personal information

• ask for inaccurate information to be corrected

• ask for information to be deleted in some circumstances

• restrict or object to certain processing

• complain about how your information has been handled

Some rights are not absolute and may depend on the circumstances. For example, I may need to keep some information for legal, professional, safeguarding, insurance or complaint-related reasons, and there may be limits on what can be disclosed where information includes third-party data or where a relevant exemption applies.

If you would like to exercise your rights, please contact me using the details above. I will respond to a request about your rights within one month. If a request is particularly complex, or if I need to consider whether any restriction or exemption applies, I may need longer, in which case I will let you know.

Data protection concerns and complaints

If you have a concern about how I have handled your personal information, you can make a data protection complaint by contacting me using the details in this notice. I will acknowledge your complaint within 30 days and take appropriate steps to look into it without undue delay.

Please include:

• your name

• what your concern is about

• what you would like me to look into

• how you would prefer me to respond

I will investigate your complaint as appropriate, keep you informed where necessary, and tell you the outcome without undue delay.

If you are not satisfied with my response, or if you would prefer to contact the UK regulator directly, you can contact the Information Commissioner’s Office:

Information Commissioner’s Office

Website: www.ico.org.uk

Telephone: 0303 123 1113

Changes to this privacy notice

I may update this privacy notice from time to time to reflect changes in my practice, legal requirements, professional guidance or the systems I use.

The latest version will be available on my website.