top of page
Clear Water Ripples

Privacy Policy
Effective from 1.6.26

1. Introduction

This Privacy Policy explains how The Croft CBT Clinic /Alison Croft collects, uses, and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018*.

As a Practitioner Psychologist registered with the Health & Care Professionals Council (HCPC) and a CBT therapist accredited by the British Association of Behavioural & Cognitive Psychotherapy (BABCP), I am bound by these organisations’ professional codes of conduct and am committed to maintaining the confidentiality, integrity, and security of your personal information.

2. Data Controller

Name: Alison Croft
Practice Name: The Croft CBT Clinic
ICO registration reference: ZC130096
Contact Email: alison@croftcbt.com

3. Lawful Bases and purposes of Processing

I process your personal data for the purposes of providing you with a therapy service, or clinical supervision, to manage appointments and payments and to fulfill legal, professional regulatory body and insurance obligations. I do not sell personal data.

Please see below the specific purposes and lawful bases under which I process your information according to the UK GDPR & Data Protection Act (2018). 

  • Communication and appointment management, safeguarding             

Article 6(1)(f)  Legitimate interests

  • Delivery of therapy services 

Article 6(1)(b) Performance of a contract

  • Record keeping for clinical/legal purposes                                               

Article 6(1)(c)  Legal obligation

  • Provision of health or social care-psychological therapy                         

Article 9(2)(h) Processing special category data (health data)                                                                                                                      

​4. Personal Data I Collect

I may collect and process the following categories of personal data:

a. Identity and Contact Information

Name, address, telephone number, email address, date of birth, emergency contact details and General Practitioner (GP) details.

b. Health and Wellbeing Information

Details about your mental health history, current psychological concerns, treatment notes, and any information relevant to therapy.

c. Administrative and Financial Information

Records of payments, invoices, and correspondence related to appointments and billing.

d. Website or Digital Data

​The Croft CBT Clinic website uses 'cookies' (small text files that are stored on your device) and similar technologies, if you consent to this. These are widely used to make websites work efficiently and provide information to the site owners. 

These are provided by third parties, such as the website host.

Cookies fall into different categories (essential, functional, analytical & marketing).

A pop up message is displayed to all visitors to the website giving details of all such technologies used and of the third parties. You can select and save your preferences for each category, apart from those that are 'essential'.

You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you choose to block cookies, please note that you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work properly.

5. How I Collect Your Data

Personal data is primarily collected directly from you:

  • When you complete a contact form via my website or a consent form on commencing therapy.

  • During therapy sessions (in person, online, or by phone).

  • Through email, text message, or other communication channels.

Some information may also be obtained from third parties:

  • Referrals from other healthcare professionals (with your consent only).

  • Emergency contacts or next of kin (if relevant, e.g. in case of an emergency concerning your safety or that of others).

6. Data Retention

I retain your personal data only as long as necessary for the purposes for which it was collected and to comply with professional, legal, and regulatory obligations.

  • Therapy records: kept for a minimum of 7 years after the end of treatment.

  • Administrative data: retained for up to 7 years for tax and accounting purposes.
     

After the retention period, all records are securely destroyed.

7. Data Storage and Security

Your data is stored securely through a combination of:

  • Password-protected systems and encrypted files.

  • Locked cabinets for paper records.

  • Encrypted digital communication (e.g., secure email).

8. Sharing of Personal Data

Your personal data will only be shared when necessary and appropriate, such as:

  • With other healthcare professionals, only with your explicit consent (unless required by law).

  • With emergency services and your GP if there is an immediate risk of serious harm to yourself or others.

  • As a condition of their accreditation status, all accredited therapists are required to have regular clinical supervision of their practice, including periodic review of recorded therapy sessions. This is designed to safeguard the public by ensuring therapists are delivering therapy in an appropriate and professional manner. Clinical information will be shared with my supervisor for this purpose, using only initials. My clinical supervisor is also an accredited therapist and therefore bound by the same professional standards, including the requirement to maintain confidentiality of client information.

  • With legal or regulatory authorities if required by law or court order.

  • With data processors (e.g. website host, secure storage providers) who operate under strict data protection agreements.

  • I have a ‘clinical will’, to be initiated in the event of incapacity or my death. The executor of this will is an accredited therapist who would ensure the safe transfer and storage of your personal data, and its disposal following the usual retention period.

 

9. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data.

  • Rectify inaccurate or incomplete information.

  • Request erasure (“right to be forgotten”) in certain circumstances.

  • Restrict or object to processing.

  • Data portability (receive your data in a usable electronic format).

  • Withdraw consent (where processing is based on consent).

To exercise any of these rights, contact me at alison@croftcbt.com. I will respond no later than one calendar month of receipt of your request.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.

 

10. Updates to This Policy

I may update this Privacy Policy periodically to reflect legal or practice changes. The latest version will always be available on my website or upon request.

Contact Information

For any questions about this Privacy Policy or how your data is handled, please contact:

Alison Croft, The Croft CBT Clinic.
Email: alison@croftcbt.com

*Data Protection Act 2018. Available at: https://www.legislation.gov.uk/ukpga/2018/12/contents  (Accessed: 12.5.26).

Alison Croft

Accredited CBT Therapist , Supervisor & Trainer

Chartered Clinical Psychologist

British Association of Behavioural & Cognitive Psychotherapy accredited logo
Health Professionals Council Registered logo
Quality-Mark-logo
British Psychological Society Chartered logo
bottom of page