Contact
Contact

Privacy Notice
Amy Butlin Counselling

Your privacy is very important to me. You can be confident that your personal information will be kept safe and secure and will only be used for the purpose for which it was given. I adhere to data protection legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

This privacy notice explains how I collect, use, store and protect your personal information from the initial point of contact through the period of our work together and after our counselling relationship ends.

If you have any questions about how I handle your personal data, please contact me at:
amybutlin.counselling@gmail.com

‘Data controller’ is the term used to describe the person/ organisation that collects and stores and has responsibility for people’s personal data. In this instance, the data controller is me. I am registered with the Information Commissioner’s Office. My registration number is ZC025112 

My Lawful Bases for Processing

Under data protection law, I must have a lawful basis for collecting and using your information.

  • If you are currently in therapy with me, or are in contact with me about starting therapy, I rely on “contract” as my lawful basis for processing your personal data. This is because I need to use this information to provide counselling.

  • After therapy has ended, I rely on “legitimate interests” to keep your records for the minimum required time. My legitimate interest is the need to retain records for the required insurance, legal and professional purposes.

The GDPR also requires that I handle any sensitive personal information you may disclose to me appropriately. This type of information is referred to as ‘special category personal information’. The lawful basis is Article 9(2)(h) – the provision of health treatment by a professional bound by confidentiality.

How I Use Your Information

Initial contact/enquiry:
When you contact me, I process the information you choose to share (such as your name, contact details, and a brief outline of your enquiry) so that I can respond and assess suitability. If you decide not to proceed, I will delete this information within 3 months, unless there is a safeguarding reason to keep a record.

If you decide to begin counselling, I will ask you to complete a new client form, which includes your contact details, emergency contact, and (optional) GP details or relevant health information. Providing your personal data is necessary for me to deliver counselling safely and effectively. Without this information, I may be unable to offer therapy.

During counselling:
I keep brief pseudonymised session notes, in addition to your contact and administrative information. All information is stored securely. This information is used only to support our therapeutic work, manage appointments, ensure continuity of care, and meet professional requirements such as supervision.

Everything you share with me in counselling is treated as confidential. I will not share your personal information with others unless one of the following situations applies:

  • If I believe there is a risk of serious harm to you or to someone else.

  • If I have safeguarding concerns about the safety or welfare of a child or vulnerable adult.

  • If I am required by a court of law to disclose information.

  • If I have a legal duty to report certain serious offences (such as terrorism, money laundering, or serious crime).

Wherever possible, I will discuss this with you before sharing any information.

After counselling ends:
Your records will be kept for 7 years in line with insurance and professional guidelines, after which they will be securely destroyed. If you request earlier deletion, I will consider this, provided there is no legal or safeguarding requirement to retain the information.

Third-Party Recipients

I only share your personal information where it is necessary, proportionate, and in line with data protection law. The third parties I use fall into the categories below:

IT and data storage services
These services securely store or transmit information but do not have routine access to your data:

  • Gmail – for email communication

  • Google Drive – for secure storage of notes and administrative records

  • Google Meet / Zoom – for video sessions
    These services operate under their own privacy and security policies and comply with UK-GDPR standards for data security.

Some third-party services (e.g., Google and Zoom) may process data outside the UK or EEA. These transfers are protected through UK-approved safeguards such as Standard Contractual Clauses.

Professional supervision
I receive regular supervision to ensure my work remains safe, ethical and effective. I may discuss aspects of our work in supervision, but I do not disclose any information that could identify you. My supervisor is bound by professional confidentiality and data protection law.

Legal or regulatory obligations
I may be required to share information if:

  • ordered by a court

  • required by law (e.g., safeguarding, serious crime, terrorism)

  • necessary to prevent serious harm

Tax and accounting
I keep financial records for HMRC purposes. These records typically contain payment dates and amounts only. They do not include identifiable therapeutic information.

I do not sell or pass your information to any other organisations for marketing or any non-essential purposes.

Data Security

I take the security of your personal information very seriously. To protect your data, I maintain appropriate safeguards, including:

  • Secure, password-protected devices and encrypted storage for electronic records

  • Locked filing cabinets for any paper notes

  • Restricted access to my systems

  • Regular review of security procedures to ensure ongoing protection

Your Rights

You have the following rights under data protection laws:

  • the right to access the personal information I hold about you;

  • the right to ask me to correct any inaccurate data;

  • the right to ask for the deletion of data in certain circumstances;

  • the right to request restriction of processing;

  • the right to object to my use of your data where I rely on legitimate interests, such as the retention of records after therapy ends;

  • the right to data portability (where applicable);

  • the right to withdraw consent where I rely on consent.

If you wish to exercise any of these rights, please contact me using the details above.

You can read more about your rights at ico.org.uk/your-data-matters

How to complain

If you have any concerns about my use of your personal data, you can make a complaint to me using the contact details at the top of this privacy notice.

If you remain unhappy with how I’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Version: 1.0. Updated: Nov 2025.


© Amy Butlin 2025. All rights reserved.

Get in touch:

Privacy Notice