top of page

Privacy Policy

Last updated 29 May 2026

This policy applies to the work of Amanda Bradley Psychotherapy, c/o Oxford House Therapy, Oxford House, Upper Ground, 24 Oxford Road North, London, W4 4DH, 07552 204440.

1.  Introduction

This privacy policy explains how I collect, use, store, and protect your personal information when you engage with my psychotherapy services. I am registered with the UK Council for Psychotherapy (UKCP) and am committed to maintaining the confidentiality and security of your data in accordance with UK data protection law.

2. Data Controller

I, Amanda Bradley, am the data controller responsible for your personal data.

3. Information I Collect

I may collect and process the following categories of personal data:

  • Contact details — name, address, email, telephone number

  • Health and medical information — details relevant to your therapy, including GP details, mental health history, diagnoses, and treatment notes

  • Emergency contact details — name and contact information for someone I can reach in a crisis

  • Financial information — payment details and invoicing records

  • Session records — clinical notes, assessments, and correspondence

Health-related data is classified as special category data under UK GDPR, meaning that, unless an exception applies, holding it is strictly prohibited.  I confirm that, as a healthcare provider, I am granted permission to hold this data without explicit consent under article 9(2)(h) of the UK Data Protection Act (2018) which provides an exception to hold special category data specifically for health or social care purposes (Schedule 1, Part 1, Paragraph 2).   I also confirm that my UKCP registration binds me to an official obligation of professional secrecy (Article ((3)) and that your data is held due to legitimate interest (Article 6(1)(f)) and performance of contract (Article 6(1)(b)).

4. Legal Basis for Processing

I process your personal data based on:

 

  • legitimate interests (Article 6(1)(f)) for the purpose of providing safe and effective psychotherapy;

  • Performance of Contract (Article 6(1)(b), particularly managing payments and accounts; and

  • Provision of health or social care (Article 9(2)(h)), including safeguarding, legal obligations and vital interests.

5. How I Use Your Information

Your data is used to:

  • Assess suitability for therapy and deliver treatment

  • Maintain accurate clinical records

  • Communicate with you about appointments 

  • Process payments and manage invoices

  • Comply with legal, regulatory, and professional obligations

  • Protect your vital interests or those of others in safeguarding situations

 

6. Confidentiality

Confidentiality is central to the therapeutic relationship. I will not share your information without your consent except where:

  • There is a serious risk of harm to you or others

  • I am required to do so by law (e.g., court order, statutory safeguarding duties)

  • It is necessary for safeguarding children or vulnerable adults

  • Professional supervision requires anonymised discussion of clinical material

 

Where possible, I will discuss any disclosure with you beforehand.

7. Data Sharing

I do not routinely share your data with third parties. In limited circumstances, I may share information with:

  • Your GP or other healthcare professionals — only with your explicit consent

  • Supervisors — in anonymised or de-identified form

  • Regulators or legal authorities — where required by law

  • Payment processors — to process transactions securely

 

8. Data Retention

I retain your records in accordance with UKCP guidelines and professional best practice.  Your client records are retained for 7 years after the end of therapy.  Financial records for 6 years, as required by HMRC.  After the retention period, records are securely destroyed.

 

9. Data Security

I take appropriate technical and organisational measures to protect your data, including:

  • Encrypted electronic storage

  • Password-protected devices and systems

  • Secure, locked storage for paper records

  • Limiting access to your data to myself (and any authorised processors)

 

10. Your Rights

 

Under UK GDPR, you have the right to:

  • Access your personal data (subject access request)

  • Rectify inaccurate or incomplete data

  • Erase your data in certain circumstances ("right to be forgotten")

  • Restrict processing in certain circumstances

  • Object to processing based on legitimate interests

  • Data portability — receive your data in a structured, commonly used format

  • Withdraw consent at any time

  • Complain to the Information Commissioner's Office (ICO)

 

To exercise any of these rights, please contact me using the details above.

 

11. Online and Remote Sessions

If we work together via video, phone, or messaging platforms, I use services with appropriate security measures. However, please be aware that no online communication is entirely risk-free. I recommend you access sessions from a private, secure location.

 

12. Complaints

 

If you have concerns about how I handle your data, please contact me directly. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

 

13. Changes to This Policy

I may update this policy from time to time. Any significant changes will be communicated to you directly.

 

14. Contact

If you have any questions about this policy or your personal data, please contact me using the information above.

bottom of page