Who I am

Helen Jack Therapy is a private psychotherapy practice run by Helen Jack. I am registered with the Information Commissioner's Office (ICO) under registration number ZB489471.

If you have any questions about how I handle your personal data, please contact me at helen [at] helenjacktherapy.com (please replace [at] with @ when emailing).

What personal data I collect

I collect and process the following types of personal data:

• Contact details — your name, email address, telephone number, and postal address


• Appointment information — dates and times of sessions, and any changes or cancellations


• Health and therapy-related information — presenting issues, relevant medical history, mental health history, current medications, GP details, and emergency contact information


• Session notes — a brief factual record of some of the material discussed in our therapeutic work together



• Financial records — payment details and invoices


Health and therapy-related information is classified as special category data under Article 9(1) of the UK GDPR. This means it receives enhanced legal protection because of its sensitive nature.

How I collect your data

I collect personal data directly from you:

• When you first contact me to enquire about therapy


• During our initial consultation and intake process


• Throughout our sessions together


• Via email or telephone communication between sessions


I do not collect personal data about you from any other source.

Why I process your data — lawful basis

Under UK GDPR, I must have a lawful basis to process your personal data. For therapy services, I rely on two separate legal grounds:

Article 6 basis (ordinary personal data)

Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us. When you engage me as your therapist, we enter into a contract for the provision of therapy services. I need to process your personal data to fulfil that contract.

Article 9 basis (special category data)

Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional.

The additional condition required by UK law is DPA 2018 Schedule 1, Part 1, paragraph 2 (health or social care). Processing is carried out by a registered psychotherapist subject to the professional obligation of confidentiality under the UKCP Code of Ethics and Professional Practice.

Professional obligations and CPD

I am required by the UK Council for Psychotherapy (UKCP) and British Association of Counsellors and Psychotherapists (BACP) to attend regular clinical supervision. This is an essential part of maintaining safe and ethical practice. I may discuss our therapeutic work with my supervisor. When I do so:

• Your name and any identifying details are not shared with my supervisor


• I use anonymised or pseudonymised case material only


• My clinical supervisor is a qualified professional bound by the same confidentiality obligations as I am


• My supervisor is bound by their own professional code of ethics and practice


Clinical will — what happens to your records if we are unable to practise

I have appointed a Clinical Executor who will act on my behalf if I become unable to practise due to serious illness, incapacity, or death.

If this happens, my Clinical Executor will:

• Contact you to let you know what has happened


• Offer information about accessing another therapist if appropriate


• Handle your records confidentially and securely


My Clinical Executor is a fellow therapist bound by the same professional confidentiality obligations as I am. They will retain your records securely until the end of the applicable retention period (6 years after our last session) and will securely destroy them only after that period ends.

Who I share your data with

I use the following third-party services which may process your personal data:

• Squarespace — this website is hosted on Squarespace (Squarespace Inc, USA). Squarespace collects certain technical information about visitors including IP addresses and browser information.


• Google Meet — I use Google Meet for online therapy sessions. Session connection data is processed by Google LLC, USA.


Each of these services is bound by a data processing agreement. Links to their privacy policies are available on request.

I never sell your personal data.

International data transfers

The following third-party services I use may transfer personal data outside the United Kingdom:

• Squarespace (Squarespace Inc, USA)


• Google Meet (Google LLC, USA)


Where data is transferred to the USA, I rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025. The USA does not currently have a UK adequacy decision.

You can request a copy of the relevant transfer safeguards by contacting me.

How long I keep your data

I retain your data for the following periods:

Type of record: Therapy records (including session notes and therapy agreement)
Retention period: 6 years after our last session
Reason: In line with the Limitation Act 1980 and standard professional indemnity insurance requirements

Type of record: Financial records
Retention period: 6 years
Reason: HMRC legal requirement

Type of record: Website enquiries (non-clients)
Retention period: 12 months
Reason: Legitimate interest in responding to enquiries

After the applicable retention period ends, paper records are securely destroyed and electronic records are permanently deleted.

Your rights under UK GDPR

You have the following rights regarding your personal data:

Right to be informed — to know how I collect and use your personal data (this privacy policy fulfils that right)

Right of access — to request a copy of the personal data I hold about you (known as a subject access request)

Right to rectification — to ask me to correct any inaccurate or incomplete personal data

Right to erasure — to ask me to delete your personal data. However, this right is not absolute. I may need to retain your records until the end of the applicable retention period where required by professional guidelines, insurance requirements, or law.

Right to restrict processing — to ask me to limit how I use your data in certain circumstances

Right to data portability — to receive your personal data in a structured, commonly used format

Right to object — to object to certain types of processing

Rights related to automated decision-making — I do not use automated decision-making or profiling in my practice

If you make a subject access request, I will conduct a reasonable and proportionate search for your data in accordance with the Data (Use and Access) Act 2025.

To exercise any of these rights, please contact me at helen [at] helenjacktherapy.com (please replace [at] with @ when emailing).

Data protection complaints — your right under the Data (Use and Access) Act 2025

You have the right to make a data protection complaint directly to me. If you are concerned about how I have handled your personal data, please:

Submit a complaint at https://helenjacktherapy.policydiary.co.uk (Make a complaint tab), or

Contact me at helen [at] helenjacktherapy.com

I take all complaints seriously and will respond promptly.

If you are not satisfied with my response, you may escalate your complaint to the Information Commissioner's Office (ICO):

Website: ico.org.uk

Telephone: 0303 123 1113

Address: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Confidentiality exceptions

Everything you share with me in therapy is treated as confidential. However, there are specific circumstances where I may need to share information without your consent:

Risk of serious harm — if I believe there is a serious risk of harm to you or to another person

Safeguarding concerns — if I become aware of concerns about a child or vulnerable adult being at risk of abuse or neglect

Legal requirement — if I receive a court order requiring me to disclose information

In these situations, I will always try to discuss this with you first, unless doing so would itself put someone at risk.

Changes to this policy

I review this privacy policy annually and whenever my practices change. If I make any significant changes that affect how your personal data is handled, I will inform you directly.