Your data stays safe with me. Read this policy. It is written for you, not for lawyers.
Effective from: 15th April 2026
I take your privacy seriously. This policy explains what information I collect, why I collect it, and how I keep it safe. It also explains your legal rights under UK data protection laws.
I am the data controller for your personal information. That means I decide how and why your data is processed. I am responsible for protecting it.
Please read this policy carefully. If anything is unclear, ask me. I am happy to explain in plain English.
I collect only what I need to provide safe and effective therapy. This includes:
Your full name, date of birth, address, phone number, and email address.
Emergency contact information. Your GP name and surgery address where appropriate.
Information about your mental health and wellbeing. Session notes and treatment records. Relevant personal history.
Emails, text messages, and any other correspondence between us.
Payment receipts and session booking history.
I do not collect unnecessary information. If you share something I do not need, I will tell you. You can choose what to share within clinical limits.
I collect information directly from you. This happens when you:
I do not collect information from third parties without your consent. The only exception is in an emergency where you cannot consent. That is extremely rare.
I collect your information for these reasons:
I need to understand your situation. I need to keep accurate clinical records. This is essential for your safety and mine.
I need to confirm appointments. I need to respond to your messages. I need to send you information you have asked for.
I am required to keep certain records by law and by BABCP guidelines. I may need to share information in specific legal situations like safeguarding or court orders.
I need to track payments and appointments. I need to manage cancellations and refunds fairly.
Under UK GDPR, I must have a legal reason to process your data. I rely on these bases:
You give me permission to contact you and hold your information. You can withdraw consent at any time.
Processing is necessary to provide the therapy you have booked.
I am required by law to share information in certain situations like safeguarding or court orders.
I need certain information to run my business effectively and safely. This never overrides your rights.
I take security seriously. Your information is stored as follows:
Stored on password-protected devices. Encrypted where possible. Cloud storage uses strong security and UK or EU servers only.
Stored in locked filing cabinets. Only I have access. Paper records are minimised wherever possible.
Emails are stored securely. Text messages are kept on a locked phone.
I do not use public Wi-Fi for client work. My devices have up-to-date security software. Backups are encrypted.
Only I have routine access to your information. I do not share your data with anyone unless:
For example, sharing information with your GP or another professional.
For example, safeguarding concerns or court orders. This is rare and always taken seriously.
Supervision is required for BABCP registration. I discuss anonymised cases only. No identifying details are ever shared.
I currently work alone. If this changes, any assistant will sign a confidentiality agreement and receive GDPR training.
I keep your information only as long as necessary. My retention schedule follows BABCP guidelines:
Kept for 7 years after the end of therapy. This is standard industry practice.
Kept for 6 months, then deleted securely.
Kept for 6 years for tax purposes, as required by HMRC.
After the retention period ends, all data is deleted securely. Paper records are shredded. Electronic records are permanently deleted.
Under UK GDPR, you have the following rights:
You can ask for a copy of the information I hold about you. I will respond within 30 days. There is no fee.
You can ask me to correct inaccurate or incomplete information.
You can ask me to delete your information in some circumstances. This does not apply to records I am legally required to keep.
You can ask me to stop using your data in certain ways while we resolve an issue.
You can ask for your data in a format you can transfer elsewhere. This applies to automated data only.
You can object to processing based on legitimate interests.
To exercise any of these rights, contact me in writing. I will never charge a fee unless your request is excessive or repetitive.
I take data breaches extremely seriously. If a breach occurs:
Breaches are rare. But I have a plan in case one happens.
I do not transfer your data outside the UK or European Economic Area. All my storage and processing uses UK or EU servers. If this changes in the future, I will update this policy and notify you.
I only work with adults aged 17 and over. If I have concerns about a child or vulnerable adult, I have a legal duty to act. This is explained in my confidentiality policy.
I may update this policy occasionally. Changes will be posted on my website. If changes are significant, I will notify you directly. Continued work with me after changes means you accept the updated policy.
If you believe your data has been mishandled, please tell me first. Most issues can be resolved by talking.
If you are not satisfied with my response, you can complain to the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Website: ico.org.uk
Phone: 0303 123 1113
I would appreciate the chance to resolve any issue before you contact the ICO.
For any questions about this privacy policy or to exercise your rights, please contact me directly.
Mohibul Miah (Mo)
Talk to Me – CBT
Tel: 07885616004
Email: talktomecbt@gmail.com