POLICIES & GDPR 

Privacy Policy

Last updated: 9 July 2026

Who we are

Sarah Bosence psychotherapy is a private psychotherapy practice run by Sarah Louise Bosence. I am registered with the Information Commissioner's Office (ICO) under registration number ZB548598.

If you have any questions about how I handle your personal data, you can contact me at sarahbosencetherapy [at] gmail.com (please replace [at] with @ when emailing).


What personal data we collect

I collect and process the following types of personal data:

  • Contact details — your name, address, telephone number, and email address
  • Emergency contact details — name and contact number for someone I can reach in an emergency
  • Health and therapy-related information — your presenting issues, relevant medical history, current medications, GP details, and information about your mental and emotional wellbeing
  • Session notes — my professional notes about our therapy sessions together
  • Contract and consent records — signed therapy agreements and consent forms
  • Financial records — invoices and payment information
  • Enquiry details — information you submit via the contact form on my website

Important: Health and therapy-related information is classified as "special category data" under Article 9(1) of the UK GDPR. This type of data receives enhanced legal protection because of its sensitive nature, and I take additional care to keep it secure.


How we collect your data

I collect your personal data directly from you:

  • When you first contact me to enquire about therapy
  • During our initial assessment or intake session
  • Throughout our therapeutic work together
  • Via email, telephone, or video call communications
  • When you submit the contact form on my website

I do not collect personal data about you from other sources without your knowledge.


Why we process your data — lawful basis

Under UK GDPR, I must have a valid legal reason (a "lawful basis") to process your personal data. Because therapy involves health-related information, I rely on two separate legal bases:

Article 6 basis (general personal data): Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us. This means I need to process your data to provide the therapy service you have engaged me for.

Article 9 basis (special category health data): Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional. The additional condition required under the Data Protection Act 2018 is Schedule 1, Part 1, paragraph 2 (health or social care purposes). This processing is carried out by a qualified psychotherapist subject to the professional obligation of confidentiality under the BACP Ethical Framework for the Counselling Professions.


Professional obligations and CPD

I am required by BACP to attend regular clinical supervision as part of maintaining safe and ethical practice. I may discuss our therapeutic work with my supervisor. When I do so:

  • Your name and any identifying details are not shared with my supervisor
  • I use anonymised or pseudonymised case material only
  • My clinical supervisor is a qualified professional bound by the same confidentiality obligations as I am
  • My supervisor is bound by their own professional code of ethics and practice

I also share limited financial information (invoice data only) with an external accountant or bookkeeper for the purposes of managing my practice accounts. They do not have access to your therapy notes, health information, or any clinical details.


Clinical will — what happens to your records if I am unable to practise

I have appointed a Clinical Executor — a trusted fellow therapist — who will act on my behalf if I become seriously ill, incapacitated, or die unexpectedly.

If this happens, my Clinical Executor will:

  • Contact you (or your emergency contact) to let you know what has happened
  • Offer information about continuing therapy with another practitioner if appropriate
  • Ensure all client records remain secure and confidential
  • Retain records securely until the end of the applicable retention period
  • Securely destroy records only after the retention period has ended

My Clinical Executor is bound by the same professional confidentiality obligations as I am and will not access the content of your records beyond what is necessary to fulfil these duties.


Who we share your data with

I do not sell your personal data to anyone, and I never will.

Beyond the limited sharing described above (anonymised material with my clinical supervisor; invoice data with my external accountant or bookkeeper), I use the following third-party services which may process some of your data:

  • Zoom (Zoom Video Communications Inc, USA) — for online therapy sessions
  • Google reCAPTCHA (Google LLC, USA) — to protect the contact form on my website from spam
  • Google Maps (Google LLC, USA) — embedded map showing my practice location
  • Mapbox (Mapbox Inc, USA) — embedded mapping on my website
  • Vimeo (Vimeo Inc, USA) — embedded video content on my website

Each of these services operates under its own privacy policy and data processing agreements. I choose services that take data protection seriously, but I encourage you to review their privacy policies if you would like more detail.


International data transfers

The following third-party services I use may transfer personal data outside the United Kingdom:

  • Google Maps (Google LLC, USA)
  • Mapbox (Mapbox Inc, USA)
  • Google reCAPTCHA (Google LLC, USA)
  • Zoom (Zoom Video Communications Inc, USA)

Where data is transferred to the USA, I rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025. The USA does not currently have a UK adequacy decision.

Details of these safeguards are set out in each provider's own privacy documentation.


How long we keep your data

I keep your personal data only for as long as necessary. My retention periods are:

  • Therapy records (adult clients): 7 years after our last session, in line with the Limitation Act 1980 and standard professional indemnity insurance requirements
  • Therapy records (clients under 18 at the time of therapy): until the client reaches the age of 25
  • Financial records: 6 years, as required by HMRC
  • Website enquiries (non-clients): 12 months

After the applicable retention period ends, paper records are securely destroyed and electronic records are permanently deleted.


Your rights under UK GDPR

You have the following rights regarding your personal data:

  1. The right to be informed — to know how I collect and use your data (this privacy policy fulfils that right)

  2. The right of access — to request a copy of the personal data I hold about you. Under the Data (Use and Access) Act 2025, I will conduct a reasonable and proportionate search when responding to your request.

  3. The right to rectification — to ask me to correct any inaccurate or incomplete data

  4. The right to erasure — to ask me to delete your data. However, this right is not absolute. I may need to retain your records until the end of the applicable retention period where required by professional guidelines, insurance obligations, or law.

  5. The right to restrict processing — to ask me to limit how I use your data in certain circumstances

  6. The right to data portability — to receive your data in a commonly used format so you can transfer it elsewhere

  7. The right to object — to object to certain types of processing (though this is unlikely to apply to therapy records held under contract)

  8. Rights related to automated decision-making — I do not use automated decision-making or profiling in my practice

To exercise any of these rights, please contact me at sarahbosencetherapy [at] gmail.com (please replace [at] with @ when emailing). I will respond within one month.


Data protection complaints — your right under the Data (Use and Access) Act 2025

You have the right to make a data protection complaint directly to me. I take all complaints seriously and will do my best to resolve any concerns.

To make a complaint, you can:

If you are not satisfied with my response, you have the right to escalate your complaint to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Confidentiality exceptions

Everything you share in therapy is confidential. However, there are limited circumstances where I may need to share information without your consent:

  • Risk of serious harm — if I believe you or someone else is at serious risk of harm
  • Safeguarding concerns — if there are concerns about the safety of a child or vulnerable adult
  • Legal requirement — if ordered to disclose information by a court of law

In these rare situations, I will always try to discuss this with you first, unless doing so would itself put someone at risk.


Changes to this policy

I review this privacy policy annually and whenever my practices change. If I make significant changes that affect how I handle your data, I will let you know.

You can always find the current version of this policy on my compliance page at https://sarahbosencepsychotherapy.policydiary.co.uk.

Cookie policy

Cookie Policy

Last updated: 9 July 2026

What Are Cookies

Cookies are small text files that websites place on your device when you visit them. They help websites remember your preferences and understand how visitors use the site. Some cookies are essential for the website to function, while others are used by third-party services we embed on our pages.

Cookies We Use

Essential Cookies (No Consent Required)

These cookies are strictly necessary for the website to function properly. They do not collect personal data for marketing purposes and cannot be switched off.

Cookie NamePurposeDurationpolicydiary_consentRemembers your cookie consent choice so you are not asked repeatedly12 months

Non-Essential Cookies and Embedded Content (Activated Only With Your Consent)

The following third-party services may set cookies or collect data when you interact with embedded content on our website. These are only activated after you click "Accept" on our consent banner.

Vimeo

We embed Vimeo videos on our website. Vimeo (Vimeo Inc, USA) sets cookies when embedded video content loads on a page. This requires your consent under PECR. We recommend Vimeo's "Do Not Track" embed option where possible.

Mapbox

We embed Mapbox maps on our website. Mapbox Inc (USA) may collect technical information when you interact with the map.

How Consent Works on This Website

When you first visit our website, you will see a consent banner with two options: "Accept" and "Reject non-essential".

  • If you click Accept, non-essential cookies and embedded content from Vimeo and Mapbox will be activated.
  • If you click Reject non-essential, these cookies and embedded content will remain switched off. The website will continue to work normally.

Your choice is remembered for 12 months in the essential preference cookie (policydiary_consent).

I take a consent-first approach on this website. No non-essential cookie is set without your prior consent.

How to Change Your Choice or Manage Cookies

Changing your consent choice on this website

If you want to change your cookie preferences for this website, simply delete this site's cookies in your browser settings. The next time you visit, the consent banner will appear again and you can make a different choice.

Managing cookies in your browser

You can also control cookies through your browser settings. Most browsers allow you to:

  • See what cookies are stored on your device
  • Delete cookies individually or all at once
  • Block cookies from specific websites
  • Block all cookies (though this may affect how some websites work)

For detailed instructions on managing cookies in different browsers, visit aboutcookies.org.

Your Rights

Your consent is freely given. You may refuse or withdraw consent at any time without it affecting your ability to use this website. The website will continue to function normally if you reject non-essential cookies.

Updates to This Policy

I will update this cookie policy if our use of cookies changes. Any significant changes will be reflected on this page.


Contact

If you have any questions about cookies on this website, please contact me:

Sarah Louise Bosence sarahbosencetherapy [at] gmail.com

Sarah Bosence psychotherapy is registered with the Information Commissioner's Office (ICO), registration number ZB548598.

Data Retention Policy

Last updated: 9 July 2026

Sarah Bosence Psychotherapy

This policy explains how long I keep your personal information, why I keep it, and what happens to it when it is no longer needed.


1. Why I Retain Your Data

I am required to keep records of our therapeutic work for several important reasons:

  • Legal obligations — The Limitation Act 1980 sets time limits during which legal claims can be brought, meaning records may be needed to respond to any future claims
  • Professional standards — As a BACP member, I am bound by ethical guidelines requiring me to maintain accurate records of the therapy I provide
  • Insurance requirements — My professional indemnity insurance requires me to retain records for a specified period in case a claim is made
  • Tax compliance — HMRC requires financial records to be kept for at least six years

2. Retention Periods

Type of RecordRetention PeriodReasonClient therapy records (adults)7 years after our last sessionIn line with the Limitation Act 1980 and standard professional indemnity insurance requirementsClient therapy records (clients under 18 at time of therapy)Until the client reaches the age of 25In line with the Limitation Act 1980 and standard professional indemnity insurance requirementsEnquiry and contact data (non-clients)12 monthsTo respond to your enquiry and follow up if appropriateFinancial records and invoices6 yearsHMRC requirementInsurance records7 yearsTo evidence cover in the event of a claimWebsite contact form submissions12 monthsUnless they become part of an ongoing client relationship


3. What I Retain

The records I keep may include:

  • Session notes — A record of our therapeutic work together
  • Contact details — Your name, address, telephone number, and email address
  • Payment records — Invoices, receipts, and records of payments made
  • Correspondence — Emails, letters, and other communications between us
  • Assessment and consent forms — Information gathered at the start of therapy
  • Emergency contact details — Details of someone to contact in an emergency, if provided

4. How Your Data is Stored

I take the security of your personal information seriously:

  • Electronic records are held on password-protected devices with access restricted to me alone
  • Paper records are kept in a locked filing cabinet in a secure room, with access restricted to me alone
  • Clinical Executor access — In the event of my death or incapacity, my appointed Clinical Executor will have access to records solely for the purpose of contacting clients and managing records securely until the end of the applicable retention period

My clinical supervisor receives anonymised case material only, meaning no information that could identify you is shared. My external accountant or bookkeeper has access to invoice data only for the purpose of managing my accounts.


5. Your Right to Erasure

Under UK GDPR, you have the right to request that I delete your personal data. However, this right is not absolute. I may need to retain your records until the end of the applicable retention period where this is required by:

  • Professional guidelines
  • Insurance requirements
  • Legal obligations

If you ask me to delete your data and I am unable to do so, I will explain clearly why the information must be retained and for how long.


6. Secure Disposal

Once the retention period has ended:

  • Paper records are securely destroyed
  • Electronic records are permanently deleted

I do not keep any records longer than necessary. When records are due for disposal, I ensure this is carried out securely and confidentially.


7. Questions or Concerns

If you have any questions about this policy or how I handle your data, please contact me:

Email: sarahbosencetherapy [at] gmail.com
(The email above is shown with [at] in place of @ to reduce spam — please replace [at] with @ when emailing)

You can also view my full compliance documentation at: https://sarahbosencepsychotherapy.policydiary.co.uk

If you are unhappy with how I have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO). However, I would appreciate the opportunity to address your concerns first.

ICO registration number: ZB548598

GDPR

GDPR Statement

Last updated: 9 July 2026

Our commitment to your privacy

Your privacy matters deeply to me. Protecting your personal information isn't just a legal requirement — it's a fundamental part of the trust we build together in therapy. I want you to feel completely safe knowing that what you share with me is treated with the utmost care and confidentiality.

This statement explains, in plain terms, what information I collect, why I need it, and how I look after it.

What information I collect

When you work with me, I collect and keep:

  • Your name and contact details (address, phone number, email)
  • Details about what brings you to therapy (your presenting issues)
  • Notes from our sessions
  • Relevant medical or health history that helps me support you
  • Emergency contact information
  • Payment and invoicing details

Why I collect this information

I need to collect and use your information for two main reasons:

To provide therapy to you: Under Article 6(1)(b) UK GDPR, processing your information is necessary for the performance of the therapeutic contract between us. Put simply, I cannot offer you therapy without knowing who you are and keeping appropriate records of our work together.

Because therapy involves health information: Some of what you share with me counts as "special category" health data, which has extra protection under the law. I process this under Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional. The additional DPA 2018 Schedule 1 condition is Part 1, paragraph 2 (health or social care).

Professional obligations and supervision

As a practitioner registered with BACP, I am required to discuss my clinical work in supervision. This is an essential part of maintaining safe, effective practice and is for your benefit.

Your identity is protected: I do not share your name or any identifying details with my supervisor. My clinical supervisor receives anonymised case material only and is bound by their own professional confidentiality obligations.

Clinical will arrangements

I have appointed a Clinical Executor — a trusted fellow therapist — who would step in if I were ever unable to continue practising due to serious illness or death. In such circumstances, my Clinical Executor would:

  • Contact you to let you know what has happened
  • Handle your records with complete confidentiality
  • Retain your records securely until the end of the applicable retention period
  • Securely destroy your records only after the retention period has ended

This arrangement ensures you would be informed and supported, and that your records remain protected.

Who else may see your information

Beyond myself, the following people or services may have limited access to your information:

  • Clinical supervisor — anonymised case material only, with no identifying details
  • External accountant or bookkeeper — invoice data only, for accounting purposes
  • Service providers — I use several third-party tools to run my practice:
    • Vimeo (for video content on my website)
    • Google Maps and Mapbox (for location information on my website)
    • Google reCAPTCHA (to protect my contact form from spam)
    • Zoom (for online therapy sessions)
  • Statutory authorities — only where I am legally required to share information

When I might need to break confidentiality

Confidentiality is central to our work together, and I take it very seriously. However, there are rare circumstances where I may need to share information without your consent:

  • If there is a serious risk of harm to you or someone else
  • If there are safeguarding concerns involving a child or vulnerable adult
  • If I receive a court order requiring disclosure

Wherever possible, I will always try to discuss this with you first.

How long I keep your records

I keep your records for 7 years after our last session. If you were under 18 when we worked together, I keep your records until you reach the age of 25, or for 7 years after our last session — whichever is longer.

This retention period is in line with the Limitation Act 1980 and standard professional indemnity insurance requirements.

Your rights

You have several rights regarding your personal information:

  • See your records — you can ask me for a copy of the information I hold about you
  • Correct errors — if anything is inaccurate, you can ask me to put it right
  • Request deletion — you can ask me to delete your information, though this right is not absolute. I may need to retain your records until the end of the retention period where required by professional guidelines, insurance requirements, or law
  • Make a complaint — if you're unhappy with how I've handled your information

Making a complaint

Under the Data (Use and Access) Act 2025, you have the right to raise concerns about how your data is handled.

You can contact me directly at sarahbosencetherapy [at] gmail.com or visit my compliance page at https://sarahbosencepsychotherapy.policydiary.co.uk

You also have the right to complain to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113

I would always welcome the opportunity to address any concerns you have directly before you contact the ICO.