Legal

Privacy Policy

Last updated: March 2026

Your privacy matters. This policy explains how I collect, use, and protect your personal information when you use this website or engage with my therapy services. I am committed to handling your data with care, in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who I Am

The data controller for this website and therapy practice is:

Name: Roy Lam (Ka Yiu Lam), trading as Therapy with Roy
Email: roy@therapywithroy.co.uk
Phone / WhatsApp: 07824 426000
Website: therapywithroy.co.uk
ICO Registration Number: ZC100652

2. What Personal Data I Collect

Category	Examples	How Collected
Contact details	Name, email address, phone number	Acuity booking form; Google Forms intake form
Booking information	Appointment type, date, time	Acuity Scheduling
Payment information	Transaction records (no card data stored by me)	Stripe via Acuity
Health and wellbeing information	Reason for seeking therapy, relevant background shared in sessions	Google Forms intake form, sessions
Session notes	Brief notes to support continuity of care	Recorded by me during/after sessions
Session recordings	Google Meet video recording of a therapy session	Only where you have given explicit prior consent via your Client Agreement; for clinical supervision purposes only
Communication records	Emails or messages relating to bookings	Email, WhatsApp
Website usage data	Pages visited, time on site (anonymised)	Google Analytics 4 (with your consent)

I do not collect any data from children. My services are for adults only.

3. Legal Basis for Processing

Contract: To deliver therapy services you have booked and paid for.
Legal obligation: To comply with BACP ethical requirements and applicable law.
Legitimate interests: To manage bookings, respond to enquiries, and maintain appropriate clinical records.
Explicit consent: For website analytics cookies (you may accept or decline via the cookie banner); and for any session recording (you may grant or withhold this separately via your Client Agreement — it is entirely optional and will never affect your access to therapy).

4. How I Use Your Data

To schedule, manage, and deliver your therapy sessions
To process payments securely
To send appointment confirmations and reminders
To maintain clinical records as required by BACP guidance
To respond to your enquiries
To support clinical supervision (session recordings only, where explicit consent has been given)
To understand how visitors use this website (analytics, with consent only)

I do not use your personal data for marketing purposes and will never sell or share your data with third parties for commercial gain.

5. Confidentiality and Supervision

Everything discussed in your sessions is confidential. As a BACP Registered Member, I am required to attend regular clinical supervision. Aspects of our work may be discussed with my supervisor in an anonymised form — your full name and any identifying details will never be disclosed. My supervisor is bound by the same professional standards of confidentiality.

Where you have consented to session recording, recordings shared with my supervisor for supervision purposes are treated with the same strict confidentiality and deleted promptly after use (see Section 9).

There are limited circumstances in which I may be required to break confidentiality:

If I have serious concerns that you or someone else is at risk of significant harm
Where disclosure is required by law, including safeguarding duties, prevention of serious crime, or acts of terrorism

Where possible, I will discuss any need to break confidentiality with you before taking action.

6. Third-Party Processors

I use the following trusted third-party services to deliver my practice. Each is bound by its own data protection obligations.

Service	Purpose	Data Shared	Privacy Policy
Acuity Scheduling	Appointment booking and reminders	Name, email, phone, appointment details	acuityscheduling.com
Stripe	Payment processing	Transaction data (card data not stored by me)	stripe.com
Google Forms	Client intake form (sent by Roy after the initial consultation, prior to first therapy session)	Name, contact details, reason for seeking therapy, relevant health and personal background	policies.google.com
Google Workspace & Google Meet	Email, calendar, video sessions, and temporary storage of session recordings (where consent given)	Communication content, meeting data, session recordings (consent-only)	policies.google.com
WhatsApp (Meta)	Booking-related communication (if you initiate contact via WhatsApp)	Name, phone number, message content	whatsapp.com
Netlify	Website hosting	Standard server logs (IP address, browser type)	netlify.com
Google Analytics 4	Website analytics (consent-gated)	Anonymised usage data (only if you accept cookies)	policies.google.com
DocuSeal	Electronic signing of client agreement	Name, signature, date	docuseal.com

7. International Data Transfers

Some of the third-party services listed above (including Google, Stripe, Acuity Scheduling, and Meta/WhatsApp) may process your data outside the UK. Where this occurs, I rely on those providers operating under appropriate safeguards recognised under UK data protection law, including UK adequacy regulations or Standard Contractual Clauses (SCCs). Each provider’s privacy policy (linked above) sets out the specific transfer mechanisms they rely upon.

8. How Your Data is Stored

Session notes are recorded on paper during sessions and transferred to a fully encrypted, password-protected personal laptop (FileVault/BitLocker enabled). Paper notes are securely destroyed by cross-cut shredding once digitised.
Emails and booking information are held within Google Workspace and Acuity Scheduling respectively, both of which operate with appropriate security standards.
Intake form responses are submitted via Google Forms and stored within Google Workspace, accessible only by me.
Session recordings (where consent has been given) are stored temporarily in an encrypted, access-restricted Google Drive folder. Recordings are never shared beyond my clinical supervisor and are deleted promptly after the relevant supervision session.
I do not store payment card details. All payments are processed securely by Stripe.

9. Retention Period

Client records (including session notes and the signed client agreement) are retained for 7 years from the date of our last session, in line with BACP guidance. After this period, records are securely destroyed.

Session recordings are subject to a separate, shorter retention period: they are permanently deleted within 30 days of the supervision session for which they were used, and no later than 30 days after the recording was made if not used in supervision.

10. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

Access: You may request a copy of the personal data I hold about you.
Rectification: You may ask me to correct any inaccurate data.
Erasure: You may ask me to delete your data, subject to any legal or ethical retention obligations.
Restriction: You may ask me to restrict how I process your data in certain circumstances.
Portability: You may request your data in a portable, machine-readable format where applicable.
Objection: You may object to processing based on legitimate interests.
Withdraw consent: Where processing is based on your consent — including consent to session recording — you may withdraw that consent at any time by contacting me at roy@therapywithroy.co.uk. Withdrawal will not affect the lawfulness of any processing carried out before withdrawal, and will never affect your access to therapy.

To exercise any of these rights, please contact me at roy@therapywithroy.co.uk. I will respond within one calendar month.

11. Cookies

This website uses two types of cookies:

Functional cookies: Used by Acuity Scheduling to enable the booking system to work correctly. These are strictly necessary and cannot be declined.
Analytics cookies: Used by Google Analytics 4 to help me understand how visitors use this site. These are only placed on your device if you click Accept on the cookie banner. If you decline, no analytics data is collected. IP anonymisation is enabled, meaning your full IP address is never stored by Google.

You can withdraw consent for analytics cookies at any time by clearing your browser cookies and declining again on your next visit.

12. Complaints

If you have a concern about how I handle your personal data, please contact me first at roy@therapywithroy.co.uk so I can try to resolve it.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113

13. Changes to This Policy

I may update this policy from time to time to reflect changes in the law or my practice. Any material changes will be noted at the top of this page with an updated date. I encourage you to review this policy periodically.