Privacy Policy
Last updated: March 2026
1. Who We Are
The data controller responsible for your personal information is:
- Name: Roy Lam
- Trading name: Therapy with Roy
- Website: therapywithroy.co.uk
- Email: roy@therapywithroy.co.uk
- Phone: 07824 426000
- ICO Registration Number: [TO BE ADDED]
2. What Information We Collect
We collect and process the following categories of personal information:
| Category | Examples | How Collected |
|---|---|---|
| Contact details | Name, email address, phone number | Booking form (Acuity Scheduling) |
| Appointment information | Date, time, session type booked | Booking system |
| Payment information | Payment confirmation, transaction reference | Stripe (card details never seen by us) |
| Health & wellbeing information | Reason for seeking therapy, mental health history, session notes | Intake form and during therapy sessions |
| Communication records | Emails, WhatsApp messages between client and therapist | Direct communication |
Health and wellbeing information is classified as special category data under UK GDPR and is handled with the highest level of care and confidentiality.
3. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract performance — to provide therapy services you have booked and paid for
- Legal obligation — to comply with professional and regulatory requirements (BACP ethical framework, ICO registration)
- Legitimate interests — to manage appointments, process payments, and maintain client records
- Explicit consent — for special category health data, obtained via the client agreement prior to commencing therapy
4. How We Use Your Information
Your personal information is used solely to:
- Manage your bookings, appointments, and session reminders
- Process payments securely via Stripe
- Maintain confidential session notes as required by professional practice
- Communicate with you about your appointments (email or phone)
- Meet our legal and professional obligations as an MBACP-registered practitioner
We do not use your information for marketing, share it with third parties for commercial purposes, or send unsolicited communications.
5. Confidentiality & Supervision
Everything you share in therapy is treated as strictly confidential. As required by the BACP ethical framework, Roy Lam engages in regular clinical supervision to maintain professional standards. During supervision, anonymised case material may be discussed. No identifying information is ever shared with a supervisor.
There are limited circumstances in which confidentiality may need to be broken — for example, if there is a serious risk of harm to yourself or others, or if required by law. This will always be discussed with you first where possible and is explained fully in the client agreement.
6. Third-Party Services
We use the following third-party services to operate this practice. Each acts as a data processor on our behalf:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Acuity Scheduling | Appointment booking, reminders, intake forms | squarespace.com/privacy |
| Stripe | Secure payment processing | stripe.com/gb/privacy |
| Google (Workspace & Meet) | Email, calendar, and online session delivery | policies.google.com/privacy |
| Google Analytics 4 | Anonymised website usage analytics (consent required) | policies.google.com/privacy |
| Netlify | Website hosting | netlify.com/privacy |
Google Meet is used for the delivery of all online sessions. Sessions are never recorded without explicit written consent from the client.
7. How We Store Your Data
Your personal data is stored securely using the following measures:
- Digital records — stored on a password-protected, fully encrypted personal laptop (FileVault/BitLocker encryption). Access is restricted to Roy Lam only.
- Paper notes — any handwritten notes made during sessions are stored in a locked, secure location and transferred to encrypted digital storage promptly. Paper notes are securely destroyed (cross-cut shredded) once digitised.
- Booking and payment data — held securely by Acuity Scheduling and Stripe respectively, under their own GDPR-compliant frameworks.
- Email communications — stored within Google Workspace, which is encrypted in transit and at rest.
8. Retention Period
Client records are retained for 7 years from the date of the last session, in line with BACP guidance and standard professional practice. After this period, all records are securely and permanently deleted or destroyed.
If you withdraw from therapy before completing a course of sessions, records will still be retained for the full 7-year period from your last contact with us.
9. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — you may request a copy of the personal data we hold about you
- Right to rectification — you may ask us to correct inaccurate information
- Right to erasure — in certain circumstances, you may request deletion of your data (note: professional retention obligations may limit this right)
- Right to restriction — you may ask us to limit how we use your data
- Right to data portability — you may request your data in a portable format
- Right to object — you may object to processing based on legitimate interests
To exercise any of these rights, please contact us at roy@therapywithroy.co.uk. We will respond within 30 days.
10. Cookies
This website uses Google Analytics 4 to collect anonymised data about how visitors use the site (pages visited, time on site, approximate location by country). This helps us improve the website experience. Google Analytics only loads if you give your consent via the cookie banner when you first visit the site.
If you decline, no analytics cookies are set and no data is sent to Google. You can change your preference at any time by clearing your browser's local storage for this site.
The Acuity Scheduling booking widget may also set functional cookies strictly necessary for the booking process to operate. These do not track you for marketing purposes and are not subject to consent.
We use IP anonymisation within Google Analytics so your full IP address is never stored by Google.
11. Complaints
If you have a concern about how your personal data has been handled, please contact us in the first instance at roy@therapywithroy.co.uk.
If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
12. Changes to This Policy
This privacy policy may be updated from time to time to reflect changes in our practice or legal requirements. The date at the top of this page indicates when it was last revised. Continued use of our services after any changes constitutes acceptance of the updated policy.