Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

Andreea Horhocea
Trading as Next Generation Therapy
Colchester Business Centre
1 George Williams Way
Colchester CO1 2JS

Email: andreeatherapytoday@gmail.com

ICO Registration Number: ZB877923

I am a registered member of the British Association for Counselling and Psychotherapy (BACP) and hold professional indemnity insurance as required for practice.

2. Information I Collect

Website Enquiries

When you submit the contact form on this website, I collect:

• Your name
• Email address
• Telephone number (if provided)
• Your preferred contact method
• Who the enquiry relates to (yourself, a child, teenager, or other)
• The content of your message

Therapy Clients

If you become a therapy client, I will also collect:

• Contact details for you and, where relevant, a parent or guardian
• Emergency contact details
• GP details (for safety purposes)
• Information about your mental health, wellbeing, and personal circumstances discussed during sessions
• Clinical notes and records
• Payment information

Website Analytics

With your consent, I collect anonymised data about how you use this website through Google Analytics and Vercel Analytics. This includes pages visited, time on site, and general geographic location. This data cannot identify you personally. See the Cookie Policy for details.

3. Special Category Data

Psychotherapy inherently involves processing special category data under Article 9 of UK GDPR. This includes information concerning your mental and physical health.

Legal basis for processing:

• Article 9(2)(a) — Your explicit consent, obtained before therapy begins through the therapy agreement
• Article 9(2)(h) — Processing is necessary for the provision of health care by a health professional bound by professional confidentiality obligations

I am bound by the BACP Ethical Framework for the Counselling Professions, which imposes strict confidentiality obligations.

4. Legal Basis for Processing

I process your personal data on the following legal grounds:

• Website enquiries: Legitimate interests in responding to your enquiry (Article 6(1)(f))
• Therapy services: Performance of the therapy contract between us (Article 6(1)(b))
• Clinical records: Legal obligation to maintain adequate records (Article 6(1)(c)) and legitimate interests in defending potential claims (Article 6(1)(f))
• Analytics cookies: Your consent (Article 6(1)(a))
• Safeguarding disclosures: Vital interests (Article 6(1)(d)) or legal obligation (Article 6(1)(c))

5. How I Use Your Information

• To respond to your enquiries and arrange appointments
• To provide psychotherapy services
• To maintain clinical records as required by professional guidelines
• To process payments for services
• To comply with legal, regulatory, and professional obligations
• To improve this website through anonymised analytics
• To protect your vital interests or those of another person in emergencies

6. Limits of Confidentiality

Confidentiality is fundamental to the therapeutic relationship. However, there are limited circumstances where I may be required or permitted to share information without your consent:

• Safeguarding: If I believe you or another person (particularly a child or vulnerable adult) is at serious risk of harm, I have a duty to share relevant information with appropriate authorities
• Legal requirements: If required by a court order or where there is a legal duty to disclose (e.g., terrorism-related offences, money laundering)
• Serious crime: In rare circumstances where disclosure may prevent a serious crime
• Your explicit consent: Where you have given written consent for information to be shared with a named third party

These limits are explained in the therapy agreement and discussed at the start of therapy.

7. Clinical Supervision

As a BACP registered therapist, I receive regular clinical supervision. This is a professional requirement that ensures the quality and safety of the therapy I provide.

During supervision, I may discuss clinical work using anonymised information that does not identify you. My supervisor is also bound by professional confidentiality obligations.

8. Children and Young People

I work with children aged 4 and above and teenagers. For clients under 16, a parent or person with parental responsibility must consent to therapy and sign the therapy agreement.

Online therapy: Is only available for clients aged 16 and over. This is a safeguarding measure to ensure confidentiality cannot be compromised by family members overhearing sessions.

Confidentiality with young people: I encourage trust and openness by maintaining appropriate confidentiality with young clients, while keeping parents informed of general progress. The limits of confidentiality, including safeguarding duties, are explained to both the young person and their parent/guardian.

9. Safeguarding and Background Checks

As part of my commitment to safeguarding, I hold an Enhanced DBS (Disclosure and Barring Service) check, which is renewed in accordance with BACP professional requirements. This is standard practice for therapists working with children and young people.

DBS checks help ensure that practitioners working with vulnerable groups have been appropriately vetted. My current Enhanced DBS certificate is valid and available for verification upon request.

10. Data Retention

• Website enquiries: Deleted within 6 months if you do not become a client
• Adult client records: Retained for 7 years after therapy ends, in accordance with BACP guidance and professional indemnity insurance requirements
• Records for clients who were children: Retained until 7 years after the client turns 18, or 7 years after therapy ends, whichever is longer
• Analytics data: Retained according to Google Analytics and Vercel policies (typically 14-26 months)

After the retention period, records are securely destroyed in accordance with data protection requirements.

11. Data Security

I take appropriate technical and organisational measures to protect your data:

• Paper records are stored in a locked cabinet in a secure location
• Electronic records are password-protected and encrypted where possible
• I use secure, password-protected devices
• Online sessions use encrypted video platforms
• Email communications are not fully secure; sensitive information should not be sent by email

12. International Data Transfers

Some third-party services I use are based outside the UK. Where data is transferred internationally, it is protected by:

• Vercel & Google: UK-US Data Bridge certification and Standard Contractual Clauses
• Resend (email service): Standard Contractual Clauses and appropriate safeguards

These mechanisms ensure your data receives equivalent protection to UK GDPR standards.

13. Third-Party Processors

I use the following third-party services:

• Resend: Email delivery for contact form submissions
• Google Analytics: Website analytics (with your consent, IP anonymised)
• Vercel: Website hosting and performance analytics (with your consent)

Each processor is contractually bound to process data only on my instructions and to maintain appropriate security measures.

14. Your Rights

Under UK GDPR, you have the following rights:

• Access: Request a copy of your personal data (Subject Access Request)
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data (subject to legal retention requirements)
• Restriction: Request that processing be limited in certain circumstances
• Portability: Receive your data in a structured, machine-readable format
• Object: Object to processing based on legitimate interests
• Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any right, contact me at andreeatherapytoday@gmail.com. I will respond within one month. There is no fee for most requests.

Note: Some rights may be limited where I have a legal obligation to retain data or where erasure would prevent me from defending legal claims.

15. Data Breaches

In the unlikely event of a data breach that poses a risk to your rights and freedoms, I will notify the ICO within 72 hours and inform you without undue delay if the breach is likely to result in a high risk to you.

16. Cookies

This website uses cookies. For full details, see the Cookie Policy.

17. Data Protection Complaints Procedure

Under the Data (Use and Access) Act 2025, I maintain a documented data protection complaints procedure. If you have concerns about how your personal data is handled:

1. Submit your complaint: Contact me by email at andreeatherapytoday@gmail.com or by post at the address above. Please describe your concern and, if relevant, the specific data involved.
2. Acknowledgement: I will acknowledge your complaint within 5 working days of receipt.
3. Investigation: I will investigate your complaint thoroughly, which may involve reviewing the data processing in question and any relevant records.
4. Response: I will provide a substantive written response within 28 days. If the matter is complex and requires additional time, I will inform you of the revised timeframe.
5. Resolution: If I find that your complaint is justified, I will take appropriate action to remedy the issue and prevent recurrence.

18. Information Commissioner's Office

If you are not satisfied with my response, or at any time, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Post:Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

The ICO recommends that you raise concerns with me first, as I may be able to resolve the matter more quickly.

19. BACP Complaints

For complaints about therapy services (as opposed to data handling), you may contact the BACP:

• Website: BACP Complaints Procedure
• My BACP Profile: View my registration

20. Changes to This Policy

I may update this Privacy Policy from time to time. Material changes will be communicated to current clients directly. The date at the top indicates when the policy was last revised.

21. Contact

For any questions about this Privacy Policy or your personal data, contact:

Andreea Horhocea
Email: andreeatherapytoday@gmail.com
Telephone: 07448 036017