Tim Maude Hypnotherapy

Data Policy

Introduction

I operate under the trade name Tim Maude Hypnotherapy. This policy explains how I collect, use, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data (Use and Access) Act 2025.

The Data I Collect

I collect information necessary to provide hypnotherapy services to you:

  • Identity Data: Name
  • Contact Data: Address, email, phone number
  • Special Category Data: My notes collected during sessions and other communication with you, including medical and mental health details where appropriate
  • Financial Data: Payment details (processed securely via Square and Starling Bank)
  • Appointment Data: Time and date of past and future appointments
  • Third Party Data: Parents or legal guardian’s name and contact details, if the client is under 16. Attorneys’ name and contact details, if the client has a Lasting Power of Attorney (Health and Welfare). Payer’s name and contact details, if the services are being paid for by a third party.

Lawful Basis for Processing

Under UK law, I must have a lawful basis to process your data. These are:

  • Contract: I need the data I collect in order to provide hypnotherapy services to you.
  • Legitimate Interests: For administrative purposes (e.g. scheduling, invoicing, recording income).
  • Consent: For marketing communications (if you opt-in).
  • Legal Obligation: I have to store financial data for tax purposes.

How I Store and Protect Your Data

  • Digital Records: Digital records are stored on encrypted, password-protected devices and cloud based storage.
  • Paper records: I take notes on paper, which are shredded shortly after they have been transferred to digital records. I keep a paper appointments diary, which contains first names only. This is also shredded after use.

Children and Vulnerable Adults

For the purpose of protecting the wellbeing of children and vulnerable adults, I rely on the “Recognised Legitimate Interest for Safeguarding” (as defined by the Data (Use and Access) Act 2025) to share necessary information with parents, legal guardians or Attorneys.

  • Parents and Guardians: For clients under the age of 16, I will discuss needs, progress, and administrative matters with parents or legal guardians, unless there is a specific legal or safeguarding reason not to do so.
  • Attorneys (Health and Welfare): For clients who have a registered Lasting Power of Attorney for Health and Welfare, which I have seen: I will discuss needs, progress, and administrative matters with your attorney(s), unless there is a specific legal or safeguarding reason not to do so. I will only do this at times when you lack the capacity to do so yourself.

Your Data Rights

You have the following rights:

  • Access: You can request a copy of the data I hold about you.
  • Correction: You can ask me to correct inaccurate information.
  • Erasure: You can ask me to delete your data (subject to legal retention requirements).
  • Withdrawal of Consent: You can stop receiving marketing communication from me at any time.
  • Right to Complain Directly: You have a statutory right to complain directly to me. I will acknowledge any data-related complaint within 30 days and aim to resolve it without undue delay.

If you make a Subject Access Request, I will provide data that is reasonable and proportionate to your request.

Data Retention

For adult clients, I keep client records for 7 years following the last session. For clients under the age of 18, I retain records until the client reaches the age of 25. This is in accordance with legal limitation periods and insurance requirements.

For administrative efficiency, I conduct a periodic data purge, deleting data that has exceeded these data retention limits.

Sharing Your Data

All sessions with you are confidential. I do not sell or lease your data. I do not transfer your data outside of the UK. I may share minimal data with:

  • Professional Supervisors: To ensure I can deliver best practice services (your identity is kept anonymous).
  • Regulators/Insurance: If required for legal or professional audits.
  • Parents/Guardians: For clients under the age of 16, to support parents/guardians’ ability to make better health and welfare decisions for their child.
  • Legal Attorneys: Specifically, those holding a registered Lasting Power of Attorney for Health and Welfare, to support the Attorneys’ ability to make better health and welfare decisions on behalf of the client.
  • Third Party Payers: Where the services are being paid for by a third party, I will provide them with data regarding your bookings, attendance and/or non-attendance, for the purposes of invoicing.
  • Appropriate Authorities: If I am legally compelled to do so, such as by court order.
  • Anyone else: Only if you provide your written consent.

Contact Me

If you have questions about this policy or wish to exercise your rights (including making a complaint), please contact me at:

Tim Maude Hypnotherapy
tim@timmaudehypnotherapy.co.uk
07730 315503

If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at http://www.ico.org.uk.

Tim Maude

Last Updated: 28 April 2026