Banbury Therapy Group – Client Privacy Policy

Banbury Therapy Group are committed to keeping your personal data secure and this privacy policy sets out how we use and protect any information you give to us.

Registered name: PB&H Ltd – Trading as Banbury Therapy Group 

ICO Registration Number: Z1273191

This privacy notice explains how we (the “controller”) collect, use, share and keep your personal information when you enquire about or receive therapy with us. We aim to write in clear, plain language.
If anything is unclear, please contact us using the details below.

About Us

Controller: PB&H Ltd – Trading as Banbury Therapy Group
Postal address: Darwin House, 19 Parsons Street, Banbury, Oxfordshire, OX16 5LY
Telephone: 01295 231320
Email: info@banburytherapygroup.com

Banbury Therapy Group provide counselling and training services to individuals and organisations.

What information we collect and why

We collect only the information needed to provide safe, effective therapy and to run our service lawfully. This may include:
• Identification and contact details (name, address, phone, email)
• Demographics and preferences (date of birth, pronouns)
• Health and wellbeing information relevant to therapy (presenting issues, history, medication, risk or safeguarding concerns)
• Session notes and attendance records
• Emergency contact details
• GP/health professional details (where relevant)
• Payment and booking information (invoices, receipts; we do not store full card numbers)

Purposes:
• To respond to your enquiry and arrange appointments
• To deliver therapy and supervise the quality and safety of our work
• To manage our relationship with you (bookings, reminders, changes)
• To meet legal, regulatory and insurance obligations (for example, safeguarding or tax records)
• To maintain the security and integrity of our systems

Our lawful bases for using your information

Under Article 6 UK GDPR we rely on the following lawful bases:
• Contract – to provide therapy as agreed with you and manage your appointments.
• Legitimate interests – to run our service efficiently and safely (for example, diary management and supervision).
• Legal obligation – to meet our legal duties (for example, safeguarding, accounting and HMRC record‑keeping).
• Vital interests – where there is a serious and immediate risk to life or safety.

Special category data (health information):
Under Article 9 UK GDPR, we usually rely on your explicit consent to process health information shared in therapy. We may retain counselling records after therapy to establish, exercise or defend legal claims. In rare emergencies we may also rely on the vital interests condition.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added, and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. 

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website to tailor it to customer needs. We only use this information for statistical analysis, and then the data is removed from the system. 

Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you other than the data you choose to share with us. 

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Who we share information with

We treat your information as confidential. We only share it when necessary and lawful:
• Clinical supervision – we discuss our work in supervision to ensure safe, ethical practice. Material is anonymised wherever possible.
• GPs/other health professionals – normally with your permission. We may share without consent if there is a serious risk of harm or a legal requirement.
• Professional bodies/complaints – we may seek anonymised guidance from bodies such as BACP. If you make a formal complaint, we may need to share identifiable information to respond.
• Payment processing – card payments are processed securely by Stripe. We do not store full card details; Stripe stores them and we can only see a limited view.
• Legal and regulatory – we may share information where required by law (for example, a court order) or to HMRC for accounting records.

We have contracts in place with our service providers where required, and we ensure they only use your data for our purposes and keep it secure.

International transfers

Some providers (for example, payment processors) may process personal data outside the UK. Where this happens, we ensure appropriate safeguards approved under UK data protection law (for example, the UK International Data Transfer Agreement or the UK Addendum to EU Standard Contractual Clauses, or an adequate decision) are in place.

How we keep information secure

We are committed to ensuring your information is secure.  In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we hold about you.

• Paper notes are kept in a locked filing cabinet.
• Digital notes and assessments are stored in a password‑protected system with access restricted to authorised staff.
• We limit access to your information to those who need it and train our staff in confidentiality and data protection.
• We review our security measures regularly.

How long we keep information (retention)

• Therapy records (including session notes): 7 years from the end of your contact with us, then securely destroyed.
• Records for clients under 18: retained until their 25th birthday, or 8 years after therapy ends (whichever is later), then securely destroyed.

Where we get information from

• Directly from you (enquiry, assessment, therapy sessions)
• From a referrer such as your GP or another health professional (if applicable). If we receive your details from a third party, we will provide you with this privacy notice within one month.

Your data protection rights

You have rights over your information, including the right to access, correct or erase your personal data; to object to or restrict certain processing; and to data portability in some circumstances. Where we rely on consent, you can withdraw it at any time. These rights may be limited by legal or professional obligations (for example, where disclosure could cause serious harm or reveal another person’s information).

To make a request, contact us using the details above. We will respond without undue delay and within one month. You also have the right to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we use your data (see below).

Do you have to provide your data?

You are not legally required to provide personal data to us. However, if you choose not to provide information we reasonably need to deliver therapy safely, we may not be able to offer or continue therapy.

Automated decision‑making

We do not use your personal data for automated decision‑making or profiling.

How to complain

Please contact us first so we can try to resolve your concern.

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Online: https://ico.org.uk/make-a-complaint

Last updated

20 August 2025

2