Data Protection Information

Debbie Waller Hypnotherapy and Debbie Waller Therapies are trading names of my company, Yorkshire Therapies & Training Ltd, which is registered with the ICO – https://ico.org.uk/ESDWebPages/Entry/ZA230146.

Yorkshire Therapies & Training Ltd (“we”, “our”, “us”) are committed to protecting and respecting your privacy. This privacy notice explains how we collect, use, and protect your personal data when you visit our website, sign up for our newsletter, or book a ticket for one of our events.

The nominated Data Controller and Data Protection Officer is Debbie Waller who can be contacted via debbie.waller@btinternet.com or via the contact form on this website

1. The Personal Data We Collect from Therapy Clients

We collect and process personal data when you interact with our website or services:

  • Contact Form Data: Your name, email address, and any message you type when you use our website contact form.
  • Booking Information: Your name, email, phone number and any message you choose to send when you book a free Discovery call.
  • Payment: name, email and payment history.
  • Client intake forms and records: your name, contact details, emergency contact, your GP’s name and address, medical history including mental health information, medications, lifestyle information. Notes are kept of each treatment session and form part of my client records. These details are necessary to provide you with safe and effective therapy.
  • Technical Data: IP addresses and cookies when you browse our website.

2. Who Has Access To Your Data?

2A. I am the only person who has access to your information unless:

  • you ask me in writing to share your information with someone else,
  • we are working with you as part of a care team, or you have been referred to us by someone else (e.g. an employer), in which case pre-arranged levels of information will be shared with these relevant parties
  • Debbie Waller is temporarily or permanently rendered incapable of acting (e.g., by ill health or death) in which case her therapeutic executor (David Waller) will be given access to your contact details. David Waller will only use this information to notify clients, arrange for the secure transfer or destruction of records, and otherwise administer the closure of the practice.

2B Third party services:

We rely on trusted third-party providers to manage some services. These platforms act as “Data Processors.” Your data is handled according to their respective privacy policies:

  • Stripe to process payments for website purchases such as audio downloads, and therapy fee payments made by credit/debit card. Their privacy policy is HERE.
  • Our online forms are powered by Jotform and your form submissions are processed through their servers. Read their privacy policy HERE
  • Our online calendar is powered by ZCal and they collect and store your name and contact details when you book an appointment. Read their privacy information HERE.
  • If you contact us on social media your messages will be stored on their servers.
  • Our accounts are kept on Zoho books, which stores your name, email address and payment history. Their privacy policy is HERE.

2C. Safeguarding and exceptions to confidentiality

Exceptions to the confidentiality rules are set out by hypnotherapy professional bodies under a provision called the ‘Duty of Care’. We may choose to reveal information about you to the appropriate person or authority if:

  • there is a legal requirement to share information (for example, a court order or warrant is issued),
  • there is good cause to believe that not disclosing information will expose you or others to a serious risk of harm (for example, if you are at risk from suicide or abuse, or taking part in serious law-breaking).

The Code of Ethics also allows us to share anonymous case histories verbally or in hypnotherapy publications for the purposes of supervision or training. Anonymous means your personal details are removed and small details about your situation are changed so that you cannot be recognised.

The Duty of Care provision applies to everyone, but you can opt out of the use of anonymised case material by dropping me an email.

3. Lawful Basis (How and Why We Use Your Data)

You are not obliged to provide us with personal information, but if you do not, we will not be able to communicate with you or provide any therapy services.

We only use your information for specific reasons, relying on the following lawful bases under UK GDPR.

  • Contractual Necessity: We process your personal information to assess your suitability for therapy, arrange appointments, maintain clinical records, and provide the therapeutic services you have requested.
  • Explicit Consent: Where we process special category data, such as information about your physical or mental health, we do so with your explicit consent, which is obtained separately through our client intake process.
  • Legitimate Interest (GDPR Article 6(1)(f)): If you contact us by phone, or through our website or social media, it is in our legitimate interest to use your contact details to reply. This is so that we can provide efficient customer service, manage client relations and handle incoming queries about our activities.

4. Data Retention (How Long We Keep It)

Therapy records: Clinical records are retained for seven years after the end of therapy (or, in the case of children, until the client reaches age 25 or for seven years after the end of therapy, whichever is longer), after which they are securely destroyed.

5. Your Rights

Under UK GDPR, you have the following rights. You can read more about your rights on the ICO Website.

  • To know what data we collect, how we use it and how long we keep it,
  • To look at the data we hold about you,
  • To ask us to correct mistakes,
  • To ask us to delete your information, although there may be circumstances where we are legally entitled or professionally required to retain some records,
  • To ask us to limit some of the ways we use your data,
  • To ask us to share your data with another organisation,
  • To object to us using your data is some ways, e.g. for direct marketing,
  • Not to be subject to decisions based solely on automated processing.

To make a request, or if you have any questions about this privacy notice, please contact me.

6. Data Protection Complaints

If you have any concerns about the way we use your data, you may make a complaint.

The law is changing on 16th June, 2026. Until then, please contact https://ico.org.uk. 

After June 16th 2026, the following applies.

Company Name: Yorkshire Therapies & Training Ltd

This policy explains how you can submit a complaint to us if you believe we have mishandled your personal data or breached UK data protection laws (including the UK GDPR and Data Protection Act).

 

How to Make a Complaint

We want to make it as simple as possible for you to voice your concerns. You do not need to use formal legal language to file a complaint. You can reach out to us directly through either of the following channels:

 

Our Mandatory Response Timeline

Once we receive your data protection complaint, we will follow a strict, legally mandated response framework:

  • Acknowledgement (Within 30 Days): We will formally acknowledge receipt of your complaint within 30 days of receiving it.
  • Investigation: We will launch an internal enquiry into the matter without undue delay to understand what occurred and how to rectify it.
  • Progress Updates: If the investigation takes time (for example, due to technical complexity), we will provide you with regular, timely updates on our progress.
  • Final Outcome: We will write to you to explain the final outcome of our investigation, including any corrective actions taken, without undue delay.

 

Your Right to Escalate to the ICO

We are committed to working with you to resolve any data privacy complaints amicably. However, if you remain dissatisfied with our final decision, or if we fail to respond to you within the legal timeframes, you have the statutory right to escalate your complaint directly to the UK supervisory authority:

  • Authority: Information Commissioner's Office (ICO)
  • Website: ico.org.uk
  • Helpline: 0303 123 1113

This policy was updated on:

  • 6.6.26 to reflect the change in regulations due to take place on 16.6.26
  • 16.9.25 to include the use of Zoho Books for accounting.
  • 13.11.23 to include the use of ZCal booking calendar and Google Analytics.
  • 5.5.23 to remove COVID test and trace provisions.

Related Posts: