Last updated: 30th April 2026
This privacy notice explains how Paula Reynolds Counselling collects, uses, and protects your personal information when you visit this website, contact me through it, or engage me as your counsellor. It is written in plain English and is designed to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If anything below is unclear, please contact me — I am happy to explain.
1. Who I am (the data controller)
I, Paula Reynolds, trading as Paula Reynolds Counselling, am the data controller for the personal information collected through this website and through my counselling practice. I am a sole trader based in Shrewsbury, Shropshire, and I am a Registered Member of the British Association for Counselling and Psychotherapy (MBACP Reg).
You can contact me about anything in this notice using the details in section 11.
2. What information I collect
I only collect information I genuinely need. The information I hold falls into three groups.
Information you give me through the website contact form or by phone or email:
- Your name
- Your email address
- Your phone number
- The subject and content of your message
Information I collect automatically when you visit the website:
- Standard web log data such as your IP address, browser type, device type, the pages you visit, and the date and time of your visit
- Cookies and similar technologies (see section 8)
Information I collect if you become a client:
If we go on to work together, I will collect additional information necessary to provide counselling. This may include:
- Contact details and emergency contact details
- Your GP’s name and surgery, if relevant
- Information about your physical and mental health, history, circumstances, and the issues you bring to therapy
- Session notes, kept in line with BACP ethical guidance
- Records of fees paid and dates of sessions
This second group is special category data under UK GDPR (data concerning health) and is treated with the additional protections required by law.
3. Why I use your information and the lawful basis for doing so
I will only use your information for the reasons listed below, and only where the law allows me to.
| Why I use it | Lawful basis |
|---|---|
| To respond to your enquiry sent through the website, by phone, or by email | UK GDPR Article 6(1)(a) — your consent in making contact |
| To arrange and deliver counselling sessions if you become a client | UK GDPR Article 6(1)(b) — performance of our contract |
| To keep clinical records relating to your therapy | UK GDPR Article 9(2)(h) — provision of health care, supplemented by the BACP Ethical Framework |
| To meet my legal and professional obligations (e.g. tax records, safeguarding duties) | UK GDPR Article 6(1)(c) — legal obligation |
| To send you appointment reminders or practical updates about your sessions | UK GDPR Article 6(1)(b) — performance of our contract |
| To keep this website running, secure, and reliable | UK GDPR Article 6(1)(f) — legitimate interests |
I do not use your information for marketing. I do not sell or share your information with anyone for advertising purposes.
4. Confidentiality and the limits of confidentiality
Counselling is confidential. I follow the BACP Ethical Framework, which means I will not share what you tell me in sessions with anyone outside the practice unless one of the following applies:
- You give me your explicit consent
- I am required to disclose by law (for example, a court order)
- There is a serious risk of harm to you or to someone else, including a child or vulnerable adult
- Disclosure is required to prevent or report acts of terrorism, money laundering, or certain other criminal offences
I discuss my work in clinical supervision, as required by BACP. Supervision uses anonymised information — your identity is not shared.
If I ever need to break confidentiality, I will, wherever possible, talk to you about it first.
5. Who I share your information with
I share your information only when I need to, and only with people or services that have appropriate safeguards in place.
- My clinical supervisor — for the purposes of supervision required by BACP. Information shared is anonymised wherever possible.
- My email and website hosting providers — they process limited information on my behalf in order to deliver email and run the website. They act as data processors under written agreements.
- My professional indemnity insurer — only if there is a need to notify them of a circumstance that could give rise to a claim.
- HMRC and other regulators — where the law requires.
- Other healthcare professionals — only with your explicit consent (for example, if you ask me to liaise with your GP).
I do not transfer your data outside the UK except where my email or hosting providers do so under standard UK GDPR safeguards.
6. How long I keep your information
I keep your information only for as long as I need it.
- Enquiries that do not become clients: up to 12 months from the date of contact, then deleted.
- Client records (contact details, session notes, financial records): in line with BACP guidance and my professional indemnity insurer’s requirements, I keep clinical records for seven years from the end of our work together. For clients who were under 18 when we worked together, I keep records until they reach the age of 25.
- Financial and tax records: retained for six years as required by HMRC.
- Website log data: retained for up to 12 months for security and troubleshooting.
After these periods, records are securely destroyed.
7. How I keep your information secure
I take the security of your information seriously.
- Paper records (where any exist) are stored in a locked cabinet.
- Digital records are stored on password-protected, encrypted devices.
- I use reputable, GDPR-compliant providers for email and website hosting.
- Access to your information is limited to me. My supervisor sees anonymised material only.
- I review my data security arrangements regularly.
No system is completely secure, but I take all reasonable steps to protect your data and to detect and respond to any breach. If a breach occurs that is likely to risk your rights and freedoms, I will notify the Information Commissioner’s Office within 72 hours and contact you directly where required.
8. Cookies
This website uses a small number of cookies to function correctly and to help me understand how visitors use the site.
- Please read our Cookies Policy to learn more.
You can control cookies through your browser settings. Blocking strictly necessary cookies may stop parts of the site from working.
9. Your rights
Under UK GDPR you have the following rights in relation to your personal information.
- The right to be informed about how your data is used — this notice is part of meeting that right.
- The right of access to a copy of the personal information I hold about you.
- The right to rectification if any information I hold is inaccurate or incomplete.
- The right to erasure (“the right to be forgotten”) in certain circumstances. This right is limited where I am required to retain records for clinical, legal, or insurance reasons.
- The right to restrict processing of your data in certain circumstances.
- The right to data portability for information you have provided to me, where processing is based on consent or contract.
- The right to object to processing based on legitimate interests.
- The right to withdraw consent at any time, where consent is the lawful basis for processing.
To exercise any of these rights, please contact me using the details in section 11. I will respond within one calendar month.
10. Complaints to the Information Commissioner’s Office
If you are unhappy with how I have handled your personal information, please contact me first so I can try to put it right.
You also have the right to complain to the Information Commissioner’s Office (ICO), the UK’s data protection regulator.
- Website: https://ico.org.uk/make-a-complaint/
- Helpline: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
11. How to contact me
For any question about this notice, or to make a request about your personal information, please contact me:
- Paula Reynolds — Data Controller
- Paula Reynolds Counselling
- Phone: 07443 594396
- Email: paula.reynoldscounselling@gmail.com
12. Changes to this notice
I may update this notice from time to time, for example if the law changes or I change how the practice operates. The “Last updated” date at the top of this page shows when it was most recently reviewed. Material changes will be flagged on the homepage for at least 30 days.