Last Updated: May 2026
As a registered member of the BACP and NCPS, and a Data Controller registered with the Information Commissioner’s Office (ICO), I am committed to the highest standards of confidentiality.
Counselling clients
1. Why I Collect Your Information (Lawful Basis)
To provide you with ethical and professional counselling, I process your data under the following legal frameworks:
- Contract: Processing is necessary to fulfil our Counselling Agreement.
- Health and Social Care: For clinical notes, I process special category data (health information) under Article 9(2)(h) of the UK GDPR.
- Legitimate Interests: To maintain records for insurance and legal defence purposes.
2. What Information I Collect (Stored via Kiku)
I use a specialist, UK-based practice management system called Kiku, designed specifically for counsellors to meet the highest standards of data security. The following is held within Kiku:
- Personal Details: Your name, date of birth, contact information and details about medications.
- Emergency Contact: Your GP’s details.
- Clinical Notes: Notes from our sessions to help me track our therapeutic progress.
- Financial Records: A history of appointments and payments.
3. Financial Data and Account Keeping
To meet my professional and legal obligations for financial record-keeping and tax purposes, I process relevant financial data (such as invoice details and payment histories). These are managed using either strictly GDPR-compliant accounting software or an encrypted, password-protected spreadsheet. Credit/debit card transactions are processed securely via third-party payment gateways; your raw card details are never visible to me or stored on my systems.
4. How Your Data is Kept Secure
I employ robust technical and organisational security measures to protect your information:
- System Protection (Kiku): Kiku utilises bank-grade encryption. Access is restricted exclusively to me via a secure password and Two-Factor Authentication (2FA). Data is protected by secure-by-design architecture and ISO 27001-certified infrastructure.
- Document Encryption: Any auxiliary digital documents (such as referral letters or assessment forms) are stored within an encrypted environment both at rest and in transit.
- Secure Messaging (WhatsApp Business): For administrative contact and scheduling, I utilise WhatsApp Business, which benefits from end-to-end encryption. Privacy settings ensure no client names or message previews appear on my device’s lock screen notifications.
- International Data Transfers: Because platforms like WhatsApp, Stripe, and PayPal are operated globally by Meta, some administrative metadata may technically be processed outside the UK/EEA. This processing is legally protected by strict corporate safeguards, including Standard Contractual Clauses (SCCs), ensuring a level of protection identical to UK GDPR standards.
- Encrypted Vault Backups: To safeguard against technical failure, offline backups of clinical data are stored on a separate, dedicated device within a secure digital container requiring a unique, secondary password to open.
5. Artificial Intelligence (AI) and Your Privacy
I use modern technology and AI tools to help run my practice efficiently, which allows me to focus more of my energy on our therapeutic work. These tools are used only to enhance administrative efficiency and are governed by strict ethical rules: any AI tool I use operates within a closed, secure loop and does not use client data for public model training. To ensure your privacy remains protected to the highest UK standards:
- No Live Recording or Streaming: I do not use AI tools to record, listen to, transcribe, or stream live audio or video during our therapy sessions.
- Closed-Loop Data Protection: Any AI systems utilised operate strictly under enterprise-grade Data Processing Addendums (DPAs). Your data is entirely isolated, is never visible to human reviewers outside our practice, and is contractually barred from being used to train public machine learning models.
- Strict Human Oversight: I maintain 100% clinical control. AI is never used to make clinical interpretations or therapeutic decisions. All outputs are thoroughly reviewed, audited, and verified by me before integration into my secure admin workflow.
- Marketing: Client data is never input into marketing AI tools. Any educational content or examples shared online are entirely fictional, or are based on summaries that could not identify any individual.
6. Clinical Supervision
In line with the ethical frameworks of my professional bodies, I routinely discuss my clinical work with a qualified, professional Clinical Supervisor. The supervisor is bound by the same strict legal and professional duties of confidentiality. The focus of supervision is to maintain my ongoing ethical practice.
7. Confidentiality and Its Limits
Our work is confidential, with exceptions in rare circumstances:
- Safety: If I believe there is a serious risk of harm to you or others, including child protection concerns.
- Legal Duty: If compelled by a court of law or UK legislation regarding serious crime.
- Clinical Will: Clinical Executors are appointed to contact you only in the event of my sudden death or incapacity to ensure continuity of care.
8. Retention and Deletion
Your records are not kept for longer than is legally and professionally necessary:
- Archiving: I archive records when contact is lost with a client, normally after 3 months. I also archive your records once therapy comes to a planned end.
- 7-Year Rule: I retain clinical notes and appointment history for 7 years for adults, as required by professional insurance and the Statute of Limitations.
- Minors: Records for children and young people are kept until the individual's 25th birthday, or 26th if they were 17 at the end of treatment.
9. Your Rights
Under the UK GDPR, you hold specific statutory rights regarding your personal information. You have the right to:
- Access your data: You can request a copy of the personal information and clinical notes I hold about you (a Subject Access Request).
- Rectify inaccuracies: You can ask me to correct any information you believe is inaccurate or incomplete.
- Request erasure: You can ask me to delete your personal data. Please note that legal and insurance obligations (the 7-year retention rule) mean I am legally permitted to decline erasure requests for clinical session notes until the retention period has passed.
- Restrict processing: You can ask me to limit how your data is used under certain circumstances.
- Object to processing: You have the right to object to the processing of your data based on my legitimate interests.
- Data portability: You can request that I transfer your personal data to another service provider in a structured, machine-readable format.
10. How to Lodge a Complaint
If you have any concerns about my use of your personal information, you can make a complaint to me directly at james@innerinsightcounselling.co.uk so we can resolve the issue together.
You also have the statutory right to complain to the ICO if you are unhappy with how I have used your data.
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Helpline number: 0303 123 1113
- Website: www.ico.org.uk