Privacy Policy

Lee Payton Counselling & Psychotherapy

Privacy Policy:

Last updated: 20 June 2026

Who we are:

Lee Payton Counselling & Psychotherapy is a private therapy practice based in the United Kingdom. I am Mr. Lee Payton, a qualified counsellor and psychotherapist.

You can contact me at: lee [at] leepayton.co.uk

(The email above is shown with [at] in place of @ to reduce spam — please replace [at] with @ when emailing.)

Lee Payton Counselling & Psychotherapy is registered with the Information Commissioner's Office (ICO). Our registration number is ZA883086.


What personal data we collect:

When you work with me, I collect and process the following types of personal data:

Contact and identification details:

  • Your name, address, telephone number, and email address
  • Emergency contact details

Health and therapy-related information:

  • Your reason for seeking therapy (presenting issues)
  • Information about your mental and emotional wellbeing
  • Relevant medical history you choose to share
  • Session notes recording our therapeutic work together
  • Any assessments or clinical observations


Special category data:

Health and therapy-related information is classified as "special category data" under Article 9(1) of the UK GDPR. This type of data receives enhanced legal protection because of its sensitive nature. I take additional care to protect this information and only process it where I have a valid legal basis to do so.


Website enquiries:

If you contact me through the website contact form, I collect your name and email address along with any information you include in your message.

How we collect your data:

I collect personal data directly from you:

  • When you first contact me to enquire about therapy
  • During our initial consultation and intake process
  • Throughout our therapy sessions together
  • Through email, telephone, or other communications between us
  • When you submit an enquiry through my website contact form

I do not collect personal data about you from third parties unless you have given explicit consent for this (for example, if a GP or other professional provides a referral letter with your knowledge and agreement).


Why we process your data — lawful basis:

To process your personal data lawfully, I must have a valid legal basis under UK GDPR. For the therapy services I provide, I rely on the following:

Article 6 basis (ordinary personal data):

Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us.

When you engage me as your therapist, we enter into a contract for the provision of therapy services. Processing your contact details, session scheduling information, and payment records is necessary to fulfil that contract.

Article 9 basis (special category data)

Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional.

The additional condition required under the Data Protection Act 2018 is Schedule 1, Part 1, paragraph 2 (health or social care). This condition applies because the processing is carried out by a qualified counsellor and psychotherapist who is subject to the professional obligation of confidentiality under the BACP Ethical Framework for the Counselling Professions.

Professional obligations and CPD:

I am required by BACP to attend regular clinical supervision. Clinical supervision is a professional requirement that helps me maintain the quality of care I provide to clients.


I may discuss our therapeutic work with my supervisor. When I do so:

  • Your name and any identifying details are not shared with my supervisor
  • I use anonymised or pseudonymised case material only
  • My clinical supervision is provided by a qualified professional bound by the same confidentiality obligations as I am
  • My supervisor is bound by their own professional code of ethics and practice


Clinical will- what happens to your records if I am unable to practise:

I am currently putting arrangements in place to appoint a clinical executor — a trusted fellow professional who would take responsibility for my client records if I were to become seriously ill, incapacitated, or die unexpectedly.

Once these arrangements are complete, I will inform you of the details. The clinical executor would be bound by the same professional and legal confidentiality obligations as I am.


Who we share your data with:

I do not share your personal data with anyone except where necessary for the purposes described in this policy or where required by law.


Clinical supervision:

As described above, I discuss anonymised case material with my clinical supervisor. No identifying information about you is shared.


Third-party service providers:

I use the following third-party services which may process your data:

  • WordPress — the platform my website runs on. Any installed plugins may process personal data.
  • WebHealer — my website is built on WebHealer, which may collect certain technical data about visitors including basic analytics.
  • Zoom — I use Zoom for online therapy sessions where applicable.

Each of these services is bound by a data processing agreement. Links to their privacy policies are available on request.

I never sell your personal data.

International data transfers:

The following third-party services I use may transfer personal data outside the United Kingdom:

  • WordPress (Automattic Inc, USA)
  • WebHealer (WebHealer Ltd, UK — no international transfer)
  • Zoom (Zoom Video Communications Inc, USA)

Where data is transferred to the USA, I rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025.

The USA does not currently have a UK adequacy decision.

You can request a copy of the relevant transfer safeguards by contacting me.


How long we keep your data:

I retain your personal data for the following periods:


TYPE OF RECORD RETENTION PERIOD REASON: Therapy records (session notes, assessment information, correspondence)- 7 years after our last session. In line with the Limitation Act 1980 and standard professional indemnity insurance requirements. Financial records (invoices, payment records)- 6 years HMRC legal requirement. Website enquiries (where you do not become a client)- 12 months Legitimate interest in responding to potential client enquiries

After the applicable retention period ends, paper records are securely destroyed, and electronic records are permanently deleted.


Your rights under UK GDPR:

You have the following rights regarding your personal data:

Right to be informed You have the right to clear, transparent information about how I use your data. This privacy policy fulfils that right.

Right of access You can ask me for a copy of the personal data I hold about you. This is sometimes called a "subject access request." Under the Data (Use and Access) Act 2025, I will conduct a reasonable and proportionate search to locate your data and respond within one month.

Right to rectification If any personal data I hold about you is inaccurate or incomplete, you can ask me to correct it.

Right to erasure In certain circumstances, you can ask me to delete your personal data. However, this right is not absolute. I may need to retain your records until the end of the applicable retention period where this is required by professional guidelines, insurance, or law. In such cases, I will explain why I cannot comply with your request.

Right to restrict processing You can ask me to limit how I use your data in certain circumstances, for example while a complaint is being investigated.

Right to data portability Where technically feasible, you can ask me to transfer your data to another service provider in a commonly used electronic format.

Right to object You can object to certain types of processing, although this right is limited where processing is necessary for the performance of our contract or for compliance with legal obligations.

Rights related to automated decision-making I do not use automated decision-making or profiling in my practice.

To exercise any of these rights, please contact me at: lee [at] leepayton.co.uk

(The email above is shown with [at] in place of @ to reduce spam — please replace [at] with @ when emailing.)

I will respond to your request within one month. There is no fee for making a request in most circumstances.

Data protection complaints — your right under the Data (Use and Access) Act 2025

You have the right to make a data protection complaint directly to me.


To submit a complaint, you can:

  • Visit https://leepaytoncounsellingpsychotherapy.policydiary.co.uk and use the "Make a complaint" tab
  • Contact me at: lee [at] leepayton.co.uk

I take all complaints seriously and will respond promptly.

If you are not satisfied with my response, you have the right to escalate your complaint to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF


Confidentiality exceptions:

Everything you share with me in therapy is confidential. However, there are limited circumstances where I may need to share information without your consent:

  • Risk of serious harm — if I believe there is an immediate risk of serious harm to you or to another person
  • Safeguarding concerns — if I become aware of concerns about the safety of a child or vulnerable adult
  • Court order — if I am legally compelled to disclose information by a court of law

Wherever possible, I will discuss any potential disclosure with you first, unless doing so would itself put someone at risk.


Changes to this policy:

I review this privacy policy annually and whenever my practices change significantly.

If I make substantial changes that affect how your personal data is processed, I will inform you directly.

The current version of this policy is always available on my website at https://leepayton.co.uk and at https://leepaytoncounsellingpsychotherapy.policydiary.co.uk.

----------

Cookie Policy:

Last updated: 20 June 2026

What are cookies:

Cookies are small text files that websites place on your device when you visit. They help websites remember your preferences and understand how visitors use the site. Most websites use cookies, and they are generally harmless.

Cookies we use:

Essential cookies

These cookies are necessary for the website to function properly. They enable basic features such as page navigation and access to secure areas. The website cannot function properly without these cookies, and they do not require your consent.

Essential cookies on this website may include:

  • Session cookies that keep you logged in while you browse
  • Security cookies that help protect against fraudulent activity
  • Cookies that remember your cookie preferences

Statistical and analytics cookies

We do not currently use analytics or statistical cookies on this website.

Advertising and tracking cookies

We do not use advertising or tracking cookies on this website.

Cookie consent tool

We do not currently use a cookie consent tool on this website. If our cookie use changes in future to include non-essential cookies that require consent, we will implement an appropriate consent mechanism.

Third-party cookies

This website uses third-party services that may set their own cookies:

WordPress

This website runs on WordPress. WordPress and any installed plugins may place cookies on your device to enable website functionality, remember preferences, or collect technical information about your visit.

WebHealer

This website is built on the WebHealer platform. WebHealer may place cookies to enable the website to function correctly and to collect basic technical data about visitors.

These third parties have their own privacy and cookie policies. I encourage you to review their policies if you would like more information about how they use cookies.

How to manage or opt out of cookies

You can control and delete cookies through your browser settings. Most browsers allow you to:

  • See what cookies are stored and delete them individually
  • Block third-party cookies
  • Block cookies from particular websites
  • Block all cookies
  • Delete all cookies when you close your browser

Please be aware that blocking all cookies may affect how this website functions.

For detailed instructions on managing cookies in your browser, visit www.aboutcookies.org, which provides guidance for all major browsers.

Your rights

You have the right to opt out of statistical cookies at any time without affecting the core functionality of this website. As noted above, we do not currently use statistical cookies, but should this change, you will be able to manage your preferences through your browser settings or any consent tool we implement.

Updates to this policy

I will update this cookie policy if my use of cookies changes. Any significant changes will be reflected here, and the date at the top of this page will be updated accordingly. I encourage you to check this policy periodically.

Contact

If you have any questions about this cookie policy or how I use cookies, please contact me:

Mr. Lee Payton

Lee Payton Counselling & Psychotherapy

Email: lee [at] leepayton.co.uk

You can also view my full compliance documentation at https://leepaytoncounsellingpsychotherapy.policydiary.co.uk

----------

Data Retention Policy:

Last updated: 20 June 2026

Lee Payton Counselling & Psychotherapy

This policy explains how long I retain your personal information, why I need to keep it, and what happens to it afterwards.

Why I Retain Your Data:

As a counsellor and psychotherapist in private practice, I am required to keep records for several important reasons:

  • Legal obligations — UK GDPR and the Data Protection Act 2018 require me to retain records only for as long as necessary, but other laws require minimum retention periods
  • Professional standards — The ethical framework I work within requires me to maintain appropriate records of our therapeutic work
  • Insurance requirements — My professional indemnity insurance requires me to retain records in case a claim is made after therapy ends
  • Limitation Act 1980 — This sets out time limits during which legal claims can be brought, which influences how long records must be kept


Retention Periods:

TYPE OF RECORD RETENTION PERIOD REASON:

Client therapy records (session notes, assessments, correspondence)- 7 years after our last sessionIn line with the Limitation Act 1980 and standard professional indemnity insurance requirements. Enquiry and contact data (people who contact me but do not become clients)- 12 months from last contact. To respond to your enquiry and follow up if appropriate. Financial records and invoices- 6 years from the end of the financial year. HMRC legal requirement/Insurance records- 7 years. To evidence cover in the event of a claim. Website contact form submissions- 12 months. Unless the enquiry leads to a client relationship, in which case the client retention period applies.

What I Retain:

The records I keep may include:

  • Session notes — Brief notes about our therapeutic work together
  • Contact details — Your name, email address, phone number, and address
  • Correspondence — Emails and letters between us
  • Payment records — Invoices and records of payments received
  • Consent and agreement records — Your signed therapy agreement and any consent forms
  • Risk assessments — Any assessments relating to safety or risk

How Your Data is Stored:

I take the security of your information seriously:

  • Electronic records are held on password-protected devices with access restricted to me only
  • Paper records are kept in a locked filing cabinet in a secure room with access restricted to me only
  • Supervision — I discuss my clinical work with a clinical supervisor using anonymised case material only, meaning your identity is not disclosed


Your Right to Erasure:

Under UK GDPR, you have the right to request that your personal data be erased. However, this right is not absolute. Where I am required to retain your records by professional guidelines, insurance requirements, or law, I must keep them until the end of the applicable retention period.

If you ask me to delete your data before the retention period ends, I will explain clearly why I need to continue holding it and for how long. Once the retention period has passed, I will securely dispose of your records as described below.

Secure Disposal:

At the end of the relevant retention period:

  • Paper records are securely destroyed
  • Electronic records are permanently deleted

I maintain a disposal log to record when records have been destroyed.

Clinical Will Arrangements

I am currently putting arrangements in place with a trusted colleague (a clinical executor) who would manage client records securely in the event I become incapacitated or pass away. I will inform clients when these arrangements are complete.

Questions or Concerns

If you have any questions about how long I keep your data, or if you wish to make a complaint about how your information has been handled, please contact me:

Email: lee [at] leepayton.co.uk (The email above is shown with [at] in place of @ to reduce spam — please replace [at] with @ when emailing)

You can also use the complaints form at:https://leepaytoncounsellingpsychotherapy.policydiary.co.uk

If you are not satisfied with my response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

Mr. Lee Payton Lee Payton Counselling & Psychotherapy ICO Registration: ZA883086