Privacy Policy
Introduction
Your privacy is very important to us at Yc Thérapies Ltd, and you can be confident that your personal information will be kept safe and secure and will only be used for the purpose it was given to us. We adhere to current data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
This privacy notice explains how we will process your personal information from the initial point of contact through to after your therapy has ended, including:
• Why we are able to process your information and what purpose we are processing it for
• Whether you have to provide it to us
• How long we store it for
• Whether there are other recipients of your personal information
• Whether we intend to transfer it to another country
• Whether we do automated decision-making or profiling
• Your data protection rights
We are happy to discuss any questions you might have about our data protection policy. Please contact us via jean@paintherapycoaching.co.uk.
Data Controller Information
'Data controller' is the term used to describe the person/organisation that collects, stores, and has responsibility for people's personal data. In this instance, the data controller is Yc Thérapies Ltd.
We are registered with the Information Commissioner's Office, registration number ZB498995.
Our contact details:
Yc Thérapies Ltd
12 Pankhurst Place
East Kilbride
G74 4BH
Phone: 07985528839
Email: jean@paintherapycoaching.co.uk
As a small practice, we are not required to appoint a Data Protection Officer under UK GDPR. All data protection queries are handled directly by the data controller. If you have any concerns about how your data is being used, please contact us at jean@paintherapycoaching.co.uk.
Our Lawful Basis for Processing Your Data
The UK GDPR requires that we have a lawful basis for processing your personal data. There are different lawful bases depending on the stage at which we are processing your data:
If you are currently having therapy or if you are in contact with us to consider therapy, we will process your personal data where it is necessary for the performance of our contract.
If you have had therapy with us and it has now ended, we will use legitimate interest as our lawful basis for holding and using your personal information. We retain records after therapy has ended on the basis of legitimate interest — specifically, our professional obligation to maintain adequate clinical records and to be able to respond to any future queries or complaints. We have assessed that this interest is not outweighed by your right to have your data deleted immediately, given the nature of the therapeutic relationship and applicable professional guidance. You retain the right to object to this processing at any time.
The UK GDPR also requires us to handle any sensitive personal information that you may disclose to us appropriately. This type of information is called 'special category personal information'. The lawful basis for processing any special categories of personal information is that it is necessary for the provision of health treatment and carried out by a health professional — specifically, Pain Reprocessing Therapy and associated integrative therapeutic services provided by Yc Thérapies Ltd under Article 9(2)(h) of the UK GDPR.
How We Use Your Information
Email Newsletter & Marketing Communications
When you sign up for our newsletter, we collect your name and email address in order to send you occasional updates, resources, offers, and insights related to chronic pain recovery, mind-body tools, and our work.
Your information is stored securely through Substack and Mailerlite and will never be shared with third parties.
You can unsubscribe at any time using the link at the bottom of any email.
We will retain your contact details for newsletter and marketing purposes for as long as you remain subscribed. If you unsubscribe, your details will be removed from our mailing list within 30 days. Enquiry data from individuals who do not proceed to therapy will be deleted within 12 months of the initial contact.
Educational Content & Reader Submissions
From time to time, readers may choose to submit questions or reflections in response to educational content published via Substack or similar platforms. Any personal information shared in this context is treated with care and confidentiality and is used solely for the purpose of responding, reflecting publicly in anonymised form, or improving our educational content.
Submitting a question or engaging with published content does not create a therapist–client relationship. If content is shared publicly, all identifying details are removed or altered to protect privacy.
Initial Contact
When you contact us with an enquiry about our services, we will collect information to help us respond to your enquiry. This will include your name, address, contact details and information you give us about your situation.
Use of Online Forms (Google Forms & Google Drive)
As part of our onboarding process, we may use secure online forms (Google Forms) to collect information such as therapy agreements, consent forms, and registration or intake details.
Information submitted via these forms may include personal data and, where relevant, special category health information. This data is collected solely for the purpose of providing therapy services and managing our professional relationship with you.
Responses submitted through Google Forms are stored securely within Google Drive and are accessible only to the Therapist. Appropriate security measures are in place, including password protection and two-factor authentication.
Google acts as a data processor for this information. Google may store data on servers located outside the UK, including in the United States. Google relies on standard contractual clauses approved under UK GDPR as the mechanism for ensuring your data is protected in those transfers. For more information about how Google handles your data, please see Google's privacy policy at policies.google.com/privacy.
We do not use Google Forms for ongoing clinical notes. Core therapy records and session notes are stored securely within WriteUpp, our GDPR-compliant practice management system.
If you have any questions or concerns about how your data is collected or stored using online forms, you are welcome to discuss this with us at any time.
While You Are Accessing Therapy
That confidentiality will only be broken in the following circumstances: where a court order requires disclosure, including coroners' courts and fatal accident inquiries in Scotland; where there is genuine and reasonable cause to believe that non-disclosure would pose a serious risk of harm to you or others; where there are safeguarding concerns involving vulnerable individuals; or where you have given your explicit consent for specific information to be shared. We will always try to speak to you about this first, unless doing so would increase the risk of harm.
We keep a record of your personal details to help the therapy process run smoothly. These details are kept securely on WriteUpp and are not shared with any third party. WriteUpp is ISO27001 certified practice management software for therapists and is UK GDPR compliant. It uses two-factor authentication login and encrypted data replication across different servers to keep your information safe. We also keep written notes of each session, which are stored on WriteUpp.
AI-Assisted Transcription During Online Sessions
For some online sessions conducted via Zoom, AI-assisted transcription may be enabled to support accurate note-taking and clinical reflection. Where this feature is used, your explicit consent will be sought in advance as part of your Client Service Agreement. Zoom will also notify you at the start of any session where transcription is active.
You are under no obligation to consent to AI-assisted transcription, and it will never be enabled without your prior agreement. Any transcripts generated are treated as confidential therapeutic records. They are used solely for clinical purposes, such as supporting session summaries or record-keeping, and are not shared with third parties. Transcripts are stored securely and will be reviewed and either anonymised or deleted within 30 days of the session.
You may withdraw your consent for transcription at any time by letting us know, without it affecting your access to therapy or the support you receive.
Communication Tools
We may use WhatsApp as a communication tool for the purpose of providing therapy services and related administrative tasks. WhatsApp uses end-to-end encryption, which means the content of messages is protected. However, WhatsApp is owned by Meta, which may process information about your account and activity in accordance with its own privacy policy. For this reason, we recommend keeping sensitive personal or clinical information for scheduled sessions rather than WhatsApp messages. If you would prefer to use a different communication channel at any time, please let us know and an alternative can be arranged.
We recommend limiting the sharing of sensitive information through this platform and encourage you to review WhatsApp's privacy policy at https://www.whatsapp.com/legal/privacy-policy to further understand their data handling practices.
For security reasons, we do not retain text messages for more than the duration of the therapy. If there is relevant information contained in a text message, we will copy this information into our notes on WriteUpp. Likewise, any email correspondence will be deleted after the therapy has ended if it is not important. If necessary, we will copy the information into our notes on WriteUpp.
After Therapy Has Ended
Once the support has ended, your records will be kept for 7 years from the end of our contact with each other and are then securely destroyed. If you want us to delete your information sooner than this, please inform us.
Your Rights
We try to be as open as we can in terms of giving people access to their personal information. You have a right to ask us to:
• Delete your personal information
• Limit how we use your personal information
• Stop processing your personal information
• Provide a copy of any information that we hold about you
• Object to the use of your personal data in some circumstances
You can read more about your rights at ico.org.uk/your-data-matters.
If we do hold information about you, we will:
• Give you a description of it and where it came from
• Tell you why we are holding it
• Tell you how long we will store your data and how we made this decision
• Tell you who it could be disclosed to
• Let you have a copy of the information in an intelligible form
You can also ask us at any time to correct any mistakes there may be in the personal information we hold about you.
Making a Request or Complaint
To make a request for any personal information we may hold about you, please put the request in writing to jean@paintherapycoaching.co.uk.
If you have any complaint about how we handle your personal data, please do not hesitate to contact us using the details provided above. We welcome any suggestions for improving our data protection procedures.
If you want to make a formal complaint about the way we have processed your personal information, you can contact the Information Commissioner's Office (ICO), which is the statutory body that oversees data protection law in the UK. For more information, visit ico.org.uk/make-a-complaint.
Data Security
We take the security of the data we hold about you very seriously. As such, we make every effort to make sure it is kept secure:
• All electronic data is stored on encrypted drives
• Our systems are password protected with multi-factor authentication where available
• We use specialised practice management software (WriteUpp) that meets healthcare data security standards
• Our staff are trained in data protection requirements
• We regularly review our data protection procedures
In the event of a personal data breach, we will assess the risk to you promptly. Where required by law, we will notify the Information Commissioner's Office within 72 hours and will inform you directly if the breach is likely to result in a high risk to your rights or freedoms. We will always take swift action to contain any breach and to prevent recurrence.
In the event of a data breach, our liability for any loss or damage arising will be subject to the limitations set out in our Client Service Agreement.
Updates to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. The updated policy will be posted on our website, and the date of the latest revision will be indicated at the bottom of the page.
Last Updated: 17.03.2026
© 2025 Yc Thérapies Ltd. All Rights Reserved.