Website Privacy Notice

Review Date: 29 January 2026
Practice Name: Mike Lawrey CBT
Data Controller: Michael Lawrey ZB363343
ICO Registration Number: Review Date : 29 January 2026 Practice Name: Mike Lawrey CBT Data Controller: Michael Lawrey ICO Registration Number: Contact Email: mike@mikelawreycbt.co.uk

1. Introduction Your privacy is important to us. This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the UK GDPR and the Data Protection Act 2018. By using our website and therapy services, you agree to the practices described here. We are committed to handling your data securely and transparently.

2. Data We Collect We may collect the following personal data from clients: • Identification and Contact Data: name, date of birth, email, telephone number, postal address. • Health Data (Special Category): psychological history, session notes, medical history, assessments, and any information disclosed during therapy. • Financial Data: payment information necessary for invoicing and accounting. • Website Data: IP address, cookies, browsing data for site performance and analytics. Personal data may be collected directly from you or via third parties, such as GP referrals or other health professionals.

3. How We Collect Data • Online forms and booking systems on our website. • Email or telephone communications. • Notes recorded in therapy sessions (paper or electronic). • Referrals from third parties with your consent.

4. Legal Basis for Processing We process your data under the following lawful bases: • Contractual Necessity: to provide therapy services and manage appointments. • Legal Obligations: to maintain compliance with accounting, tax, and regulatory requirements. • Legitimate Interests: managing the practice and improving services, provided this does not override your privacy rights. • Consent: where processing special category data (e.g., health data not strictly required for therapy) requires explicit consent. Special category data processing is lawful where necessary for the provision of healthcare or treatment, or with your explicit consent.

5. How We Use Your Data Your personal data will be used to: • Provide, monitor, and improve therapy services. • Schedule appointments and send reminders. • Communicate important practice information. • Maintain invoices, accounting, and records of sessions. • Comply with legal, regulatory, and ethical obligations. We will not use your data for marketing purposes without your explicit consent.

6. Data Sharing We may share your data with third parties under strict confidentiality and GDPR-compliant agreements, including but not limited to: • Clinical supervisors or supervision groups (anonymized where possible). • Accountants, tax authorities, or payroll providers. • IT service providers and cloud storage providers. • Regulatory or safeguarding authorities if required by law. We do not sell your personal data to third parties.

7. Data Storage and Security • Paper records are stored securely in locked cabinets. • Electronic data is stored on encrypted devices or secure cloud services with strong password protection. • Access is restricted to authorised personnel only. • Emails and text messages are retained securely and deleted when no longer required, or anonymized where appropriate. • Data is securely deleted or destroyed after the retention period.

8. Data Retention • Client records are retained for 7 years following the end of therapy (longer if legally required). • Records for minors are retained until the client reaches 25 years old or 7 years after end of therapy, whichever is longer. • Website cookies and analytics data are retained as per our consent-based cookie policy.

9. Your Rights under GDPR You have the right to: • Access your personal data (Subject Access Request). • Obtain corrections or updates to your data. • Request erasure of your data where lawful. • Restrict or object to processing in certain circumstances. • Withdraw consent for any processing requiring it. • Lodge a complaint with the ICO if you believe your data is mismanaged (ico.org.uk). Requests should be sent to [Insert Email Address]. We will respond within the statutory timeframe of 1 month.

10. Data Breach Management We have procedures to detect, report, and investigate personal data breaches. • Breaches likely to result in high risk to individuals’ rights will be reported to the ICO within 72 hours. • Clients at risk will be notified promptly. • All breaches are documented, assessed for severity, and mitigated.

11. Website and Cookies We use essential cookies to ensure website functionality. Optional cookies (analytics, performance) require opt-in consent. Third-party services may collect anonymised usage data. • No personally identifiable data from website tracking is used without consent. • Cookie preferences can be managed at any time via the website interface.

12. Professional Replacement and Continuity In the event of incapacitation or unavailability: • A nominated colleague may contact clients to ensure continuity of care. • Personal data will be handled securely, with confidentiality obligations maintained. • If contact is permanent or practice closure occurs, records are securely transferred or destroyed per retention policy.

13. Changes to this Policy We may update this Privacy Policy periodically to reflect legal, regulatory, or operational changes. Updated versions will be posted on our website with the effective date clearly indicated. Clients will be informed of material changes.

14. Contact Information For any questions, requests, or complaints regarding your personal data, contact: Data Controller: [Insert Name] Email: [Insert Email] Phone: [Insert Number] Address: [Insert Address] For formal complaints, contact the Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint/ Conclusion This Privacy Policy ensures that Mike Lawrey CBT complies with UK GDPR, protects client data, and maintains trust in therapeutic relationships. Clients are encouraged to review it and contact us with any queries or concerns.

Contact Email: mike@mikelawreycbt.co.uk

1. Introduction

This Website Privacy Notice explains how Mike Lawrey CBT collects, uses, and protects personal data through its website in accordance with the UK GDPR and the Data Protection Act 2018. By using our website, you agree to the practices outlined below.

2. Data We Collect via Website

We may collect the following data:

• Contact Information: name, email address, telephone number (via contact forms).

• Website Usage Data: IP address, browser type, device information, pages visited, time spent on site.

• Cookies: essential and optional cookies for functionality and analytics.

3. How We Collect Data

• Through contact forms and booking systems.

• Via cookies and analytics tools.

• Through email or phone communications initiated via the website.

4. Legal Basis for Processing

We process website data under the following lawful bases:

• Consent: for optional cookies and marketing communications.

• Legitimate Interests: to improve website functionality and user experience.

• Contractual Necessity: when you request services via the website.

5. Use of Website Data

Website data is used to:

• Respond to enquiries and manage bookings.

• Improve website performance and user experience.

• Monitor site traffic and usage patterns.

• Ensure website security and integrity.

6. Cookies

Our website uses:

• Essential Cookies: required for basic site functionality.

• Optional Cookies: for analytics and performance, activated only with your consent.

• Cookie preferences can be managed via the website interface.

7. Data Sharing

We may share website data with:

• IT and hosting service providers.

• Analytics providers (e.g., Google Analytics) under GDPR-compliant agreements. We do not sell personal data to third parties.

8. Data Storage and Security

• Data is stored on secure servers with encryption and access controls.

• Website data is retained only as long as necessary for its purpose.

9. Your Rights

You have the right to:

• Access your personal data.

• Request corrections or deletions.

• Withdraw consent for optional cookies.

• Lodge a complaint with the ICO: https://ico.org.uk/make-a-complaint/

10. Changes to This Notice

We may update this notice periodically. Changes will be posted on our website with the effective date.

11. Contact Information

For questions or concerns about this notice:

• Data Controller: Michael Lawrey

• Email: mike@mikelawreycbt.co.uk