I, Dr Magdalena Marczak, am committed to protecting your personal data. This policy explains how I handle information collected via Anchor Point Psychotherapy in accordance with UK data protection laws (UK GDPR).

I am a sole practitioner and the Data Controller for all personal data processed through Anchor Point Psychotherapy.

I am registered with the UK’s Information Commissioner’s Office (ICO), registration number ZC073565.


1. What data do I collect about you, for what purposes and on what grounds do I process it (for all clients accessing my services)?

I collect information that you provide via the contact form, email, or telephone.

Personal data means any information capable of identifying an individual. It does not include anonymised data. I may process the following categories of personal data about you:

  • Communication data includes any communication that you send to me, whether through the contact form on my website, email, telephone, or other direct communication. When you submit an enquiry via the contact form, your information is processed securely to record and manage your enquiry, notify me of your message, and send you an automated confirmation email. Enquiry data is stored securely within my private Google Workspace account and may also be sent to me by email so that I can respond to you.
    Lawful basis: Taking steps at your request prior to entering into a contract and legitimate interests (secure and efficient management of enquiries).
  • Customer data includes data relating to psychotherapy services, such as your name, contact details, and billing information. I process this data to provide psychotherapy services and to maintain appropriate professional and financial records.
    Lawful basis: Performance of a contract between you and me.
  • User data includes data about how you use my website. I process this data to operate and secure my website, ensure relevant content is provided, maintain backups, and administer my online services and business.
    Lawful basis: Legitimate interests, namely the proper administration and security of my website and business.

2. How do I measure website traffic?

To improve the user experience and ensure the security of this website, I use Cloudflare Web Analytics and Cloudflare Pages Analytics. These services provide aggregated information about website usage.

  • Privacy-first: Unlike traditional tracking (such as Google Analytics), the analytics used on this site do not use cookies to track your behaviour across other websites or create a persistent profile.
  • De-identified & aggregated data: While Cloudflare processes technical connection data (such as IP addresses) to defend against bots and determine general location, I only have access to anonymised, aggregated statistics.
  • Security & functionality (strictly necessary cookies): Cloudflare may place essential technical cookies on your device to protect the website from malicious activity and manage traffic during high-load periods. These cookies are required for the secure operation of the site and are exempt from consent requirements under UK privacy law.

Lawful ground for processing: Legitimate interests, namely monitoring website performance, protecting the site from security threats, and ensuring reliable service.


3. How do I collect and manage sensitive data (for clients accessing my services)?

In order to deliver psychotherapy services, I need to collect special category personal data, including:

  • Special personal data such as information about your difficulties, relationships, life events, and relevant personal history.
  • Health data such as therapy notes, GP details (where relevant), and other health or social care information.

My lawful grounds for processing this type of sensitive data are:

  • Article 6: Performance of a contract.
  • Article 9: Explicit consent and the provision of health or social care.

This data is processed so that I can:

  • Respond to your enquiries and assess whether my services are appropriate for you.
  • Provide psychotherapy services (online or in person).
  • Maintain professional records required by UK law and professional bodies (including the BABCP).
  • Invoice for services rendered.
  • Communicate, where necessary and agreed, with relevant third parties to support treatment and manage risk.

I do not disclose confidential information to third parties without your consent unless required by law.


4. How do I store and secure data?

  • Enquiry data: Stored securely within my private Google Workspace account. Access is restricted and normally limited to me as a sole practitioner. On rare occasions, trusted technical support may be granted limited access solely for the purpose of maintaining or updating website systems, under appropriate confidentiality and data protection obligations.
  • Clinical records: Stored securely using encrypted, password-protected systems.
  • Access controls: Accounts are protected using strong passwords and two-factor authentication.
  • Payments: Handled via direct bank transfer; I do not store bank card details on this website.

5. How long do I keep your data?

  • Enquiries not taken forward: Retained for a limited period (typically 3–6 months) and then securely deleted.
  • Clinical records: Retained for seven years after therapy ends, in line with professional, legal, and insurance requirements, before secure destruction.

Data may be retained for longer where required by law.


6. Data sharing and third-party processors

I use trusted third-party service providers to support my website and practice operations, including:

  • Website infrastructure, security, and analytics providers (such as Cloudflare).
  • Cloud-based email, data storage, and productivity services (Google Workspace).

All third parties act under GDPR-compliant data processing agreements. Personal data is not sold or used for marketing purposes.


7. International data transfers

Some technical or enquiry data may be processed outside the UK by service providers such as Cloudflare or Google. Where this occurs, appropriate safeguards are in place, including UK adequacy regulations and standard contractual clauses, to ensure your data is protected in accordance with UK GDPR.


8. What are your rights?

Under the UK GDPR, you have the right to:

  • Access your personal data.
  • Rectify inaccurate or incomplete data.
  • Request erasure of your data (where applicable).
  • Restrict processing.
  • Object to processing based on legitimate interests.
  • Request data portability.
  • Withdraw consent at any time (where processing is based on consent).

Please note that withdrawing consent may affect my ability to provide psychotherapy services.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).


9. How can you contact me?

If you have any questions about this privacy policy or how your data is handled, please get in touch with me through my contact form.