Last updated: April 2026

This privacy policy explains how I collect, use, and protect any personal information you give me. As an HCPC-registered Art Psychotherapist, I am committed to protecting your privacy and being transparent about the data I hold.

1. Data Controller

I am the Data Controller for Works of Heart. I am registered with the Information Commissioner’s Office (ICO).

2. Why I collect your data

I collect your data to:

• Respond to your enquiries about therapy.

• Provide safe and professional art psychotherapy services.

• Meet my professional and legal obligations as an HCPC registrant.

3. What information I collect

• Enquiry stage: Name, email address, phone number, and basic information you provide in relation to what you would like support for.

• Therapy stage: Clinical notes (which are kept pseudonymized and secure).

4. How I store your data

• Digital Records: I use Google Workspace Business, which is a GDPR-compliant, encrypted platform. I have a signed Business Associate Addendum (BAA) with Google to ensure your health information is treated with the highest security.

• Security: My accounts are protected by Two-Factor Authentication (2FA), and clinical notes are stored separately from contact details.

5. Sharing your data

I do not sell or share your information with third parties for marketing. I only share information when:

• Legal requirement: To comply with a court order or tax laws (HMRC).

• Safety: If I am concerned about your safety or the safety of others (I would discuss this with you first where possible).

• Supervision: I discuss my clinical work with a supervisor (your identity remains anonymous).

6. Your Rights

Under the UK GDPR, you have the right to access the data I hold about you, request corrections, or ask for your data to be deleted.

7. Contact

If you have any questions, please contact me at ally@worksofhearttherapy.co.uk.