Privacy Policy

Welcome to the privacy policy for Expand Psychology. We value your privacy and are dedicated to safeguarding any personal information you share with us. In this document, we explain how we protect and process your personal data when you visit our website, as well as outline your rights under the law. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (collectively "Data Protection Law").

Information About Us and This Policy

The purpose of this Privacy Policy

This policy describes how Expand Psychology collects and processes your personal data. This may include information gathered:

  • Through use of this website, including data provided when registering for our services.
  • From your interactions with us during consultations.
  • During online sessions if we offer support or services to you.

This site is not intended for individuals under 18, and we do not knowingly collect their data. If we learn that we have inadvertently collected personal data from a user under 18, we will delete it promptly. However, in the event a minor does access or use our services, we will make every reasonable effort to explain how we process their data in a clear and age-appropriate way, in line with the Children's Code.

Controller

Expand Psychology (referred to as "we," "us," or "our" in this document) is responsible for your personal data.

Contact Details

Full name of legal entity: Expand Psychology Limited

Email address: info@expandpsychology.co.uk

Postal address: Goldwells, 15/17 High Street, Kingussie, PH21 1HS

Changes to the Privacy Policy

We review this policy regularly and any updates are reflected here with the latest revision dated 04.02.2025. It is crucial that your personal data remains accurate and up to date, so please keep us informed about any changes.

Third-Party Links

Our site may contain links to external websites. We do not control these third-party sites or their privacy practices. Once you leave our site, we encourage you to review the privacy policies of the websites you visit.

What Data We Collect About You

"Personal data" refers to information that can identify an individual. It does not include data where identifying details have been removed (anonymous data). We may gather, use, store, and transfer various types of personal data, such as:

  • Identity Data: first name, last name, title, and date of birth.
  • Contact Data: country, email address, phone number, and postal address.
  • Payment Data: billing address, payment method details.
  • Marketing and Communications Data: preferences for how you receive our marketing materials and other communications.
  • Special Categories of Personal Data: We may collect health information (e.g. psychological data, session notes) if necessary for providing our services. We handle such data with extra care and in compliance with Data Protection Law.
  • We may collect health-related information if a healthcare professional refers you to us. In this instance we may also communicate with your GP or other health professionals.
  • Where we need to collect personal data by law or under the terms of a contract with you, and you do not provide it when requested, we may be unable to perform the contract we have with you. In that situation, we may have to cancel a product or service you have with us, but we will inform you if this becomes necessary.
  • Health-Related Data: Information about your physical or mental health.

If you believe we have collected any special category data about you that you did not intend to share, please let us know immediately.

How Your Personal Data Is Collected

We collect data through various methods, including:

  • Direct Interactions: You may provide Identity or Contact Data by filling out forms, emailing us, or calling us.
  • Information from Third Parties: We may obtain your data from healthcare professionals, educational provisions, or social care services with your explicit consent.
  • Payment Providers: If you pay for our services, we may receive necessary payment or transaction data from third-party payment processors.
  • Healthcare Professionals: e.g. your GP or others, but only if you have explicitly granted them permission to share your information with us.
  • School and other educational provisions: but only if you have explicitly granted us permission to gather information from them.
  • Social Care: but only if you have explicitly granted us permission to gather information from them.

Cookies

We only use Google Analytics cookies to help us understand how visitors interact with our website and to improve our services. You can configure your browser to reject certain cookies; however, doing so may limit some functionality on our site.

How We Use Your Personal Information

We only use your personal data as permitted by law. Typically, we rely on it when:

  • We need to perform or prepare for a contract with you.
  • It aligns with our legitimate interests and does not override your fundamental rights.
  • We must comply with legal obligations.
  • We process your data under your consent (e.g., where relevant for certain health-related data or marketing). You can withdraw consent at any time.
  • We act in your vital interests if your physical or mental wellbeing is at serious or urgent risk.
  • Information you disclose during courses or sessions remains confidential and is not shared with third parties without your approval, unless we believe urgent medical or safety concerns require us to alert healthcare professionals. If you participate in one-to-one sessions, we may consult with your GP or another professional but only with your explicit consent, unless an immediate emergency arises.

Change of Purpose

We will use your personal data for the specific purposes for which it was collected unless we reasonably determine we need it for another compatible reason. If we need to use your data for an unrelated purpose, we will notify you and explain the lawful basis for doing so.

Automated Decision-Making or Profiling

We do not use any automated decision-making or profiling methods in connection with your personal data.

Disclosures of Your Personal Data

We may share your personal data with healthcare professionals if urgent action is needed for your health or if there are safety concerns involving a child or vulnerable adult. We also have a common law duty of confidentiality regarding any health information you provide. However, there are circumstances where we may disclose data without your consent:

  • When we are required to do so by law or a valid court order.
  • Where it is in the substantial public interest (e.g., to prevent serious crime).
  • When sharing is necessary to protect your vital interests or those of another person (e.g., serious and imminent risks).

Safeguarding Your Personal Data

We have enacted appropriate measures to prevent accidental loss or unauthorised access to your data. We use HTTPS encryption to protect your data in transit.

Our Data Retention Practices

We keep your data only as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. We keep your personal data for 6 years after your final session, in line with professional guidelines.

International Data Transfer

We do not transfer your personal data outside the United Kingdom.

Lawful Bases and Your Data Protection Rights

Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

The lawful basis we rely on may affect your data protection rights, which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

  • Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions, which mean you may not receive all the information you ask for. You can read more about this right here.
  • Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
  • Your right to erasure - You have the right to ask us to delete your personal information. You can read more about this right here.
  • Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. You can read more about this right here.
  • Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. You can read more about this right here.
  • Your right to withdraw consent - When we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.

You can read more about your rights here.

You can exercise these rights at any time by contacting us. We will respond to any valid request without undue delay and in any event within one month. Please use our email address or postal address for these requests.

Duty of confidentiality

We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:

  • You’ve provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses);
  • We have a legal requirement (including court orders) to collect, share or use the data;
  • On a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);
  • The requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Glossary of Terms

Comply with a Legal Obligation: Processing your data where necessary to satisfy legal or regulatory requirements.

Legitimate Interest: The interests of our business in operating effectively while considering any potential impact on your rights.

Consent: We may process your data with your clear and explicit consent, especially in relation to certain special category data (e.g., health data) or marketing materials.

Vital Interests: We may process data when someone’s physical or mental health or wellbeing is at urgent or serious risk.


Reviewed: 4th Feb 2025

Next review: 4th Feb 2026