We care about your data

Privacy Policy

Effective Date: 19/11/22. Last checked 29/2/2024

This policy covers how we collect, store, process and communicate personal data relevant to the assessment and treatment of our clients. The following explains how your data is securely managed and your rights when your data is being processed by us.

Our privacy policy is compliant with the principles of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). We are registered with the Information Commissioner’s Office (ICO) under the Data Protection Register, our registration number is ZA506246

This privacy notice is issued by myself so when I mention ‘I’ or ‘myself’ or ‘me’ or ‘we’ or ‘my’ or ‘our’ I am referring to Creatives in Mind and myself Kirstie Wright ( founder) and my responsibility for processing your data.

If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact myself.

Contact details

Full name of legal entity: Kirstie Wright

Email address: KirstieWright@CreativesinMind.org

Postal address: Unit 117588, PO Box 6945, London, W1A 6US

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). I would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact me in the first instance.

GDPR Guiding Principles

I comply with GDPR and the 6 guiding principles which are:

Lawfulness, transparency and fairness- Processing data must meet the criteria of lawful processing set out by GDPR. The reason for processing data must be clear.

Purpose Limitation- The data that I collect is for a particular purpose that is set out below and will not be used for a different purpose that is incompatible with the initial intended purpose.

Data minimisation- The data I keep must be limited to the data necessary to fulfil the service.

Accuracy- I take reasonable steps to ensure your data is accurate and up to date.

Storage Limitation- I do not keep any data for longer than necessary and have processes in place to delete data after this time.

Confidentiality and Integrity- I ensure data is kept securely in a secure electric storage system. Any paper notes only leave clinic when they do not have identifiable information on.

This policy may change from time to time and is revised to ensure protection of your data.

If you provide us with your email address, we may use it to send confidential information, unless you have instructed us not to do so. Please read the following before providing us with your email address.

Email Encryption

For the purpose of sending sensitive and confidential information such as referrals, appointment confirmations and test results we use HTTPS encryption. Written assessment reports are also password protected to provide additional data security.

Important Information About Email Usage

Email contact provides a quick and convenient means of communication. Whilst information sent by email or submitted by clients using our website contact forms is encrypted to industry standards, email and web forms not a completely secure method of communication. Whilst you can use email to contact our main office or your designated therapist, you should not:

Provide more personal information than we need to process your request.
Ask us to send you personal details that you would not want seen by other people.
Share highly confidential or sensitive data that could be intercepted or viewed by other people.

The Data We Keep.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We have many patients with similar names so it is important for all patients to be properly identified as individuals.

I may collect, use, store and transfer different kinds of personal data about you which I have grouped together as follows:

Identity Data includes first name, last name, username or similar identifier, marital status, title, date of birth, gender and next of kin name.
Contact Data which includes email address, home address, telephone numbers, GP address and contact details, Next of kin address and contact details.
Marketing and Communications Data includes your preferences in receiving marketing from me and your communication preferences.
Brief notes on therapy including date, location and time therapy took place
Brief notes on what is discussed in therapy including the nature and history of current difficulty, thoughts and behaviour related of this problem, family history and any other information deemed necessary to make an informed judgment around what the problem is and the best treatment plan.
Copies of Therapy worksheets
Psychological questionnaires
Email correspondence
Notes on any contact made to me including telephone calls, texts etc
Any reports or letters requested and paid for by yourself.
Financial Information
Relevant information from referrals or other healthcare professionals or people involved in your care.
Recordings of therapy where you have consented to this.
Notes on supervision received during your therapy.
Enquiries regarding the therapy we provide
Automatically collected Technical Data about your equipment, browsing actions and usage patterns. We collect this data by using cookies, server logs and similar technologies.
Copies of any consent form e.g. consent to share data, consent to record sessions etc

I collect Special Categories of Personal Data about you (this includes details about your health) as this is necessary for me to provide therapy.

If you fail to provide personal data where I need to collect personal data by law, or under the terms of a contract I have with you and you fail to provide that data when requested, I may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel the service you have with me, but we will notify you if this is the case at the time.

Personal Data collection

I use different methods to collect data from and about you including through:

Direct interactions. You may give me data by filling in webforms or by corresponding with us by post, phone, email, face to face or otherwise. This includes personal data you provide when you:

Request to see myself
Have therapy sessions with myself
Sign up to request marketing information be sent to you;
Employ us for workshops
Give me some feedback.
Enquire about therapy
Technical Data may include your, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices you use to access this site.
Usage Data may include information about how you use our website
Cookie Data information gathered by the use of cookies in your web browser.

How Your Records are Used

We use your records to:

Use your data to perform the contract I am about to enter or have entered with you. Note that, in this context, a contract does not have to be a formal signed document, or even written down, if there is an agreement which meets the requirements of contract law. Broadly speaking, this refers to your request to access therapy services, consultation and wellbeing services via myself and need to be contacted as part of this service that you require and for which there is a fee payable.
Ensure that any treatment or advisory services we provide to you are based on accurate information.
Send a letter about your care to your GP or other health professional unless you tell us not to do so.
Work effectively with other services providing you with treatment or advice.
Monitor the quality of our care and help us to understand the outcomes of therapy.
Investigate any relevant concerns or complaints you or your family have.
Provide information that is needed for financial transactions in relation to payment for treatment, such as billing. For private patients this may include details shared with your insurance company. If you have any concerns about this, please contact your insurance provider.
I also use personal data where I need to comply with a legal or regulatory obligation.
Ensure SPAM protection and ensure smooth use of website through analytics.
Recordings of session where consented to are used in the therapist supervision for training and monitoring purposes.

Purposes for which we will use your personal data:

We have set out below, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal grounds, we are relying on to process your personal data where more than one ground has been set out below:

Purpose/Activity Type of Data Lawful basis for processing

To register you as a new customer.

Identity
Contact

Performance of a contract with you.

To process your request to have therapy

Identity
Contact
Medical
Demographic
Legal and payment information

Performance of a contract with you, your employer or insurance.
Necessary for our legitimate interest (to support our business model)

To Carry out therapy and write any associated reports.

Identity
Contact
Health Information

Performance of a Contract with you

To manage our relationship with you which include:

Notifying you about changes to our terms and conditions, services or subscription.

Identity
Contact
Marketing and communications

Performance of a contract with you, your employer or community manager.
Necessary to comply with a legal obligation

To enable you to complete a survey

Identity
Contact
Usage
Marketing communications

Necessary for our legitimate interest (to study how customers use our products/services, to develop them, improve them and grow our business)

To administer and protect my business (including system maintenance, support and hosting data)

Technical

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security and to prevent fraud)
Necessary to comply with a legal obligation

To use data analytics to improve our products/services, marketing, customer relationships and experiences

Technical
Usage

Usage Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

To make suggestions and recommendations to you about goods or services that may be of interest to you

Identity
Contact
Technical
Usage

Necessary for our legitimate interests (to develop our products/services and grow our business)

Your duty to inform me of changes

It is important that the personal data I hold about you is accurate and current. Please keep me informed if your personal data changes during your relationship with me.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you in our marketing activities.

You will receive marketing communications from us if you have requested information from us or purchased services from us.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

Special circumstances

We may have to share your personal data with the parties set out below for the purposes set out in the table.

Service providers acting as processors who provide IT and system administration services.
HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom
We may discuss your personal data in supervision, including recordings of session. This is to ensure quality therapy. Everyone discussed in supervision is given a pseudonym and supervision is bound by confidentiality.
Information may also be disclosed in situations where there is a risk of harm to yourself or others.
If required under a court of law subpoena.
If you give permission to share information by verbal consent or by completing a written consent form
We routinely send updates to your GP unless you request for us not to (although we may have to break this request in certain circumstances including if I was concerned about your safety or the safety of someone else),

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Contacting the User

Contact form (this Website)

By filling in the contact form with their Data, the User authorizes this Website to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header. The webform is linked to the kirstiewright@creativesinmind.org email address and the email address receives your messages to its inbox. Privacy Policy https://www.wix.com/about/privacy

Personal Data processed: email address.

Mailing list or newsletter (this Website)

By registering on the mailing list or for the newsletter, the User’s email address will be added to the contact list of those who may receive email messages containing information of commercial or promotional nature concerning this Website. Your email address might also be added to this list as a result of signing up to this Website or after making a purchase. Privacy Policy https://www.wix.com/about/privacy

Personal Data processed: email address; first name; last name.

This website

This website use cookies and may collect your usage data. See cookies policy below for more details.

Displaying content from external platforms

This type of service allows you to view content hosted on external platforms directly from the pages of this Website and interact with them.
This type of service might still collect web traffic data for the pages where the service is installed, even when Users do not use it.

Instagram widget (Instagram, Inc.)

Instagram is an image visualization service provided by Instagram, Inc. that allows this Website to incorporate content of this kind on its pages.

Personal Data processed: Cookies; Usage Data.

Place of processing: United States – Privacy Policy.

Interaction with external social networks and platforms

This type of service allows interaction with social networks or other external platforms directly from the pages of this Website.
The interaction and information obtained through this Website are always subject to the User’s privacy settings for each social network.
This type of service might still collect traffic data for the pages where the service is installed, even when Users do not use it.
It is recommended to log out from the respective services in order to make sure that the processed data on this Website isn’t being connected back to the User’s profile.

The pinterest icon allows interaction to Pinterest

Personal Data Processed: Cookies, Usage data

Place of processing- United States - Privacy Policy

Facebook Like button and social widgets (Facebook, Inc.)

The Facebook Like button and social widgets are services allowing interaction with the Facebook social network provided by Facebook, Inc.

Personal Data processed: Cookies; Usage Data.

Place of processing: United States – Privacy Policy.

Youtube

Youtube may save any comments. Personal Data Processed: Cookies, Usage data, comments, likes

Gmail and GSuite- used for email and sharing documents.

They may store email address, content in emails, when emails were sent and when messages were open

Place of processing - Data centres across the world Privacy Policy:

Clinix

They store your details securely to ensure your personal details needed for therapy are stored securely. They also provide secure online video calls for online therapy. This includes notes for your sessions and payments details if you choose to pay via their platform using stripe https://stripe.com/gb/privacy

https://www.clinix.digital/privacy-notice

Virtual landline

They may store contact details including name and phone number to allow me to contact customers.

This allows secure telephone calls to Creatives in Mind. Any voice mail messages are also sent to kirstiewright@creativesinmind.org by virtual landline.

UKPostbox

This ensures an address for the company to be registered to.

They may open any post sent here so they can securely scan this post to me.

Data security

We limit access to your personal data to those who have a business need to know. Anyone processing your personal data on my instructions are subject to a duty of confidentiality. I have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Personal information is stored electronically on devices that are password and/or fingerprint I.D. protected, and in files that are further password protected and only accessible by me/ the associate therapist. The documents are also stored in a folder that is subject to 2 factor verification. Names and contact details are stored separately to other personal information (anonymised format). Information is stored physically using paper records held securely in locked storage in an anonymised format. These records are also only accessible by the therapist. If you have online appointments the sessions are carried out by clinix and your details are stored on this platform. Clinix privacy policy https://www.clinix.digital/privacy-notice . Your data is backed up using one drive. One drive Privacy Policy. https://privacy.microsoft.com/en-gb/privacystatement

Data retention

I will only retain your personal data for as long as necessary to fulfil the purposes I collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We keep all information about our clients for 7 years after they cease being customers, for tax and legal purposes. In some circumstances you can ask us to delete your data: see “Request erasure” below for further information. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you. If you do not go ahead with entering a contract with us after enquiring we will delete your details within 3 months of the last contact.

Where your personal data may be processed

The data storage systems I currently use keep data within the UK.

At times we will need to share your Personal Data with third parties and suppliers outside the European Economic Area (EEA). If we do this, we ensure your Data receives the same protection as if it were being processed inside the EEA.

Where we use providers based in the United States, we may transfer data to them if they are part of the EU-US Privacy Shield, which requires them to provide similar protection to personal data shared between the Europe and the US.

Passing Your Intake Information to Your Designated Therapist

Creatives in mind associate therapists are members of our wider team and are checked for relevant training, experience, qualifications, accreditation status and professional indemnity. Our associate therapists are self-employed, however they are required to strictly comply with our service conditions and practice standards.

When your personal intake data is passed to your designated therapist, direct responsibility for the secure maintenance of your personal information is transferred to this therapist. Once your data has been transferred, your therapist takes direct responsibility for all data control matters relating to your treatment and communication with you. This helps to ensure that your information is not shared more widely within our team and that only your designated therapist has access to your personal data.

We may retain your contact information to assist in future enquiries, however any personal or sensitive data will be deleted or redacted from our database within four weeks of your transfer to a member of our associate therapist team.

The designated associate therapist is required to comply with the standards laid out in the GDPR and maintain the principles outlined in this privacy statement.

We may also share information that identifies you where:

You ask us to do so.
We ask for specific permission and you agree to this.
We are required to do this by law.
We have special permission because we believe that the reasons for sharing are so important that they override our obligation of confidentiality (e.g. to prevent someone from being seriously harmed).

Sharing information with Other Healthcare Professionals and Family

You must specifically name other people, with whom you would like us to share information about you. We make best efforts to ensure that information provided over the telephone is restricted to those you have named and we share on a need-to-know basis. Sometimes this means refusing to disclose information about you to someone who feels they should know about your treatment and progress. Please make your family and friends aware of this.

Legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please see below for details on these rights.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

All requests must be in writing. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

Handling payment

Payment processing services enable this application to process payments by credit card, bank transfer or other means. To ensure greater security, this application shares only the information necessary to execute the transaction with the financial intermediaries handling the transaction. Some of these services may also enable the sending of timed messages to you, such as emails containing invoices or notifications concerning the payment. CreativesinMind uses starling bank.https://www.starlingbank.com/legal/privacy-notice/

Changes to privacy Policy

The owner reserves the right to make changes to this privacy policy at any time by notifying users via this page and as far as legally and technically possible sending notice to users via any contact information held by the owner. It is recommended to check this page frequently.

YOUR LEGAL RIGHTS

You have the right to:

Be Informed about the collection and use of your personal data. To know how I use your personal data.

Request access to your personal data. This enables you to receive a copy of the personal data I hold about you and to check that I am lawfully processing it.

Request correction of the personal data I hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. This will not affect the lawfulness of processing carried out before consent is withdrawn. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Glossary

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and most secure experience. We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

Cookies Policy

When someone visits my website, I use a third party service, google analytics to collect standard internet log information and details of visitor behaviour patterns. I do this to find out things such as the number of visitors to the various parts of the site. This helps us to develop and improve our website as well as products and / or services in response to what you might need or want. This information is only processed in a way that does not identify anyone. I do not make, and do not allow google analytics to make, any attempt to find out the identities of those visiting my website. I use legitimate interests as my lawful basis for holding and using your personal information in this way when you visit my website. I use google analytics so that I can continually improve my service to you, You can read google analytics privacy notice here https://policies.google.com/technologies/partner-sites . I use Wix as the content management system for our website - find out about https://support.wix.com/en/article/general-data-protection-regulation-gdpr and data protection. Like most websites we use cookies and data usage to help the site work more efficiently. If you fill in a form on my website, that data will be temporarily stored on the web before being sent to me.

What’s a cookie?

A “cookie” is a piece of information that is stored on your computer’s hard drive and which records how you move your way around a website so that, when you revisit that website, it can present tailored options based on the information stored about your last visit. Cookies can also be used to analyse traffic and for advertising and marketing purposes.

Cookies are used by nearly all websites and do not harm your system.

If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings. You can block cookies at any time by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

Locating Cookie Settings

Users can, for example, find information about how to manage Cookies in the most commonly used browsers at the following addresses:

Users may also manage certain categories of Cookies used on mobile apps by opting out through relevant device settings such as the device advertising settings for mobile devices, or tracking settings in general (Users may open the device settings and look for the relevant setting).

How to opt out of interest-based advertising

Users may follow the instructions provided by YourOnlineChoices (EU), the Network Advertising Initiative (US) and the Digital Advertising Alliance (US), DAAC (Canada), DDAI (Japan) or other similar services. Such initiatives allow Users to select their tracking preferences for most of the advertising tools. The Owner thus recommends that Users make use of these resources in addition to the information provided in this document.

The Digital Advertising Alliance offers an application called AppChoices that helps Users to control interest-based advertising on mobile apps.

Owner and Data Controller

Kirstie Wright

Owner contact email: kirstiewright@creativesinmind.org

Since the use of third-party cookies through this Website cannot be fully controlled by the Owner, any specific references to third-party cookies are to be considered indicative. In order to obtain complete information, Users are kindly requested to consult the privacy policies of the respective third-party services listed in this document.

Given the objective complexity surrounding tracking technologies, Users are encouraged to contact the Owner should they wish to receive any further information on the use of such technologies by this Website.