LEGAL

Privacy Policy

Last updated: 11 May 2026

1. Who I am

I am Dr Francesca Mantia-Conaty, a Clinical Psychologist registered with the Health and Care Professions Council (HCPC) and a practitioner member of the British Association for Behavioural and Cognitive Psychotherapies (BABCP). I operate as a sole practitioner under the trading name Dr Francesca, providing psychological therapy and assessment services from my private practice in the United Kingdom.

Website: drfrancesca.co.uk

Email: available via the contact form on this website

As a sole practitioner, I am the Data Controller for all personal data I collect and process. I am registered with the Information Commissioner’s Office (ICO) in line with my obligations under UK data protection law.

This policy is written in accordance with:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018
  • The Privacy and Electronic Communications Regulations 2003 (PECR)
  • Guidance from the Information Commissioner’s Office (ICO)
  • Professional standards set by the HCPC and BABCP

3. What personal data I collect and why

3.1 Website enquiries (contact form)

When you submit an enquiry via the contact form on this website, I collect your name, email address, and the content of your message. This data is used solely to respond to your enquiry and assess whether my services are suitable for your needs. The legal basis for this processing is legitimate interests (Article 6(1)(f) UK GDPR) — specifically, my legitimate interest in responding to prospective client enquiries — balanced against your rights and interests.

3.2 Client data collected during therapy and assessment

When you become a client, I collect and process personal data that may include:

  • Full name, date of birth, and contact details
  • GP and/or referring clinician details
  • Clinical history, presenting concerns, and risk information
  • Session notes and clinical observations
  • Psychometric test results and psychological assessment reports (where relevant)
  • Correspondence relating to your care

This information is special category data under Article 9 UK GDPR (health data). I process it under the following lawful bases:

  • Contract (Article 6(1)(b)): to provide the psychological services you have engaged me for
  • Legal obligation (Article 6(1)(c)): to comply with my professional regulatory and legal obligations
  • Vital interests (Article 6(1)(d)): in situations where there is a risk to life
  • Health care provision (Article 9(2)(h)): as a registered health professional providing health care

3.3 Referral data

Most of my clients are self-referred. However, where I receive a referral from a medical professional (e.g. a psychiatrist, dermatologist, cosmetic surgeon, or GP), I may receive your personal data from that professional prior to our first contact. This is processed on the basis of health care provision and, where applicable, with your consent as obtained by the referring clinician.

4. How I store your data

4.1 Clinical records

Clinical records are stored securely in digital form within my Google Workspace Business Starter account. Google Workspace provides enterprise-grade security, encryption at rest and in transit, and is operated under terms compatible with UK GDPR. Access to this account is restricted solely to me as the sole practitioner.

A trusted technical expert may occasionally be granted limited, supervised access to my Google Workspace account for the sole purpose of resolving technical issues, implementing performance improvements, or carrying out system updates. Any such access is strictly time-limited, governed by a confidentiality agreement, and does not extend to reading, copying, or processing clinical records beyond what is technically incidental to the task.

4.2 Physical records

Any paper records are kept securely at my home practice address and are not accessible to third parties.

4.3 Contact form submissions

Enquiries submitted via this website’s contact form are routed through Cloudflare’s infrastructure and delivered to my secure Google Workspace email account. Cloudflare acts as a data processor on my behalf. Submissions are protected by Cloudflare Turnstile (an anti-spam and bot-detection service) which processes minimal technical data (see Section 5).

5. Cookies and analytics

This website is designed to be cookieless. I do not use advertising cookies, tracking cookies, or any cookies that require your consent under PECR. I use Cloudflare Web Analytics to monitor the technical performance of this website. This service does not use cookies, does not fingerprint individual users, and collects only aggregated, anonymised traffic data. For full details, please see my Cookie Policy.

6. Third-party processors

I use the following third-party services to operate this website and my practice. Each acts as a data processor under a data processing agreement:

  • Google Workspace (Google LLC) — email, document storage, and clinical record-keeping. Google operates Standard Contractual Clauses for international transfers and is UK GDPR compliant.
  • Cloudflare, Inc. — website hosting infrastructure, security, contact form delivery, Turnstile bot protection, and Web Analytics. Cloudflare processes only the data necessary for these services.
  • GitHub (Microsoft Corporation) — this website’s source code is stored in a private GitHub repository. GitHub does not process visitor personal data.

I do not sell, rent, or share your personal data with any other third parties, advertisers, or marketing organisations.

7. Data retention

In accordance with the UK GDPR and my professional indemnity insurance obligations as an independent practitioner:

  • Adult client records are retained for a minimum of 7 years from the date of last treatment.
  • Records relating to children and young people are retained until the individual reaches the age of 25, or for 7 years from last contact, whichever is longer.
  • Pre-enquiry contact data (where no therapeutic relationship is established) is deleted within 12 months of last contact, unless there is an ongoing legitimate reason to retain it.

After the applicable retention period, records are securely and permanently deleted.

8. Your rights under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access — you may request a copy of the personal data I hold about you.
  • Right to rectification — you may ask me to correct inaccurate data.
  • Right to erasure — in certain circumstances, you may ask me to delete your data. Note that as a regulated health professional I have legal obligations to retain clinical records for minimum periods; this right may therefore be limited in a clinical context.
  • Right to restriction — you may ask me to restrict processing of your data in certain circumstances.
  • Right to data portability — where processing is based on consent or contract and carried out by automated means, you may request a copy of your data in a portable format.
  • Right to object — you may object to processing based on legitimate interests.
  • Rights related to automated decision-making — I do not use automated decision-making or profiling.

To exercise any of these rights, please contact me using the contact form on this website. I will respond within one calendar month in accordance with UK GDPR requirements.

9. Confidentiality in a clinical context

All clinical information you share with me is treated as strictly confidential. In accordance with HCPC standards of proficiency and BABCP professional conduct guidelines, I will not disclose information about you to a third party without your consent, except in the following limited circumstances:

  • Where there is a serious and imminent risk of harm to you or to another person
  • Where I am required to do so by a court order or other legal obligation
  • Where disclosure is necessary to safeguard a child or vulnerable adult
  • Where you have given explicit consent for me to liaise with another professional involved in your care

Where possible, I will discuss any disclosure with you in advance. Where disclosure is made in the interest of safeguarding or legal compliance, I am not required to obtain your consent beforehand, but I will generally inform you unless doing so would itself create a risk.

10. Clinical supervision

As required by the HCPC and BABCP, I engage in regular clinical supervision. During supervision, I may discuss clinical material to ensure I am providing safe and effective care. Any information shared in supervision is anonymised or pseudonymised to the greatest extent possible and is subject to the same professional duty of confidentiality that applies to my direct clinical work.

11. Security

I take reasonable and appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These measures include password-protected accounts with two-factor authentication on all relevant services, encryption of data in transit and at rest via Google Workspace and Cloudflare, locked physical storage for any paper records, and limited access to systems as described in Section 4.1. In the event of a data breach that is likely to result in risk to your rights and freedoms, I will notify the ICO within 72 hours and will inform you directly where required.

12. Children

Where I provide services to children and young people, a parent or legal guardian provides consent and is involved in data-related decisions where appropriate. I follow HCPC and BABCP guidance on working with minors throughout.

13. Complaints

If you have a concern about how I handle your personal data, please contact me directly in the first instance using the contact form on this website. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

ICO Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Tel: 0303 123 1113 Website: ico.org.uk

14. Changes to this policy

I may update this Privacy Policy from time to time. Where changes are material, I will update the “Last updated” date at the top of this page.