August 01, 2025

Privacy Policy

Therachange Ltd (“Therachange”, “we”, “us”, or “our”) is committed to protecting and respecting your privacy.

This policy (together with our Website Terms of Use and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read it carefully to understand our practices regarding your personal data and how we will treat it. By visiting www.therachange.co.uk (the “Site”) or using our services, you accept and consent to the practices described in this policy.

Data Controller. For the purposes of the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 and any other applicable data protection law, the data controller is:

Therachange Ltd
Company number: 16570556
Registered office: 1st Floor, 1–9 Castle Street, Hinckley, England, LE10 1DA
Contact: dataprotection@therachange.co.uk

ICO Registration. If applicable, our ICO registration number is: [insert ICO registration number].

Links to third-party sites. Our Site may contain links to external websites. Those websites are not covered by this policy. Please check their privacy policies before submitting any personal information. We’re not responsible for the content, function or data practices of those external sites.

Information We Collect

“Personal data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect and process the following categories of personal data:

1) Information you give us

Information you provide by filling in forms on our Site or by corresponding with us by phone, email, video, chat or otherwise. This includes when you create an account, complete our online questionnaire/screeners, book or attend sessions, subscribe to updates, take surveys, or report a problem.

Examples: name, contact details (email, telephone), date of birth, address, your goals for therapy, preferences, feedback, and any other information you voluntarily provide.

2) Special category data (health information)

In order to provide therapy/counselling, we may collect special category data that you share with us, such as information regarding your mental health history, current symptoms, medication (if any), relevant medical information, lifestyle factors, relationships and goals for therapy. We process this information with additional safeguards (see “Special Category Data & Legal Basis” below).

3) Information we collect automatically

When you visit the Site we may automatically collect certain technical information for performance, security and analytics:

IP address, browser type and version, device identifiers, time zone, operating system and platform;
information about your visit (URL, pages viewed, page response times, download errors, length of visits, page interactions such as clicks and scrolling); and
diagnostics and crash logs.

4) Information we receive from third parties

We may receive information about you from service providers that support our operations (e.g., payment processors, analytics providers, video meeting tools, booking systems, identity verification tools), advertising or social platforms (where you consented), or referrers (e.g., a GP or other clinician) where appropriate and lawful.

Accuracy. It is important that your personal data is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Cookies

Our Site uses cookies and similar technologies to distinguish you from other users, help the Site function, improve performance and personalise content.

Strictly necessary cookies enable core functionality (e.g., secure login, booking).
Analytics/performance cookies help us understand how visitors use the Site.
Functionality cookies remember choices (e.g., language, preferences).
Targeting/advertising cookies (if used) help deliver more relevant ads.

You can control cookies through your browser settings. Blocking some cookies may impact your experience or limit parts of the Site. See our Cookie Notice (if separate) for details.

How We Use Your Information (Purposes & Legal Bases)

We only use your personal data when the law allows us to. We rely on one or more of the following legal bases:

Contract (Art. 6(1)(b) UK GDPR)

to register you as a client, provide therapy sessions, take payments, manage bookings, and deliver customer support.

Consent (Art. 6(1)(a) & Art. 9(2)(a)):

for certain activities like marketing communications and processing special category data where explicit consent is required. You can withdraw consent at any time.

Legitimate interests (Art. 6(1)(f)):

to run and improve our services (e.g., analytics, safeguarding our systems, client support), provided your rights do not override those interests.

Legal obligation (Art. 6(1)(c)):

to comply with applicable laws and regulatory requirements (e.g., maintaining clinical records, responding to lawful requests).

Vital interests (Art. 6(1)(d)):

in rare cases, to protect you or another person from serious harm.

We use your data to:

provide, schedule and deliver online therapy/counselling services;
assess your needs, create session notes and maintain clinical records;
manage your account, payments and billing;
communicate with you about appointments, service updates and administrative matters;
personalise your experience (e.g., remembering preferences);
monitor and improve Site performance and our services;
send marketing communications where you have opted in (you can opt out any time);
ensure security, detect fraud and keep our Site safe; and
comply with legal, regulatory and insurance/clinical governance obligations.

Quality assurance & supervision. With your knowledge, anonymised or minimally necessary case information may be discussed in clinical supervision (a professional standard in therapy) to ensure quality of care.

Special Category Data & Legal Basis

Because we provide therapy, we may process health-related information you share with us. We generally rely on:

Your explicit consent (Art. 9(2)(a)) to process special category data you choose to provide; and/or
Provision of health care/management (Art. 9(2)(h)) by professionals subject to confidentiality obligations.

We only collect the minimum relevant information needed to provide care and safeguard you and others. You may withdraw consent, but doing so may affect our ability to provide services.

Session recordings. We do not routinely record sessions. If a session is ever recorded (e.g., for training/quality purposes), this will only occur with your explicit, prior consent, and the recording will be handled as part of your confidential record with strict access controls.

Automated Decisions & Profiling

We may use light-touch automation (e.g., our online questionnaire) to suggest suitable therapy approaches. Any such suggestions do not replace clinical judgement. We do not make solely automated decisions that produce legal or similarly significant effects about you without human involvement.

Disclosure of Your Information (Who We Share With)

We only share your personal data with trusted recipients and only to the extent necessary:

Therapists/clinical supervisors working with Therachange (all bound by confidentiality).
Service providers acting on our behalf (e.g., secure practice management software, booking platform, video platform, analytics, payment processor, cloud hosting, email/SMS tools). These parties act as processors under written contracts requiring confidentiality, security and limited use.
Professional advisors (lawyers, accountants, insurers) where necessary.
Regulators and authorities where required by law or to protect rights, safety or security.
Business transfers (e.g., merger or acquisition) — your data would be transferred under equivalent protections and you would be notified where appropriate.

We do not sell your personal data.

International transfers

Where we transfer data outside the UK, we ensure appropriate safeguards are in place (e.g., UK IDTA/Addendum, adequacy decisions or equivalent contractual protections).

Data Security

We use technical and organisational measures to protect your data against unauthorised access, alteration, disclosure or destruction. While no system is 100% secure, we implement industry-standard safeguards, restrict access to those with a need to know, encrypt transmissions where appropriate, and train our team on data protection.

Data Retention

We keep personal data only as long as necessary for the purposes set out in this policy or as required by law, regulation, professional or insurance obligations.

Clinical/therapy records: typically retained for a minimum of 7 years after your last contact with us (and longer where required for legal or safeguarding reasons, or where you were under 18 at the time of treatment).
Administrative/booking/payment data: retained as required for tax/audit and business records.
Marketing preferences: retained until you opt out or request deletion.
Website analytics: retained per our analytics providers’ default retention windows or as configured to the minimum necessary.

We may anonymise data (so it can no longer identify you) for research/statistical purposes, in which case we may use this information indefinitely without further notice.

Your Rights

Under data protection law you have rights, including to:

Access your personal data and obtain a copy;
Rectification of inaccurate or incomplete data;
Erasure (“right to be forgotten”) in certain circumstances;
Restriction of processing in certain circumstances;
Data portability to another provider where technically feasible;
Object to processing based on legitimate interests and to direct marketing; and
Withdraw consent where processing is based on consent (without affecting lawfulness prior to withdrawal).

To exercise these rights, please contact dataprotection@therachange.co.uk. We may need to verify your identity. There is no fee for most requests, and we aim to respond within one month.

Children

Our services are primarily for adults. Where we provide therapy to young people, we will obtain appropriate consent/authority and apply additional safeguards.

Changes to this Policy

We may update this policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. Please check back regularly.

Contact & Complaints

Data Controller: Therachange Ltd 
Registered office: 1st Floor, 1–9 Castle Street, Hinckley, England, LE10 1DA
Email: dataprotection@therachange.co.uk
Postal: FAO: Data Protection Lead, Therachange Ltd, 1st Floor, 1–9 Castle Street, Hinckley, England, LE10 1DA

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection. See ic o.org.uk for details.