At Bright Star Hypnotherapy, we are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store and protect your personal information when you use our services, contact us, or visit our website.

We process personal data in accordance with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• Data (Use and Access) Act 2025

By using our services or website, you agree to the terms of this Privacy Policy.

1. Who We Are

Bright Star Hypnotherapy is the data controller responsible for your personal data.

If you have any questions regarding this policy or your personal data, you can contact us using the details provided on our website.

2. Information We Collect

When you contact us, book appointments, complete consultation forms, or use our website, we may collect the following information:

• Name
• Address
• Telephone number
• Email address
• Emergency contact details
• Information relating to your wellbeing, lifestyle, goals and therapy needs
• Appointment history and session notes
• Payment information where relevant
• Technical website information such as IP address, browser type and cookie data

We only collect information that is necessary for the provision of our hypnotherapy services and the operation of our business.

3. How We Use Your Information

We use your information to:

• Arrange and manage appointments
• Provide hypnotherapy services
• Respond to enquiries
• Maintain client records
• Improve our services and website
• Meet legal, professional and insurance obligations
• Send information you have requested
• Send marketing communications where you have given consent

We will never sell your personal information to third parties.

4. Lawful Bases for Processing

Under UK GDPR, we rely on the following lawful bases for processing your information:

• Contract – where processing is necessary to provide therapy services you have requested
• Legitimate Interests – to manage our business effectively and maintain appropriate records
• Legal Obligation – where we are required to retain certain information for legal, regulatory, insurance or tax purposes
• Consent – where you have specifically agreed to receive marketing communications or where special category data requires explicit consent

Where we process special category data relating to health or wellbeing, we do so only where permitted under Article 9 UK GDPR and with appropriate safeguards in place.

5. Confidentiality

All information shared during therapy sessions is treated confidentially.

However, confidentiality may be breached where:

• there is a legal obligation to do so;
• there are serious concerns regarding your safety or the safety of others;
• disclosure is required by a court order or safeguarding requirement.

Where possible, this would be discussed with you first.

6. How We Store and Protect Your Data

We take appropriate technical and organisational measures to protect your information from unauthorised access, loss, misuse or disclosure.

Your data may be stored electronically, in secure cloud-based systems, or in locked physical storage.

We ensure that any third-party service providers we use also comply with UK data protection laws.

7. Data Retention

We retain client records only for as long as reasonably necessary.

In most cases, therapy records are retained for 7 years following the end of therapy services, in line with professional insurance and legal requirements. Records relating to children may be retained longer where legally required.

After this period, records are securely deleted or destroyed.

8. Your Rights Under UK GDPR

Under data protection law, you have the right to:

1. The right to be informed
   You have the right to know how your personal data is collected and used.
2. The right of access
   You may request a copy of the personal data we hold about you.
3. The right to rectification
   You may request correction of inaccurate or incomplete information.
4. The right to erasure
   In certain circumstances, you may request deletion of your personal data.
5. The right to restrict processing
   You may request that we limit how we use your data.
6. The right to data portability
   You may request transfer of your data to another service provider where applicable.
7. The right to object
   You may object to certain types of processing, including direct marketing.
8. Rights relating to automated decision-making and profiling
   We do not use automated decision-making or profiling processes.

To exercise any of these rights, please contact us in writing. We will normally respond within one calendar month.

9. Marketing Communications

We will only send marketing emails or newsletters where you have explicitly consented to receive them.

You may withdraw your consent or unsubscribe at any time.

10. Cookies and Website Analytics

Our website uses cookies to help improve website functionality and analyse website traffic.

Cookies are small text files placed on your device when you visit a website.

We may use:

• Essential cookies required for website functionality
• Analytics cookies to understand how visitors use our website
• Preference cookies where applicable

Where legally required, we will request your consent before placing non-essential cookies on your device.

You can control or disable cookies through your browser settings. Please note that some website functions may not operate correctly if cookies are disabled.

11. Third-Party Services

Our website or business systems may use third-party providers such as:

• Website hosting providers
• Email providers
• Online booking systems
• Video consultation platforms
• Payment processors

These providers only process your data on our instructions and must comply with applicable data protection laws.

12. International Transfers

Where any data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

13. Children’s Privacy

We take additional care when processing information relating to children and young people and will obtain appropriate consent from a parent or guardian where required.

We are committed to handling your personal information responsibly and transparently. If you have any concerns about how your data has been collected, stored or used, we encourage you to contact us first so that we can try to resolve the issue informally and as quickly as possible.

Please contact:

Email: claire@brightstarhypnotherapy.com

Once a complaint or concern is received:

• We will acknowledge your complaint within 5 working days
• We may contact you to request further information or clarification if required
• We will investigate your concern fairly and confidentially
• We aim to provide a full written response within 30 calendar days

Where a request or complaint is particularly complex, we may extend this period in accordance with UK GDPR rules. If this applies, we will inform you of the reason for the delay and keep you updated.

If you submit a:

• Subject Access Request
• Request for deletion
• Rectification request
• Restriction request
• Data portability request
• Objection to processing

we will respond within the statutory timeframe of one calendar month, unless an extension is legally permitted.

We may ask for proof of identity before processing certain requests in order to protect your personal data.

If you remain dissatisfied with how your complaint has been handled, you have the right to lodge a complaint with the:

Information Commissioner's Office

You can contact the ICO via:

ICO Website

The ICO recommends that concerns are raised with the organisation first before escalating a complaint formally.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical or operational changes. The latest version will always be available on our website.

Last updated: May 2026