Privacy Policy

1. Introduction

Illuminated Thinking Ltd is committed to protecting the privacy, confidentiality, and security of personal data. We recognise the sensitive nature of the information entrusted to us, particularly health-related data, and we handle it with the utmost care.

This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as our professional and ethical obligations as psychological practitioners.

2. Data Controller and Data Protection Lead

Illuminated Thinking Ltd is the Data Controller for all personal data processed in connection with our services.

Data Protection Lead:
Dr Aisha Tariq
Clinical Director, Illuminated Thinking Ltd

Contact details:
Email: in**@********************co.uk
Address: Illuminated Thinking Ltd,
Mearns Castle Golf Academy,
Waterfoot Road,
Glasgow, G77 5RR

Illuminated Thinking Ltd is not legally required to appoint a separate Data Protection Officer; however, Dr Aisha Tariq acts as the designated lead for data protection matters.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

a) Personal and Contact Information

• Name
• Address
• Email address
• Telephone number

b) Special Category Data (Health Data)

• Therapy session notes
• Psychological assessment reports
• Referral letters
• Outcome measures and clinical formulations

This information constitutes special category personal data under UK GDPR.

c) Financial Information

• Payment records and invoices (no card details are stored directly by us)

d) Correspondence

• Emails or messages sent to us regarding appointments, care, or administration

4. Lawful Basis for Processing

a) Article 6 UK GDPR – Lawful Bases

We process personal data under the following lawful bases:

• Contract: To provide psychological therapy and assessment services
• Legal Obligation: To meet regulatory, safeguarding, and record-keeping requirements
• Legitimate Interests: For necessary practice administration and service delivery
• Consent: Where explicit consent is required (e.g. specific disclosures)

b) Article 9 UK GDPR – Special Category (Health) Data

We process health-related data under:

• Article 9(2)(h): Provision of health or social care and treatment
• Article 9(2)(c): Protection of vital interests where applicable

These bases operate alongside our professional duties of confidentiality and care.

5. How We Use Personal Data

Personal data is used to:

• Provide psychological assessment and therapy services
• Maintain accurate clinical records
• Manage appointments and communications
• Process payments and invoices
• Meet legal, ethical, and professional obligations
• Ensure quality of care, including clinical supervision where appropriate

6. Use of Third-Party and Digital Systems

We use carefully selected systems to support secure and effective service delivery.

a) Halaxy (Practice Management System)

Halaxy is used for:

• Appointment scheduling
• Secure storage of clinical records
• Invoicing and payment management

Halaxy complies with GDPR requirements and uses encryption, access controls, and secure hosting.

b) ProtonMail

ProtonMail is used for secure email communication where sensitive information is shared. It provides end-to-end encryption to enhance confidentiality.

c) Illuminated Notes (AI-Assisted Clinical Documentation)

Illuminated Notes is an AI-assisted tool used to support clinicians in drafting clinical notes.

Key safeguards include:

• No audio recordings are stored
• Any transcription occurs locally on clinic devices only
• No data is processed on remote servers
• Data never leaves clinic premises
• Data is not used to train AI models
• No automated clinical decisions are made
• All outputs are reviewed, edited, and approved by a qualified clinician before being stored in Halaxy
• Use of this tool is subject to explicit client consent, and clients may opt out without any impact on their care

7. Data Retention

We retain personal data only for as long as necessary and in line with legal and professional guidance:

• Contact information: Deleted within six months after therapy ends
• Clinical records: Retained for a minimum of seven years post-therapy, or longer where required by professional, legal, safeguarding, or medico-legal obligations
• Financial records: Retained for six years in line with accounting requirements

All data is securely deleted or destroyed at the end of the retention period.

8. Data Sharing and Confidentiality

Personal data is treated as confidential and is not shared without consent except where:

• Disclosure is required by law (e.g. safeguarding concerns, court orders)
• Information is shared with health insurers with prior consent
• Anonymised information is discussed in clinical supervision to ensure quality of care

Any disclosure is limited to what is necessary and proportionate.

9. Data Security Measures

We take appropriate technical and organisational measures to protect personal data, including:

• Encrypted storage of electronic records
• Password-protected and access-restricted systems
• Two-factor authentication (2FA) where available
• Secure email systems for sensitive communications
• Role-based access to data
• Secure disposal of paper and electronic records

10. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right of access: Request a copy of your data
• Right to rectification: Request correction of inaccurate data
• Right to erasure: Request deletion, subject to legal and professional obligations
• Right to restriction: Request limits on processing
• Right to object: Object to processing in certain circumstances
• Right to data portability: Receive your data in a structured, commonly used format
• Right to withdraw consent: Where processing is based on consent

Some rights may be limited where we are legally or professionally required to retain records.

11. Complaints and Regulatory Oversight

If you have concerns about how your data is handled, please contact us at:

in**@********************co.uk

If you remain dissatisfied, you may complain to the Information Commissioner’s Office (ICO):

Website: www.ico.org.uk
Telephone: 0303 123 1113

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The most current version will always be available on our website. Significant changes will be communicated where appropriate.

13. Cookies

Our website uses cookies to ensure basic functionality and improve user experience.

Types of Cookies

• Essential cookies: Required for website functionality and security

We do not use Google Analytics or other third-party analytics or marketing cookies.

Managing Cookies

Essential cookies are necessary for the website to function. You can manage or disable cookies through your browser settings, although this may affect site functionality.