Illuminated Thinking Ltd

Privacy Policy

Effective Date: 30 January 2025

Your privacy matters

How we handle personal data

This page explains what data we collect, why we collect it, how we keep it secure, and your rights under UK GDPR.

In brief — what you need to know

  • We collect only the personal data needed to provide psychological therapy and assessment services safely and lawfully.
  • Health information is treated as confidential and protected with strict security safeguards.
  • You can opt out of AI-assisted tools at any time without affecting your access to therapy.
  • You have rights over your data (including access, correction, objection, and withdrawal of consent where applicable).
  • If you have concerns, you can complain to us and/or the Information Commissioner’s Office (ICO).

1. Introduction

Illuminated Thinking Ltd is committed to protecting the privacy, confidentiality, and security of personal data. We recognise the sensitive nature of the information entrusted to us, particularly health-related data, and we handle it with the utmost care.

This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as our professional and ethical obligations as psychological practitioners.

2. Data Controller and Data Protection Lead

Illuminated Thinking Ltd is the Data Controller for all personal data processed in connection with our services.

Data Protection Lead:
Dr Aisha Tariq
Clinical Director, Illuminated Thinking Ltd

Data protection contact:
Email: da************@********************co.uk

Contact details:
Email: in**@********************co.uk
Address: Illuminated Thinking Ltd,
Mearns Castle Golf Academy,
Waterfoot Road,
Glasgow, G77 5RR

Illuminated Thinking Ltd is not legally required to appoint a separate Data Protection Officer; however, Dr Aisha Tariq acts as the designated lead for data protection matters.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

a) Personal and Contact Information

  • Name
  • Address
  • Email address
  • Telephone number

b) Special Category Data (Health Data)

  • Therapy session notes
  • Psychological assessment reports
  • Referral letters
  • Outcome measures and clinical formulations

This information constitutes special category personal data under UK GDPR.

c) Financial Information

  • Payment records and invoices (no card details are stored directly by us)

d) Correspondence

  • Emails or messages sent to us regarding appointments, care, or administration

3A. If You Do Not Provide Personal Data

Some personal data is necessary for us to provide clinical services safely and effectively. In particular, we usually need your contact information and relevant health information in order to provide therapy or assessment services, keep accurate clinical records, and meet our professional and legal obligations.

If you choose not to provide essential information, we may be unable to offer or continue services, or we may have to limit the support we can provide.

4. Lawful Basis for Processing

a) Article 6 UK GDPR – Lawful Bases

We process personal data under the following lawful bases:

  • Contract: To provide psychological therapy and assessment services
  • Legal Obligation: To meet regulatory, safeguarding, and record-keeping requirements
  • Legitimate Interests: For necessary practice administration and service delivery
  • Consent: Where explicit consent is required (e.g. specific disclosures)

b) Article 9 UK GDPR – Special Category (Health) Data

We process health-related data under:

  • Article 9(2)(h): Provision of health or social care and treatment
  • Article 9(2)(c): Protection of vital interests where applicable

These bases operate alongside our professional duties of confidentiality and care. Processing under Article 9(2)(h) is carried out by, or under the responsibility of, a practitioner bound by a professional obligation of confidentiality, as Article 9(3) requires.

5. How We Use Personal Data

Personal data is used to:

  • Provide psychological assessment and therapy services
  • Maintain accurate clinical records
  • Manage appointments and communications
  • Process payments and invoices
  • Meet legal, ethical, and professional obligations
  • Ensure quality of care, including clinical supervision where appropriate

6. Use of Third-Party and Digital Systems

We use carefully selected systems to support secure and effective service delivery.

a) Halaxy (Practice Management System)

Halaxy is used for:

  • Appointment scheduling
  • Secure storage of clinical records
  • Invoicing and payment management

Halaxy complies with GDPR requirements and uses encryption, access controls, and secure hosting.

b) ProtonMail

ProtonMail is used for secure email communication where sensitive information is shared. It provides end-to-end encryption, which protects message content when both sender and recipient use an encrypted mailbox or a password-protected message; email sent to an ordinary address is protected in transit only.

c) Illuminated Notes (AI-Assisted Clinical Documentation)

Illuminated Notes is an AI-assisted tool used to support clinicians in drafting clinical notes.

Key safeguards include:

  • No audio recordings are stored
  • Any transcription occurs locally on clinic devices only
  • No data is sent to or processed on remote servers while a note is being drafted
  • Draft data never leaves clinic devices; only the clinician-approved note is transferred to Halaxy
  • Data is not used to train AI models
  • No automated clinical decisions are made
  • All outputs are reviewed, edited, and approved by a qualified clinician before being stored in Halaxy
  • Use of this tool is subject to explicit client consent, and clients may opt out without any impact on their care

Opting out of AI tools: Clients may refuse or withdraw consent for AI-assisted documentation at any time without affecting their access to therapy. To withdraw consent, email da************@********************co.uk.

6A. Who We Share Personal Data With (Recipients)

We share personal data only when lawful, necessary, and proportionate. Depending on the circumstances, data may be shared with:

  • Practice systems and service providers: providers that help us deliver services securely (e.g. practice management, email, IT support)
  • Clinical supervision: supervisors may receive anonymised or minimised information where possible, to support safe and effective practice
  • Health insurers: where you have requested insurer-funded sessions or reimbursement, and where you have given explicit consent
  • Safeguarding bodies and emergency services: where necessary to protect you or others from serious harm
  • Courts, legal representatives, and statutory authorities: where required by law, court order, or legal process
  • Regulators and supervisory bodies: where required (including the ICO where relevant)
  • Professional advisers: such as accountants or legal advisers, where necessary and subject to confidentiality obligations

Where possible, we share only the minimum amount of personal data needed for the purpose.

6B. International Data Transfers

We aim to use systems that process and store personal data in the UK and/or the European Economic Area (EEA). However, some service providers may process or store personal data outside the UK/EEA.

Where personal data is transferred outside the UK/EEA, we will ensure appropriate safeguards are in place. These safeguards may include UK adequacy regulations, EU/UK adequacy decisions, and/or Standard Contractual Clauses (SCCs) or equivalent contractual protections.

7. Data Retention

We retain personal data only for as long as necessary and in line with legal and professional guidance:

  • Contact information: Deleted within six months after therapy ends
  • Clinical records: Retained for a minimum of seven years post-therapy, or longer where required by professional, legal, safeguarding, or medico-legal obligations
  • Financial records: Retained for six years in line with accounting requirements

All data is securely deleted or destroyed at the end of the retention period.

8. Data Sharing and Confidentiality

Personal data is treated as confidential and is not shared without consent except where:

  • Disclosure is required by law (e.g. safeguarding concerns, court orders)
  • Information is shared with health insurers with prior consent
  • Anonymised or minimised information is discussed in clinical supervision to ensure quality of care

Any disclosure is limited to what is necessary and proportionate.

8A. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Some administrative features may be automated (for example, appointment confirmations or reminders) but these do not affect your access to care or clinical decision-making.

9. Data Security Measures

We take appropriate technical and organisational measures to protect personal data, including:

  • Encrypted storage of electronic records
  • Password-protected and access-restricted systems
  • Two-factor authentication (2FA) where available
  • Secure email systems for sensitive communications
  • Role-based access to data
  • Secure disposal of paper and electronic records

10. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: Request a copy of your data
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion, subject to legal and professional obligations
  • Right to restriction: Request limits on processing
  • Right to object: Object to processing in certain circumstances
  • Right to data portability: Receive the data you provided to us in a structured, commonly used, machine-readable format, where processing is based on consent or contract and carried out by automated means
  • Right to withdraw consent: Where processing is based on consent

Some rights may be limited where we are legally or professionally required to retain records.

How to withdraw consent: If we rely on your consent for any processing (for example, specific disclosures or AI-assisted documentation), you can withdraw that consent at any time by emailing da************@********************co.uk. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal.

11. Complaints and Regulatory Oversight

If you have concerns about how your data is handled, please contact us at:

in**@********************co.uk

If you remain dissatisfied, you may complain to the Information Commissioner’s Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113

You have the right to complain to the ICO if you believe your data protection rights have been violated. We would, however, appreciate the opportunity to address your concerns first.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The most current version will always be available on our website. Significant changes will be communicated where appropriate.

13. Cookies

Our website uses cookies to ensure basic functionality and improve user experience.

Types of Cookies

  • Essential cookies: Required for website functionality and security

We do not use Google Analytics or other third-party analytics or marketing cookies.

Managing Cookies

Essential cookies are necessary for the website to function. You can manage or disable cookies through your browser settings, although this may affect site functionality.

Questions about privacy?

If you’d like to ask about how we handle personal data, please get in touch and we’ll respond as soon as we can.