Illuminated Thinking Ltd

Privacy Policy

Effective Date: 27 April 2026 · Version 7.0

In brief: what you need to know

  • We collect only the personal data needed to provide psychological therapy and assessment services safely and lawfully.
  • Health information is treated as confidential and protected with strict security safeguards.
  • You can opt out of AI-assisted tools at any time without affecting your access to therapy.
  • You have rights over your data, including access, correction, objection, and withdrawal of consent where applicable.
  • If you have concerns, you can complain to us and/or the Information Commissioner's Office (ICO).

The full policy is set out below.

1. Introduction

Illuminated Thinking Ltd is committed to protecting the privacy, confidentiality, and security of personal data. We recognise the sensitive nature of the information entrusted to us, particularly health-related data, and we handle it with the utmost care.

This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as our professional and ethical obligations as psychological practitioners.

This policy applies to two groups of people: website visitors (anyone who browses our website) and clients (anyone who uses our clinical services, including therapy and assessment). Where a section applies only to one group, this is stated. Otherwise, the section applies to both.

2. Data Controller and Data Protection Lead

Illuminated Thinking Ltd (company number SC825635) is the Data Controller for personal data processed through our website and central practice systems.

We are registered with the Information Commissioner's Office (ICO). Our registration number is ZB859542. You can verify this at ico.org.uk.

Data Protection Lead:
Dr Aisha Tariq
Clinical Director, Illuminated Thinking Ltd

Data protection contact:
Email: dataprotection@illuminatedthinking.co.uk

Contact details:
Email: info@illuminatedthinking.co.uk
Phone: 0141 471 3632
Address: Illuminated Thinking Ltd, Mearns Castle Golf Academy, Waterfoot Road, Glasgow, G77 5RR

Illuminated Thinking Ltd is not legally required to appoint a separate Data Protection Officer; however, Dr Aisha Tariq acts as the designated lead for data protection matters.

Independent clinicians

All of our psychologists practise as independent clinicians rather than employees. Each clinician is an independent data controller in their own right for the clinical data they generate during your therapy or assessment. Illuminated Thinking Ltd remains the data controller for central practice systems (appointments, billing, and the website).

In practice this means that if you wish to exercise your data rights in relation to clinical records created by an associate psychologist, we will help coordinate your request. You can always contact us at dataprotection@illuminatedthinking.co.uk and we will ensure your request reaches the right person.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

a) Website visitors

  • IP address and browser metadata (collected automatically by our hosting provider)
  • Pages visited, time on site, and referral source (if you accept analytics cookies)
  • Name, email address, phone number, and message content (if you submit our contact form)

b) Clients — personal and contact information

  • Name
  • Date of birth
  • Address
  • Email address
  • Telephone number
  • Emergency contact details
  • GP details (where relevant)

c) Clients — special category data (health data)

  • Therapy session notes
  • Psychological assessment reports
  • Referral letters
  • Outcome measures and clinical formulations
  • Relevant medical and psychiatric history

This information constitutes special category personal data under UK GDPR.

d) Financial information

  • Payment records and invoices (no card details are stored directly by us)

e) Correspondence

  • Emails or messages sent to us regarding appointments, care, or administration

How we collect personal data

We collect personal data:

  • Directly from you — when you contact us, complete forms, book appointments, or attend sessions
  • From referrers — such as your GP, another clinician, or an insurer, where you have given them permission to share information with us
  • Automatically via our website — through hosting infrastructure, embedded content, and analytics (see sections 6 and 13)

4. If You Do Not Provide Personal Data

Some personal data is necessary for us to provide clinical services safely and effectively. In particular, we usually need your contact information and relevant health information in order to provide therapy or assessment services, keep accurate clinical records, and meet our professional and legal obligations.

If you choose not to provide essential information, we may be unable to offer or continue services, or we may have to limit the support we can provide.

5. Lawful Basis for Processing

UK GDPR requires us to have a lawful basis for each type of processing we carry out. The table below sets out which basis applies to each activity.

a) Article 6 UK GDPR — general personal data

Processing activity | Lawful basis

  • Managing appointments and communications: Contract — necessary to deliver the service you have engaged us to provide
  • Providing therapy and assessment services: Contract
  • Maintaining clinical records: Contract and legal obligation — required by health and care regulations and professional standards
  • Processing payments and invoices: Contract and legal obligation — required for accounting and tax purposes
  • Responding to contact form enquiries: Legitimate interests — our interest in responding to people who contact us about our services. We have assessed that this does not override your rights, as you initiate the contact and would reasonably expect a reply
  • Clinical supervision: Legitimate interests — our interest (and professional obligation) in maintaining safe, effective clinical practice. Information shared in supervision is anonymised or minimised wherever possible
  • Practice administration and service improvement: Legitimate interests — our interest in operating the practice efficiently and improving our services. This includes internal record-keeping, scheduling, and quality assurance
  • Website analytics (if you accept cookies): Consent — you choose whether to accept analytics cookies via our cookie banner
  • Safeguarding disclosures: Legal obligation and/or vital interests — where necessary to protect you or others from serious harm
  • Sharing information with health insurers: Consent — only where you have explicitly asked us to share information for reimbursement purposes
  • AI-assisted clinical documentation: Consent — use is subject to your explicit agreement and you may opt out at any time

b) Article 9 UK GDPR — special category (health) data

We process health-related data under:

  • Article 9(2)(h): Processing is necessary for the provision of health or social care and treatment, carried out by or under the responsibility of a health professional subject to a duty of confidentiality
  • Article 9(2)(a): Explicit consent — for AI-assisted documentation and specific disclosures where consent is the appropriate basis
  • Article 9(2)(c): Protection of vital interests — where applicable (e.g. safeguarding)

6. How We Use Personal Data

Personal data is used to:

  • Provide psychological assessment and therapy services
  • Maintain accurate clinical records
  • Manage appointments and communications
  • Process payments and invoices
  • Meet legal, ethical, and professional obligations
  • Ensure quality of care, including clinical supervision where appropriate

7. Third-Party Systems and Data Processors

We use carefully selected systems to support secure and effective service delivery. Each system is listed below with an explanation of how it processes personal data.

a) Halaxy (practice management system)

Halaxy is used for appointment scheduling, secure storage of clinical records, and invoicing. Client data is stored on Halaxy's EU-hosted infrastructure (eu-api.halaxy.com). Halaxy acts as a data processor on our behalf and maintains appropriate technical and organisational safeguards including encryption and access controls.

A Halaxy booking widget is also embedded on our website. When you interact with this widget, Halaxy may receive your IP address and booking information. Halaxy's own privacy policy applies to data collected through the widget.

b) Clinical Dashboard (practice-owned software)

We operate a clinical dashboard at dash.illuminated.pro for appointment management and practice administration. This is practice-owned software. All clinical and personal data accessed through the dashboard is stored in Halaxy — the dashboard does not maintain a separate database of patient information.

c) Cloudflare (website hosting and security)

Our website is hosted on Cloudflare Pages. Cloudflare processes visitor IP addresses, TLS connection metadata, and page requests as part of delivering and securing the website. Cloudflare acts as a data processor and processes this data in accordance with its privacy policy. Data may be processed in Cloudflare's global network, including locations outside the UK; Cloudflare relies on Standard Contractual Clauses and other approved transfer mechanisms.

d) Google Analytics 4

If you accept analytics cookies, we use Google Analytics 4 (measurement ID: G-PSGV7FQWXY) to understand how visitors use our website in aggregate. Google Analytics processes your IP address (which is anonymised), pages visited, session duration, and referral source. Google acts as a data processor and may transfer data to the United States under the UK extension to the EU-US Data Privacy Framework. No analytics data is collected unless you actively consent via our cookie banner.

e) Vimeo (embedded video)

Our homepage includes an embedded video hosted by Vimeo. When the page loads, your browser connects to Vimeo's servers, which may receive your IP address and set cookies. Vimeo's privacy policy applies to data collected through the embed. We load the video with privacy-enhanced settings (dnt=1) to minimise tracking.

f) Secure email

Secure email is used for communication where sensitive information is shared, providing end-to-end encryption to enhance confidentiality.

g) AI-assisted clinical documentation

Some clinicians use AI-assisted tools to support transcription and the drafting of clinical notes. Because clinicians at Illuminated Thinking practise as independent data controllers (see Section 2), each clinician selects, contracts with, and is responsible for the AI tools they use in their own practice.

Illuminated Thinking Ltd officially supports Cogent Clinic as the practice's endorsed tool for transcription and note drafting. Cogent Clinic is operated by Cogent Clinic Ltd, a separate legal entity, which acts as a data processor for the clinicians who use it. Other clinicians may use alternative tools (for example, Heidi Health) provided those tools meet the minimum standards set out in our AI Ethical Use Policy.

Minimum standards for any AI tool used in clinical work:

  • The vendor is UK GDPR and Data Protection Act 2018 compliant, with a signed data processing agreement (DPA) in place
  • Client data is not used to train AI models
  • All AI-generated outputs are reviewed, edited, and approved by a qualified clinician before being stored in the clinical record
  • No automated clinical decisions are made; AI does not replace clinical judgement
  • The clinician has completed their own Data Protection Impact Assessment (DPIA) for the tool
  • Use is subject to explicit client consent, with the right to opt out at any time and without any impact on care

Knowing which tool is in use: You have the right to ask your clinician which AI tools (if any) they use in your sessions, and to receive information about the relevant safeguards before consenting. You can also contact us at dataprotection@illuminatedthinking.co.uk if you would like help with this.

Opting out: Clients may refuse or withdraw consent for AI-assisted documentation at any time without affecting their access to therapy. To withdraw consent, speak directly to your clinician, or email dataprotection@illuminatedthinking.co.uk and we will coordinate with your clinician on your behalf.

Full details of our approach to AI — including our principles, governance, and the standards we expect of clinicians and vendors — are set out in our AI Ethical Use Policy.

8. Who We Share Personal Data With

We share personal data only when there is a lawful basis to do so and the sharing is necessary and proportionate. Depending on the circumstances, data may be shared with:

  • Data processors: third-party service providers that process data on our behalf to deliver our services (listed in section 7 above), bound by data processing agreements
  • Clinical supervision: supervisors may receive anonymised or minimised information where possible, to support safe and effective practice
  • Health insurers: only where you have explicitly consented to sharing information for reimbursement or insurer-funded sessions
  • Safeguarding bodies and emergency services: where necessary to protect you or others from serious harm
  • Courts, legal representatives, and statutory authorities: where required by law, court order, or legal process
  • Regulators and supervisory bodies: where required (including the ICO and HCPC where relevant)
  • Professional advisers: such as accountants or legal advisers, where necessary and subject to confidentiality obligations

Where possible, we share only the minimum amount of personal data needed for the purpose.

9. International Data Transfers

We aim to use systems that process and store personal data in the UK and/or the European Economic Area (EEA). However, some service providers may process or store personal data outside the UK/EEA:

  • Cloudflare: global network — relies on Standard Contractual Clauses
  • Google Analytics: United States — covered by the UK extension to the EU-US Data Privacy Framework
  • Vimeo: United States — covered by the EU-US Data Privacy Framework

Clinical data stored in Halaxy is held on EU-hosted infrastructure. Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including UK adequacy regulations, adequacy decisions, and/or Standard Contractual Clauses (SCCs).

Where a clinician uses an AI tool that processes data internationally, the specific transfer mechanism depends on the vendor selected by that clinician. Clinicians are required to satisfy themselves that any vendor they use applies an appropriate UK GDPR-compliant transfer mechanism. You can ask your clinician for details of the tool they use and how it handles your data.

10. Data Retention

We retain personal data only for as long as necessary and in line with legal and professional guidance:

  • Client contact information: Retained for the same period as the associated clinical records, so that we can contact you about your records if needed (e.g. subject access requests, safeguarding matters, or court orders)
  • Clinical records (adults): Retained for a minimum of seven years post-therapy, or longer where required by professional, legal, safeguarding, or medico-legal obligations
  • Clinical records (children and young people): Retained until the patient's 25th birthday, or 26th birthday if they were 17 at the end of treatment, in line with BPS and NHS guidance — or longer where required by law or professional obligation
  • Financial records: Retained for six years in line with HMRC accounting requirements
  • Website analytics data: Retained by Google Analytics for 14 months, after which it is automatically deleted
  • Contact form submissions: Deleted within six months after the enquiry is resolved. If the enquiry leads to clinical services, the submission is covered by the client retention schedule above

All data is securely deleted or destroyed at the end of the retention period.

11. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Some administrative features may be automated (for example, appointment confirmations or reminders) but these do not affect your access to care or clinical decision-making.

12. Data Security Measures

We take appropriate technical and organisational measures to protect personal data, including:

  • Encrypted storage of electronic records
  • Password-protected and access-restricted systems
  • Two-factor authentication (2FA) where available
  • Secure email systems for sensitive communications
  • Role-based access to data
  • Secure disposal of paper and electronic records
  • Regular review of security practices and access permissions

13. Data Breach Procedures

We have procedures in place to detect, investigate, and respond to personal data breaches. In the event of a breach that is likely to result in a high risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach, where required
  • Notify affected individuals without undue delay, explaining what happened, what data was involved, and what steps we are taking
  • Record all breaches (including those not reportable to the ICO) in an internal breach log, documenting the facts, effects, and remedial action taken

If you believe your personal data has been compromised, please contact us immediately at dataprotection@illuminatedthinking.co.uk.

14. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: Request a copy of your data
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion, subject to legal and professional obligations
  • Right to restriction: Request limits on processing
  • Right to object: Object to processing based on legitimate interests
  • Right to data portability: Receive your data in a structured, commonly used format
  • Right to withdraw consent: Where processing is based on consent

Some rights may be limited where we are legally or professionally required to retain records (for example, clinical records that must be kept for a minimum period).

How to exercise your rights: Contact us at dataprotection@illuminatedthinking.co.uk. We will respond within one month. If your request is complex, we may extend this by a further two months and will let you know.

How to withdraw consent: If we rely on your consent for any processing (for example, analytics cookies, specific disclosures, or AI-assisted documentation), you can withdraw that consent at any time by emailing dataprotection@illuminatedthinking.co.uk or by updating your cookie preferences using the "Cookie Settings" link in the website footer. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal.

15. Complaints and Regulatory Oversight

If you have concerns about how your data is handled, please contact us at:

dataprotection@illuminatedthinking.co.uk

If you remain dissatisfied, you have the right to complain to the Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO, but you are not required to do so.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The most current version will always be available on our website with the effective date and version number shown at the top. Significant changes will be communicated where appropriate.

17. Cookies

Types of Cookies

  • Essential cookies: Required for website functionality and security
  • Analytics cookies (optional): Google Analytics 4 cookies used to understand aggregated website usage and improve our website

We only set Google Analytics cookies if you explicitly accept analytics cookies through our cookie banner. We do not use advertising or marketing cookies.

Third-party embeds (such as the Vimeo video player and Halaxy booking widget) may also set their own cookies. These are governed by the respective third party's cookie and privacy policies.

Managing Cookies

You can accept or reject analytics cookies when prompted, and you can update your choice at any time using the "Cookie Settings" link in the website footer. Essential cookies are necessary for core website functionality. You can also manage cookies through your browser settings, although this may affect site functionality.

Questions about privacy?

If you would like to ask about how we handle personal data, please get in touch and we will respond as soon as we can.