PRIVACY POLICY
Data Controller: Sarah Hopton trading as Life on Dreams Ltd
ICO Registration: ZA190743
Email: sarah@sarahhopton.com
Website: www.sarahhopton.com
Last updated: 10 October 2025
This page explains what data I collect, why I collect it, how I keep it safe, and the choices you have.
It applies to therapy clients, supervisees, and anyone who contacts me through my website or email.
I keep it plain-spoken and psychobabble-free.
1) What I Collect
If you enquire or work with me (client or supervisee)
- Identity & contact details: name, home address, email, phone number, emergency contact.
- Admin & billing: appointment history, invoices, payments (no card details stored).
- Professional details (for supervisees): training status, accrediting body, insurance, placement/employer details.
- Clinical or supervision content:
  - Clients: brief session/process notes, not transcripts.
  - Supervisees: supervision notes relevant to your professional practice (client material must be anonymised).
- Website or platform data: IP address or device information collected through standard logs when using my website or online forms.
If we meet online
- Zoom meeting details (date, time, ID).
- Recordings are not made unless we both give explicit written consent for a specific, time-bound purpose.
2) Why I Collect It
I only collect what’s needed to deliver safe, ethical, and professional services.
| Purpose | Examples | Legal basis (UK GDPR) |
| --- | --- | --- |
| Consent-based extras | Testimonials, recordings, newsletters | Consent (you can withdraw anytime) |
| Communication | Scheduling, rescheduling, updates | Contract |
| Business administration | Invoicing, accounting, insurance, HMRC compliance | Legal obligation & Legitimate interests |
| Handle risk / safeguarding | Serious risk to you or others, child/vulnerable-adult protection | Legal obligation & Vital interests |
| Provide therapy or supervision | Assessment, sessions, contact, brief notes | Contract & Legitimate interests |
Special category (sensitive) data — e.g. health, sexuality, or ethnicity — is processed only where necessary for therapeutic or supervisory purposes under Article 9(2)(h) (health/social care) of the UK GDPR and the Data Protection Act 2018.
3) How I Keep Data Safe
- Zanda: encrypted practice-management platform with two-step authentication.
- Devices & email: password-protected, encrypted where possible, two-factor authentication enabled.
- Paper: rarely used; if I jot anything down, it’s scanned securely then shredded.
- Access: limited to me and, for continuity only, my Clinical Will contact (see below).
- Least-data principle: I keep only what’s needed, for as long as needed.
4) Who Has Access
I don’t sell or trade your data.
Access is limited and purposeful:
- Accountant: has access to names and payment records only for bookkeeping. No clinical, session, or sensitive data is shared.
- Clinical Will contact: Danielle Mills, BACP-Accredited Psychotherapist. She may access my client/supervisee register solely to inform you if I become incapacitated and to support safe transfer.
- Supervision of my practice: I discuss aspects of work anonymously to maintain standards.
- Third-party processors:
  - Zanda (secure records & scheduling)
  - Zoom (encrypted online sessions)
  - Secure cloud/email providers (Microsoft/Google)
  - Bank/payment services (no card details stored)
- Some processors may store data outside the UK/EEA. Where they do, they must use approved Standard Contractual Clauses or equivalent safeguards.
5) How Long I Keep It
- Clinical & supervision notes: up to 7 years after our final session (required by insurers and professional bodies).
- Invoices & financial records: 6 years (legal requirement).
- Texts, app messages, and emails: deleted 6 months after our work ends.
- Recordings: only with written consent; deleted immediately after use.
6) Sharing Information
I only share information when legally, ethically, or clinically necessary:
- Risk or safeguarding: serious risk to you or others, or legal duty (e.g., child protection, terrorism, court order). I’ll try to speak with you first whenever possible.
- With your consent: for example, sharing updates with your GP or another professional.
- Clinical Will: if I’m incapacitated, Danielle Mills will contact you and advise on next steps.
- Supervision: anonymised discussion for professional reflection.
7) Your Rights
Under UK GDPR you have the right to:
- Access your data (within one month).
- Rectify anything inaccurate.
- Request deletion in certain circumstances.
- Restrict or object to processing.
- Port your data to another provider (where technically possible).
- Withdraw consent at any time.
Some rights may be limited by insurance, legal, or safeguarding obligations.
8) Online Sessions (Zoom)
- Password-protected, waiting rooms enabled, end-to-end encryption.
- Please join from a private, secure space.
- Sessions are not recorded without written consent, and any recording is deleted immediately after its agreed use.
9) Supervision-Specific Notes
- Supervisees must anonymise client data before sharing.
- Don’t email identifiable details or send documents containing full client identifiers.
- I keep brief supervision notes for accountability and ethical record-keeping.
- You are your own Data Controller for your clinical work and must maintain GDPR compliance within your practice.
10) Children & Young People
If you’re under 18, a parent or guardian usually needs to consent alongside you, unless you’re considered Gillick competent. Each case is handled individually with safeguarding in mind.
11) Cookies & Website
This site uses only essential cookies and basic analytics to see how the website performs. You can block cookies in your browser at any time. No identifying personal data is collected through cookies.
12) Questions or Complaints
If you’re concerned about how your data is handled, contact:
Sarah Hopton – sarah@sarahhopton.com
If unresolved, you can contact the Information Commissioner’s Office (ICO):
www.ico.org.uk
13) Updates
If I change how I use or store data, I’ll update this page. Major changes will be highlighted on the website or by email if relevant.
14) In Summary
- I keep only what’s necessary, securely.
- Your data is never shared for marketing.
- My accountant sees names and payments only, never clinical notes.
- My clinical will protects you if I can’t continue contact.
- You can see, correct, or ask me to delete your data.
Your privacy matters. Your story stays yours.