Privacy Policy December 2023

1. Introduction

1.1 I am committed to safeguarding the privacy of my website visitors and clients.

1.2 This policy applies where I am acting as a data controller with respect to the personal data of my website visitors and clients; in other words, where I determine the purposes and means of the processing of that personal data.

1.3 In this policy, "I", "me" and "my" refer to Cassie-Joseph (CJ) Smith owner of Rain or Shine Psychotherapy and Counselling.

2. Credit

2.1 This document was created using a template from SEQ Legal (https://seqlegal.com/free-legal-documents/privacy-policy).

3. How I use your personal data

3.1 In Section 3 I have set out:

(a) the general categories of personal data that I may process;

(b) the purposes for which I may process personal data; and

(d) the legal bases of the processing.

3.2. Offline data

I may process personal data. This includes your name, email address, phone number and an emergency contact (“personal data”). The source of this data is the information that you supply to me on the client information sheet which you will fill in if/ when we first start working together. This data may only be processed for the purposes of providing you with counselling and therapy service, including contacting you about appointments. I will not contact you nor use your personal data for any other purpose. If we decide not to begin working together or decide to stop working together this data will be deleted immediately. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

3.3. Online Data

I process online data which I receive through the usage of my website, through you contacting me via email, my website and through directories I am listed in, and through the online processing of payments.

3.3.1 I may process data about your use of my website and services ("usage data"). My website is hosted by Squarespace. Squarespace uses cookies to collect personal data when you visit my website, including:

· Information about your browser, network and device

· Web pages you visited prior to coming to this website

· Your IP address

· Information about the general timing, frequency and pattern of visits to the website generally

Squarespace analyzes the data in a de-personalized form. Therefore your personal data remains confidential when you visit the website.

The source of the usage data is google analytics. This usage data may be processed for the purposes of analysing the use of the website and services. The legal basis for this processing is my legitimate interests, namely monitoring and improving my website and services.

You can find out more about cookies in section 10 and 11 below.

3.3.2 I may process information contained in any enquiry you submit to me regarding a request to use the services I offer ("enquiry data"). The enquiry data may only be processed for the purposes of offering counselling and psychotherapy services to you in exchange for money. The legal basis for this processing is the performance of a contract between you and I and/or the taking steps, at your request, to enter into such a contract.

3.3.3 I may process information that you post for publication on my website ("publication data") for example comments which you post on my blog posts. The publication data may be processed for the purposes of enabling such publication and administering my website and services. The legal basis for this processing is consent. If you post comments on my website it will be assumed that you consent to your data being used in this manner.

3.3.4 I may process information relating to transactions, including purchases of counselling services, that you enter into with me and/or through my website ("transaction data"). The transaction data may include your contact details, your card details and the transaction details. The source of the transaction data is you and/or my payment services provider. The transaction data may be processed for the purpose of supplying the purchased service, receiving payment for the purchased services and keeping proper records of those transactions. If you make a transaction via PayPal the first 10 digits of your PayPal id show on my bank statement for example ‘*cjrainorsh’. My bank statements are stored securely in a passcode-protected account. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract

3.3.5 Personal information is any information that can be related to the identification or used to identify a person. As such, if a client pays me by bank transfer and the bank account used is in their name, their personal information will show up on my bank statement. They may also be identifiable by the way they identify their payment. Should they wish to anonymise payments, I recommend clients use their initials and the day we usually meet. My banks statements are securely stored in my banking app, which is protected using a passcode only I have access to.

4. Disclosing your personal data to others and disclosing others personal data

4.1 On occasion you may request that I disclose your information to third parties, for example for the purpose of writing letters confirming details of our work together. As part of our work in sessions, I will work with you to ensure that you are satisfied with the wording of such correspondence is fully agreed with you. I am also able to password protect these documents if this is helpful to you.

4.2 In addition to the specific purposes for which I may process your personal data set out in Section 3, unless requested to do so by you I will only disclose your personal data where such processing is necessary for compliance with a legal obligation to which I am subject, or in order to protect you or another person, including children, from immediate, significant and lasting harm. I would make every effort to obtain your consent before doing so if possible, the only exception being if obtaining your consent would put yourself or another person involved at greater risk of harm.

4.3 Please do not supply any other person's personal data to me, unless I prompt you to do so.

5. International transfers of your personal data

5.1 In this Section 5, I provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).

5.2 The hosting facilities for my website- Squarespace- are situated in the U.S.A. The European Commission has made an "adequacy decision" with respect to the data protection laws in the U.S.A. Transfers to the U.S.A are protected by appropriate safeguards. In the case of Square space, they have self-certified to the EU-US and Swiss-US Privacy Shield, which allows them to lawfully transfer EU and Swiss personal data to the US, including to their US-based data centers. You can read more about Squarespace’s Privacy Shield certifications here.

5.3 You acknowledge that data that you submit for publication through my website or services, namely through comments made on my blog posts, may be available, via the internet, around the world. I cannot prevent the use (or misuse) of such personal data by others.

6. Retaining and deleting personal data

6.1 This Section 6 sets out my data retention policies and procedure, which are designed to help ensure that I comply with my legal obligations in relation to the retention and deletion of personal data.

6.2 Personal data that I process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6.3 I will retain your data as follows:

(a) website usage data will be retained for a minimum period of 30 minutes following the date of collection, and for a maximum period of 2 years following that date, depending on the type of cookie in question. You can find more information on this here: https://support.squarespace.com/hc/en-us/articles/360001264507

(b) Publication data (for example comments which you post on blog posts etc.) will be retained for as long as the commented on blog post remains on my website. In commenting on my blog post you consent to this. However, if there is a comment that you have good reason to want removed I will do my best to facilitate this.

(d) In the event that you enquire about therapy but do not decide to enter into therapy, your enquiry data (e.g. email threads) will be deleted as soon as possible after you have informed me you do not wish to proceed with therapy and I will not hold any records for you. In the event that you enquire about therapy but do not confirm whether you wish to proceed with therapy, I will delete any such data that is more than one month old on a quarterly basis (meaning that I could potentially hold your data for 4 months, at a maximum)

(e) In the event that you enquire about therapy and do decide to enter into a therapy contract with me, your enquiry data (e.g. email threads) will be held as correspondence between us so long as we have a therapeutic contract together. In the event that we terminate this contract, I will archive these emails (meaning that they will not be visible in my inbox) and they will be held for a maximum of five years after the therapeutic relationship has ended, in line with insurance requirements.

(f) Transaction data will be retained on apps such as PayPal indefinitely, and on bank statements for 7 years. My bank statements are held securely in a password-protected account. Bank statements are held to comply with HMRC regulations

7. Working Online

7.1 I work almost exclusively via the online platform Zoom.

By default, Zoom requires encryption for all data transferred between the Zoom cloud, Zoom client, and Zoom Room. In addition, I have setting turned on which require media encryption for 3rd party endpoints (SIP/H.323) as well. 3rd party (SIP/H.323) endpoints that cannot negotiate media encryption compatible with Zoom's standards will be blocked from joining my Zoom meetings.

The Information Commissioners Office have approved Skype and Zoom for online therapy (provided clients give their consent), whilst noting that these platforms add an element of information insecurity beyond the control of both therapist and client.

Please take this into consideration when deciding if you would like to engage in therapy using this platform. I would be happy to discuss any concerns you have about using online platforms with you.

8. Data Storage

8.1 I store my client information sheet and contract.

I also make an initial assessment and brief, anonymised notes after each of our sessions. These are necessary to support our work together.

(a) The client information sheet and contract and

(b) the initial assessment and notes

will either be stored securely in paper form (locked away) and/or in electronic records (stored in password-protected files).

The documents under (a) and those under (b) are kept separately from each other. This is to avoid the possibility of a data breach where personal details and notes were matched up.

8.2 All data that is collected is subject to the strict rules of confidentiality laid down by Acts of Parliament, including the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

In line with my insurance requirements, if the client is aged over 18 I will keep their records for 5 years from the date of their last session. If the client is aged under 18 I will keep the records for 5 years from the date when they reach 18. If the client is suffering from any mental incapacity rendering them unable to make decisions for themselves, I would keep the records for 5 years from the date when they were deemed to be capable of making their own decisions. In practice, this could mean I would need to keep these records indefinitely.

8.3 I also use an online calendar to keep track of appointments. In this, I record only coded client details alongside appointment times.

9. Your rights

9.1 In this Section 7, I have listed the rights that you have under data protection law.

9.2 Your principal rights under data protection law are:

(a) the right to access - you can ask for copies of your personal data;

(b) the right to rectification - you can ask us to rectify inaccurate personal data and to complete incomplete personal data;

(d) the right to restrict processing - you can ask use to restrict the processing of your personal data;

(e) the right to object to processing - you can object to the processing of your personal data;

(f) the right to data portability - you can ask that I transfer your personal data to another organisation or to you;

(g) the right to complain to a supervisory authority - you can complain about my processing of your personal data; and

(h) the right to withdraw consent - to the extent that the legal basis of my processing of your personal data is consent, you can withdraw that consent.

9.3 These rights are subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.

9.4 You may exercise any of your rights in relation to your personal data by written notice to us, using the contact details set out below.

9.5 For more information you can contact the Information Commissioners Office at ico.org.uk or on 0303 123 11 13.

10. About cookies

10.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

10.2 Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

10.3 Cookies do not typically contain any information that personally identifies a user, but personal data that I store about you may be linked to the information stored in and obtained from cookies.

11. Cookies used by my service providers

11.1 My website, which is hosted by Squarespace, uses cookies and similar technologies, which are small files or pieces of text that download to a device when a visitor accesses a website or app. For information about viewing the cookies dropped on your device, visit About the cookies Squarespace uses.

These functional and required cookies are always used, which allow Squarespace, our hosting platform, to securely serve this website to you.

These analytics and performance cookies are used on this site, as described below, only when you acknowledge our cookie banner. We use analytics cookies to view site traffic, activity, and other data.

11.2 I use Google Analytics. Google Analytics gathers information about the use of my website by means of cookies. The information gathered is used to create reports about the use of my website. You can find out more about Google's use of information by visiting https://www.google.com/policies/privacy/partners/ and you can review Google's privacy policy at https://policies.google.com/privacy

12. Managing cookies

12.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

(a) https://support.google.com/chrome/answer/95647 (Chrome);

(b) https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);

(d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);

(e) https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471/mac (Safari); and

(f) https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).

12.2 Blocking all cookies will have a negative impact upon the usability of many websites.

12.3 If you block cookies, you will not be able to use all the features on my website.

13. Amendments

13.1 I may update this policy from time to time by publishing a new version on my website.

13.2 I will notify current or potential clients of significant changes to this policy by email.

14. Business details

13.1 This website is owned and operated by Cassie-Joseph (CJ) Leone Smith, and hosted by Squarespace.

13.2 Rain or Shine Psychotherapy and Counselling/ CJ Smith are registered with the ICO under registration number ZA533707

13.3 My principal place of business is at Chorlton Rooms, Manchester, M21 0RQ

13.4 You can contact me:

(a) using my website contact form;

(d) by email, using cjrainorshine@gmail.com

14. Data protection officer

14.1 Rain or Shine’s data protection officer's contact details are: Cassie-Joseph (CJ) Leone Smith, contactable using the methods stated in 13.4 above

Please be aware that in agreeing to proceed with therapy with me you acknowledge your acceptance of this policy.