Privacy Policy
Summary
We collect the minimum personal data needed to provide our services. We never sell your data. We never use it for advertising. If you share personal information with us for therapy or community wellbeing purposes, it is held securely and in strict confidence. You can ask us to delete your data at any time.
Who We Are
The data controller responsible for your personal information is:
| Organisation | Chazon Psychological & Human Development Services CIC |
| Legal Status | Community Interest Company — registered in England & Wales |
| CIC Number | 16799769 |
| Incorporated | 21 October 2025 |
| Registered Office | [Registered Address, City, Postcode] |
| ICO Registration | [ZA Reference Number] |
| Data Controller | Dr Anthony Ataekong, Founder & Clinical Director |
| Contact Email | privacy@chazonservices.org |
| Website | chazonservices.org · resetwithdranthony.com |
Chazon CIC operates two trading platforms: Chazon Psychological Therapy (clinical services) and 7030MindClub (community wellbeing programmes). This privacy policy applies to both platforms and to all interactions with our website, podcast, and communications.
Personal Data We Collect
We collect personal data in the following categories, depending on how you interact with us:
Identity & Contact Data
Full name, email address, telephone number, postal address, date of birth, and gender (where relevant to service provision).
Clinical & Therapeutic Data
Mental health history, presenting concerns, session notes, assessment outcomes, progress reviews, GP details, and emergency contact information — collected only when you engage with our therapy services.
Technical & Usage Data
IP address, browser type, device type, pages visited, time on site, referral source, and cookie identifiers — collected automatically when you visit our websites.
Communications Data
The contents of enquiry forms, emails, and messages you send us, as well as records of our responses to you.
Podcast & Content Data
Email addresses collected via our newsletter and podcast subscription, and engagement data from YouTube and Instagram (via those platforms’ own analytics).
We do not collect payment card data directly. All payments are processed by a third-party payment provider (e.g. Stripe or PayPal), who are responsible for the security of payment data under their own privacy policies.
Our Lawful Basis for Processing
Under UK GDPR and the Data (Use and Access) Act 2025, we must have a lawful basis for processing your personal data. We rely on the following bases:
| Consent | Where you have actively opted in — for example, subscribing to our newsletter, completing our contact form, or agreeing to receive marketing communications. You may withdraw consent at any time. |
| Contract | Where processing is necessary to deliver the service you have requested — including therapy sessions, supervision, and assessment services. |
| Legal Obligation | Where we are required to process data to comply with a legal obligation, such as safeguarding duties, regulatory requirements, or clinical record-keeping obligations under BABCP standards. |
| Vital Interests | In rare circumstances where processing is necessary to protect your life or the life of another person — for example, in a safeguarding emergency. |
| Legitimate Interests | Where processing is in our legitimate business interests and does not unduly override your rights — for example, improving our services, responding to enquiries, and analysing website usage. |
For special category data (including mental health and clinical information), we rely on your explicit consent and the processing being necessary for the provision of healthcare and psychological services, under Article 9(2)(h) UK GDPR.
How We Use Your Data
We use the personal data we collect for the following purposes:
- To provide, deliver, and administer therapy, supervision, assessment, and corporate wellbeing services
- To respond to your enquiries and communicate with you about our services
- To process bookings, manage appointments, and send appointment reminders
- To maintain clinical records in line with BABCP professional standards and legal requirements
- To send you newsletters, podcast updates, and programme information (only where you have consented)
- To improve and develop our website, content, and services using anonymised analytics data
- To comply with our legal, regulatory, and safeguarding obligations
- To fulfil our community interest obligations as a registered CIC
- To administer 7030MindClub programmes, events, and partnerships
We will never use your data to send you unsolicited marketing, and we will never sell, rent, or share your personal data with advertisers.
Sensitive & Clinical Data
Special Category Data — Higher Protection
Mental health information, psychological assessments, clinical notes, and health data are classified as “special category” data under UK GDPR and receive the highest level of protection. We collect and process this data only to provide you with clinical services, with your explicit consent, and in compliance with BABCP ethical guidelines.
All clinical data is:
- Collected only with your explicit written or verbal consent, documented at intake
- Stored in encrypted, password-protected systems with access restricted to treating clinician(s)
- Never shared with third parties without your explicit consent, except where required by law or to protect safety
- Retained for a minimum of 7 years following the end of therapeutic contact, in line with clinical and legal best practice (or 7 years after a client’s 18th birthday if they were a minor)
- Subject to your right of access, correction, and in certain circumstances, erasure
There are limited circumstances in which we may share clinical information without your consent. These include: where there is a serious and imminent risk to your life or the life of another person; where we are legally required to disclose information (such as a court order); or where a safeguarding concern involving a child or vulnerable adult requires us to contact relevant authorities. We will always tell you about disclosures made, unless doing so would place you or others at risk.
Section 06
Sharing Your Data
We do not sell or rent your personal data. We may share data with the following categories of third parties, only where necessary and appropriate:
| Clinical Supervisors | Anonymised clinical material may be discussed with Dr Anthony’s BABCP-approved clinical supervisor for professional development and quality assurance. No personally identifying information is shared. |
| Payment Processors | Third-party payment providers (e.g. Stripe, PayPal) to process fees securely. They process payment data under their own privacy policies. |
| Scheduling Software | Appointment booking platforms (e.g. Calendly) that process your name and email to manage bookings. These are our data processors and operate under data processing agreements. |
| Email Platforms | Newsletter and communication tools (e.g. Mailchimp) used to send you content you have consented to receive. |
| Website Analytics | Anonymised usage data processed by analytics tools (e.g. Google Analytics). See our Cookie Policy for full details. |
| Regulatory Bodies | Where required by law, or in response to a lawful request from BABCP, ICO, or other regulatory or statutory body. |
| Safeguarding Authorities | In limited circumstances involving serious safeguarding concerns, as described in Section 5 above. |
All third-party processors are subject to data processing agreements that require them to handle your data securely and only for the purposes we specify.
How Long We Keep Your Data
| Clinical Records | 7 years from end of therapeutic contact (or 7 years after 18th birthday for minors) — in line with BABCP and NHS standards |
| Enquiry & Contact Data | 12 months from last contact, unless you become a client |
| Newsletter Subscribers | Until you unsubscribe or withdraw consent |
| Accounting Records | 6 years legal requirement under the Companies Act 2006 |
| Website Analytics Data | 26 months (Google Analytics default), anonymised |
| Employee/Contractor Data | 6 years from end of engagement |
| Event/Programme Records | 3 years from the date of the event |
When data is no longer needed, it is securely deleted or anonymised. We regularly review the data we hold and do not keep it longer than necessary.
Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
Right of Access
You can request a copy of the personal data we hold about you. We will respond within one month. This is free of charge in most circumstances.
Right to Rectification
If the data we hold about you is inaccurate or incomplete, you can ask us to correct it.
Right to Erasure
In certain circumstances, you can ask us to delete your personal data. Note that clinical records may be subject to retention requirements that limit this right.
Right to Object
You can object to us processing your data on the basis of legitimate interests. You can always object to direct marketing.
Right to Portability
Where processing is based on consent or contract, you can request your data in a structured, machine-readable format.
Right to Restrict
You can ask us to pause processing of your data in certain circumstances — for example, while you contest its accuracy.
Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Rights re. Automated Decisions
We do not use automated decision-making or profiling that produces legal or similarly significant effects about you.
To exercise any of these rights, please contact us at privacy@chazonservices.org. We will respond within one calendar month. We may need to verify your identity before fulfilling a request.
Section 09
How We Keep Your Data Secure
We take data security seriously and have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or damage. These include:
- Encryption of data in transit (HTTPS/TLS) and at rest
- Password-protected, access-controlled systems for clinical records
- Regular security reviews and software updates
- Staff and contractor confidentiality agreements
- Secure video conferencing platforms for online therapy (e.g. GDPR-compliant platforms only)
- Secure deletion protocols when data is no longer required
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay where required.
Children’s Privacy
Children Higher Protection Standard
In line with the Data (Use and Access) Act 2025 and UK GDPR’s children’s higher protection duties, we apply additional safeguards when processing data relating to anyone under the age of 18.
Where we work with young people through our 7030MindClub outreach and school programmes:
- Parental or guardian consent is obtained before collecting personal data from children under 13
- Young people aged 13–17 may consent independently, subject to capacity assessment
- Clinical records for minors are retained for 7 years after the individual’s 18th birthday
- We apply data minimisation principles rigorously — collecting only what is strictly necessary
- School partnership data is subject to separate data sharing agreements with each institution
International Transfers
We aim to store and process all personal data within the UK or European Economic Area (EEA). In limited circumstances, third-party tools we use (such as certain cloud services) may transfer data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place — such as Standard Contractual Clauses approved by the ICO — to ensure your data receives equivalent protection.
You can request details of any international data transfers and the safeguards in place by contacting us at privacy@chazonservices.org.
Third-Party Links
Our websites and podcast may contain links to third-party websites, including YouTube, Instagram, and Calendly. We are not responsible for the privacy practices of those sites. We recommend you review their privacy policies before submitting personal data through them. Their collection and use of your data is governed by their own policies, not ours.
Changes to This Policy
We review this Privacy Policy at least annually and whenever our data practices change significantly. When we make material changes, we will update the “Last Updated” date at the top of this page and, where appropriate, notify you directly by email. Continued use of our services following an update constitutes your acceptance of the revised policy.
Previous versions of this policy are available on request.
Contact Us & Complaints
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
| Data Controller | Dr Anthony Ataekong — Chazon Psychological & Human Development Services CIC |
| privacy@chazonservices.org | |
| Post | [Registered Address, City, Postcode] |
| Response Time | We aim to respond to all data requests within 30 calendar days |
If you are unhappy with how we handle your data or your request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Website: ico.org.uk · Helpline: 0303 123 1113
Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, welcome the opportunity to address your concerns directly before you contact the ICO.
Contact
- +44 7414 937254
- info@yourdomain.com