Privacy Policy

Last updated:

This Privacy Policy explains what I collect, why I collect it, how long I keep it, who I share it with, and your rights. It aligns with my Terms & Conditions of Business (effective 25 October 2025 for new clients and 1 December 2025 for existing clients).

1) Who I am (Data Controller)

I am William Smith EI (entrepreneur individuel), established in France (SIREN: 847789195).
Email: email@therapyhub.eu
I provide services internationally in English from my professional establishment in France.

2) What this policy covers

This policy applies to:

  • The website therapyhub.eu (the “Website”), and
  • My professional services: online counselling, supervision, mentoring, and training (the “Services”).

3) Data I collect and how I use it (by activity)

I only collect what is necessary for the purposes below.

A. Enquiries & bookings

  • What: name, contact details, availability, your goals/reasons for contact, and logistics.
  • Why: to respond to your enquiry and arrange sessions.
  • Lawful bases: steps at your request to enter a contract; legitimate interests (to run my practice).
  • Retention: enquiries that do not proceed are kept for up to 12 months, then deleted.

B. Counselling sessions (Therapy Clients)

  • What: session notes and related information that may include special category data.
  • Why: to provide safe and effective counselling and maintain appropriate records.
  • Lawful bases: performance of a contract; your explicit consent (where required); in emergencies, vital interests; for insurance/legal queries, legal claims.
  • Retention: normally 7 years after your last session.

C. Supervision & mentoring (Business Clients)

  • What: professional contact details, supervision notes, and materials you provide.
  • Why: to provide supervision/mentoring and maintain appropriate records.
  • Lawful bases: performance of a contract; legitimate interests (quality, continuity, record-keeping).
  • Retention: normally 7 years after your last session.

D. Billing & accounting

  • What: identity details on invoices, billing address, transaction amounts/dates, payer name (if any).
  • Why: to issue invoices, take payment, and meet tax/accounting obligations.
  • Lawful bases: performance of a contract; legal obligation.
  • Retention: up to 10 years (statutory accounting rules).

E. GP and emergency contact details (Therapy Clients)

  • What: your GP (or equivalent) contact and an emergency contact you nominate.
  • Why: used only when necessary to protect vital interests or where legally/ethically required (e.g., serious safeguarding concerns).
  • Lawful bases: vital interests; in rare cases legal obligation.
  • Retention: held with your client record and deleted on its expiry.

F. Payer-funded arrangements (e.g., employer, charity, EAP)

  • What I may share with a payer: administrative information only—session dates/times, attendance/no-show status, invoice and payment status/amounts.
  • What I never share with a payer: no clinical, case, or supervision content without your explicit consent or a legal obligation.
  • Lawful bases: performance of a contract; legitimate interests (billing and credit control).
  • Retention: as per billing and client records above.

G. Website analytics & embedded services (consent-based)

  • I load Google Analytics (via Google Tag Manager) and the booking widget (Book Like A Boss) only if you consent—see the Cookie Policy.
  • Lawful basis: consent (you can withdraw it at any time).
  • If you reject optional cookies, these services do not load.

H. Correspondence outside sessions

  • What: emails/messages for scheduling and administration.
  • Why: to manage the practicalities of our work.
  • Lawful bases: performance of a contract; legitimate interests.
  • Please keep sensitive clinical matters for sessions wherever possible.

4) Confidentiality and when I may disclose information

I keep client information confidential. I may disclose information only when necessary and proportionate:

  1. to prevent or reduce a serious risk of harm to you or others, or to protect a child or vulnerable adult;
  2. where required by law or a court/competent authority;
  3. to my professional insurer or legal advice for advice (strictly need-to-know and under confidentiality);
  4. in supervision or training to support safe and effective practice (clients are not identifiable; supervisors are bound by confidentiality);
  5. to comply with safeguarding or professional reporting duties where applicable;
  6. where you give your explicit consent to a specific disclosure; or
  7. to a named clinical executor (“clinical will”) strictly for continuity/closure if I am incapacitated or die (they will have just your name and contact details, no notes or appointment history).

5) Who processes your data for me (service providers)

I use trusted third-party service providers (“processors”) to run the Website and Services. I disclose only what is necessary for them to provide their service and I have contracts in place requiring confidentiality and appropriate security.

Categories of processors

  • Scheduling / booking system — contact details, availability, appointment data.
  • Video-conferencing — meeting links and session logistics (no recordings by default).
  • Email service — administrative correspondence and contact details.
  • Invoicing / accounting — billing details, invoices, and transaction information.
  • Website hosting / CDN — technical logs and content delivery.
  • Analytics — website usage data.

Locations and transfers
Some providers may process data outside the EEA/UK. Where this happens, I rely on an adequacy decision or approved safeguards (e.g., standard contractual clauses).

Getting more detail
If you would like the current list of key service providers, please contact me and I’ll provide it.

6) International transfers

Your data may be processed in, or transferred to, countries outside the EEA/UK where some providers are located. I prefer EU/EEA data centres when available.

7) Security and communications

I take reasonable technical and organisational measures to protect your information (secure accounts, access controls, encryption in transit where supported, and regular updates).
Email and messaging can never be 100% secure; by contacting me via these channels you accept their inherent risks. Sensitive topics are best discussed in session.

If something goes wrong. If I become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, I will assess the impact, notify the relevant supervisory authority where required, and inform you without undue delay where the risk is high.

8) Your rights

You have the rights to access, rectify, erase, restrict processing, object, port your data, and to withdraw consent where processing relies on consent.

  • I normally respond within one month.
  • I may need to verify your identity before I act.
  • Some rights are limited (e.g., where I must retain records for legal or insurance purposes).

To exercise your rights, email email@therapyhub.eu.

9) Children

My Services are for adults (18+). I do not knowingly collect children’s data.

10) Automated decision-making

I do not carry out automated decision-making or profiling.

11) Recording & accessibility adjustments

I do not record sessions.
If, to meet an agreed accessibility need, enabling a recording or transcript is unavoidable, I will: obtain your explicit consent first; limit any recording to what is necessary; store it securely; retain it only as long as neede* to meet the adjustment; then delete it. Any transcript is for your personal use only and must not be shared.

12) How long I keep information (summary)

Category Typical retention
Enquiries that do not proceed Up to 12 months
Client records (adults) 7 years after last session
Billing and accounting records Up to 10 years (statutory)
Accessibility recordings/transcripts (if any) Only as long as necessary for the adjustment, then deleted

13) No marketing / no sale of data

I do not conduct direct marketing and I do not sell your personal data.

14) Cookies

For details of cookies and how to change your preferences at any time, see the Cookie Policy. I load analytics and the booking widget only after you consent.

15) Contact and complaints

Data Controller: William Smith EI (SIREN 847789195) — email@therapyhub.eu If you have concerns, please contact me first. You also have the right to complain to a supervisory authority:

  • United Kingdom: Information Commissioner’s Office (ICO)
  • France: Commission Nationale de l’Informatique et des Libertés (CNIL)
  • EU/EEA: you may also lodge a complaint with your national data protection authority in your country of residence, your workplace, or where the issue occurred (GDPR Art. 77).
  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC/IFPDT).
  • Other countries: you may have the right to complain to your local privacy regulator under your national law. If you’re unsure who that is, contact me and I’ll try to help you find the appropriate authority.

16) Changes to this policy

If I make significant changes, I will update the last updated date above and, where appropriate (for example if analytics change), I will ask for your consent again.

17) Language

This policy is provided in English. A French version is available for information. If there is any discrepancy, your mandatory consumer rights remain unaffected.