PRIVACY POLICY – HEADFIRST HYPNOTHERAPY®

Website: www.headfirsthypnotherapy.co.uk
Business Address: 2 Hart Walk, Upper Heyford, Oxfordshire, OX25 5AF
ICO Registration Number: ZB630728

Last Updated: 20 May 2026

1. Introduction

This Privacy Policy explains how your personal data is collected, used, stored, and protected when you interact with HeadFirst Hypnotherapy®.

This includes:

  • Visiting my website

  • Making an enquiry

  • Booking and paying for Initial Consultations through my Squarespace website using the integrated Cliniko booking system and Stripe payment portal

  • Attending an Initial Consultation

  • Engaging in Solution-Focused Hypnotherapy services

  • Attending a Parent/Guardian Call (under 18s)

  • Downloading resources or joining my mailing list

  • Communicating via email, telephone, voicemail, messaging platforms such as WhatsApp, social media, professional bodies, online directories, or online platforms

I, Andrew Robin Selway (trading as HeadFirst Hypnotherapy®), am the data controller responsible for your personal data.

I am registered with the Information Commissioner’s Office (ICO) and process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable UK data protection legislation.

I take your privacy and confidentiality seriously and am committed to protecting your information appropriately and transparently.

2. How You May Contact Me

You may contact me via:

  • Website contact form (Squarespace)

  • Email

  • Telephone

  • Messaging platforms such as WhatsApp

  • Voicemail

  • Social media platforms (e.g. Instagram, Facebook, LinkedIn)

  • Professional bodies and online directories (e.g. Hypnotherapy Directory)

  • Cliniko online booking system

These platforms may sometimes be used for initial enquiries before individuals are directed to book an Initial Consultation through my website.

Please note that when you contact me through third-party platforms, your information may also be subject to their own privacy policies and terms.

3. Messaging and Communication Platforms

You may contact me via messaging platforms such as WhatsApp before or during our work together.

These methods are primarily used for:

  • Initial enquiries

  • Appointment booking or changes

  • Administrative communication

  • Brief service-related communication

Messaging platforms are not intended for sharing sensitive clinical or health-related information.

While convenient, these platforms may not be fully secure. I therefore recommend avoiding the sharing of sensitive personal or health information through messaging services or social media platforms.

Please avoid leaving sensitive clinical or health-related information via voicemail where possible.

Where appropriate, more sensitive information will be discussed during consultations or through secure systems.

4. Information I Collect

Website and General Enquiries

When you contact me via my website, social media, professional directories, email, voicemail, or messaging platforms, I may collect:

  • Name

  • Email address

  • Telephone number

  • Any information you choose to provide

New client enquiries may also be received through social media platforms, professional bodies, or online directories. In most cases, individuals will then be directed to my website to book an Initial Consultation through the integrated Cliniko booking system.

Pre-Consultation Telephone Calls

Some individuals may speak with me briefly by telephone before booking an Initial Consultation in order to discuss general suitability for hypnotherapy services.

These calls are informal and exploratory in nature and are not hypnotherapy sessions or formal assessments.

Detailed clinical notes are not routinely taken during these calls. Where appropriate, individuals will be directed to my website to book an Initial Consultation through the integrated Cliniko booking system.

Parent/Guardian Calls (Under 18s)

Before working with clients under 18, I require a Parent/Guardian Call.

During this call, I may collect:

  • Parent/guardian details

  • Child or young person’s details

  • Relevant background information

  • Initial safeguarding, wellbeing, or suitability information

This call is not a hypnotherapy session, but an information-gathering and suitability assessment process.

I currently work with:

  • Clients aged 16+ for general hypnotherapy services

  • Clients aged 15+ for exam revision support

Initial Consultation

Before hypnotherapy sessions begin, clients attend an Initial Consultation.

Initial Consultations booked online through my website are processed using the integrated Cliniko booking system, with online payment processed securely through Stripe.

The Initial Consultation is an assessment and information-gathering session and not a hypnotherapy session.

During this process, I may collect:

  • Personal details

  • Relevant health and wellbeing information

  • Background information

  • Risk-related information

  • Safeguarding information where appropriate

Clients may also complete:

  • Intake forms

  • Consent forms

  • Questionnaires or assessment forms

These are completed digitally through Cliniko.

When booking an Initial Consultation, individuals may also be asked to:

  • Confirm communication preferences

  • Consent to receiving appointment-related communications

  • Choose whether to receive marketing communications

  • Acknowledge this Privacy Policy

Initial Consultations may take place:

  • In person

  • Via Cliniko Telehealth

  • Via Google Meet where appropriate

Ongoing Hypnotherapy Services

If you proceed with hypnotherapy services, I may collect and maintain:

  • Session notes

  • Progress information

  • Relevant clinical or wellbeing information

  • Safeguarding or risk-related notes where necessary

  • Correspondence relating to your care or wellbeing where appropriate

Some of this information may constitute “special category data” under UK GDPR (for example health-related information) and is handled with additional care and confidentiality.

Emergency Contact Details

Where appropriate, I may collect emergency contact details to support your safety and wellbeing.

Financial Information

Payments for services may be made via:

  • Bank transfer (using Tide Business Banking)

  • Stripe (secure online card payment processing)

Online payments made during the booking process are securely processed via Stripe through the integrated Cliniko booking system.

I may retain:

  • Invoice information

  • Payment confirmations

  • Transaction records

I do not store full card details.

Mailing List and Downloads

If you download a resource from my website (for example a relaxation audio), I may collect:

  • Your name

  • Email address

You may then receive:

  • Follow-up emails related to the resource

  • Occasional further communications via Squarespace Email Campaigns

You may unsubscribe from marketing communications at any time.

5. Information About Third Parties

During enquiries, consultations, or hypnotherapy sessions, you may choose to share information relating to other individuals (for example partners, family members, employers, schools, or healthcare professionals).

I ask that you only share information that is relevant and necessary to your support.

Any third-party information disclosed during our work together will be treated confidentially and handled in accordance with this Privacy Policy.

6. Legal Basis for Processing Personal Data

Your personal data is processed under one or more of the following lawful bases:

Contractual Necessity

To provide services you have requested, including:

  • Initial Consultations

  • Hypnotherapy services

  • Appointment booking and administration

Legitimate Interests

To:

  • Assess suitability for services

  • Maintain professional records

  • Operate a safe and effective practice

  • Communicate appropriately with clients

Legal Obligations

To comply with:

  • Safeguarding obligations

  • Financial and accounting requirements

  • Insurance requirements

  • Regulatory or legal responsibilities

Consent

Where consent is required, including:

  • Marketing communications

  • Contacting GPs or healthcare professionals

  • Certain disclosures of information

You may withdraw consent at any time where processing relies upon consent.

Recognised Legitimate Interests (2026 GDPR Update)

In certain circumstances, personal data may be processed on the basis of a recognised legitimate interest, a lawful basis that UK data protection law now lists explicitly and that does not require the balancing test applied to ordinary legitimate interests. This includes processing necessary for:

  • Safeguarding

  • Preventing harm

  • Emergency situations

7. Agreement to This Privacy Policy

This Privacy Policy is available on my website and may also be presented through the integrated Cliniko booking system during the Initial Consultation booking process.

When booking an Initial Consultation, individuals may be asked to:

  • Confirm communication preferences

  • Consent to receiving appointment-related communications

  • Acknowledge this Privacy Policy

This acknowledgement relates to the collection, storage, and processing of personal data in connection with enquiries, bookings, consultations, and related administrative processes.

Before ongoing Solution-Focused Hypnotherapy services begin, clients are required to complete and sign a separate Consent Form for Solution-Focused Hypnotherapy services, which includes agreement to this Privacy Policy.

Hypnotherapy services will not commence until the required consent documentation has been completed.

8. How Your Data Is Used

Your personal data may be used to:

  • Respond to enquiries

  • Manage appointments

  • Assess suitability for hypnotherapy services

  • Provide safe and appropriate support

  • Maintain professional records

  • Communicate with you

  • Meet safeguarding, legal, ethical, insurance, and regulatory obligations

  • Improve services using anonymised information where appropriate

I only collect and process the minimum amount of information necessary.

9. Confidentiality

Confidentiality is a fundamental part of my professional practice.

Your information will not normally be shared with third parties unless:

  • You have provided consent

  • There is a legal obligation

  • There is a safeguarding concern

  • There is a risk of serious harm to yourself or others

Where possible and appropriate, I will discuss this with you first.

10. Contacting Your GP or Healthcare Professional

Where appropriate for your safety and wellbeing, I may:

  • Request your consent to contact your GP or healthcare provider

  • Inform them that we are working together

  • Request confirmation that it is safe to proceed with hypnotherapy services

This may occur where:

  • Significant risk factors are identified

  • Medical or psychological considerations require clarification

  • Additional support is clinically appropriate

Your consent will normally be sought before contact is made unless there is a legal or safeguarding obligation that overrides confidentiality.

If consent is not provided where it is clinically or ethically required, I may not be able to proceed with hypnotherapy services.

11. Communication With Parents, Guardians, and Other Professionals

For clients under 18, communication may take place with parents or guardians as appropriate.

Where appropriate and with consent, communication may also occur with:

  • GPs

  • CAMHS

  • Schools or colleges

  • Other relevant professionals involved in your care or support

Unless safeguarding or legal obligations apply, consent will normally be sought before sharing information.

12. Supervision

I engage in regular professional supervision in accordance with ethical and professional standards.

The purpose of supervision is to:

  • Support safe and ethical practice

  • Maintain professional standards

  • Ensure appropriate client care

Client work may be discussed in supervision; however:

  • Discussions are anonymised

  • No identifiable personal information is shared

13. Professional and Legal Support

In rare circumstances, relevant information may be shared with:

  • My professional supervisor

  • Legal or regulatory bodies

  • Professional indemnity insurers

  • Professional advisers where necessary

Where possible:

  • Information will be anonymised

  • Only the minimum necessary information will be shared

14. Data Storage and Third-Party Processors

To operate my practice safely and efficiently, I use a number of trusted third-party providers. These providers act as data processors on my behalf.

Practice Management

  • Cliniko – integrated with my Squarespace website and used for appointment scheduling, intake forms, consent forms, telehealth, clinical notes, safeguarding/risk notes, and client records

Website and Email Marketing

  • Squarespace – website hosting, contact forms, cookie management, analytics integration, and email campaigns

Payments and Financial Processing

  • Stripe – secure online payment processing

  • Tide Business Banking – bank transfer payments

  • Xero – accounting and financial record management

Communication

  • Google (Gmail, Google Meet, Google Calendar) – email communication, online sessions, and calendar management

  • Messaging platforms such as WhatsApp – appointment and administrative communication

File Transfer Platforms

Where necessary, platforms such as WeTransfer (or similar secure file transfer services) may be used to send audio files or resources.

These providers are selected carefully and are expected to comply with applicable data protection regulations.

Only the minimum necessary information is shared with these systems.

Some providers may process data outside the UK. Where this occurs, appropriate safeguards are expected to be in place.

15. International Clients

I may work with clients located outside the United Kingdom.

Where personal data is transferred internationally, reasonable steps are taken to ensure appropriate safeguards and protections are in place in accordance with applicable data protection laws.

UK law and jurisdiction shall apply to services provided unless otherwise required by applicable local law.

16. Data Security

I operate a fully digital practice and do not routinely store paper records.

Your information is stored securely using encrypted and password-protected systems.

Access to client information is restricted to me only unless disclosure is legally or ethically required.

Appropriate technical and organisational measures are in place to protect personal data from:

  • Unauthorised access

  • Loss

  • Misuse

  • Disclosure

  • Alteration

No method of electronic communication or storage can be guaranteed to be completely secure; however, reasonable measures are taken to protect your information appropriately.

In the event of a personal data breach, appropriate steps will be taken in accordance with applicable data protection laws and ICO reporting requirements.

17. Data Retention

Personal data is retained only for as long as necessary to fulfil professional, legal, safeguarding, and insurance obligations.

Parent/Guardian Calls

Where no further engagement occurs:

  • retained for up to 12 months

Initial Consultations

Where no ongoing hypnotherapy services occur:

  • retained for up to 12 months

Adult Clients

Client records are generally retained for:

  • 8 years after the end of the professional relationship

Retention periods may be extended where necessary to comply with legal, safeguarding, insurance, regulatory, or professional obligations.

Clients Under 18

Records relating to clients under 18 are generally retained until:

  • age 25

  • or age 26 if services ended at age 17

Retention periods may be extended where necessary to comply with legal, safeguarding, insurance, regulatory, or professional obligations.

Financial Records

Financial records are retained for:

  • 6 years in line with UK accounting and tax requirements

Once retention periods expire, information is securely deleted or anonymised.

18. Your Rights

Under UK GDPR, you have the right to:

  • Request access to your personal data

  • Request correction of inaccurate information

  • Request erasure where appropriate

  • Restrict or object to processing in certain circumstances

  • Request portability of your data where applicable

  • Withdraw consent where processing relies upon consent

  • Lodge a complaint with the Information Commissioner’s Office (ICO)

Requests relating to personal data should preferably be made via email.

I will normally respond to valid requests relating to your personal data within one month of receipt, in accordance with UK GDPR requirements.

In certain circumstances, this period may be extended where permitted by law, for example where requests are complex or multiple requests have been received. Where an extension is required, I will inform you accordingly.

Subject Access Requests (2026 GDPR Update)

Requests will be handled using reasonable and proportionate searches.

Where clarification is required, response timeframes may be paused until clarification is received.

19. Complaints About Data Handling

If you have concerns about how your data is handled, please contact me in the first instance.

I will aim to respond appropriately and within a reasonable timeframe.

You also have the right to contact the Information Commissioner’s Office (ICO):

Information Commissioner’s Office (ICO)

20. Reviews and Testimonials

If you choose to leave a review on platforms such as Google or social media:

  • The information will be publicly visible

  • I do not control third-party platforms

  • You are advised not to share sensitive personal or health information publicly

I may refer to publicly available reviews or testimonials for promotional purposes.

21. CCTV

CCTV is in operation at my property for security purposes.

This may include:

  • Driveway areas

  • External entrances

Footage:

  • Is not routinely monitored

  • Is stored securely

  • Is typically deleted within approximately 48 hours unless required for security purposes

22. Cookies and Website Analytics

My website (Squarespace) may use cookies and similar technologies to:

  • Improve website functionality

  • Analyse website usage

  • Enhance user experience

My website may use analytics tools such as Google Analytics to help me understand website usage and improve the functionality and performance of the website. This information is typically aggregated and does not directly identify individual users.

Some low-risk cookies used for analytics or functionality may not require explicit consent under current regulations.

You can manage cookie preferences through your browser settings.

23. Automated Decision-Making and Artificial Intelligence

I do not use automated decision-making or profiling that produces legal or similarly significant effects.

I do not use artificial intelligence (AI) systems to process identifiable client information.

24. External Links

My website or communications may contain links to external websites or resources.

I am not responsible for the privacy practices or content of third-party websites.

25. Updates to This Privacy Policy

This Privacy Policy may be updated periodically to reflect operational, legal, or regulatory changes.

The most recent version will always be available on my website.

26. Contact Details

Andrew Robin Selway
Trading as HeadFirst Hypnotherapy®
2 Hart Walk
Upper Heyford
Oxfordshire
OX25 5AF

📧 andy@headfirsthypnotherapy.co.uk