Privacy Policy

Thank you for checking out our privacy policy. At The Sanctuary Exeter we take our client's privacy seriously. We're committed to protecting your privacy and handling your information in a responsible way while you use our website and services. We want you to understand that this is a safe place for you to discuss your feelings and concerns, and we operate in a highly confidential environment. This policy sets out how data is collected and processed through the use of our website and when you use our services.

Who's in charge of your data?

The controller of your data is Dr Emma Pillinger trading as The Sanctuary Exeter and she can be contacted at emma@thesanctuaryexeter.co.uk.

Not happy with something?

We're committed to treating your personal data with respect, transparency, and care. If you ever have questions or concerns about how your data is used, we want to hear from you, and we'll do our best to resolve things quickly and fairly. Under the Data (Use and Access) Act 2025, you have the right to raise a complaint about how your personal data is handled. Here's how:

• Step 1: Email us at emma@thesanctuaryexeter.co.uk with a brief description of your concern. You don't need to use legal language — just tell us what's worrying you.
• Step 2: We'll acknowledge your message and respond without undue delay, usually within 10 working days.
• Step 3: If you're not satisfied with our response, you can escalate your concern to the Information Commissioner's Office (ICO) at www.ico.org.uk.

What type of data do we collect about you?

'Personal data' is information that identifies you. If we've removed your identity (by making the data anonymous), it won't be classed as personal data. We might collect, use, store, and share various types of personal data about you as follows:

Data we collect about therapy clients (individuals and couples):

• Identity details such as first and last name, title and date of birth.
• Contact details such as your email address, telephone number and correspondence address.
• Financial information such as payment details and records of fees paid for therapy sessions.
• Information about transactions including details about payments to and from you and services you have received from us.
• Therapy information including notes, session records, assessments, and correspondence relevant to the provision of therapeutic services.
• Emergency contact details such as the name and telephone number of your nominated In Case of Emergency (ICE) contact.
• GP details including the name, address and contact telephone number of your registered GP.
• Health Data (Special Category Data): Includes information about your health, including information about your existing and previous medical health conditions, diagnoses, medication details, psychiatric history, risk plans, and any other relevant health information to enable us to carry out our services to you. We do not collect any other Special Category Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. Where relevant to your care, we may also record limited information about family members or partners (such as names and contact details) where this is provided to us in the context of your treatment.

Consents for Health Data: We require your specific consent to process Special Category Data so, when you submit your details, we will ask you to confirm your consent to this processing.

Supervision Services: If you are receiving supervision from us, we collect information specific to your professional development, including: your identity and contact details; professional registration details and qualifications (including your accrediting body and regulatory information); copies of relevant qualification certificates (e.g. EMDR); proof of relevant professional body membership (e.g. HCPC); proof of professional indemnity insurance; information about your current role and caseload type; your supervision goals; notes from supervision sessions (with any client cases discussed being anonymised); records of supervision hours and dates for CPD requirements; training attendance records and evaluation forms where relevant; and payment information including invoice records, invoice IDs, dates of invoices sent and dates of payment received. For EMDR supervisees, we also collect details of your progress through EMDR Europe training requirements and competency development. We collect this information to fulfil our supervisory obligations, support your professional development, meet regulatory requirements (including EMDR Europe accreditation requirements where applicable), and maintain accurate records for both your CPD and our professional indemnity purposes.

Data we collect about suppliers and professional contacts:

We may collect and process the following information about suppliers and professional contacts (such as accountants, NHS managers and other service providers):

• Contact details such as name, work email address, phone number and business address.
• Professional information such as job title, organisation name, and role in relation to our services.
• Communications such as correspondence between us (including emails, messages and meeting notes).
• Contractual and service information such as details of the services provided to us or arranged with us (e.g. supervision arrangements, referrals, or business support services).
• Financial information such as invoicing details, payment records and bank details where relevant.
• Administrative information such as records of meetings, agreements, and ongoing working relationships.

How do we collect your personal data?

We use different methods to collect data from and about you. The majority of the time, our information is collected directly when you contact us or engage with our services. This includes when you are a therapy client, supervisee, supplier or other professional contact. The ways in which we collect your data include the following:

• When you enquire about and/or apply for our therapy services via our website;
• When you fill in any new client onboarding forms;
• When you complete any forms before or during an appointment;
• Verbally during discussions and therapy sessions;
• When you engage us to provide training, supervision services, or when you purchase one of our courses;
• Correspondence with us via post, phone, email or otherwise;
• When you complete and return our terms and fees documentation;
• When you give us feedback or contact us;
• Through our appointment scheduling and invoicing systems, which automatically record session dates, fees, invoice IDs and payment records;
• Through third-party communication and collaboration platforms (such as Microsoft Teams), when you are set up to use these as part of your engagement with us; and
• From third parties, including where you are a supplier or professional contact and your details are provided to us in the course of a referral, professional introduction, or business arrangement.

We may collect information using automated technologies such as cookies and similar tracking technologies. These technologies collect information about your device, browsing actions and patterns when you visit our website.

Some of the cookies we use are provided by third parties (such as Google). These third parties may use cookies to collect information about your online activity over time and across different websites. We do not control these third-party cookies and recommend that you review the relevant third party's privacy and cookie policies for further information.

For more information, please refer to our Cookie Policy.

What happens if you don't provide us with the required data?

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services or goods). In this case, we may have to cancel a service or product you have with us, but we will notify you if this is the case at the time.

What are the purposes for which we use your personal data?

The purposes for which we will be using your data include:

• To register you as a new client, supervisee, supplier or other professional.
• To provide our services or courses including: a) to manage payments, fees and charges and b) to collect and recover money owed to us.
• To manage our relationship with you e.g., to notify you about changes to our terms of this privacy policy or to ask you to leave a review.
• To administer and protect our practice and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
• To deliver relevant website content to you and measure or understand the effectiveness of the content we serve to you.
• To use data analytics to improve our website, services, marketing, client relationships and experiences.
• To make suggestions and recommendations to you about services that may be of interest to you.

We rely on one or more of the following lawful conditions to process your data as outlined above:

• To fulfil our contract with you;
• For our legitimate interests; or
• To comply with legal obligations.

In some scenarios, we'll ask for your consent, especially for collecting health data. We may process your personal data for more than one lawful reason at a time, depending on the specific purpose for which we are using your data. If you'd like more information on the specific legal ground we are relying on, on occasions where we rely on more than one legal ground, please feel free to contact us.

Our Lawful Basis: Recognised Legitimate Interests

We sometimes process your personal data under what's called a "recognised legitimate interest". This is a lawful basis introduced by the Data (Use and Access) Act 2025. This means we use your data in ways that support important public or organisational aims, while respecting your rights and freedoms.

Examples include:

• Helping prevent fraud or misuse of our services
• Supporting safeguarding and professional standards
• Responding to emergencies or protecting wellbeing
• Improving accessibility and inclusion in our resources

We always carry out a balancing test to make sure our interests don't override yours. You have the right to object to this type of processing at any time, and we'll explain your options clearly.

If you'd like to know more or raise a concern, just email us at hello@thesanctuaryexeter.co.uk. We're committed to transparency and respectful data use.

Do we use Cookies?

Cookies help make our website work better for you, remembering your preferences and improving your experience. You can control cookie settings in your browser. Cookies make your browsing experience on our site as smooth as possible, because they remember your preferences.

Our website uses cookies to distinguish you from other users of our website. Please refer to our Cookie Policy to learn more.

Do we use third-party links?

Our website might link to third-party websites, tools and apps. Clicking on these links may allow third parties to collect or share your data. We do not control said websites and are not responsible for said websites' privacy policies. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Do we ever share your personal data?

We take your data's security seriously and only allow certain people to access it. We may share your personal data with the parties set out below for the purposes as stated further above.

• Service providers, acting as processors, who support the operation of our business, including:
  • Our IT and communication systems, including Microsoft 365 (such as Teams, OneNote, OneDrive and Outlook), which are used for secure communication, storage and administration;
  • Our website and IT provider, Factory 3 Limited;
  • Our appointment and invoicing system provider, which manages scheduling, automated invoicing and (where applicable) appointment reminders, including SMS/text notifications;
  • Our message handling tools such as WhatsApp, used for administrative communications with supervisees only; and
  • Our secure recording app, Voice Record, used to record meditations.
• Associates and contracted practitioners who work with us from time to time to deliver therapeutic, supervisory or training services. All associates are engaged under written contracts which include appropriate data processing clauses, ensuring that any personal or health data they access is processed only for the purposes for which it was shared and in accordance with applicable data protection law.
• Professional advisers including our accountant, healthcare professionals, lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
• As an HCPC-accredited clinician, we are obliged to consult with another mental health professional for supervision purposes. This is to ensure we reflect and improve on our clinical skills. In the rare instances we discuss clients in supervision, we only refer to clients by their first name or initials, and identifiable information is minimised.
• Sometimes we may need to share details with your GP or a social worker. We will always get your consent prior to doing this. When the information concerns risk of harm to the client or another person then we may need to disclose information about you without your consent for your own safety or for the safety of someone else.
• If you are referred to another psychologist or healthcare professional for specialist care or assessment, your relevant information may be shared with them to ensure continuity of care and appropriate treatment.
• HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.
• Debt collection agencies in the event that payment is not received for services rendered. This will be done to recover any outstanding debts, and the debt collectors will process your data solely for this purpose.
• We may need to share your personal data with courts, legal representatives, or other relevant authorities for medico-legal purposes. This includes situations where we are required to do so by law, or where it is necessary to protect your vital interests or the interests of another person. We ensure that this data sharing is conducted lawfully and with due regard for your privacy rights.

All of the above third parties have a requirement to respect the security of your personal data. We do not permit them to use your personal data for their own purposes — they are only permitted to process your data for specified purposes in line with our instructions.

Do we ever transfer your data internationally?

We may transfer your data outside of the United Kingdom, but only when we can be sure it is protected. Many of our external third parties are based outside the United Kingdom and so their processing of your personal data will involve a transfer of data outside the United Kingdom.

Whenever we transfer your personal data out of the United Kingdom, we make sure it is protected by at least implementing one of the following safeguards:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the United Kingdom.
• Where we use certain service providers, we may use specific contracts approved by the UK Information Commissioner's Office which give personal data the same protection it has in the United Kingdom.

Please contact us if you want further information on the specific process used by us when transferring your personal data out of the United Kingdom.

How secure is your data with us?

We have strong security measures in place to keep your personal information safe. Only authorised individuals who have a need to know are granted access to your data, such as our employees or trusted partners. They will process your data in accordance with our confidentiality terms.

We primarily store personal data electronically using secure systems, including Microsoft OneDrive. All electronic records are protected by appropriate technical measures, including password protection, encryption and two-factor authentication where available.

Where limited paper records are retained, these are stored securely in a lockable filing cabinet within a lockable office. Any handwritten or paper-based notes are anonymised where possible, with identifiable information (such as front sheets) stored separately in secure electronic systems.

We take steps to minimise the amount of personal data held in physical form and ensure that any such records are kept securely at all times.

In the rare circumstances that there is a personal data breach, we have procedures in place and will notify you, along with any applicable regulator, when we're legally required to.

What is our process for retaining your data?

We only keep your data as long as necessary for the reasons we collected it.

By law we have to keep medical information about patients for 7 years after treatment has finished. For any children we treat, we are obliged to retain the medical information until the child's 25th birthday. By law we have to keep basic information about our clients (including contact, identity, financial and transaction data) for six years after they cease being patients for tax purposes.

Supervision Data: We retain supervision records, including session notes, CPD hours records, and professional correspondence, for a period of seven years from the date of the last supervision session. For EMDR supervisees, records of training progress and competency development are retained for the same period. After these periods, we securely delete or anonymise your personal data unless we are required to retain it for longer by law.

Discovery Calls: Where we conduct a discovery call or initial consultation with a prospective client, the following retention periods apply:

• Where no clinical judgement was formed: If the call was exploratory in nature and we collected only basic contact details (such as your name, email address and telephone number), and you do not proceed as a client, we will securely delete that information within one month of the call. This aligns with the storage limitation principle under UK GDPR.
• Where a clinical judgement or risk-related decision was made: If, during the discovery call, we formed any clinical assessment of suitability, noted a safeguarding concern, or made any risk-related decision, we will retain a brief record of that call even if you do not proceed as a client. This is consistent with good clinical governance and is supported by UK GDPR's provisions for processing in the context of health-related data and legal claims. In such cases, retention periods will follow applicable professional body guidance — 7 years for adults from the date of the call, and until the individual's 25th birthday where the prospective client was a child at the time of the call.

For information that does not fall under the definition of basic, to determine the appropriate retention time, we look at what kind of data it is, how sensitive it is, the risks if it's misused, why we need it, and if there are other ways to achieve the same goals. We also consider applicable legal, regulatory, tax, accounting and other requirements.

What are your legal rights in relation to your data?

You have the following rights regarding your personal data:

Access: You have the right to ask us what personal data we hold about you and to receive a copy of that data. This is called a Subject Access Request (SAR).

We'll respond within one calendar month, but if we need to verify your identity first, we may pause the clock while we do so. This helps protect your data and ensures we're sharing it with the right person. If your request is complex or repetitive, we may apply proportionality rules under the Data (Use and Access) Act 2025, which allow us to limit the scope or extend the response time. We'll always explain why and keep you informed. To make a request, just email us at hello@thesanctuaryexeter.co.uk with the subject line "DSAR Request". You don't need to use legal language — just let us know what you'd like to see or understand. If you're unhappy with how we handle your request, you can raise a concern with the Information Commissioner's Office (ICO) at www.ico.org.uk.

Correction: If the personal data we have about you is incomplete or incorrect, you can ask us to correct it.

Erasure: You can ask us to delete your personal data. It's important to note, however, that there might be legal reasons that prevent us from fulfilling this request. If such reasons exist, we will inform you when you make your request.

Objection: In certain situations, you have the right to object to the processing of your personal data.

Restriction of Processing: You can request that we restrict the processing of your personal data under specific circumstances.

Data Portability: You have the right to request the transfer of your personal data directly to you or to a third party of your choice.

Withdrawal of Consent: At any point where we rely on your consent to process your personal data, you have the right to withdraw this consent. Withdrawal of consent will not affect the legality of the processing done before the consent was withdrawn. Should you withdraw your consent, we might be unable to provide you with certain products or services. We will inform you if that is the case when you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us.

We won't charge any fees for you to request access to your personal data. However, a reasonable fee may be charged if your request is clearly unjustified, repetitive or excessive. We also reserve the right to not comply in this scenario. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Changes and Contact

We regularly review our privacy policy. Please keep us updated if your personal data changes. If you have any questions or need to exercise your rights, just get in touch.

The Sanctuary Exeter
58 Rivermead Road, Exeter, EX2 4RL
hello@thesanctuaryexeter.co.uk