top of page

Privacy and Confidentiality

Unruly Therapy

Hiya, welcome to Unruly Therapy’s Privacy Notice. We know... privacy notices aren’t exactly page-turners. But this one matters, because it’s about how we look after your information while you’re getting support from us. Whether you’re a teenager, a parent, or someone checking out our services, we take your privacy seriously (like, proper seriously. Not just the checkbox kind of way).

We’re fully committed to handling your personal data respectfully, transparently, and in line with the UK GDPR, Data Protection Act 2018, and all the other important rules that make sure your info stays safe. This privacy notice explains exactly what kind of data we collect, why we need it, how we store it, and your rights when it comes to your information.

Unruly Therapy is a small private practice run by Leneena Mayne (you’ll probably know me as Lennie). We work with teenagers, young adults, and their families to support emotional wellbeing and growth through counselling, supervision, and therapeutic resources.

This notice covers personal data collected through our website, email, phone, forms, and any other way you might interact with us. Whether you’re just browsing, booking in, or already working with us.

If you’re here for therapy or supervision, you’ll get a more specific privacy notice as part of your welcome pack or intake process. This document focuses on how we handle personal information via our website and communications, but we’ve made sure everything is consistent across the board.​​

1. Who We Are and How to Contact Us

This Privacy Notice applies to Unruly Therapy, a private therapy practice run by Leneena Mayne, trading as Unruly Therapy. We are registered with the Information Commissioner’s Office (ICO) under registration number ZA774598 and we act as the data controller for the personal data we collect and process.

We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other relevant data protection legislation. This Privacy Notice explains how we collect, store, use, and share your personal information, and your rights under these laws.

If you have any questions about this notice or how your data is handled, you can contact us at:

Unruly Therapy
Leneena Mayne (Data Controller)
Email: hello@unrulytherapy.co.uk
Phone: 07784 800712
Postal address: Liverpool Innovation Park, Suite 2, 360 Edge Lane, Fairfield, Baylis L7 9NJ

Unruly Therapy is not required to appoint a Data Protection Officer, but all data protection queries are handled directly by the data controller, Leneena Mayne.

3. Our Legal Basis for Processing Personal Data

Under UK data protection law, we must have a lawful reason (or “legal basis”) for collecting and using your personal data. The lawful basis depends on the purpose of the processing and the nature of the data.

Here are the main lawful bases we rely on at Unruly Therapy:

a. Consent

We may ask for your clear, informed consent to process certain personal data—particularly for:

  • Sending newsletters or marketing emails

  • Sharing your information with other professionals or services (e.g. schools, CAMHS, GPs)

  • Collecting and processing sensitive data where required by law

You can withdraw your consent at any time by contacting us using the details in Section 1.

b. Contract

If you are a client, supervisee, or third-party funder, we need to process certain personal data to enter into and fulfil our agreement with you. This includes:

  • Scheduling appointments

  • Communicating with you

  • Delivering therapy or supervision

  • Managing payments and contracts

Without this data, we may not be able to provide you with our services.

c. Legal Obligation

We may process or retain data to meet legal or regulatory obligations. This applies in cases such as:

  • Record-keeping required by insurance or safeguarding law

  • Responding to lawful requests (e.g. from courts or the ICO)

  • Retaining financial records for tax purposes

d. Vital Interests

In rare circumstances, we may need to process data to protect someone’s life or physical safety. For example, if there’s an immediate risk of harm to you or another person and we need to contact emergency services.

e. Legitimate Interests

We may process your data for our legitimate business needs, where those interests are not overridden by your rights and freedoms. This may include:

  • Managing website performance and user experience

  • Preventing fraud or misuse of our services

  • Communicating with potential clients or referrers who have contacted us

We always balance our legitimate interests with your privacy rights, and we only use this basis when there is minimal impact on you and no better alternative.

5. Data Retention

We only keep your personal data for as long as it’s needed for the purpose it was collected, and in line with legal, ethical, and professional guidelines.

The exact length of time depends on the type of data and who it relates to. Here's how we handle retention:

a. Therapy and Supervision Clients

  • Adults (18+): We retain your records for 7 years from the date of your last session.

  • Children and young people (under 18): We retain records until the client turns 25, in line with NHS guidelines and safeguarding best practice.

  • Safeguarding-related records: If the data includes a concern related to risk or safeguarding, it may be retained beyond the standard period, as required by law or professional guidance.

These timeframes are based on insurance requirements, ethical obligations, and the potential need to refer back to records in the event of complaints, legal claims, or continuity of care.

b. Enquiries and non-client contacts

  • If you contact us to enquire about therapy or supervision but do not proceed, we will delete your identifiable information within one calendar month of our last contact, unless we’re legally required to keep it longer.

c. Website and marketing data

  • Data collected via cookies, Google Analytics, or Facebook Pixel is stored in accordance with the default retention periods set by those platforms.

  • If you sign up for newsletters or email updates but later unsubscribe, we will remove your contact information within one month of your request.

d. Third-party funders

  • If you are funding someone else’s sessions, we will retain records of your funding agreement and relevant communications for 7 years from the end of that agreement.

We regularly review the personal data we hold and securely delete anything that is no longer needed. If you’d like more detail about what we store and for how long, you’re welcome to get in touch (see Section 1).

7. Sharing Your Personal Data

We will never sell your data, and we don’t share it unnecessarily. In most cases, your personal data stays strictly within Unruly Therapy. However, there are some circumstances where sharing data is necessary for delivering our services safely, legally, and professionally.

We may share your personal data with the following:

a. People you’ve given us permission to speak to

If you’ve signed a Release of Information (ROI), we may share relevant details with professionals you’ve explicitly agreed to involve, such as:

  • Your GP

  • School staff

  • CAMHS workers or social workers

  • Other healthcare or support services

You will always know beforehand exactly what is being shared, with whom, and why. The ROI form gives you full control to set clear boundaries around this—you can specify who we can contact, what can be shared, and for how long. You can withdraw or amend your ROI at any time, unless legal or safeguarding duties require otherwise.

b. Safeguarding or legal requirements

We may share information without your consent if:

  • We believe there is a serious risk of harm to you or someone else

  • We are legally required to do so (e.g. court order or law enforcement request)

  • A child or vulnerable adult is at risk of abuse or neglect

We follow UK safeguarding guidance and BACP ethical standards. Where possible, we will still try to inform you before sharing.

c. Trusted support professionals

Certain information may be accessed by:

  • Our virtual assistant, who supports with invoicing and admin (but not session notes)

  • Our accountant, who handles business finance and tax records

  • A named professional trustee, who may access your contact details in the event of Lennie’s death or incapacity

All support professionals are contractually bound by confidentiality and data protection obligations.

d. Third-party systems and platforms

We use secure systems and platforms to manage bookings, records, and admin. These include:

  • Zanda Health (client records)

  • ProtonMail (encrypted email)

  • Calendly (consultation booking)

  • Stripe (for online payments)

  • Starling Bank (bank transactions)

  • Wix (website and contact forms)

These services act as data processors on our behalf. We’ve chosen them for their security and GDPR compliance, and we only share the minimum data necessary for them to perform their role. You can view their privacy policies in our [Third-Party Services section] (add internal link when publishing).

8A. Working with Children & Young People: Data and Consent

Unruly Therapy works with clients aged 12 and older, and we take our responsibility to protect their personal information seriously. We follow the UK GDPR, the Data Protection Act 2018, and the Age Appropriate Design Code (Children’s Code) to ensure data is handled ethically, securely, and with care.

For clients under the age of 16, we will always seek informed consent from both the young person and a parent or legal guardian before therapy begins.

a. How we involve young people

  • We explain therapy and data privacy in age-appropriate ways.

  • If a young person is mature enough to understand their rights, they may exercise those rights independently (e.g. to access or restrict their own data).

  • Where appropriate, parents or guardians may also act on the child’s behalf—particularly when it’s in the young person’s best interest.

b. What happens during consent

At the initial consultation, we ask at least one parent or legal guardian to attend with the young person. This gives everyone a chance to ask questions, understand the therapeutic process, and set expectations for privacy and communication.

Consent is confirmed through a signed form, and we may follow up via email or phone to ensure clarity.

c. Data we may collect for under-18s

To deliver safe and appropriate support, we may collect:

  • Young person’s full name and date of birth

  • Parent or guardian’s name and contact details

  • School name and contact info

  • GP details and any involved services (e.g. CAMHS, SENCO, social worker)

  • Emergency contact details

  • Risk or safeguarding information where relevant

This data is stored securely and only accessed when necessary to provide support or meet legal duties.

d. Withdrawing consent

If consent is withdrawn by either the young person or their parent/guardian, we will talk through what this means. Usually, it will result in ending the therapeutic contract and securely deleting any data we’re no longer required to retain.

In cases where safeguarding or legal duties apply, we may need to retain records longer—and we’ll always explain why.

10. Cookies

Like most websites, we use cookies to help our site function properly, understand how people use it, and (occasionally) improve your experience through performance and analytics tools.

Some cookies are strictly necessary for the site to work (e.g. security and login features), while others are non-essential and used for things like tracking visits or remembering preferences. These are only activated if you give permission.

When you visit our website, you’ll see a cookie banner—powered by Consentik—giving you control over which types of cookies you’re happy with. You can change or withdraw your consent at any time.

You can read more on our Cookies & Terms page.

12. Updates to This Privacy Notice

We review and update this Privacy Notice regularly to reflect changes in the law, our services, or the platforms we use. If anything changes that affects how we handle your personal data, we’ll update this page—and, where appropriate, we’ll let you know directly.

The version you’re reading was last updated on 31 March 2025.

We encourage you to check this page from time to time so you’re always clear on how your information is handled.

2. What Personal Data We Collect

We collect and process different types of personal data depending on how you interact with Unruly Therapy. This includes data provided directly by you, collected automatically through our website, or shared by others with your consent.

We only collect what’s necessary to provide a safe, professional, and effective therapeutic service, or to improve your experience with us online.

a. Data you provide directly

When you use our contact forms, book a consultation, sign up for our newsletter, or work with us as a client, we may collect:

  • Identity and Contact Data: Your full name, email address, phone number, and (for clients) home address and emergency contact details.

  • Client Information: Relevant background details you share before and during sessions, such as age, availability, therapy preferences, and goals.

  • Consent and Intake Forms: Forms completed as part of your therapy or supervision agreement, including signed contracts, risk agreements, and ROIs.

  • Location Data: If you attend therapy online, we’ll ask where you are located at the time of your session for safeguarding purposes.

  • Parent or Guardian Information: For clients under 18, we may also collect contact details for parents, guardians, schools, GPs, or other professionals involved in care—only when necessary and with appropriate consent.

b. Website and communication data

When you visit our website or contact us by email, we may collect:

  • Technical Data: IP address, browser type, device information, and website usage data through tools like Google Analytics and Facebook Pixel.

  • Communication Data: Records of emails or form submissions, including date, content, and sender information.

  • Cookie Data: Information collected through cookies, including necessary cookies for site function and performance cookies (explained in Section 11).

c. Third-party platform data

We use tools such as Calendly, Stripe, and Zanda Health. If you use these services in connection with Unruly Therapy, basic personal information (like name, email address, or appointment preferences) may be collected through those platforms. Each provider maintains their own privacy notice, which you can access via our Third Party Services section.

4. How We Use Your Personal Data

We only use your personal data when it’s necessary, relevant, and lawful to do so. Most of the data we collect is used to support the work we do with you—whether that’s providing therapy, supervision, consultation, or helping you get in touch with the right support.

Here’s how we may use your personal information:

a. To provide therapy or supervision

We use your information to:

  • Contact you and manage your appointments

  • Assess your needs and deliver a safe, effective service

  • Keep records of your sessions, attendance, and any risk or safeguarding concerns

  • Respond to any queries, feedback, or concerns you raise

  • Share information with other professionals (only with your consent or in line with legal/safeguarding obligations)

b. To manage our professional relationship

We process your data to:

  • Send and store contracts, consent forms, and invoices

  • Keep you informed of changes to our services or availability

  • Maintain accurate records in line with ethical and legal requirements

  • Communicate with third-party funders, with appropriate consent

c. To run and improve our website

We use data gathered through cookies and analytics tools to:

  • Monitor site performance

  • Understand how visitors use the site

  • Make improvements based on user behaviour and preferences

  • Ensure security and accessibility

d. To promote our services (with your consent)

If you sign up to receive updates, we may:

  • Send newsletters or announcements about our services or resources

  • Occasionally run feedback or satisfaction surveys

  • Give you the option to unsubscribe at any time

We do not use your personal data for automated decision-making or profiling, and we do not sell your data to anyone. Full stop.

6. How We Keep Your Data Safe

We take the security of your personal data seriously. We have a range of measures in place—both technical and organisational—to protect your information from being lost, misused, accessed without permission, or altered without good reason.

 

a. Electronic security

  • Client records, notes, and most forms (including contracts and intake forms) are stored securely using Zanda Health, a platform designed for therapy practices.

  • If any documents are not compatible with Zanda Health (e.g. certain assessment formats or attachments), they are stored in Proton Drive, which uses end-to-end encryption.

  • Email communication is managed through ProtonMail, which allows for secure password-protected emails when needed.

  • Our internet connection is protected with ProtonVPN for secure, encrypted browsing.

  • All devices used for client work are password-protected, encrypted, and kept up to date with security patches.

b. Website and online safety

  • Our website is hosted by Wix, which uses secure HTTPS encryption and complies with UK and EU data protection regulations.

  • Cookie use is managed through Consentik, allowing you to manage your preferences easily.

  • Online consultation bookings are handled through Calendly, which has its own secure systems and privacy safeguards.

c. Physical security

  • We don’t routinely store physical copies of client data. If paper records are temporarily created (e.g. handwritten notes in an emergency), they are securely stored and destroyed or digitised as soon as possible.

d. Access and confidentiality

  • Client session notes are only ever accessed by the therapist (Lennie). No one else, including support staff, has access to these records.

  • A trusted virtual assistant supports with administrative tasks such as invoicing and session scheduling through Zanda Health but does not access any clinical notes or sensitive therapy content.

  • An accountant has access to scheduling and financial records strictly for tax and business accounting purposes.

  • In the event of incapacity or emergency, a named professional trustee (as outlined in our clinical will) may access essential data to ensure continuity of care or safe closure of the service.

  • All individuals with any form of access are bound by confidentiality agreements and are required to handle data in line with UK GDPR, BACP ethical standards, and professional insurance policies.

In the unlikely event of a data breach affecting your personal data, we will follow the ICO’s reporting procedures and notify you without undue delay where there is a risk to your rights or freedoms.

8. Your Rights

Under UK data protection law, you have rights over how your personal data is used. These rights apply to everyone who interacts with Unruly Therapy, whether you’re a client, funder, visitor to the website, or someone making an enquiry.

Here’s a summary of your key rights:

a. The right to be informed

You have the right to know what data we collect, how we use it, why we need it, and who it may be shared with. This Privacy Notice is one way we do that.

b. The right of access

You can ask for a copy of the personal data we hold about you. This is called a Subject Access Request (SAR). We will respond within one month of receiving your request.

c. The right to rectification

If you believe the information, we hold about you is inaccurate or incomplete, you can ask us to correct it.

d. The right to erasure (“right to be forgotten”)

You can ask us to delete your personal data. In some cases (such as therapy notes), we may not be able to delete information due to legal, clinical, or safeguarding requirements. We’ll explain the reasons clearly if this applies.

e. The right to restrict processing

You can ask us to stop using your data while we look into a concern you’ve raised (e.g. accuracy or how it’s being used). We will continue to store the data, but not use it until resolved.

f. The right to data portability

You can ask us to securely transfer your data to another service or professional. This applies to data you’ve given us directly where it’s been processed by automated means (e.g. online forms or digital records).

g. The right to object

You can object to your data being used for marketing, research, or other purposes where the lawful basis is legitimate interest. This doesn’t usually apply to therapeutic or administrative use, which falls under contract or legal obligation.

h. Rights relating to automated decision-making

We don’t use automated systems to make decisions about you, so this right doesn’t apply here.

To make a request about your personal data, please contact us using the details in Section 1. We’ll always try to respond within one calendar month and explain your options clearly. In some cases, we may need to confirm your identity to protect your privacy.

9. International Transfers

Unruly Therapy is based in the United Kingdom, and we don’t routinely transfer your data outside of the UK or European Economic Area (EEA). However, some of the secure platforms and services we use—such as email, cloud storage, scheduling, and analytics—may store or process data in other countries, including the United States.

When this happens, we make sure that your personal data is protected to the same high standards required under UK data protection law. This means:

  • We only use services that have appropriate data protection agreements in place, including Standard Contractual Clauses (SCCs) where required.

  • We assess the privacy practices of all third-party providers before working with them.

  • Your rights under UK GDPR continue to apply, regardless of where your data is stored or processed.

 

If you’d like more details about any specific provider or transfer, just let us know—we’re happy to explain.

11. Complaints and Contact

If you ever have questions, concerns, or complaints about how your personal data is handled at Unruly Therapy, we want to hear from you. Your trust matters, and we take any issues seriously.

You can contact us directly using the details below:

Leneena Mayne (Unruly Therapy)
📧 hello@unrulytherapy.co.uk
📍 Liverpool Innovation Park, Suite 2, 360 Edge Lane, Fairfield, Baylis L7 9NJ
📞 07784 800712

We’ll do our best to resolve any concerns promptly and with care. In most cases, we can sort things out quickly with a conversation or explanation.

If you're not satisfied with our response, or you believe your data has been used unlawfully, you have the right to make a formal complaint to the Information Commissioner’s Office (ICO).

Information Commissioner’s Office (ICO)
🌐 www.ico.org.uk/make-a-complaint
📞 ICO Helpline: 0303 123 1113

bottom of page