Who we are

The Data Controller for this service is Helen McAllister.

Website: https://themindsetup.co.uk

ICO Registration Reference: ZB574739

Lawful Basis for Processing Data (Legitimate Interests)

Under the UK General Data Protection Regulation (UK GDPR), we collect and process your personal data under the lawful basis of Legitimate Interests. This is broken down into three core principles to ensure total transparency:

  • Purpose: We hold a genuine, clear purpose for obtaining your personal information, which is to safely, effectively, and professionally deliver clinical hypnotherapy sessions, manage client bookings, and securely maintain essential clinical case notes.
  • Necessity: We only collect personal data that is strictly necessary to the therapeutic work being undertaken. We do not gather extraneous information that does not serve your treatment or safety.
  • Balance: We intentionally minimize the impact on your privacy. For instance, while it is necessary to record a secure contact number for communications and session management, we do not require or record your full home address unless it is strictly necessary for specific billing requirements or emergency safety protocols.

Recognised Legitimate Interests & Public Safety

In alignment with the Data Uses and Access Act (2025), if your personal data is formally requested by authorized organizations or public bodies (such as law enforcement or the police) for the absolute purpose of safeguarding and protecting public safety, this falls under a “recognised legitimate interest.” In these rare and specific instances, the organization making the request holds the legal responsibility for the decision regarding necessity, and data may be shared without requiring an additional privacy balancing test.

4. Confidentiality & Information Sharing

Discussions within hypnotherapy sessions are strictly confidential, with the following professional exceptions:

  • Supervision: Information may be discussed with a professional supervisor to gain advice or support, as required by therapeutic best practices.
  • Safety: Confidentiality may be breached if there is reason to believe you are at risk of harming yourself or another person.
  • Other Professionals: Information will only be discussed with other health and social care professionals if it is deemed medically necessary and only with your explicit written consent.
  • Public Interactions: If we meet outside of a hypnotherapy session, I will be guided entirely by you. As a default, I will not acknowledge you in public in order to protect the confidential nature of our relationship.

5. Data Storage and Security

Your personal and sensitive information is stored with high levels of security:

  • Digital Data: Any digital records are stored within a password-protected file on a personal, secure laptop.
  • Physical Data: Any paper-based work is stored securely in a locked cabinet, inside a locked room.
  • Data Transmissions: Form entries or comments submitted via the website are checked through automated spam detection and sent securely.

6. Data Retention: How Long Your Information is Kept

In line with the National Council for Hypnotherapy (NCH) guidelines, records are securely retained using the following schedule:

  • Adult Clients: Written records are stored securely for 8 years after the last interaction.
  • Child Clients (Under 16 when last seen): Records are retained up to the age of 25.
  • Young Adult Clients (17–18 years old when last seen): Records are retained up to the age of 26.

7. Your Rights Over Your Data

Right to Erasure (Deletion): Under UK GDPR rules, you are able to request the deletion of any of your records at any time by making a request in writing. Please note that this right does not override data that must be legally or professionally retained for administrative, insurance, clinical record-keeping, or security purposes.

Subject Access Requests (SARs): You have the right to request access to, or a copy of, the personal data held about you. To do so, please submit a written request. In line with UK GDPR and the Data Uses and Access Act (2025), searches conducted to fulfil this request will be completed within 30 days and will be limited to what is reasonable and proportionate to locate the relevant data without disproportionate difficulty.

Cookies & Contact Forms

If you leave a comment on our site, you may opt-in to saving your name, email address, and website in cookies. These are strictly for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies last for one year.

When you use our online contact forms, the data you enter is encrypted and sent securely to allow us to reply to your inquiry. Visitor comments and form entries may also be checked through an automated spam detection service.

Embedded Content From Other Websites

Articles or pages on this site may include embedded content (e.g., videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor had visited the other website directly.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction if you have an account and are logged into that specific website.

Data Protection Concerns & Complaints

At The Mindset Up, I take your personal privacy and the security of your data incredibly seriously. In compliance with the Data Uses and Access Act (2025) and UK GDPR requirements, I provide a dedicated process to address any concerns or complaints you may have regarding how your personal information is processed, handled, or stored.

Please Note: This specific procedure and the options below are strictly for complaints regarding the handling, storage, or use of your personal data. This does not apply to general feedback or complaints regarding clinical therapeutic practice or professionalism, which can be made through my professional association.

My Process and Timelines

If you believe I have used your data in a way that does not comply with UK law, you are required to submit your complaint through my internal process using the form on this page first. Upon submission, I commit to the following standards:

  • 30-Day Acknowledgment: I will formally acknowledge receipt of your data protection complaint within 30 days of submission.
  • Investigation Updates: I will immediately launch inquiries into the subject matter of your complaint and keep you informed of my progress.
  • Resolution: I will advise you of the formal outcome of our investigation without undue delay.
  • Escalation: If you remain dissatisfied with my final outcome or response, you hold the legal right to escalate your complaint directly to the Information Commissioner’s Office (ICO).

How to Submit

Please use the contact form on this page to log your concern. In your message, please clearly state if your inquiry relates to:

  • A question about how your data is stored or secured
  • A request to access your personal data (Subject Access Request)
  • A request to correct or delete your personal data (Right to Erasure)
  • An issue with marketing or communication preferences