Privacy Policy

Thank you for taking the time to read the Privacy Policy of Steadfast Psychology (“we”, “us”, “our”). We value your privacy and are committed to protecting your personal information. We understand that therapy is a safe space to discuss confidential information, and we aim to uphold this both in person and online. We make it a priority to ensure your data is handled with respect, securely and responsibly, while you use our website and services.

We recommend reading this policy along with any other privacy notices we may share, so you’re fully informed about how and why we handle your information.

Who is responsible for your data?

Steadfast Psychology is the organisation in charge of managing your data. Steadfast Psychology is managed by Dr Solomon Cheung, who can be contacted at: solomon.cheung@steadfastpsychology.co.uk.

Have a concern or complaint?

We are here to help and would appreciate the opportunity to sort things out with you directly, so please do contact us in the first instance. However, you also have the right to contact the Information Commissioner’s Office (ICO) at www.ico.org.uk if needed.

Personal information we collect:

Personal information is any information that identifies and relates to a living person. If we have anonymised your data, making it impossible to link it back to you, it is no longer considered personal data.

We may collect, use, store, and share the following personal information:

  • Identity details such as your first and last name, title, date of birth, marital status, and gender identity.

  • Contact details such as your home and billing address, the address you will attend remote sessions from if different, email address, and telephone number.

  • Safeguarding information such as your emergency contact and your GP practice and their contact information.

  • Special Category Data:

    • Health information (including medical conditions, allergies, medical requirements and medical history)

    • Information about care needs (including disabilities, home conditions, medication and dietary requirements and general care provisions).

    • Test results (including psychological evaluations).

    • From time to time, we may collect other Special Category Data about you in therapy sessions, including your racial or ethnic origin, religious or philosophical beliefs, sex life and sexual orientation information, and criminal convictions and offences. We do not collect any other Special Category Data about you (this includes details about political opinions, trade union membership and genetic and biometric data).

  • Financial information including your payment card or bank information.

  • Insurance policy details if you are referred by your health insurance provider or would like to make a claim with them.

  • Technical data such as your internet protocol (IP) address, login credentials, browser type and version, browser plug-in types and versions, time zone, location, operating system, platform, and other device-specific details when you access our website.

  • Usage data regarding how you interact with our website and services.

Where we get personal information from

We gather personal data using several methods, mostly directly from you. This includes:

  • When you or we fill in any forms before or during appointments;

  • During verbal conversations;

  • Correspondence with us via phone, email, post, or otherwise;

  • When you apply for our services or any of our products; or

  • When you provide us with feedback or reach out for assistance.

Automated Data Collection:

We may also gather data using automated technologies, such as website cookies or similar tools. This includes details about your device, browsing actions, patterns, and information related to your activity on other websites that share the same cookies as ours. This allows us to receive insights into how you interact with third-party sites.

This data helps us enhance your experience and understand how you use our website. For further details, please refer to our Cookie Policy.

Third-Party Data:

We may receive data from third parties, including:

  • Family members or carers

  • Other health and care providers

  • Social services

  • Charities or voluntary sector organisations

  • Schools, colleges, universities or other education organisations

  • Insurance companies

  • Suppliers and service providers

  • Technical details from analytics providers such as Google.

Why do we process your data?

We process your data for several purposes, including:

  • To register you as a new client.

  • To provide our services, including: a) to manage payments, fees and charges and b) to collect and recover money owed to us.

  • To manage our relationship with you, such as informing you of changes to our privacy policy or requesting reviews.

  • To maintain and protect our practice and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

  • To deliver relevant website content to you.

  • To use data analytics to improve our website, products and services, marketing, client relationships and experiences.

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights, which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website.

To exercise any of these rights, please get in touch with us. We won’t charge you for access to your personal data. However, we may apply a reasonable fee if your request is clearly excessive, repetitive, or unfounded. In such cases, we also reserve the right to refuse the request. We aim to respond to all legitimate requests within one month, though it might take longer if your request is complex or if you’ve made multiple requests. If that’s the case, we’ll notify you and keep you informed of our progress.

Our lawful bases for the collection and use of your data:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

    • To safeguard a vulnerable individual;

    • To comply with professional and ethical standards.

  • For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

  • Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.

Safeguarding as a Legitimate Interest

Safeguarding vulnerable individuals is a lawful basis for processing personal data under Schedule 4 – Lawfulness of processing recognised legitimate interests of the Data Use and Access Act 2025 (DUAA).

‘Safeguarding a vulnerable individual’ means:

  • protecting a vulnerable person from neglect or physical, mental or emotional harm; or

  • protecting the physical, mental or emotional well-being of a vulnerable person.

‘Vulnerable individual’ means a person:

  • aged under 18; or

  • aged 18 or over and at risk.

Protection of a person, or of the well-being of a person, includes both protecting a particular person and protecting a type of person.

A person aged 18 or over is ‘at risk’ if the organisation has reasonable cause to suspect that the person:

  • has needs for care and support;

  • is experiencing, or at risk of, neglect or physical, mental or emotional harm; and

  • is unable to protect themselves against the neglect, harm or risk, due to those needs.

Do we use cookies?

Cookies are used to enhance your experience on our website by remembering your preferences and improving functionality. You can control and adjust your cookie settings through your browser. Cookies make your browsing experience more seamless by remembering your preferences.

Our website uses cookies to identify you and distinguish you from other visitors. For more details, please refer to our Cookie Policy.

Links to third-party websites:

Our website may contain links to other websites that are not owned or controlled by us. Please be aware that we are not responsible for such other websites or third parties' privacy practices. We encourage you to be aware when you leave our website and read the privacy policies of each website that may collect personal information.

Information security:

We secure information you provide on computer servers in a controlled, secure environment, protected from unauthorised access, use, or disclosure. We keep reasonable administrative, technical, and physical safeguards to protect personal data in our control and custody against unauthorised access, use, modification, and disclosure. However, no data transmission over the Internet or wireless network can be guaranteed to be secure.

In the rare circumstances that there is a personal data breach, we have procedures in place and will notify you, along with any applicable regulator, when we’re legally required to.

Do we share your personal data?

We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:

  • you’ve provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses);

  • we have a legal requirement (including court orders) to collect, share or use the data;

  • on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);

  • If in England or Wales – the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied; or

  • If in Scotland – we have the authority to share provided by the Chief Medical Officer for Scotland, the Chief Executive of NHS Scotland, the Public Benefit and Privacy Panel for Health and Social Care or other similar governance and scrutiny process.

We may share your personal data with the parties set out below for the purposes as stated further above.

  • Service providers, acting as data processors who provide IT and system administration services.

  • Professional advisers including healthcare professionals, lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.

  • If you are referred by your health insurance provider then we may need to share details about your appointment schedule with your insurer for the purposes of billing and to provide treatment updates.

  • HCPC-registered practitioner psychologists engage in ongoing training, supervision, and mentoring to uphold high standards of clinical practice and professional conduct. As part of this process, we may consult with other mental health professionals to reflect on and enhance our clinical work. When discussing client cases in supervision, only first names are used, and all identifiable information is minimised to protect client confidentiality.

  • Sometimes we may need to share information with other health and care providers, such as your GP or a social worker. We will always get your consent prior to doing this. When the information concerns risk of harm to you as the client or another person then we may need to disclose your personal information, such as with emergency services, without your consent for your own safety or for the safety of someone else.

  • HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.

  • Debt collection agencies in the event that payment is not received for services rendered. This will be done to recover any outstanding debts, and the debt collectors will process your data solely for this purpose.

  • We may be obliged to share your personal data with courts, legal representatives, or other relevant authorities for medico-legal purposes. This includes situations where we are required to do so by law, or where it is necessary to protect your vital interests or the interests of another person. We ensure that this data sharing is conducted lawfully and with due regard for your privacy rights.

All of the above third parties have a requirement to respect the security of your personal data. We do not permit them to use your personal data for their own purposes – they are only permitted to process your data for specified purposes in line with our instructions.

Do we ever transfer your data internationally?

We may transfer your data outside of the United Kingdom/European Economic Area (EEA), but only when we can be sure it is protected.

Many of our external third parties are based outside the United Kingdom/EEA and so their processing of your personal data will involve a transfer of data outside the United Kingdom.

Whenever we transfer your personal data out of the United Kingdom, we make sure it is protected by implementing at least one of the following safeguards:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the United Kingdom.

  • Where we use certain service providers, we may use specific contracts approved by the UK Information Commissioner’s Office and the European Commission which give personal data the same protection it has in Europe.

Please contact us if you want further information on the specific process used by us when transferring your personal data out of the United Kingdom.

What is our process for retaining your data?

We only keep your data as long as necessary for the reasons we collected it.

By law we have to keep medical information about patients for 7 years after treatment has finished. For any children we treat, we are obliged to retain the medical information until the child’s 25th birthday. For tax purposes, by law we have to keep basic information about our clients (including contact, identity, financial and transaction data) for six years after they cease being patients.

For information that does not fall under the definition of basic, to determine the appropriate retention time, we look at what kind of data it is, how sensitive it is, the risks if it's misused, why we need it, and if there are other ways to achieve the same goals. We also consider applicable legal, regulatory, tax, accounting and other requirements.

Changes and Contact

We periodically review and update our privacy policy. Please inform us if any of your personal details change. If you have any questions or wish to exercise your rights, feel free to reach out to us.

Thank you for taking the time to read our privacy policy. If you have any questions, don't hesitate to contact us.

Privacy policy updated 30/07/2025