Privacy Policy, Cookies & Legal
Privacy Policy
Last updated: 2 July 2026
Who we are
Sheena Costello – Coaching, Counselling & Psychotherapy is a private therapeutic practice run by Sheena Costello in partnership with HeadStrong Minds. I am a registered psychotherapist and a member of the UK Council for Psychotherapy (UKCP).
If you have any questions about how I handle your personal data, please contact me at sheena [at] sheenacostello.com (please replace [at] with @ when emailing).
What personal data we collect
I collect and process the following types of personal data:
Contact details — your name, email address, telephone number, and postal address
Enquiry details — information you submit via the contact form on our website
Health and therapy-related information — your presenting issues, relevant medical history, mental health history, medication, and details of other healthcare providers involved in your care
Session notes — written records of our therapeutic work together
Administrative records — appointment dates, invoices, and correspondence
Health and therapy-related information is classified as special category data under Article 9(1) of the UK GDPR. This means it receives enhanced legal protection, and I must meet additional conditions to process it lawfully.
How we collect your data
I collect personal data directly from you:
When you first contact me by email, telephone, or through the website contact form
During our initial consultation and intake process
Throughout our ongoing therapeutic work together
Through any correspondence between us
I do not collect personal data about you from third parties unless you have given explicit consent or there is a lawful basis to do so.
Why we process your data — lawful basis
To process your personal data lawfully under UK GDPR, I rely on the following legal bases:
Article 6 basis (ordinary personal data):
Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us. This means I need to process your data to provide you with psychotherapy services and to manage our therapeutic relationship.
Article 9 basis (special category data):
Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional.
The additional condition required by UK law is set out in DPA 2018 Schedule 1, Part 1, paragraph 2 — health or social care. Processing is carried out by a registered psychotherapist subject to the professional obligation of confidentiality under the UKCP Code of Ethics and Professional Practice.
Professional obligations and CPD
I am required by the UK Council for Psychotherapy (UKCP) to attend regular clinical supervision. This is an essential part of maintaining high professional standards and providing you with safe, ethical care.
When I discuss our therapeutic work with my supervisor:
Your name and any identifying details are not shared with my supervisor
I use anonymised or pseudonymised case material only
My clinical supervision is provided by a qualified professional bound by the same confidentiality obligations as I am
My supervisor is bound by their own professional code of ethics and practice
Clinical will — what happens to your records if we are unable to practise
I have appointed a Clinical Executor — a trusted fellow therapist — who will act on my behalf if I become seriously ill, incapacitated, or die unexpectedly.
In such circumstances, my Clinical Executor will:
Contact you to let you know what has happened
Offer to provide you with referral information for continuing therapy if appropriate
Retain your records securely until the end of the applicable retention period
Securely destroy your records only after the retention period has ended
My Clinical Executor is bound by the same professional confidentiality obligations as I am. Your records will remain protected throughout this process.
Who we share your data with
I take your confidentiality seriously and only share your data when necessary and appropriate.
Third-party service providers:
I use the following third-party services which may process your data:
Squarespace — website hosting
Zoom — video sessions
High Performance System — practice management
Each of these services is bound by a data processing agreement. Links to their privacy policies are available on request.
Other parties with limited access:
Clinical supervisor — anonymised case material only; no identifying details are shared
External accountant or bookkeeper — invoice data only
Administrative help — calendar and contact details only; no access to clinical notes
External IT support — incidental access during system maintenance only
I never sell your personal data.
International data transfers
The following third-party services I use may transfer personal data outside the United Kingdom:
Squarespace (Squarespace Inc, USA)
Zoom (Zoom Video Communications Inc, USA)
Where data is transferred to the USA, I rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025. The USA does not currently have a UK adequacy decision.
You can request a copy of the relevant transfer safeguards by contacting me.
Additional third-party tools:
High Performance System processes limited data on my behalf to deliver its services. For specific details on this provider's data handling practices, international transfers (if any), and applicable safeguards under UK GDPR Chapter V and the Data (Use and Access) Act 2025, please refer to their own privacy policy. You can request additional information from me at any time.
How long we keep your data
I retain your records for the following periods:
TYPE OF RECORD
RETENTION PERIOD
Therapy records (adult clients)
7 years after our last session
Financial records
6 years (HMRC legal requirement)
Website enquiries (non-clients)
12 months
The retention period for therapy records is set in line with the Limitation Act 1980 and standard professional indemnity insurance requirements.
After the applicable retention period, paper records are securely destroyed and electronic records are permanently deleted.
Your rights under UK GDPR
You have the following rights regarding your personal data:
Right to be informed — to know how your data is collected and used (this policy fulfils that right)
Right of access — to request a copy of the personal data I hold about you
Right to rectification — to ask me to correct any inaccurate or incomplete data
Right to erasure — to request deletion of your data in certain circumstances. This right is not absolute; I may need to retain your records until the end of the applicable retention period where required by professional guidelines, insurance, or law
Right to restrict processing — to ask me to limit how I use your data in certain circumstances
Right to data portability — to receive your data in a commonly used format
Right to object — to object to certain types of processing
Rights related to automated decision-making — I do not use automated decision-making or profiling in my practice
How to exercise your rights:
Contact me at sheena [at] sheenacostello.com (please replace [at] with @ when emailing).
If you make a subject access request, I will conduct a reasonable and proportionate search in accordance with the Data (Use and Access) Act 2025. I will respond within one month, or inform you if I need an extension.
Data protection complaints — your right under the Data (Use and Access) Act 2025
You have the right to make a data protection complaint directly to me.
To submit a complaint:
Visit https://sheenacostello.com (Policy Page)
Or contact me at sheena [at] sheenacostello.com
If you are not satisfied with my response, you may escalate your complaint to the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Post: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Confidentiality exceptions
Everything you share with me in therapy is treated as confidential. However, there are specific circumstances where I may need to share information without your consent:
Risk of serious harm — if I believe you or someone else is at immediate risk of serious harm
Safeguarding concerns — if there are child protection or vulnerable adult safeguarding concerns
Court order — if I am legally compelled to disclose information by a court of law
I will always try to discuss this with you first, unless doing so would itself put someone at risk.
Changes to this policy
I review this policy annually and whenever my practices change. If I make significant changes that affect how your data is handled, I will inform you directly.
For questions about this policy or how I handle your data, please contact me at sheena [at] sheenacostello.com (please replace [at] with @ when emailing).
Data Retention Policy
Last updated: 2 July 2026
Sheena Costello – Coaching, Counselling and Psychotherapy
1. Why We Retain Your Data
I keep records of our work together because I have legal and professional obligations to do so. These include:
Legal requirements — UK GDPR and the Data Protection Act 2018 require me to process your data lawfully and keep it only as long as necessary
Professional standards — As a registered psychotherapist with the UK Council for Psychotherapy (UKCP), I am bound by their Code of Ethics and Professional Practice, which requires me to maintain accurate records of our therapeutic work
Insurance obligations — My professional indemnity insurance requires me to retain records for a minimum period in case a claim is made after therapy ends
Tax law — HMRC requires me to keep financial records for a set period
Keeping appropriate records also protects both of us. If questions arise about our work together in the future, accurate records help me respond properly.
2. Retention Periods
The table below shows how long I keep different types of information:
TYPE OF RECORD
RETENTION PERIOD
REASON
Client therapy records
7 years after our last session
In line with the Limitation Act 1980 and standard professional indemnity insurance requirements
Enquiry and contact data (if you do not become a client)
12 months
To respond to your enquiry and follow up appropriately
Financial records and invoices
6 years
HMRC requirement
Insurance records
7 years
To support any insurance-related queries
Website contact form submissions
12 months (unless you become a client)
To manage initial correspondence
The retention period for therapy records begins from the date of our last session together, not from the date you first contacted me.
3. What Information We Retain
The records I keep may include:
Contact details — your name, address, phone number, and email address
Session notes — a summary of our therapeutic work together, including themes discussed, interventions used, and progress made
Assessment information — any initial assessments, questionnaires, or background information you provide
Correspondence — emails, letters, or messages between us relating to your therapy
Payment records — invoices, receipts, and records of payments made
Consent and agreements — your signed therapy agreement and any consent forms
Referral information — details of any referrals made to or from other professionals (with your consent)
I do not keep more information than I need, and I regularly review what I hold to ensure it remains relevant and necessary.
4. How Your Data Is Stored
I take the security of your information seriously and store your data as follows:
Electronic records are held on password-protected devices. Access is restricted to me personally, and in the event of my death or incapacity, to my appointed Clinical Executor.
Paper records are kept in a locked filing cabinet in a secure room within my practice. Only I have access to this cabinet during normal circumstances. In the event of my death or incapacity, my Clinical Executor would have access to ensure your records are handled appropriately.
Who else may have access to your data:
Clinical supervisor — I discuss my work in supervision to maintain professional standards. Case material shared with my supervisor is anonymised, meaning your name and identifying details are not disclosed
External accountant or bookkeeper — has access to invoice data only for accounting purposes; they do not see your clinical notes or personal details beyond what appears on invoices
Administrative help — may have access to calendar and contact details to support appointment scheduling; they do not have access to clinical notes
External IT support — may have incidental access to systems during maintenance; they are bound by confidentiality and do not routinely access clinical records
All parties with access to any of your data are bound by confidentiality obligations.
5. Your Right to Request Erasure
Under UK GDPR, you have the right to request that I delete your personal data. However, this right is not absolute.
I may need to retain your records until the end of the applicable retention period where this is required by:
Professional guidelines from the UK Council for Psychotherapy (UKCP)
Professional indemnity insurance requirements
Legal obligations, including the Limitation Act 1980
If you ask me to delete your data before the retention period ends, I will explain clearly why I need to keep it and for how long. Once the retention period has passed, I will securely dispose of your records as described below.
6. Secure Disposal of Records
At the end of the relevant retention period, I dispose of your records securely:
Paper records are securely destroyed
Electronic records are permanently deleted from all devices and backup systems
I keep a record that disposal has taken place, but this record contains no clinical information — only enough detail to confirm that proper procedures were followed.
7. Clinical Executor Arrangements
I have appointed a Clinical Executor — a fellow therapist bound by professional confidentiality — who would step in to manage client records and communications in the event of my death or incapacity.
If this situation arose, my Clinical Executor would:
Contact you to let you know what has happened
Offer to help you find alternative therapeutic support if needed
Retain your records securely until the end of the applicable retention period
Securely destroy your records only after the retention period has ended
This arrangement ensures your confidentiality is protected and your records are handled professionally, even if I am no longer able to do so myself.
8. Questions and Complaints
If you have any questions about how long I keep your data or why, please contact me:
Email: sheena [at] sheenacostello.com
(The email above is shown with [at] in place of @ to reduce spam — please replace [at] with @ when emailing)
If you are not satisfied with my response, you can raise a complaint through the complaints form at: https://sheenacostello.com
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent regulator for data protection:https://ico.org.uk
Cookie Policy
Last updated: 2 July 2026
What are cookies
Cookies are small text files that websites place on your device when you visit them. They help websites remember information about your visit, such as your preferences or whether you are logged in. Cookies can be set by the website you are visiting (first-party cookies) or by other services that provide content on that website (third-party cookies).
Cookies we use
Essential cookies
Essential cookies are necessary for this website to function properly. They enable core features such as page navigation and access to secure areas. These cookies do not collect any personally identifiable information about you, and I cannot switch them off in our systems. You can set your browser to block these cookies, but some parts of the website may not work correctly if you do.
Statistical and analytics cookies
We do not currently use any analytics or statistical cookies on this website. If this changes in the future, I will update this policy and provide you with an easy way to opt out.
Advertising and tracking cookies
We do not use any advertising or tracking cookies on this website.
Cookie consent tool
We do not currently use a cookie consent tool on this website. This is because we only use essential cookies that are strictly necessary for the website to function, which do not require your consent under UK privacy regulations.
Third-party cookies
This website is hosted on Squarespace (Squarespace Inc, USA). Squarespace may set cookies on your device to enable essential website functionality, including security features and load balancing. These are necessary for the website to operate correctly.
For full details of the cookies Squarespace uses, please refer to the Squarespace Cookie Policy.
Where Squarespace transfers data to the USA, appropriate safeguards are in place through Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs), in accordance with UK GDPR Chapter V and the Data (Use and Access) Act 2025.
How to opt out or manage cookies
You can control and manage cookies through your browser settings. Most browsers allow you to:
View what cookies are stored on your device and delete them individually
Block third-party cookies
Block cookies from particular websites
Block all cookies from being set
Delete all cookies when you close your browser
Please be aware that blocking all cookies may affect your experience on this and other websites.
For detailed instructions on how to manage cookies in different browsers, visit www.aboutcookies.org, which provides comprehensive guidance for all major browsers.
Your rights
Under UK privacy regulations, including the Privacy and Electronic Communications Regulations (PECR) as updated by the Data (Use and Access) Act 2025, you have the right to opt out of statistical and analytics cookies at any time without affecting the core functionality of this website. Since we do not currently use analytics cookies, this right does not need to be exercised at present.
You also have the right to withdraw any cookie consent you have given at any time by adjusting your browser settings.
Updates to this policy
I will update this cookie policy if our use of cookies changes. Any significant changes will be clearly communicated on this website. I encourage you to check this page periodically to stay informed about how cookies are used.
If you have any questions about how this website uses cookies, please contact me at sheena [at] sheenacostello.com (please replace [at] with @ when emailing).
For more information about how HeadStrong Minds handles your personal data, please see our full privacy policy at https://sheenacostello.com
Appropriate Policy Document
Sheena Costello – Coaching, Counselling & Psychotherapy
Processing of Special Category Personal Data
Prepared by: Sheena CostelloDate: 2 July 2026Review date: 2 July 2027
1. Purpose of this document
This document is prepared in accordance with Schedule 1, Part 4 of the Data Protection Act 2018 (DPA 2018). It demonstrates that Sheena Costello – Coaching, Counselling & Psychotherapy processing of special category personal data is compliant with the UK GDPR, the DPA 2018, and the Data (Use and Access) Act 2025. This document must be provided to the Information Commissioner's Office (ICO) on request and retained for 6 months after the relevant processing ceases.
2. Description of data processed
Sheena Costello – Coaching, Counselling & Psychotherapy processes the following categories of special category personal data:
Mental health information disclosed during therapy sessions
Therapy notes and session records
Relevant medical history and current medications where disclosed
Information relating to emotional wellbeing and psychological functioning
Safeguarding information where relevant to client safety
3. Lawful basis and Schedule 1 condition
Article 6 lawful basis: Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us.
Article 9 special category condition: Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional.
DPA 2018 Schedule 1 condition: Part 1, paragraph 2 — health or social care. Processing is carried out by a registered psychotherapist subject to the professional obligation of confidentiality under the UK Council for Psychotherapy (UKCP) Code of Ethics and Professional Practice.
4. Compliance with Article 5 UK GDPR principles
Principle 1 — Lawfulness, fairness and transparency
Processing is lawful under the Article 6 and Article 9 bases set out above. Clients are provided with comprehensive information about how their data is processed through a Privacy Policy and GDPR Statement, available at https://sheenacostello.com Information is provided in plain English before therapy begins.
Principle 2 — Purpose limitation
Health and mental health data is collected solely for the purpose of providing psychotherapy services. Data is not used for any other purpose without explicit consent or where required by law.
Principle 3 — Data minimisation
Only the minimum data necessary for effective therapeutic work is collected. Session notes record only what is clinically relevant. I do not request information beyond what is needed for the therapeutic relationship.
Principle 4 — Accuracy
Client records are updated when new information is provided. Clients may request correction of any inaccuracies in their records at any time.
Principle 5 — Storage limitation
Client records are retained for 7 years after the final session, in line with the Limitation Act 1980 and standard professional indemnity insurance requirements. Records are securely destroyed after this period ends.
Principle 6 — Integrity and confidentiality (security)
Electronic records are held on password-protected devices. Paper records are kept in a locked filing cabinet in a secure room. Access is restricted to Sheena Costello. Third-party processors are subject to data processing agreements with appropriate security obligations.
Principle 7 — Accountability
This Appropriate Policy Document is maintained as required by Schedule 1, Part 4 of the DPA 2018. Processing activities are documented, and this document is reviewed annually.
5. Retention and erasure policy
DATA TYPE
RETENTION PERIOD
BASIS
Client therapy records
7 years from final session
In line with the Limitation Act 1980 and standard professional indemnity insurance requirements
Financial and invoicing records
6 years from transaction
HMRC legal requirement
Professional indemnity records
7 years
Insurance requirement
Enquiry data (non-clients)
12 months from last contact
Legitimate interests
At the end of the applicable retention period, paper records are securely destroyed and electronic records are permanently deleted.
The right to erasure under Article 17 UK GDPR is not absolute. Where retention is required by professional guidelines, insurance obligations, or law, records must be retained until the end of the applicable retention period before they can be destroyed.
6. Data access and sharing
The following parties may have limited access to client data in specific circumstances:
Clinical supervisor: receives anonymised case material only for the purpose of professional supervision; client identity is not disclosed
External accountant or bookkeeper: has access to invoice data only for accounting purposes; no access to clinical records
Administrative support: has access to calendar and contact details only; no access to clinical notes
External IT support: may have incidental access to systems during maintenance; bound by confidentiality obligations
Data is not otherwise shared with third parties except where:
The client provides explicit consent
Disclosure is required by law
There is a serious risk of harm to the client or others
7. Third-party processors
The following third-party services process data on behalf of Sheena Costello – Coaching, Counselling & Psychotherapy:
Squarespace (Squarespace Inc, USA) — website hosting
Zoom (Zoom Video Communications Inc, USA) — video sessions where applicable
High Performance System — practice management
Where data is transferred to the USA, appropriate safeguards are in place through Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs), in accordance with UK GDPR Chapter V and the Data (Use and Access) Act 2025.
8. Safeguards
The following safeguards are in place to protect special category data:
Processing is limited to the therapeutic purpose
Data is not shared with third parties except where legally required or with explicit consent
Clinical supervision discussions use anonymised case material — client identity is not disclosed
Processing adheres to the UK Council for Psychotherapy (UKCP) Code of Ethics and Professional Practice, which establishes a professional obligation of confidentiality
A Clinical Executor has been appointed who will contact clients and handle records confidentially in the event of my death or incapacity; the Clinical Executor retains records securely until the end of the applicable retention period and securely destroys them only after that period ends
ICO registration is maintained as required
Clients are informed of their rights and all processing through privacy documentation provided before therapy begins
9. Review
This document is reviewed annually and updated whenever processing activities change materially. It will be retained until 6 months after the relevant processing ceases.
Next review date: 2 July 2027
Signed: Sheena Costello, Sheena Costello – Coaching, Counselling & Psychotherapy
Date: 2 July 2026
This document was prepared in compliance with Schedule 1, Part 4 of the Data Protection Act 2018 and must be provided to the Information Commissioner's Office on request.
GDPR Statement
Last updated: 2 July 2026
Our commitment to your privacy
At Sheena Costello – Coaching, Counselling & Psychotherapy, I understand that coming to therapy involves sharing deeply personal information. Protecting your privacy is not just a legal obligation — it is a fundamental part of the trust that makes therapy work. I want you to feel confident that your information is handled with the same care and respect I bring to our sessions together.
This statement explains, in plain terms, what information I collect, why I need it, and how I look after it.
What information I collect
To provide therapy and manage our work together, I collect and keep:
Your name and contact details (phone number, email address, postal address)
Information about your presenting issues and what brings you to therapy
Session notes recording our work together
Relevant medical or health history that you share with me
Payment information and invoices
Why I collect this information
I need to process your personal information to provide therapy to you. Under data protection law, I rely on:
Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us.
Because therapy involves sensitive health-related information, I also rely on:
Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional.
DPA 2018 Schedule 1, Part 1, paragraph 2 — the health or social care condition.
Professional obligations and supervision
As a registered psychotherapist with the UK Council for Psychotherapy (UKCP), I am required to discuss my clinical work in professional supervision. This is an important part of maintaining high standards of care.
Your identity is protected in supervision: I do not share your name or any identifying details with my supervisor. My supervisor receives only anonymised case material and is bound by their own professional confidentiality obligations.
Clinical will arrangements
I have appointed a Clinical Executor — a trusted fellow professional — who would act on my behalf if I became seriously unwell or died unexpectedly. In such circumstances, my Clinical Executor would contact you to let you know what has happened and to discuss your options for continuing therapy elsewhere if you wished.
My Clinical Executor would handle all client records with the same confidentiality I provide. They would retain records securely until the end of the applicable retention period and securely destroy them only after that period ends, in line with professional and insurance requirements.
Who else may see your information
Beyond myself, the following people may have limited access to your information:
Clinical supervisor — receives anonymised case material only; does not know your identity
External accountant or bookkeeper — sees invoice data only for accounting purposes
Administrative help — has access to calendar and contact details to help manage appointments; does not see clinical notes
External IT support — may have incidental access during system maintenance; bound by confidentiality
I also use the following service providers to run my practice:
Squarespace — hosts my website
Zoom — for online therapy sessions
High Performance System — for practice administration
These providers process limited data on my behalf. Where services are based outside the UK (such as Squarespace and Zoom in the USA), appropriate safeguards are in place including Standard Contractual Clauses or International Data Transfer Agreements, as required by UK GDPR and the Data (Use and Access) Act 2025.
I may also be required to share information with statutory authorities where legally obliged to do so.
When I might need to break confidentiality
Confidentiality is central to our work, but there are rare situations where I may need to share information without your consent:
If I believe there is a serious risk of harm to you or someone else
If there are child or vulnerable adult safeguarding concerns
If ordered to do so by a court of law
Wherever possible, I will discuss any such situation with you first.
How long I keep your records
I retain your records for 7 years after our last session, in line with the Limitation Act 1980 and standard professional indemnity insurance requirements.
At the end of this period, paper records are securely destroyed and electronic records are permanently deleted.
Your rights
You have rights over your personal information. In straightforward terms, you can:
See your records — ask me for a copy of the information I hold about you
Correct errors — let me know if something is inaccurate and I will put it right
Request deletion — ask me to delete your information, although this right is not absolute; I may need to retain records until the end of the retention period where required by professional guidelines, insurance, or law
Raise concerns — speak to me if you are unhappy about how I have handled your information
Making a complaint
If you have concerns about how I handle your data, please speak to me first. You can contact me at:
Email: sheena [at] sheenacostello.com (replace [at] with @ when emailing)
Compliance information:https://sheenacostello.com
Under the Data (Use and Access) Act 2025, you also have the right to complain directly to me or to the Information Commissioner's Office:
ICO website: ico.org.uk
ICO helpline: 0303 123 1113