Privacy Policy, Cookies & Legal

Privacy Policy

Last updated: 2 July 2026

Who we are

Sheena Costello – Coaching, Counselling & Psychotherapy is a private therapeutic practice run by Sheena Costello in partnership with HeadStrong Minds. I am a registered psychotherapist and a member of the UK Council for Psychotherapy (UKCP).

If you have any questions about how I handle your personal data, please contact me at sheena [at] sheenacostello.com (please replace [at] with @ when emailing).

What personal data we collect

I collect and process the following types of personal data:

  • Contact details — your name, email address, telephone number, and postal address

  • Enquiry details — information you submit via the contact form on our website

  • Health and therapy-related information — your presenting issues, relevant medical history, mental health history, medication, and details of other healthcare providers involved in your care

  • Session notes — written records of our therapeutic work together

  • Administrative records — appointment dates, invoices, and correspondence

Health and therapy-related information is classified as special category data under Article 9(1) of the UK GDPR. This means it receives enhanced legal protection, and I must meet additional conditions to process it lawfully.

How we collect your data

I collect personal data directly from you:

  • When you first contact me by email, telephone, or through the website contact form

  • During our initial consultation and intake process

  • Throughout our ongoing therapeutic work together

  • Through any correspondence between us

I do not collect personal data about you from third parties unless you have given explicit consent or there is a lawful basis to do so.

Why we process your data — lawful basis

To process your personal data lawfully under UK GDPR, I rely on the following legal bases:

Article 6 basis (ordinary personal data):

Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us. This means I need to process your data to provide you with psychotherapy services and to manage our therapeutic relationship.

Article 9 basis (special category data):

Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional.

The additional condition required by UK law is set out in DPA 2018 Schedule 1, Part 1, paragraph 2 — health or social care. Processing is carried out by a registered psychotherapist subject to the professional obligation of confidentiality under the UKCP Code of Ethics and Professional Practice.

Professional obligations and CPD

I am required by the UK Council for Psychotherapy (UKCP) to attend regular clinical supervision. This is an essential part of maintaining high professional standards and providing you with safe, ethical care.

When I discuss our therapeutic work with my supervisor:

  • Your name and any identifying details are not shared with my supervisor

  • I use anonymised or pseudonymised case material only

  • My clinical supervision is provided by a qualified professional bound by the same confidentiality obligations as I am

  • My supervisor is bound by their own professional code of ethics and practice

Clinical will — what happens to your records if we are unable to practise

I have appointed a Clinical Executor — a trusted fellow therapist — who will act on my behalf if I become seriously ill, incapacitated, or die unexpectedly.

In such circumstances, my Clinical Executor will:

  • Contact you to let you know what has happened

  • Offer to provide you with referral information for continuing therapy if appropriate

  • Retain your records securely until the end of the applicable retention period

  • Securely destroy your records only after the retention period has ended

My Clinical Executor is bound by the same professional confidentiality obligations as I am. Your records will remain protected throughout this process.

Who we share your data with

I take your confidentiality seriously and only share your data when necessary and appropriate.

Third-party service providers:

I use the following third-party services which may process your data:

  • Squarespace — website hosting

  • Zoom — video sessions

  • High Performance System — practice management

Each of these services is bound by a data processing agreement. Links to their privacy policies are available on request.

Other parties with limited access:

  • Clinical supervisor — anonymised case material only; no identifying details are shared

  • External accountant or bookkeeper — invoice data only

  • Administrative help — calendar and contact details only; no access to clinical notes

  • External IT support — incidental access during system maintenance only

I never sell your personal data.

International data transfers

The following third-party services I use may transfer personal data outside the United Kingdom:

  • Squarespace (Squarespace Inc, USA)

  • Zoom (Zoom Video Communications Inc, USA)

Where data is transferred to the USA, I rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025. The USA does not currently have a UK adequacy decision.

You can request a copy of the relevant transfer safeguards by contacting me.

Additional third-party tools:

High Performance System processes limited data on my behalf to deliver its services. For specific details on this provider's data handling practices, international transfers (if any), and applicable safeguards under UK GDPR Chapter V and the Data (Use and Access) Act 2025, please refer to their own privacy policy. You can request additional information from me at any time.

How long we keep your data

I retain your records for the following periods:

TYPE OF RECORD

RETENTION PERIOD

Therapy records (adult clients)

7 years after our last session

Financial records

6 years (HMRC legal requirement)

Website enquiries (non-clients)

12 months

The retention period for therapy records is set in line with the Limitation Act 1980 and standard professional indemnity insurance requirements.

After the applicable retention period, paper records are securely destroyed and electronic records are permanently deleted.

Your rights under UK GDPR

You have the following rights regarding your personal data:

  1. Right to be informed — to know how your data is collected and used (this policy fulfils that right)

  2. Right of access — to request a copy of the personal data I hold about you

  3. Right to rectification — to ask me to correct any inaccurate or incomplete data

  4. Right to erasure — to request deletion of your data in certain circumstances. This right is not absolute; I may need to retain your records until the end of the applicable retention period where required by professional guidelines, insurance, or law

  5. Right to restrict processing — to ask me to limit how I use your data in certain circumstances

  6. Right to data portability — to receive your data in a commonly used format

  7. Right to object — to object to certain types of processing

  8. Rights related to automated decision-making — I do not use automated decision-making or profiling in my practice

How to exercise your rights:

Contact me at sheena [at] sheenacostello.com (please replace [at] with @ when emailing).

If you make a subject access request, I will conduct a reasonable and proportionate search in accordance with the Data (Use and Access) Act 2025. I will respond within one month, or inform you if I need an extension.

Data protection complaints — your right under the Data (Use and Access) Act 2025

You have the right to make a data protection complaint directly to me.

To submit a complaint:

If you are not satisfied with my response, you may escalate your complaint to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk

  • Telephone: 0303 123 1113

  • Post: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Confidentiality exceptions

Everything you share with me in therapy is treated as confidential. However, there are specific circumstances where I may need to share information without your consent:

  • Risk of serious harm — if I believe you or someone else is at immediate risk of serious harm

  • Safeguarding concerns — if there are child protection or vulnerable adult safeguarding concerns

  • Court order — if I am legally compelled to disclose information by a court of law

I will always try to discuss this with you first, unless doing so would itself put someone at risk.

Changes to this policy

I review this policy annually and whenever my practices change. If I make significant changes that affect how your data is handled, I will inform you directly.

For questions about this policy or how I handle your data, please contact me at sheena [at] sheenacostello.com (please replace [at] with @ when emailing).

Data Retention Policy

Last updated: 2 July 2026

Sheena Costello – Coaching, Counselling and Psychotherapy

1. Why We Retain Your Data

I keep records of our work together because I have legal and professional obligations to do so. These include:

  • Legal requirements — UK GDPR and the Data Protection Act 2018 require me to process your data lawfully and keep it only as long as necessary

  • Professional standards — As a registered psychotherapist with the UK Council for Psychotherapy (UKCP), I am bound by their Code of Ethics and Professional Practice, which requires me to maintain accurate records of our therapeutic work

  • Insurance obligations — My professional indemnity insurance requires me to retain records for a minimum period in case a claim is made after therapy ends

  • Tax law — HMRC requires me to keep financial records for a set period

Keeping appropriate records also protects both of us. If questions arise about our work together in the future, accurate records help me respond properly.

2. Retention Periods

The table below shows how long I keep different types of information:

TYPE OF RECORD

RETENTION PERIOD

REASON

Client therapy records

7 years after our last session

In line with the Limitation Act 1980 and standard professional indemnity insurance requirements

Enquiry and contact data (if you do not become a client)

12 months

To respond to your enquiry and follow up appropriately

Financial records and invoices

6 years

HMRC requirement

Insurance records

7 years

To support any insurance-related queries

Website contact form submissions

12 months (unless you become a client)

To manage initial correspondence

The retention period for therapy records begins from the date of our last session together, not from the date you first contacted me.

3. What Information We Retain

The records I keep may include:

  • Contact details — your name, address, phone number, and email address

  • Session notes — a summary of our therapeutic work together, including themes discussed, interventions used, and progress made

  • Assessment information — any initial assessments, questionnaires, or background information you provide

  • Correspondence — emails, letters, or messages between us relating to your therapy

  • Payment records — invoices, receipts, and records of payments made

  • Consent and agreements — your signed therapy agreement and any consent forms

  • Referral information — details of any referrals made to or from other professionals (with your consent)

I do not keep more information than I need, and I regularly review what I hold to ensure it remains relevant and necessary.

4. How Your Data Is Stored

I take the security of your information seriously and store your data as follows:

Electronic records are held on password-protected devices. Access is restricted to me personally, and in the event of my death or incapacity, to my appointed Clinical Executor.

Paper records are kept in a locked filing cabinet in a secure room within my practice. Only I have access to this cabinet during normal circumstances. In the event of my death or incapacity, my Clinical Executor would have access to ensure your records are handled appropriately.

Who else may have access to your data:

  • Clinical supervisor — I discuss my work in supervision to maintain professional standards. Case material shared with my supervisor is anonymised, meaning your name and identifying details are not disclosed

  • External accountant or bookkeeper — has access to invoice data only for accounting purposes; they do not see your clinical notes or personal details beyond what appears on invoices

  • Administrative help — may have access to calendar and contact details to support appointment scheduling; they do not have access to clinical notes

  • External IT support — may have incidental access to systems during maintenance; they are bound by confidentiality and do not routinely access clinical records

All parties with access to any of your data are bound by confidentiality obligations.

5. Your Right to Request Erasure

Under UK GDPR, you have the right to request that I delete your personal data. However, this right is not absolute.

I may need to retain your records until the end of the applicable retention period where this is required by:

  • Professional guidelines from the UK Council for Psychotherapy (UKCP)

  • Professional indemnity insurance requirements

  • Legal obligations, including the Limitation Act 1980

If you ask me to delete your data before the retention period ends, I will explain clearly why I need to keep it and for how long. Once the retention period has passed, I will securely dispose of your records as described below.

6. Secure Disposal of Records

At the end of the relevant retention period, I dispose of your records securely:

  • Paper records are securely destroyed

  • Electronic records are permanently deleted from all devices and backup systems

I keep a record that disposal has taken place, but this record contains no clinical information — only enough detail to confirm that proper procedures were followed.

7. Clinical Executor Arrangements

I have appointed a Clinical Executor — a fellow therapist bound by professional confidentiality — who would step in to manage client records and communications in the event of my death or incapacity.

If this situation arose, my Clinical Executor would:

  • Contact you to let you know what has happened

  • Offer to help you find alternative therapeutic support if needed

  • Retain your records securely until the end of the applicable retention period

  • Securely destroy your records only after the retention period has ended

This arrangement ensures your confidentiality is protected and your records are handled professionally, even if I am no longer able to do so myself.

8. Questions and Complaints

If you have any questions about how long I keep your data or why, please contact me:

Email: sheena [at] sheenacostello.com
(The email above is shown with [at] in place of @ to reduce spam — please replace [at] with @ when emailing)

If you are not satisfied with my response, you can raise a complaint through the complaints form at: https://sheenacostello.com

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent regulator for data protection:https://ico.org.uk

Cookie Policy

Last updated: 2 July 2026

What are cookies

Cookies are small text files that websites place on your device when you visit them. They help websites remember information about your visit, such as your preferences or whether you are logged in. Cookies can be set by the website you are visiting (first-party cookies) or by other services that provide content on that website (third-party cookies).

Cookies we use

Essential cookies

Essential cookies are necessary for this website to function properly. They enable core features such as page navigation and access to secure areas. These cookies do not collect any personally identifiable information about you, and I cannot switch them off in our systems. You can set your browser to block these cookies, but some parts of the website may not work correctly if you do.

Statistical and analytics cookies

We do not currently use any analytics or statistical cookies on this website. If this changes in the future, I will update this policy and provide you with an easy way to opt out.

Advertising and tracking cookies

We do not use any advertising or tracking cookies on this website.

Cookie consent tool

We do not currently use a cookie consent tool on this website. This is because we only use essential cookies that are strictly necessary for the website to function, which do not require your consent under UK privacy regulations.

Third-party cookies

This website is hosted on Squarespace (Squarespace Inc, USA). Squarespace may set cookies on your device to enable essential website functionality, including security features and load balancing. These are necessary for the website to operate correctly.

For full details of the cookies Squarespace uses, please refer to the Squarespace Cookie Policy.

Where Squarespace transfers data to the USA, appropriate safeguards are in place through Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs), in accordance with UK GDPR Chapter V and the Data (Use and Access) Act 2025.

How to opt out or manage cookies

You can control and manage cookies through your browser settings. Most browsers allow you to:

  • View what cookies are stored on your device and delete them individually

  • Block third-party cookies

  • Block cookies from particular websites

  • Block all cookies from being set

  • Delete all cookies when you close your browser

Please be aware that blocking all cookies may affect your experience on this and other websites.

For detailed instructions on how to manage cookies in different browsers, visit www.aboutcookies.org, which provides comprehensive guidance for all major browsers.

Your rights

Under UK privacy regulations, including the Privacy and Electronic Communications Regulations (PECR) as updated by the Data (Use and Access) Act 2025, you have the right to opt out of statistical and analytics cookies at any time without affecting the core functionality of this website. Since we do not currently use analytics cookies, this right does not need to be exercised at present.

You also have the right to withdraw any cookie consent you have given at any time by adjusting your browser settings.

Updates to this policy

I will update this cookie policy if our use of cookies changes. Any significant changes will be clearly communicated on this website. I encourage you to check this page periodically to stay informed about how cookies are used.

If you have any questions about how this website uses cookies, please contact me at sheena [at] sheenacostello.com (please replace [at] with @ when emailing).

For more information about how HeadStrong Minds handles your personal data, please see our full privacy policy at https://sheenacostello.com

 

Appropriate Policy Document

Sheena Costello – Coaching, Counselling & Psychotherapy

Processing of Special Category Personal Data

Prepared by: Sheena CostelloDate: 2 July 2026Review date: 2 July 2027

1. Purpose of this document

This document is prepared in accordance with Schedule 1, Part 4 of the Data Protection Act 2018 (DPA 2018). It demonstrates that Sheena Costello – Coaching, Counselling & Psychotherapy processing of special category personal data is compliant with the UK GDPR, the DPA 2018, and the Data (Use and Access) Act 2025. This document must be provided to the Information Commissioner's Office (ICO) on request and retained for 6 months after the relevant processing ceases.

2. Description of data processed

Sheena Costello – Coaching, Counselling & Psychotherapy processes the following categories of special category personal data:

  • Mental health information disclosed during therapy sessions

  • Therapy notes and session records

  • Relevant medical history and current medications where disclosed

  • Information relating to emotional wellbeing and psychological functioning

  • Safeguarding information where relevant to client safety

3. Lawful basis and Schedule 1 condition

Article 6 lawful basis: Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us.

Article 9 special category condition: Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional.

DPA 2018 Schedule 1 condition: Part 1, paragraph 2 — health or social care. Processing is carried out by a registered psychotherapist subject to the professional obligation of confidentiality under the UK Council for Psychotherapy (UKCP) Code of Ethics and Professional Practice.

4. Compliance with Article 5 UK GDPR principles

Principle 1 — Lawfulness, fairness and transparency

Processing is lawful under the Article 6 and Article 9 bases set out above. Clients are provided with comprehensive information about how their data is processed through a Privacy Policy and GDPR Statement, available at https://sheenacostello.com  Information is provided in plain English before therapy begins.

Principle 2 — Purpose limitation

Health and mental health data is collected solely for the purpose of providing psychotherapy services. Data is not used for any other purpose without explicit consent or where required by law.

Principle 3 — Data minimisation

Only the minimum data necessary for effective therapeutic work is collected. Session notes record only what is clinically relevant. I do not request information beyond what is needed for the therapeutic relationship.

Principle 4 — Accuracy

Client records are updated when new information is provided. Clients may request correction of any inaccuracies in their records at any time.

Principle 5 — Storage limitation

Client records are retained for 7 years after the final session, in line with the Limitation Act 1980 and standard professional indemnity insurance requirements. Records are securely destroyed after this period ends.

Principle 6 — Integrity and confidentiality (security)

Electronic records are held on password-protected devices. Paper records are kept in a locked filing cabinet in a secure room. Access is restricted to Sheena Costello. Third-party processors are subject to data processing agreements with appropriate security obligations.

Principle 7 — Accountability

This Appropriate Policy Document is maintained as required by Schedule 1, Part 4 of the DPA 2018. Processing activities are documented, and this document is reviewed annually.

5. Retention and erasure policy

DATA TYPE

RETENTION PERIOD

BASIS

Client therapy records

7 years from final session

In line with the Limitation Act 1980 and standard professional indemnity insurance requirements

Financial and invoicing records

6 years from transaction

HMRC legal requirement

Professional indemnity records

7 years

Insurance requirement

Enquiry data (non-clients)

12 months from last contact

Legitimate interests

At the end of the applicable retention period, paper records are securely destroyed and electronic records are permanently deleted.

The right to erasure under Article 17 UK GDPR is not absolute. Where retention is required by professional guidelines, insurance obligations, or law, records must be retained until the end of the applicable retention period before they can be destroyed.

6. Data access and sharing

The following parties may have limited access to client data in specific circumstances:

  • Clinical supervisor: receives anonymised case material only for the purpose of professional supervision; client identity is not disclosed

  • External accountant or bookkeeper: has access to invoice data only for accounting purposes; no access to clinical records

  • Administrative support: has access to calendar and contact details only; no access to clinical notes

  • External IT support: may have incidental access to systems during maintenance; bound by confidentiality obligations

Data is not otherwise shared with third parties except where:

  • The client provides explicit consent

  • Disclosure is required by law

  • There is a serious risk of harm to the client or others

7. Third-party processors

The following third-party services process data on behalf of Sheena Costello – Coaching, Counselling & Psychotherapy:

  • Squarespace (Squarespace Inc, USA) — website hosting

  • Zoom (Zoom Video Communications Inc, USA) — video sessions where applicable

  • High Performance System — practice management

Where data is transferred to the USA, appropriate safeguards are in place through Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs), in accordance with UK GDPR Chapter V and the Data (Use and Access) Act 2025.

8. Safeguards

The following safeguards are in place to protect special category data:

  • Processing is limited to the therapeutic purpose

  • Data is not shared with third parties except where legally required or with explicit consent

  • Clinical supervision discussions use anonymised case material — client identity is not disclosed

  • Processing adheres to the UK Council for Psychotherapy (UKCP) Code of Ethics and Professional Practice, which establishes a professional obligation of confidentiality

  • A Clinical Executor has been appointed who will contact clients and handle records confidentially in the event of my death or incapacity; the Clinical Executor retains records securely until the end of the applicable retention period and securely destroys them only after that period ends

  • ICO registration is maintained as required

  • Clients are informed of their rights and all processing through privacy documentation provided before therapy begins

9. Review

This document is reviewed annually and updated whenever processing activities change materially. It will be retained until 6 months after the relevant processing ceases.

Next review date: 2 July 2027

Signed: Sheena Costello, Sheena Costello – Coaching, Counselling & Psychotherapy

Date: 2 July 2026

This document was prepared in compliance with Schedule 1, Part 4 of the Data Protection Act 2018 and must be provided to the Information Commissioner's Office on request.

 

GDPR Statement

Last updated: 2 July 2026

Our commitment to your privacy

At Sheena Costello – Coaching, Counselling & Psychotherapy, I understand that coming to therapy involves sharing deeply personal information. Protecting your privacy is not just a legal obligation — it is a fundamental part of the trust that makes therapy work. I want you to feel confident that your information is handled with the same care and respect I bring to our sessions together.

This statement explains, in plain terms, what information I collect, why I need it, and how I look after it.

What information I collect

To provide therapy and manage our work together, I collect and keep:

  • Your name and contact details (phone number, email address, postal address)

  • Information about your presenting issues and what brings you to therapy

  • Session notes recording our work together

  • Relevant medical or health history that you share with me

  • Payment information and invoices

Why I collect this information

I need to process your personal information to provide therapy to you. Under data protection law, I rely on:

  • Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us.

Because therapy involves sensitive health-related information, I also rely on:

  • Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional.

  • DPA 2018 Schedule 1, Part 1, paragraph 2 — the health or social care condition.

Professional obligations and supervision

As a registered psychotherapist with the UK Council for Psychotherapy (UKCP), I am required to discuss my clinical work in professional supervision. This is an important part of maintaining high standards of care.

Your identity is protected in supervision: I do not share your name or any identifying details with my supervisor. My supervisor receives only anonymised case material and is bound by their own professional confidentiality obligations.

Clinical will arrangements

I have appointed a Clinical Executor — a trusted fellow professional — who would act on my behalf if I became seriously unwell or died unexpectedly. In such circumstances, my Clinical Executor would contact you to let you know what has happened and to discuss your options for continuing therapy elsewhere if you wished.

My Clinical Executor would handle all client records with the same confidentiality I provide. They would retain records securely until the end of the applicable retention period and securely destroy them only after that period ends, in line with professional and insurance requirements.

Who else may see your information

Beyond myself, the following people may have limited access to your information:

  • Clinical supervisor — receives anonymised case material only; does not know your identity

  • External accountant or bookkeeper — sees invoice data only for accounting purposes

  • Administrative help — has access to calendar and contact details to help manage appointments; does not see clinical notes

  • External IT support — may have incidental access during system maintenance; bound by confidentiality

I also use the following service providers to run my practice:

  • Squarespace — hosts my website

  • Zoom — for online therapy sessions

  • High Performance System — for practice administration

These providers process limited data on my behalf. Where services are based outside the UK (such as Squarespace and Zoom in the USA), appropriate safeguards are in place including Standard Contractual Clauses or International Data Transfer Agreements, as required by UK GDPR and the Data (Use and Access) Act 2025.

I may also be required to share information with statutory authorities where legally obliged to do so.

When I might need to break confidentiality

Confidentiality is central to our work, but there are rare situations where I may need to share information without your consent:

  • If I believe there is a serious risk of harm to you or someone else

  • If there are child or vulnerable adult safeguarding concerns

  • If ordered to do so by a court of law

Wherever possible, I will discuss any such situation with you first.

How long I keep your records

I retain your records for 7 years after our last session, in line with the Limitation Act 1980 and standard professional indemnity insurance requirements.

At the end of this period, paper records are securely destroyed and electronic records are permanently deleted.

Your rights

You have rights over your personal information. In straightforward terms, you can:

  • See your records — ask me for a copy of the information I hold about you

  • Correct errors — let me know if something is inaccurate and I will put it right

  • Request deletion — ask me to delete your information, although this right is not absolute; I may need to retain records until the end of the retention period where required by professional guidelines, insurance, or law

  • Raise concerns — speak to me if you are unhappy about how I have handled your information

Making a complaint

If you have concerns about how I handle your data, please speak to me first. You can contact me at:

Email: sheena [at] sheenacostello.com (replace [at] with @ when emailing)

Compliance information:https://sheenacostello.com

Under the Data (Use and Access) Act 2025, you also have the right to complain directly to me or to the Information Commissioner's Office:

ICO website: ico.org.uk

ICO helpline: 0303 123 1113