This privacy policy explains how and why I, Donato Giuseppe Leo (the hypnotherapist), collect any personal information about you (the client). This may be via the social media contact page(s), during the hypnotherapy sessions you attend, by text and/or by email. It explains how I use this information, who I share it with, your rights regarding personal information that I hold, who to contact in the event that you want to raise a complaint, as well as detailing other issues. The basis on which I collect this data is that of “legitimate interest”, which means that this data is necessary for me to fulfill the contract that we have together (provide hypnotherapy), and that it is data that you would reasonably expect me to hold and use.

About Me

I am a sole trader and data controller of the information I hold and process about individuals who have expressed an interest in my hypnotherapy services. I am a member of the Professional Hypnotherapy Practitioner Association (PHPA) and adhere to their code of ethics. 

I am registered as Data controller with the Information Commissioner’s Office (ICO). All privacy & data protection policies and practices are in line with the General Data Protection Regulation (GDPR) and follow the ICO guidance.

What information I collect

I collect the following information:

1. Address, email address, phone number: to contact you regarding your hypnotherapy sessions. Your contact details/address will only be used with your explicit consent. You can let me know your preferred method of communication (e.g., by phone or by email) during our initial session. 
2. GP details: I may need to contact your GP if I am worried that you were at risk of serious harm. Where possible, I will discuss this with you first. If you were to become ill during your session, then  I may also need to contact your GP or 111. Your GP details will only be used with your explicit consent. 
3. Emergency contact details: in the event that you become ill during your session, I will need to contact a person close to you that can provide assistance. Your emergency contact details will only be used with your explicit consent. 
4. What you want to achieve during the hypnotherapy sessions. To tailor the hypnotherapy plan to your needs and objectives.
5. A limited amount of relevant medical information (current medical conditions/medication/disabilities): to help me work safely with you. 
6. Brief session notes: to monitor the progress of the hypnotherapy sessions and make amendments where necessary. These are anonymised with your unique client code and do not include your name.

I collect information about you when you contact me via email, my social media page(s) or telephone. I also collect information about you during the hypnotherapy sessions I conduct with you.

Why I need a record of this information

I collect personal information about you, your background, your lifestyle, and your health, in order to provide you with hypnotherapy sessions that are tailored to your needs. Your requesting hypnotherapy and my agreement to provide hypnotherapy constitutes a contract. You can refuse to provide this information but if you were to do that, I would be unable to provide my hypnotherapy services to you. I have a “Legitimate Interest” in collecting this personal information because without it I could not do my job well or safely.

I also have a “Legitimate Interest” to use your personal information to respond to your requests for information related to my hypnotherapy sessions, to provide you with information as part of the hypnotherapy plan, to confirm with you details of your hypnotherapy sessions, and to update you on any matters related to your hypnotherapy sessions.

I may ask for details of your medical history and current medical conditions. This information is regarded as special category data and the basis for collecting it is defined by the General Data Protection Regulation (GDPR), Article 9, paragraph 2. This sensitive information is kept only for treatment (hypnotherapy), legal and insurance purposes and will not be shared with third parties unless legally required to do so. 

Your rights

You have the following data protection rights:

1. The right to access or update the information I have on you. You have the right to access your personal data and supplementary information. Following a request, I will provide all the data about you that I have on file within 30 days (unless this is not possible due to holidays, illness, or other unforeseen circumstances).
2. The right of rectification. If the data I hold about you is incorrect, inaccurate or incomplete, you can request that I correct it. Following a request, I will correct all the data about you that I have on file within 30 days (unless this is not possible due to holidays, illness, or other unforeseen circumstances).
3. The right to delete the information that I have on you. You can request that I delete or remove your personal data where there is no compelling reason for me to continue processing it. Following a request, I will permanently delete any computer records and destroy any paper records (using a cross shredding machine) as soon as possible (and within 30 days from the date of the request, unless this is impossible due to holidays, illness, or other unforeseen circumstances). Please note that I must save the deletion request you made.
4. The right to object. You have the right to object to me processing your data under certain circumstances. For example, you can object to: a)Direct marketing (including profiling). I do not engage in these activities; b)Processing for purposes of scientific/historical research and statistics; c)Automated decision making (including profiling). I do not engage in these activities.
5. The right of restriction.You have the right to request that I cease processing your data if: a)You consider it inaccurate or incomplete. This would usually be a temporary measure before the correction/update of any errors in the data provided, or before the erasure of such data; b)You object to processing it (except if I still have a legitimate interest to process it).
6. The right to data portability. Where you have consented to me processing your data, or where the processing is necessary for me to deliver a contract (my hypnotherapy service), you can request a copy of your data to be provided to a third party in electronic format. Following a request, I will provide to complete it within 30 days (unless this is not possible due to holidays, illness, or other unforeseen circumstances).
7. The right to withdraw consent. You have the right to withdrawn any given consent for processing your personal data at any time; however this may prevent me continuing the delivery of my hypnotherapy services to you.

You may exercise any of your right in relation to your personal data by sending a written notice to me at this email address: info@donatoleo.co.uk 

Data storage and retention

All paper documents are stored in a locked cabinet. Electronic documents are password protected and stored on a password protected computer. My work phone (e.g, for text messages) is secured with a pin code, and my email account is protected by password.

I will keep your personal data for no longer than necessary for the purposes of providing my service to you and to fulfil my obligations for financial and insurance record keeping (and for any other legal requirement). This period is usually of seven years following the completion of the hypnotherapy service with me. After this period all your paper records will be shredded with a cross shredding machine. Any electronic data such as emails, text messages and contact forms will be permanently deleted from the device they are stored on. 

Confidentiality 

Everything we discuss during the sessions remains strictly confidential between us both. On occasion I may choose to share and discuss anonymous case studies for the purpose of continued professional development, supervision or training. During these discussions I will not disclose any identifying details about you.

Also, if you were to make a complain about me to my professional body, I would be entitled to share your notes to them in order to comply with any investigation procedure.

I am only able to contact Health and Social Care providers with your written consent. In the event that I write to your GP, to notify them that you are receiving hypnotherapy and then when the hypnotherapy ends, I would require your consent in line with GDPR regulations. The only exception would be if I believed that you were about to harm yourself or others. In this case I would be required to inform the relevant authorities as part of my ‘Duty of Care’. However, I would make every effort to discuss this with you before taking any action. Legally, I would also have to provide information to the police as set out in a warrant or court order, should the situation arise.

What if we meet away from the hypnotherapy sessions?

I am obliged by GDPR to protect your confidentiality. For this reason, although I will acknowledge you, it would be appropriate to avoid conversation.

I do not search for you on social media. I have a public profile on social media, where I advertise my hypnotherapy services. You are free to follow my public profile, if you wish to. If you contact me via social media about info on the hypnotherapy services that I offer, then I will reply to you only in function of this. Please if you decide to contact me on social media only use the private message function: do not disclose any personal information by posting or commenting on my public social media page(s). Communication, engagement and actions taken through external social media platforms in which I participate on rely to the terms and conditions as well as the privacy policies held with that specific social media platform. I will never ask for personal or sensitive information through social media platforms. 

Marketing

I do not hold or keep records/databases of your personal information as a means of targeting customers with leaflets or using e-mail marketing. Neither contact details nor personal information are shared, nor passed on to third parties for marketing purposes.

Links to other websites

This website may contain links to other websites (including social media). This Privacy Policy does not apply to other websites. I have no control over how your personal information is collected, stored or used by other websites. You should check the privacy policies of other websites before you provide personal information through them.

Cookies

This website uses first party analytics cookies. Cookies are used to store information including the pages on the website that the visitor accessed or visited. The purpose of the information collected by these files is for analysing trends, administering the site and tracking users’ movement on the website.

The information collected by cookies include the internet protocol (IP) address used to connect your device to the internet, your browser type and version, your operating system and other technology you use to access this website, your Internet Service Provider (ISP), and date and time stamp. The cookies also collect information about your visit, including what you click on, pages you view, page response times, download errors, length of visit to certain pages, and methods used to browse away from the page. These are not linked to any information that is personally identifiable.

You can choose to disable cookies through your individual browser options. More information on how to do this can be found on the dedicated support page of the browser you are using. 

Note that if you block cookies, some features of this website may not work properly.

Other issues

If there is any breach of data security I will give full details to the Information Commissioner’s Office (ICO) and to any person affected within 72 hours of the breach, and will do all possible to minimise any potential impact.

This privacy note may be updated when important changes are required. Please check for updates. This privacy note was reviewed on 30 September 2024.

The data controller is Donato Giuseppe Leo. Contacts: info@donatoleo.co.uk 

Complaints Policy

If a complaint occurs, then I will attempt to resolve the situation by asking to discuss it with you. Although I do realise that in some circumstances you might prefer to contact my professional body, the PHPA, directly: https://www.phpa-online.org/pages/phpaComplaintProcedure.php 

You can also raise a complain contacting  the Information Commissioner’s Office (ICO) if you think there is a problem with the way I am handling your data: https://ico.org.uk/make-a-complaint/ 

How to contact me

Please contact me if you have any questions about this privacy note or information I hold about you. Please email: info@donatoleo.co.uk