In short: I only collect the information I need to offer you safe, effective therapy and to run the practice properly. I never sell your data. What you share in sessions is confidential, with the narrow legal and safeguarding exceptions set out below. You can ask to see, correct or delete your data at any time.
Who I am — the data controller
This website (therapyinmarlow.co.uk) and the therapy practice it represents are operated by Keeley Taverner, trading as Key for Change (“I”, “me”, “the practice”). For the purposes of UK data protection law, Key for Change is the data controller for the personal data described in this policy.
I am registered with the Information Commissioner’s Office (ICO), registration reference ZA151838, and I am a BACP Accredited psychotherapist bound by the BACP Ethical Framework for the Counselling Professions. This policy applies only to data collected by Key for Change through this website and the practice’s own forms and channels. Third-party sites linked from here have their own privacy policies, which are outside my control.
“Therapy in Marlow” is a trading name of Key for Change — they are the same practice and the same data controller. This policy applies equally regardless of whether you found me via therapyinmarlow.co.uk, keyforchange.com, or any other trading name I use.
The information I collect
When you communicate with me — through the website enquiry form, WhatsApp, phone, or in the course of therapy — you voluntarily provide information that I collect and process. I also use a small number of website technologies (see Cookies & analytics) that collect limited information automatically. The information I hold may include:
- Contact & enquiry details — your name, telephone number, email address, the area you live in, your preferred way of being contacted, and the content of any message you send me.
- Assessment & session information — once you begin working with me, relevant details about your personal, social, medical, financial and family circumstances, your history and the issues you bring to therapy. This is necessary to provide a safe, competent service.
- Special-category (health) data — information about your mental and physical health sits in a protected category under Article 9 of the UK GDPR. I treat it with particular care and only process it where the law specifically allows (see Lawful basis below).
- Financial information — records of fees, payments and receipts. Card payments are handled by my payment provider; I do not store your full card details.
- Website usage data — anonymous, aggregated statistics about how visitors use the site (pages viewed, approximate region, device type), collected via analytics if you consent to non-essential cookies.
Lawful basis for processing
Under UK GDPR I must have a lawful basis for processing your personal data. Depending on the situation I rely on one or more of the following:
- Consent — for example, when you submit an enquiry, join a mailing list, or agree to non-essential cookies. You can withdraw consent at any time.
- Contract — to provide the therapy services you have asked for and to administer our working agreement.
- Legitimate interests — to run the practice responsibly (for example, keeping accurate records, responding to enquiries, and seeking occasional feedback), balanced against your rights and freedoms.
- Legal obligation — where I am required to keep or disclose information by law.
For special-category health data, I additionally rely on Article 9(2)(h) of the UK GDPR (the provision of health and social care and treatment by, or under the responsibility of, a professional bound by a duty of confidentiality), and/or your explicit consent, and the safeguarding conditions in the Data Protection Act 2018 where someone may be at risk of harm.
How I use your information
I use the information I collect to:
- respond to your enquiry and arrange a free introductory call;
- provide professional therapy and offer suitable appointment times;
- let you know about appointment or service changes;
- keep accurate, confidential clinical and supervision records as required by my professional body and my indemnity insurer;
- manage payments, receipts and the financial running of the practice;
- occasionally ask for feedback so I can improve the service;
- keep in touch about the practice where you have asked me to.
Confidentiality — and its limits
What you share with me in therapy is confidential. I will not discuss it outside our sessions except as set out here. As a BACP Accredited therapist I receive regular clinical supervision, in which client material is discussed anonymously to keep my practice safe and effective — my supervisor will not know your identity.
There are a small number of situations where I may need to break confidentiality — always, where possible, after talking it through with you first.
Those exceptions are limited to:
- where there is a serious and imminent risk of harm to you or to another person (including a child or vulnerable adult);
- where I am required to disclose information by law or by order of a court;
- certain disclosures required under UK terrorism, money-laundering or safeguarding legislation.
Outside these exceptions, I will only share information about you with someone else — such as your GP or another professional — with your consent.
Who I share your information with
I do not sell your personal data, and I do not share it with organisations outside the practice unless you have consented, I am legally obliged to, or it is necessary to deliver the service you have asked for. To run the practice I use a small number of trusted service providers who process data on my behalf under appropriate data-processing agreements, including:
- Client & enquiry management — a secure CRM platform (GoHighLevel) that receives website enquiries and helps me manage appointments and communications.
- Website hosting & security — providers who host the website and keep encrypted backups.
- Communications — phone, secure video and messaging services (including WhatsApp) used to arrange and deliver sessions.
- Payments — a regulated payment provider that processes card transactions.
- AI-assisted session summaries — for some coaching sessions, with your explicit prior permission, I use an AI tool to help generate a written summary of action points discussed. Client names and other directly identifying details are not included in what is shared with this tool; only the substance of the session (e.g. topics discussed, action points) is used to produce the summary, which I review before sending it to you.
- Analytics & advertising — where you consent, providers such as Google and Meta may process anonymous or pseudonymous usage data (see Cookies).
Some of these providers may process data outside the UK or European Economic Area. Where that happens, I take steps to ensure your data is protected by safeguards recognised under UK data protection law (such as adequacy regulations or standard contractual clauses).
How I keep your information safe
I take the security of your information seriously. Any paper records and correspondence are kept in locked storage on secure premises. Electronic records are held on reputable cloud services protected by up-to-date firewalls, encryption and password-controlled access, with restricted access limited to what is necessary.
No transmission of information over the internet can ever be guaranteed completely secure. While I use industry-standard protocols and encryption to protect your data, I cannot guarantee the security of information you choose to send me by ordinary email or message — please bear that in mind when sharing anything sensitive, and tell me if you would prefer a more secure channel.
How long I keep your information
I keep personal data only for as long as necessary for the purposes set out above and to meet my legal and professional obligations. Clinical records for adult clients are generally retained in line with professional and insurance guidance (typically up to seven years after our work ends; longer for records relating to people who were under 18 at the time). Enquiry details from people who do not go on to become clients are kept only for a short period and then securely deleted. Once data is no longer needed, it is securely destroyed or anonymised.
Your rights
Under UK data protection law you have the right to:
- be informed about how your data is used (this policy);
- request a copy of the personal data I hold about you;
- ask me to correct information that is inaccurate or incomplete;
- ask me to erase your data, where there is no overriding legal or professional reason to keep it;
- object to, or ask me to restrict, certain processing;
- withdraw consent at any time (note that withdrawing consent necessary for your care may mean I can no longer continue active therapy);
- data portability, where applicable.
There is normally no charge to exercise these rights, and I will respond within one month. To make a request, please use the contact page or message me on WhatsApp.
Cookies & analytics
Cookies are small files placed on your device when you visit a website. This site uses only what it needs to work, plus — with your consent — a small number of analytics and marketing cookies:
- Essential cookies — needed for the site to function and to remember your cookie preferences.
- Analytics — Google Analytics collects anonymous, aggregated data about how the site is used so I can improve it.
- Marketing — tools such as the Meta (Facebook/Instagram) pixel may be used to measure and tailor relevant content where you have consented.
You can control or delete cookies through your browser settings at any time. Blocking some cookies may affect how parts of the site work.
Children’s privacy
This website and service are intended for adults. I do not knowingly collect personal data from children through this website. Where I work with a young person, this is arranged directly and with the appropriate consent of a parent or guardian.
Changes to this policy
I may update this policy from time to time. If I make a significant change, I will post a prominent notice on the website. The “last reviewed” date at the top of this page shows when it was most recently updated.
How to contact me & how to complain
If you have any questions about this policy, want to exercise your rights, or wish to raise a concern about how your data has been handled, please get in touch via the contact page or by WhatsApp, or write to me at:
Key for Change (Keeley Taverner)
The Courtyard, 60 Station Road
Marlow, Buckinghamshire SL7 1NX
I hope to resolve any concern directly. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection, at ico.org.uk or on their helpline 0303 123 1113.