Privacy and Data Protection Policy
Effective Date: 13th of October 2024
Last Update: 25th of October 2025
At Tiffany Leung Psychological Services, your privacy and the security of your personal information are of utmost importance.
This Privacy and Data Protection Policy explains how your personal data is collected, used, stored, and protected in accordance with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018
- Professional ethical standards of the Health and Care Professions Council (HCPC) and the British Psychological Society (BPS)
By using this website and engaging in therapy, supervision, or coaching services, you consent to the processing of your data as outlined below. A brief summary of this policy is included in the Therapy Agreement Summary provided before the first session.
1. Information We Collect
We collect and process personal data that is necessary for providing psychological services and fulfilling our legal and ethical responsibilities.
Personal Information
- Full name, date of birth, gender, contact details (email, phone, address), and emergency contact.
Health and Therapy Information
- Information shared during the intake process or therapy sessions, including mental health history, presenting issues, and clinical notes.
Financial Information
- Payment information (e.g., Stripe/Wix Payments details).
Technical Information
- Website usage data, IP address, and cookies (see Cookies Policy).
Communication Records
- Messages exchanged via email, text, WhatsApp, or WeChat (if used for initial contact or administrative coordination only). These are not used for therapeutic work and are stored securely in compliance with GDPR.
2. How We Use Your Data
We process personal data for the following purposes:
- To provide, manage, and evaluate psychological services.
- To schedule, confirm, and administer appointments.
- To communicate about therapy sessions or related matters.
- To issue invoices and process payments.
- To comply with professional, ethical, and legal obligations (e.g., record-keeping, safeguarding).
- To maintain website security and functionality.
- Cross-border Service Provision: For clients based outside the UK (e.g., EU, Hong Kong, or Mainland China), data processing complies with international transfer safeguards (see Section 9).
3. Legal Basis for Processing Your Data
Processing of data occurs under the following legal bases:
- Consent: When you explicitly consent to data collection (e.g., through the website form or cookies).
- Contract: To deliver agreed services such as therapy or supervision.
- Legal Obligation: To comply with UK legal, tax, or professional record-keeping requirements.
- Legitimate Interest: For communication, service improvement, or risk management, provided such use respects your rights and confidentiality.
- Vital Interests: When necessary to protect life or prevent serious harm.
4. How We Protect Your Data
We implement strong technical and organisational measures to prevent unauthorised access or disclosure of personal information.
- Encryption: Data is encrypted during transfer (SSL/TLS) and stored securely on encrypted servers managed by Wix and other GDPR-compliant platforms.
- Access Control: Access to client data is restricted to Dr Tiffany Leung and authorised administrative support (if any).
- Device Security: All devices used for communication are password-protected and use up-to-date antivirus and encryption software.
- Regular Review: Security systems and data protection practices are reviewed annually or when new technologies are introduced.
- Communication Platform Safeguards:
  - Zoom: All therapy sessions are conducted via secure, password-protected Zoom links. Sessions are not recorded unless explicitly agreed in writing. Zoom is used as the standard telehealth platform because it provides end-to-end encryption, password-protected access, and compliance with NHS Digital and UK GDPR security standards.
  - Text/WhatsApp: Used only for practical coordination (e.g., scheduling). Sensitive or clinical information will not be discussed via these apps.
  - WeChat: May be used for clients located in Mainland China when no other platform is accessible. Clients using WeChat acknowledge that data transmitted via WeChat may be subject to local data regulations outside the UK’s GDPR protection. A separate Data Protection Impact Assessment (DPIA) applies to WeChat use, and clients will receive written consent documentation before use.
For details about how clinical information and therapy records are handled, please also refer to the Confidentiality Policy.
5. Data Retention
- Personal data is retained only as long as necessary to fulfil service purposes and legal obligations.
- Clinical records are stored securely for 7 years after the last session (or until the client reaches age 25 if under 18 at the time of therapy).
- Financial records are retained for at least 6 years for accounting compliance.
- After this period, data is permanently deleted or securely destroyed.
- Backup and Cloud Storage: Electronic files (notes, invoices, correspondence) are stored on encrypted, GDPR-compliant cloud servers (e.g., Wix, Google Workspace, or similar). No data is stored on unencrypted personal devices.
- Wherever possible, data is stored within the UK or EEA. When data is processed outside these regions, Standard Contractual Clauses (SCCs) or equivalent safeguards are used to ensure GDPR-level protection.
6. Sharing Your Data
Your data will never be sold or shared with unauthorised third parties.
Limited data may be shared only when necessary for:
- Payment Processing: via secure platforms such as Wix Payments.
- IT/Hosting Services: providers offering GDPR-compliant technical support.
- Legal or Ethical Requirements: if disclosure is required by court order, safeguarding duty, or professional regulation.
All third-party processors have signed data processing agreements ensuring compliance with UK GDPR standards.
7. Your Rights
Under the UK GDPR, you have the right to:
- Access your personal data.
- Request correction of inaccuracies.
- Request deletion of data (where legally permissible).
- Restrict or object to data processing.
- Request data transfer in machine-readable format.
- Withdraw consent at any time (where consent applies).
Requests can be made by email to admin@tiffany-leung.com and will be addressed within 30 calendar days.
8. Cookies Policy
Our website uses cookies to improve functionality and user experience.
- Essential Cookies: enable secure website operation.
- Analytics Cookies: track anonymous usage data to improve content.
You may disable cookies via browser settings, but this may affect certain features.
For more information, please refer to our Cookies Policy.
9. Data Transfers Outside the UK
Your data may occasionally be transferred to or accessed from outside the UK (e.g., via Wix servers or clients based internationally). Data is hosted within the UK/EEA where possible; SCCs apply otherwise.
Such transfers comply with GDPR standards through Standard Contractual Clauses (SCCs) or equivalent safeguards.
- For Mainland China Clients (WeChat use): WeChat operates under data governance laws that differ from UK GDPR. While reasonable steps are taken to protect confidentiality, Dr Leung cannot fully guarantee equivalent data protection. Clients using WeChat will receive and sign a specific WeChat Consent and DPIA Notice outlining potential risks and boundaries of use.
10. Changes to this Policy
This policy may be updated periodically to reflect legal, technological, or service-related changes.
Updates will be published on this website, and significant changes will be communicated by email. Continued use of services constitutes acceptance of the updated policy.
11. Contact Information
If you have any questions or concerns about how your data is handled, please contact:
Email: admin@tiffany-leung.com
Phone: 0161 850 3557
If your concern is not resolved, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.
