Privacy Policy
Last updated 04/07/2026
Introduction
What Data We Collect
We collect and process the following categories of personal data:
- Account Information: Your name, email address, and password (stored in hashed form).
- Payment Information: We do not store your bank details. All instant bank payments and Direct Debit collections are processed securely by GoCardless, our payment partner.
- Usage Data: Information about how you interact with our platform, such as session attendance and resource access.
- Communications: Emails and messages you send to us, including support requests.
- Technical Data: IP address, browser type, and device information for security and analytics purposes.
How We Use Your Data
We use your personal data for the following purposes:
- To create and manage your member account.
- To process your membership subscription and payments via GoCardless.
- To send you session reminders, resource updates, and membership communications.
- To respond to your enquiries and provide customer support.
- To maintain the security and integrity of our platform.
- To comply with legal obligations.
Legal Basis for Processing
How We Store & Protect Your Data
Your data is stored securely using industry-standard encryption and access controls. We use Lovable Cloud for our backend infrastructure, which provides enterprise-grade security, including encrypted data at rest and in transit.
We retain your personal data only for as long as necessary: account data is kept for the duration of your membership plus up to 6 years for legal and tax purposes, after which it is securely deleted or anonymised.
Data Sharing & Third Parties
We do not sell your personal data. We only share data with trusted third parties when necessary:
- GoCardless: For processing instant bank payments and Direct Debit collections. Your bank details are handled directly by them.
- Microsoft Teams: For hosting group sessions. Only your name and email are used for session access.
- Service Providers: Trusted vendors who help us operate our platform, bound by strict confidentiality agreements.
Your GDPR Rights
Under UK GDPR, you have the following rights:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Data Portability: Request your data in a structured, commonly used format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
Requesting Account Deletion
You can request deletion of your account and associated personal data at any time. To do so:
- Log in to your Maintained Mind dashboard and use the account settings.
- Or email us at kim@online-psychotherapist.com with the subject "Account Deletion Request."
We will process your request within 30 days and confirm once your data has been deleted, except where we are legally required to retain certain records.
How to Make a Subject Access Request
Under UK and EU GDPR, you have the right to request a copy of the personal data we hold about you (a Subject Access Request, or SAR). To make a request:
- Email kim@online-psychotherapist.com with the subject line "Subject Access Request."
- Include your full name, the email address associated with your account, and a brief description of the information you would like to receive.
- We may ask you to verify your identity before we disclose any data, to protect your information.
We will respond within one month of receiving your request. If your request is particularly complex, or you make several requests, we may extend this period by up to a further two months. We will let you know within the first month if this is the case and explain why.
There is no fee for a Subject Access Request, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline the request.
Raising a Complaint
If you believe we have not handled your personal data correctly, or you are unhappy with how we have responded to a request about your rights, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Online complaints form: ico.org.uk/make-a-complaint
If you are based in the EU, you may also lodge a complaint with the supervisory authority in your country of residence. We would encourage you to contact us first so we can try to resolve any concerns directly.
Cookies & Tracking
Changes to This Policy
Contact Us
If you have any questions about this Privacy Policy, how to exercise your data protection rights, or how to raise a complaint, please contact us:
