Legal

Privacy Policy

Last updated 04/07/2026

Introduction

Maintained Mind is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website and services. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What Data We Collect

We collect and process the following categories of personal data:

  • Account Information: Your name, email address, and password (stored in hashed form).
  • Payment Information: We do not store your bank details. All instant bank payments and Direct Debit collections are processed securely by GoCardless, our payment partner.
  • Usage Data: Information about how you interact with our platform, such as session attendance and resource access.
  • Communications: Emails and messages you send to us, including support requests.
  • Technical Data: IP address, browser type, and device information for security and analytics purposes.

How We Use Your Data

We use your personal data for the following purposes:

  • To create and manage your member account.
  • To process your membership subscription and payments via GoCardless.
  • To send you session reminders, resource updates, and membership communications.
  • To respond to your enquiries and provide customer support.
  • To maintain the security and integrity of our platform.
  • To comply with legal obligations.

Legal Basis for Processing

Under UK GDPR, we process your data on the basis of: (1) contract performance — to fulfill our agreement with you; (2) legitimate interests — to run and improve our service; (3) legal obligation — where required by law; and (4) consent — where you have explicitly agreed, such as for marketing emails.

How We Store & Protect Your Data

Your data is stored securely using industry-standard encryption and access controls. We use Lovable Cloud for our backend infrastructure, which provides enterprise-grade security, including encrypted data at rest and in transit.

We retain your personal data only for as long as necessary: account data is kept for the duration of your membership plus up to 6 years for legal and tax purposes, after which it is securely deleted or anonymised.

Data Sharing & Third Parties

We do not sell your personal data. We only share data with trusted third parties when necessary:

  • GoCardless: For processing instant bank payments and Direct Debit collections. Your bank details are handled directly by them.
  • Microsoft Teams: For hosting group sessions. Only your name and email are used for session access.
  • Service Providers: Trusted vendors who help us operate our platform, bound by strict confidentiality agreements.

Your GDPR Rights

Under UK GDPR, you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.
  • Right to Restrict Processing: Request that we limit how we use your data.
  • Right to Data Portability: Request your data in a structured, commonly used format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

Requesting Account Deletion

You can request deletion of your account and associated personal data at any time. To do so:

  1. Log in to your Maintained Mind dashboard and use the account settings.
  2. Or email us at kim@online-psychotherapist.com with the subject "Account Deletion Request."

We will process your request within 30 days and confirm once your data has been deleted, except where we are legally required to retain certain records.

How to Make a Subject Access Request

Under UK and EU GDPR, you have the right to request a copy of the personal data we hold about you (a Subject Access Request, or SAR). To make a request:

  1. Email kim@online-psychotherapist.com with the subject line "Subject Access Request."
  2. Include your full name, the email address associated with your account, and a brief description of the information you would like to receive.
  3. We may ask you to verify your identity before we disclose any data, to protect your information.

We will respond within one month of receiving your request. If your request is particularly complex, or you make several requests, we may extend this period by up to a further two months. We will let you know within the first month if this is the case and explain why.

There is no fee for a Subject Access Request, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline the request.

Raising a Complaint

If you believe we have not handled your personal data correctly, or you are unhappy with how we have responded to a request about your rights, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)

If you are based in the EU, you may also lodge a complaint with the supervisory authority in your country of residence. We would encourage you to contact us first so we can try to resolve any concerns directly.

Cookies & Tracking

We use essential cookies/LocalStorage for session persistence to maintain your session and ensure the platform functions correctly. We do not use third-party tracking cookies or advertising pixels. You can manage cookie preferences through your browser settings.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by email or via the dashboard. The "Last updated" date at the top of this page indicates when the policy was last revised.

Contact Us

If you have any questions about this Privacy Policy, how to exercise your data protection rights, or how to raise a complaint, please contact us:

Email: kim@online-psychotherapist.com