Privacy policy

Portals Hypnotherapy | Data Controller: Katharina Thiel

Last updated: April 2026. This policy may be updated at any time, please check back regularly.

How will my data be processed and stored?

Portals Hypnotherapy operates in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and is registered with the Information Commissioner's Office (ICO). These laws exist to protect your rights as an individual and to ensure that any personal data you share is handled privately, securely, and only in ways you would reasonably expect.

Your personal data includes anything that can identify you: your name, contact details, the reason you sought hypnotherapy, session notes, and any communications between us.

Why do we collect your information?

In order to provide you with effective, consistent support, Portals Hypnotherapy collects the following:

  • What you would like to achieve through hypnotherapy

  • Relevant medical background

  • Brief session notes

  • Your contact details

  • Your GP's contact details

  • Some basic information about the people important to you

This information allows Portals Hypnotherapy to maintain continuity across sessions and refer back to previous discussions. Your contact details and your GP's details will only be used with your explicit consent, unless a safeguarding concern arises (see below).

What is the lawful basis for processing my data?

Under UK GDPR, Portals Hypnotherapy must have a lawful basis for processing your personal data. Depending on the purpose, the following bases apply:

  • Contract Processing your data is necessary to provide the hypnotherapy service you have engaged.

  • Legal obligation Portals Hypnotherapy is required by law and by its insurance and professional membership bodies to retain your records for a minimum period after your final session.

  • Legitimate interests Portals Hypnotherapy may discuss elements of your sessions with a clinical supervisor to ensure you receive the most effective support. No identifying information about you will be disclosed. The supervisor is also ICO-registered and GDPR-compliant.

  • Consent Where Portals Hypnotherapy needs to contact your GP or other health professionals on your behalf, your written consent will always be obtained first. The only exceptions are where a safeguarding concern or legal requirement applies (see below).

How long will my information be held?

As an ICO member, Portals Hypnotherapy follows ICO and NHS guidelines on data retention:

  • Adults: records are held for 8 years after your final session.

  • Children: records are held until the individual's 25th birthday.

  • Young adults whose treatment ends at age 17: records are held until their 26th birthday.

  • Client records are destroyed in the January following the applicable date above.

Can I request early deletion of my data?

Due to the nature of the service provided, Portals Hypnotherapy's insurers advise that client data cannot be deleted before the minimum retention period has elapsed. This is a legal and professional safeguarding requirement, not a discretionary decision.

What are my rights under UK GDPR?

You have the following rights in relation to your personal data:

  • Right of access — You can request a copy of the data Portals Hypnotherapy holds about you. Requests must be made in writing specifying the data you wish to see. You will receive a response within 30 days at no charge. Portals Hypnotherapy will verify your identity before sending any information. Please note that the insurer's legal team may review information before it is released.

  • Right to rectification — If any information held about you is inaccurate or incomplete, you can request that it be corrected.

  • Right to restriction — In certain circumstances, you can ask Portals Hypnotherapy to limit how your data is used while a concern is being resolved.

  • Right to object — You have the right to object to processing based on legitimate interests. Portals Hypnotherapy will consider your objection and respond accordingly.

  • Right to erasure — You have the right to request deletion of your data. As noted above, this right is limited during the mandatory retention period by legal and insurance obligations.

  • Right to lodge a complaint — If you have concerns about how your data is being handled, you have the right to complain directly to the ICO at ico.org.uk or by calling 0303 123 1113.

How is my information kept secure?

  • Text messages — The Portals Hypnotherapy work phone is secured by Face ID and device encryption.

  • Email and electronic records — Electronic records are stored in double-password-protected, encrypted software. The email account requires two-factor authentication (2FA).

Are my sessions confidential?

Everything discussed during your sessions remains strictly confidential. The only circumstances under which confidentiality may be limited are:

  • Clinical supervision — Portals Hypnotherapy discusses cases with a clinical supervisor to ensure effective practice. No identifying details about you are shared.

  • Safeguarding — If Portals Hypnotherapy has serious concern that you or someone else is at risk of harm, it has a duty of care to inform the relevant authorities. Where possible, this would be discussed with you first.

  • Legal requirement — Portals Hypnotherapy is required by law to provide information to the police if presented with a valid warrant or court order.

What if I see my hypnotherapist outside of a session?

In order to protect your confidentiality, Portals Hypnotherapy may acknowledge you but will not initiate any conversation about your therapy in a public or social setting. If you choose to discuss your therapy with others, that is entirely your decision.

Will my data be shared with other health professionals?

Portals Hypnotherapy will only contact other health or social care professionals with your written consent, for example, to notify your GP that you have begun or concluded a course of hypnotherapy. The exceptions are safeguarding situations and legal obligations, as described above.

Does Portals Hypnotherapy transfer data outside the UK?

Portals Hypnotherapy uses a small number of third-party services to operate securely and efficiently. Some of these providers are based in the United States, which means your data may be transferred outside the UK. Where this occurs, Portals Hypnotherapy ensures that appropriate safeguards are in place, specifically Standard Contractual Clauses (SCCs) approved by the ICO. The services used are:

Calendly (appointment scheduling) — US-based; transfers protected by UK SCCs.

Google Workspace (email and record storage) — US-based; transfers protected by UK SCCs.

Squarespace (website) — US-based; transfers protected by UK SCCs and the UK Extension to the EU-US Data Privacy Framework.

IONOS (domain and email hosting) — EU/UK-based; data remains within the UK/EEA.

Each of these providers has a Data Processing Agreement in place. You can request further information about any of these arrangements by contacting Portals Hypnotherapy directly.

Cookies and website data

The Portals Hypnotherapy website (portalshypnotherapy.com / .co.uk) is hosted on Squarespace, which uses cookies to support basic website functionality and analytics. A cookie banner is displayed on the site, and non-essential cookies will only be activated with your consent. You can adjust your cookie preferences at any time via the banner.

Who is the Data Controller?

Katharina Thiel

Portals Hypnotherapy

ICO Registration: ZC149118

For any data-related queries, please contact: kat@portalshypnotherapy.com