Privacy notice generator

Build a UK GDPR privacy notice for your practice in plain English, covering everything Article 13 requires.

Not sure? Search your name on the ICO register at ico.org.uk.

What you collect

Contact details, session notes and appointment records are always in.

Tools that touch client data

7 years is commonly held; check your insurer and professional body.

Privacy notice

[your name or practice name]

Who I am and how to contact me

This notice explains how [your name or practice name] handles information about clients and people who enquire. If you have any questions about it, contact me at [contact email].

What information I hold

I keep only what the work needs:

  • your contact details
  • appointment records
  • brief notes of each session
  • your GP's details
  • an emergency contact or next of kin
  • payment records

Why I hold it, and my lawful basis

I hold this information to provide you with therapy safely: to keep accurate notes of our work, to stay in touch about appointments, and to meet my professional and insurance obligations.

In data protection terms, the lawful basis for most of this is our contract (UK GDPR Article 6(1)(b)); for enquiries before we agree to work together, it is legitimate interests (Article 6(1)(f)). Session notes are health data, which has extra protection: my condition for holding them is the provision of health and social care (Article 9(2)(h), with the conditions in Schedule 1 of the Data Protection Act 2018), and safeguarding where that applies.

Consent is deliberately not the basis for the records themselves. I am professionally required to keep proper notes of our work, whether or not consent is later withdrawn, so it would be misleading to suggest the records rest on it.

Who sees it

I do not share what you tell me, apart from the narrow exceptions set out in our counselling agreement: risk of serious harm, safeguarding concerns, court orders and narrow legal duties. Beyond those:

  • I discuss anonymised case material in clinical supervision, which is a professional requirement; my supervisor never hears your name and is bound by the same confidentiality
  • my practice management software stores my diary, notes and documents
  • my video platform carries our online sessions
  • my email provider handles our messages

How long I keep it

I keep records for 7 years after our work ends, which is the period commonly required by professional indemnity insurers, and then delete them securely. Enquiry details from people who do not become clients are deleted much sooner.

Your rights

You can ask for a copy of the information I hold about you, ask me to correct anything that is wrong, and ask me to delete it. I will respond within one month.

One honest caveat on deletion: because I am required to keep proper records for insurance and professional reasons, a request to erase clinical records may be lawfully declined in part until the retention period has passed. I will always explain what I can and cannot do.

How to complain

If you are unhappy with how I handle your information, please tell me first and I will try to put it right. You can also complain to the Information Commissioner's Office at ico.org.uk.

Why consent is the wrong foundation

Most free privacy notice templates are built on consent, and for therapy records that is building on sand. Consent can be withdrawn at any moment, but a practitioner cannot un-hold clinical records: your insurer and professional body require notes to exist for years after the work ends. A notice that says “I hold your data because you consent” is making a promise the practice cannot keep.

The correct structure, and the one this generator writes, is contract as the lawful basis for the therapy itself, legitimate interests for enquiries, and the health and social care condition under Article 9(2)(h) for the clinical content, with safeguarding conditions where relevant. Clients are still fully informed, which is the actual point of the notice; they are just not being asked a permission you could not honour withdrawing.

Give the notice before or at the first session, and link it from your booking page so it is technically given before anyone even enquires. It pairs with the GDPR self-assessment, which checks the practices behind the promises, and the counselling agreement, which carries the confidentiality wording this notice refers to.

The output deliberately fits on one side of A4 at normal type. Every section Article 13 requires is in there; nothing else is, because length is where notices go to die unread. This page is not legal advice, and if your situation is unusual (employed associates, working with children, research use), it is worth an hour of a data protection specialist’s time.

Bloom is one named line in your notice instead of four: diary, notes, documents and payments under a single data processing agreement.