top of page

Privacy Policy

What are the General Data Protection Regulations, 2018 (GDPR) and how do they affect me?

The GDPR replaces the 1998 Data Protection Act to ensure your personal and sensitive, confidential data is kept private and held securely, being processed in the way that you have agreed to. It is there to protect your rights as a consumer of a service or product that might involve your identifiable data, e.g. your name and address or whether you have a specific condition. It also covers any session records, text messages or emails we exchange. 

Private Keep Out sign

How long will you hold my information for?

If you are an adult your data is kept for 7 years after your counselling, psychotherapy and/or supervision sessions have finished for insurance purposes. After 7 years your electronic data is permanently deleted and your paper-based data is shredded with a cross-cut shredding machine owned by the organisation.

If you are a child (i.e. under 18 years old) your data is kept until the month after your 25th birthday, or your 26th birthday if you are aged 17 when counselling and psychotherapy sessions end. At this point your electronic data is permanently deleted and your paper-based data is shredded with a cross-cut shredding machine owned by Paper Plane Counselling.

What rights do I have over my data?

If you wish to see a copy of your data then you need to request this clearly in writing. If Amy Mills (who is the data controller) doubts the identity of the person making the request then she will first take reasonable steps to ensure it’s really you before releasing any records. Amy will check whether there is specific data that you wish to see or whether you wish to see all your data. A copy of your data will be provided within one month. There is no monetary charge for this. If you wish to make a correction to any of the data you believe to be inaccurate, you can do so by informing Amy. If you do not want your data to be collected in the manner described in this document you can discuss this with Amy.

You can ask for all your data to be deleted if you don’t want it to be stored for 7 years. Again, you need to make this request in writing to Amy at Paper Plane Counselling. Once your identity is confirmed, all your paper records will be shredded with a cross-cut shredding machine and any electronic data such as emails or text messages will be permanently deleted from the devices they are stored on. Amy will have to save the request for deletion you made but would not save any other data. Please note that in some circumstances Amy's insurance company’s legal team may want to verify the information she processes and she may by law be unable to delete data if it is subject to a police or legal investigation (please see ‘Exceptions’ below).

You have the same rights to your data regardless of your age (i.e. children have the same rights to their data as adults).

Why do you need to record information about me?

Amy collects information about; why you are using the service, a small amount of medical information and a small amount of information about your important others, alongside brief session notes. This information enables her to provide a high-quality service to you, ensuring she is equipped with the knowledge of our previous discussions prior to each session. Your contact details will only be used for purposes other than scheduling sessions with your explicit signed consent.

Website Visitors

When an individual visits we use Google analytics who are considered a third party service, to collect information about what visitors do when they click on our website, e.g. which page they visit the most. Google analytics only collect non-identifiable data which means we or they cannot identify who is visiting. Paper Plane Counselling will always be transparent when it comes to collecting personal data and will be clear about how that data is processed. Google analytics privacy notice can be found here:

Wix is a third-party service that hosts Paper Plane Counselling's website. Wix uses anonymised data to collect visitor information such as how long an individual remains on a page of a website. Wix also hosts the Contact form on Paper Plane Counselling's website and a copy of any data sent via this form is stored by Wix. Wix Bookings hosts the online session booking function on Paper Plane Counselling's website and a copy of any data given when booking a session online will be stored by Wix Bookings. Wix’s privacy notice can be found here for further information:

Financial data

Paper Plane Counselling use Stripe and SumUp respectively to process payments online through this website and by credit/debit card. Both these providers record the payee’s contact details and banking details in order to process payments. Their privacy policies can be found here and

Paper Plane Counselling Ltd uses a third-party provider, PayPal, to take online payments (on the request of clients who specifically wish to use this platform). PayPal will record an individual’s contact and bank details when taking a payment. PayPal’s privacy notice can be found here:

Paper Plane Counselling banks with Virgin Money who record the account name, payment date and amount of all transactions made electronically (i.e. for payments made via online BACS transfer, or via SumUp and Stripe). Virgin Money’s privacy policy can be found here:

Paper Plane Counselling uses Quickbooks to manage our accounting electronically. Quickbooks records an individual’s name, payment amount and date of payment for each transaction made electronically (i.e. for all payments made via Stripe, SumUp or by making an online BACS payment). Quickbooks’ privacy notice can be found here:

Paper Plane Counselling uses an independent accountant, Botterill & Co, to prepare our annual accounts and tax returns. Botterill & Co views all data inputted by Paper Plane Counselling on to Quickbooks. This includes each individual’s name, payment amount and payment date for all transactions made electronically. Botterill & Co’s privacy policy can be found here:

What do you do to ensure my information is held securely?

Hardcopy documents – These are all stored in a locked filing cabinet in a locked room. They are stamped as “Private and Confidential”.

Text messages and Telephone Calls – Amy uses a dedicated mobile phone which is secured with a pin code.

Emails – Amy’s email account requires a user name and password, and two-step authentication is enabled. The account is only logged on to from devices which are the sole property of Paper Plane Counselling or Amy. All emails sent are encrypted in transit. Amy uses Frama RMail software to encrypt emails which contain sensitive personal information. This software includes the option for you to reply by encrypted email without having to install or register for software yourself.  

Email attachments – Any attachments sent by email to you containing your personal information are sent by Frama RMail encrypted email. Each attachment is also password protected and the password is sent to you via a different medium (e.g. text message).

Online Agreement documents – Online contracting documents are sent to you via Frama RMail to sign electronically. This software offers full encryption and a verified electronic trail confirming the identity, date and time of the signature.   

Electronic documents – Electronic documents are stored on a password protected and encrypted external hard drive which is stored in a locked filing cabinet behind a locked door when not in use. A back-up of all electronic documents is made on a monthly basis and is stored in a separate password protected and encrypted external hard drive which is stored in a locked filing cabinet behind a locked door when not in use. The computers used to access this data are password protected and are the sole property of Paper Plane Counselling or Amy.

Is what we discuss kept confidential?

Everything you talk about during your sessions is strictly confidential between you and Amy Mills. In accordance with the BACP Ethical Framework, all counsellors consult a supervisor on a regular basis to ensure their practice is ethical and that they are working in the best interests of their clients. Amy’s supervision sessions usually take place online, usually using the platform Zoom. Amy’s supervisor(s) is verbally told broad overarching themes of sessions. The supervisor(s) is not told your real name nor contact details and does not have direct access to written records of your electronic or hard-copy data. The supervisor(s) also adheres to the GDPR.

What if I see you outside of the session?

If you see Amy outside of a session (e.g. you pass each other in the street) she may smile but will not engage in any further conversation to ensure your confidentiality. You are welcome to talk to other people about the therapy you are receiving, but Amy is obligated by GDPR law to ensure your confidentiality is protected. She requests that in order to ensure the success of your therapy, that you refrain from discussing your therapy with her outside of your sessions. This extends to the online world where Amy is obliged by law to protect your confidentiality. Therefore, she is unable to respond directly to any client interaction via social media, blogpost or other public internet forum.

What about other Health and Social Care Professionals?

As Amy adheres to the GDPR any contact, relating to you, with other health care professionals would only be made with your signed consent. For example, if she were to write to your GP to notify them of your sessions with her, and then notify them of the sessions ending, she would only do this if you were to sign specific consent.


  • Amy may contact your GP or another professional if she believes that you are likely to cause significant harm to yourself or somebody else. This would be done if judged to be in your best interests in order to keep you and/or other people safe. If this happens Amy will make every effort to discuss the situation with you first before sharing information in order to agree what information to share and to whom.

  • Amy may contact relevant authorities if she believes children or vulnerable adults are at risk of significant harm in order to safeguard their development and wellbeing (this applies to both “real world” and online risks). If this happens Amy will make every effort to discuss the situation with you first to agree what information to share and to whom; unless to do so would be to endanger the children or vulnerable adults concerned.

  • Your data must be shared with another organisation if it is legally necessary to do so. This happens if Amy becomes aware that you (or someone else you talk to her about) are planning, or have participated in, a crime such as money laundering, terrorism or murder.

  • If Amy is subpoenaed to give evidence in court then she is legally required to do so and to discuss your data if necessary.

  • In the event of Amy becoming incapacitated due to an unforeseen emergency then your contact details will be passed to her supervisor. This person will contact you to explain the situation and discuss alternative support.


Our Information Governance Policy and Procedure gives further details of all aspects of our compliance with GDPR.

bottom of page