Privacy Policy
Sutton Psychology | Dr Nicola Sutton
Last updated: 01/06/2026
This privacy notice tells you what to expect us to do with your personal information.
Contact details
Sutton Psychology is operated by Dr Nicola Sutton, HCPC Registered Forensic Psychologist.
Address: Unit 3, Antioch Centre, Copperworks Road, Llanelli, SA15 2NE
Telephone: 07772 866883
Email: nicola.sutton@suttonpsychology.co.uk
Website: suttonpsychology.co.uk
1. What information we collect, use, and why
We collect or use the following information to provide therapy services and clinical care:
• Name, address and contact details
• Gender and pronoun preferences
• Date of birth
• Next of kin details including any support networks
• Emergency contact details
• Health information (including medical conditions, medical requirements and medical history)
• Information about care needs (including disabilities, medication and dietary requirements)
• Test results (including psychological evaluations)
• Payment details (including card information)
• Insurance policy details
• Records of sessions and decisions
We collect or use the following information for safeguarding or public protection reasons:
• Name, address and contact details
• Emergency contact details
• Health information (including medical conditions and medical history)
• Information about care needs
• Relevant information from previous investigations
• Psychological evaluation results
• Records of meetings and decisions
We collect or use the following personal information to comply with legal requirements:
• Name
• Contact information
• Safeguarding information
We collect or use the following personal information for information updates and marketing purposes:
• Names and contact details
• Marketing preferences
• Website usage information
• IP addresses
• Records of consent, where appropriate
We collect or use the following personal information for dealing with queries, complaints or claims:
• Names and contact details
• Addresses
2. Lawful bases and data protection rights
Under UK data protection law, we must have a lawful basis for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO's website.
Your data protection rights include:
• Your right of access -- you have the right to ask us for copies of your personal information.
• Your right to rectification -- you have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
• Your right to erasure -- you have the right to ask us to delete your personal information.
• Your right to restriction of processing -- you have the right to ask us to limit how we can use your personal information.
• Your right to object to processing -- you have the right to object to the processing of your personal data.
• Your right to data portability -- you have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
• Your right to withdraw consent -- when we use consent as our lawful basis you have the right to withdraw your consent at any time.
If you make a request, we must respond to you without undue delay and in any event within one month. To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our lawful bases for therapy services
Our lawful bases for collecting or using personal information to provide therapy services are:
Consent -- we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. You have the right to withdraw your consent at any time.
Contract -- we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legitimate interests -- we are collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. Our legitimate interests are:
Sutton Psychology collects and processes personal information to provide psychological therapy services. This is necessary to assess suitability for therapy, provide safe and effective psychological treatment, maintain clinical records as required by our regulatory body (HCPC), communicate with clients about appointments, manage invoicing and payment, and liaise with insurance providers (AXA, Bupa, and WPA) where applicable. Processing this information is essential to deliver a safe, personalised, and clinically appropriate therapy service. Without it, we would be unable to assess, treat, or maintain appropriate duty of care to our clients. The benefits of this processing include enabling individuals to access psychological support that can improve their emotional wellbeing and quality of life. We minimise risk to individuals by collecting only the information that is necessary, storing data securely, limiting access to authorised personnel only, and never sharing personal data with third parties for marketing purposes.
Vital interests -- collecting or using the information is needed when someone's physical or mental health or wellbeing is at urgent or serious risk. All of your data protection rights may apply, except the right to object and the right to portability.
Our lawful bases for safeguarding and public protection
Our lawful bases for collecting or using personal information for safeguarding or public protection reasons are:
Consent -- we have permission from you after we gave you all the relevant information.
Contract -- we have to collect or use the information so we can enter into or carry out a contract with you.
Legal obligation -- we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Legitimate interests -- as an HCPC-registered psychologist, Dr Nicola Sutton has a professional and legal duty to safeguard clients and protect the public from serious harm. In rare and exceptional circumstances, it may be necessary to process and share personal information without consent for safeguarding or public protection purposes. This may include situations where there is a risk of serious harm to the client or to others, concerns about the safety or welfare of a child or vulnerable adult, a legal obligation to share information with statutory agencies such as social services, police, or the courts, or a requirement from our regulatory body (HCPC) in connection with fitness to practise proceedings. In these circumstances, we will only share the minimum information necessary and only with the relevant authority or professional body. We will always aim to discuss any disclosure with the client first, unless doing so would increase the risk of harm. The benefits of this processing are the protection of life, prevention of serious harm, and fulfilment of our legal and professional obligations.
Vital interests -- collecting or using the information is needed when someone's physical or mental health or wellbeing is at urgent or serious risk.
Our lawful bases for legal compliance
Our lawful bases for collecting or using personal information to comply with legal requirements are:
Consent -- we have permission from you after we gave you all the relevant information.
Contract -- we have to collect or use the information so we can enter into or carry out a contract with you.
Legal obligation -- we have to collect or use your information so we can comply with the law.
Legitimate interests -- Sutton Psychology is required by law to collect, process, and retain certain personal information to comply with legal and regulatory obligations. These include regulatory requirements as set by the HCPC, which requires registered psychologists to maintain accurate and up-to-date clinical records for all therapy clients. These records must be retained for a minimum period as specified by professional guidelines. Tax and financial obligations under HMRC requirements require us to retain records of financial transactions for a minimum period as required by law. Insurance provider requirements from AXA, Bupa, and WPA may require us to share relevant client information to process claims and authorise treatment. This is limited to the information necessary to administer the insurance claim. Data protection legislation under UK GDPR and the Data Protection Act 2018 requires us to maintain records of our data processing activities, respond to subject access requests, and report data breaches where required.
Our lawful bases for marketing and information updates
Our lawful bases for collecting or using personal information for information updates and marketing purposes are:
Consent -- we have permission from you after we gave you all the relevant information. You have the right to withdraw your consent at any time.
Legitimate interests -- Sutton Psychology collects and processes personal information for the purpose of sending information updates and marketing communications. For email marketing, we collect names and email addresses when individuals voluntarily sign up for our mailing list via the website. This information is used to send educational content and updates about our services that are relevant to the individual's interests. All marketing communications are sent with the individual's consent, and they can unsubscribe at any time via the link provided in every email. For transactional communications, we use contact details to send emails directly related to an enquiry or appointment. These are necessary to fulfil our contractual obligations and are not considered marketing. We minimise the impact on individuals by only sending communications to those who have given consent, making it simple to unsubscribe at any time, and never sharing personal data with third parties for their marketing purposes.
Our lawful bases for handling queries, complaints or claims
Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:
Consent -- we have permission from you after we gave you all the relevant information.
Contract -- we have to collect or use the information so we can enter into or carry out a contract with you.
Legitimate interests -- Sutton Psychology collects and processes personal information to respond to queries, manage complaints, and handle any claims that may arise in connection with our therapy services. For queries, we collect names, email addresses, phone numbers, and any details the individual chooses to share when they contact us via our enquiry form, email, or phone. This information is used to understand their query and respond appropriately. For complaints, we may need to collect and retain personal information relating to the nature of the complaint, the individuals involved, and any communications exchanged. This is necessary to investigate the complaint thoroughly, respond fairly, and meet our professional obligations under HCPC standards. For claims, in the event of a legal claim, insurance claim, or regulatory investigation, we may need to process and retain personal information relevant to the matter. This may include sharing information with our professional indemnity insurer, legal advisors, or the HCPC where required.
Vital interests -- collecting or using the information is needed when someone's physical or mental health or wellbeing is at urgent or serious risk.
3. Where we get personal information from
• Directly from you
• Insurance companies (AXA, Bupa, and WPA)
4. How long we keep information
Sutton Psychology retains personal data for different periods depending on the type of data and the purpose for which it was collected:
• Clinical therapy records for adult clients are retained for a minimum of 7 years after the last contact, in line with British Psychological Society and HCPC guidance.
• Where therapy has involved a minor, records are retained until the individual's 25th birthday or 7 years after last contact, whichever is longer.
• Financial and tax records are retained for a minimum of 6 years as required by HMRC.
• Records relating to insurance providers are retained for the duration required by the provider or 7 years after the last session, whichever is longer.
• Records relating to complaints or claims are retained for 10 years from the date of resolution.
• Marketing and mailing list data is retained until the individual unsubscribes or requests deletion, and is deleted within 30 days of that request.
• Enquiry form data that does not lead to a therapeutic relationship is deleted within 12 months.
When the relevant retention period expires, personal data is securely deleted or anonymised.
5. Who we share information with
We may share personal information with:
• Insurance companies, brokers and other intermediaries (AXA, Bupa, and WPA)
• Organisations we need to share information with for safeguarding reasons
• Professional advisors
• Organisations we are legally obliged to share personal information with
6. Third party data processors
We use the following trusted third party services to operate this website and manage our business processes. These services may process personal data on our behalf:
• Squarespace -- website hosting and contact form processing (squarespace.com)
• Asana -- enquiry form management and workflow processing (asana.com)
• Microsoft -- email and calendar services
• Booking calendar software -- appointment scheduling
All third party processors are required to handle personal data in accordance with UK GDPR. We only share the minimum personal data necessary for each processor to carry out their function.
7. Duty of confidentiality
We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:
• You have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses).
• We have a legal requirement (including court orders) to collect, share or use the data.
• On a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime).
• The requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied.
8. Cookies
This website uses cookies to improve your browsing experience and to understand how visitors use the site. Cookies are small files stored on your device.
We use the following types of cookies:
• Essential cookies -- necessary for the website to function correctly. These cannot be disabled.
• Analytics cookies -- help us understand how visitors interact with the website. These are only placed with your consent.
• Marketing cookies -- used to track visitors across websites. These are only placed with your consent.
You can choose to accept or decline non-essential cookies when you first visit the site. You can also manage cookies through your browser settings at any time. Please see our Cookie Policy for full details.
9. Your rights
You have the right to:
• Request access to any personal data held about you.
• Request that your data is corrected or deleted.
• Withdraw consent at any time where consent is the lawful basis for processing.
• Object to processing based on legitimate interests.
• Request restriction of processing.
• Request data portability.
To exercise any of these rights, please contact us at nicola.sutton@suttonpsychology.co.uk.
10. How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we have used your data after raising a complaint with us, you can also complain to the ICO.
The ICO's address:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
11. Updates to this policy
This privacy policy may be updated from time to time. Any changes will be posted on this page with an updated date. We encourage you to review this policy periodically.