Last updated: 29/04/ 2026

1. Introduction

Stronger Minds is the trading name of StrongerMinds Psychology Ltd, a clinical psychology practice based in the United Kingdom.

This Privacy Notice explains how we collect, use, store, share and protect personal information when you visit our website, contact us, make an enquiry, use our clinical psychology services, communicate with us, or interact with our online content.

We aim to be transparent about how personal information is used, including where data may be processed by third-party systems, secure practice-management tools, cloud services, analytics providers, payment providers, professional systems, and large language model or artificial intelligence tools.

This Privacy Notice should be read alongside our other website policies, including our:

  • Editorial and Clinical Content Policy
  • Corrections and Content Review Policy
  • Feedback and Complaints Policy
  • Ethics Policy
  • Diversity Policy
  • Diversity Staffing Report
  • Ownership, Funding and Advertising Policy
  • Terms and Conditions
  • Cookie Policy, where applicable

2. Definitions

In this Privacy Notice and related website policies, the following terms have the meanings set out below.

We, us, our means StrongerMinds Psychology Ltd of Office 37975, PO Box 15113, Birmingham, B2 2NJ, operating through www.strongerminds.co.uk.

You, your means a visitor to our website, a person making an enquiry, a client or prospective client, or any person using or considering using our services.

Site means www.strongerminds.co.uk.

Services means the clinical psychology, psychological assessment, consultation, therapy, psychoeducation, supervision, reporting, and related professional services we provide.

Personal data means information that identifies, or could reasonably identify, a living person.

Special category data means more sensitive personal data, including health information, mental health information, information about racial or ethnic origin, religious or philosophical beliefs, sex life or sexual orientation, and other categories given additional protection under data protection law.

Clinical data means information relating to psychological assessment, therapy, clinical questionnaires, presenting difficulties, diagnosis, formulation, treatment, risk, safeguarding, mental health history, correspondence, clinical notes, reports and professional opinions.

Processing means anything done with personal data, including collecting, storing, using, sharing, analysing, reviewing, deleting or securely archiving it.

UK GDPR means the UK General Data Protection Regulation.

Data Protection Act 2018 means the UK law that supplements the UK GDPR.

PECR means the Privacy and Electronic Communications Regulations 2003, which apply to cookies, electronic marketing and similar technologies.

Privacy laws means the UK GDPR, Data Protection Act 2018, PECR and any other applicable privacy or data protection laws.

Controller means the organisation that decides why and how personal data is processed.

Processor means an organisation or service provider that processes personal data on our behalf.

Third party means any person, organisation, company, regulator, insurer, professional adviser, platform, service provider or public body that is not you and is not StrongerMinds Psychology Ltd.

Large language model, LLM or AI tool means a software system that can process, analyse, summarise, generate or transform text or other information using artificial intelligence.

3. Who we are

We are StrongerMinds Psychology Ltd, a UK clinical psychology practice.

Address:
Office 37975
PO Box 15113
Birmingham
B2 2NJ
United Kingdom

Website: www.strongerminds.co.uk
Telephone: 0121 314 1211
Email: [email protected]
ICO registration number: ZA288287

For most personal data we process, StrongerMinds Psychology Ltd is the data controller. This means we decide why and how your personal data is processed.

4. The type of organisation we are

We provide psychological assessment, therapy and related professional services. Because of this, we may process information about mental health, physical health, risk, personal circumstances, relationships, family history, employment, education, identity, and other sensitive matters.

We recognise that psychological and health information is highly sensitive. We therefore aim to process only the information that is necessary, proportionate and relevant to the service being provided.

5. The personal data we may collect

The personal data we collect depends on how you interact with us.

5.1 Website visitors

When you visit our website, we may collect:

  • IP address
  • device information
  • browser type
  • operating system
  • approximate location data
  • referral source
  • pages visited
  • time spent on pages
  • cookie preferences
  • analytics information
  • security logs
  • contact form submissions

5.2 Enquiries and prospective clients

If you contact us, we may collect:

  • name
  • email address
  • telephone number
  • preferred method of contact
  • reason for enquiry
  • brief information about the difficulties for which you are seeking help
  • referral information
  • availability
  • communication history
  • information needed to decide whether our service is suitable

5.3 Clients using our services

If you become a client, we may collect and process:

  • contact details
  • date of birth
  • address
  • emergency contact details
  • GP details, where relevant
  • consent forms
  • therapy agreement information
  • assessment information
  • psychological history
  • medical and mental health information
  • medication information, where relevant
  • risk and safeguarding information
  • questionnaire responses and scores
  • session notes
  • correspondence
  • reports
  • formulation and treatment planning information
  • payment and invoice information
  • attendance records
  • information from or about third parties, where relevant and appropriate

5.4 Third-party funded therapy

Where therapy is funded or arranged by a third party, such as an insurer, employer, parent, solicitor, case manager, school, university or other organisation, we may also process:

  • authorisation details
  • claim or membership numbers
  • funding approvals
  • limited attendance information
  • reports or updates, where agreed
  • invoices and payment information
  • information needed to clarify confidentiality, consent and reporting arrangements

We aim to clarify confidentiality, consent and reporting expectations before information is shared with a third party.

5.5 Payments and invoicing

We may process:

  • billing details
  • invoice records
  • payment status
  • transaction references
  • insurer or third-party payer details
  • accounting records
  • limited financial information needed to manage payment

We do not normally store full card details ourselves. Where card or payment processing is used, this is usually handled by a third-party payment provider.

5.6 Feedback, complaints and reviews

If you provide feedback, make a complaint, submit a review, or contact us about website content, we may process:

  • your name and contact details
  • the content of your feedback or complaint
  • correspondence relating to the matter
  • information needed to investigate and respond
  • records of actions taken

6. Special category data

Because we provide clinical psychology services, we may process special category data, particularly health and mental health information.

We process this information only where we have a lawful basis under UK GDPR and a relevant special category condition under Article 9 UK GDPR and the Data Protection Act 2018.

This may include processing that is necessary for:

  • psychological assessment
  • therapy and treatment
  • clinical record keeping
  • safeguarding
  • risk management
  • professional supervision or consultation
  • responding to legal or regulatory requirements
  • establishing, exercising or defending legal claims
  • managing complaints
  • protecting someone’s vital interests in an emergency

7. Why we process personal data

We may process your personal data for the following purposes:

  • to respond to enquiries
  • to assess whether our services are appropriate for you
  • to provide psychological assessment or therapy
  • to communicate with you
  • to manage appointments
  • to maintain clinical records
  • to administer questionnaires and outcome measures
  • to prepare clinical letters, reports or summaries, where appropriate
  • to manage risk and safeguarding concerns
  • to liaise with GPs, insurers, solicitors or other professionals, where appropriate and lawful
  • to process payments and invoices
  • to manage complaints or feedback
  • to maintain professional standards
  • to meet legal, regulatory, insurance, tax and accounting obligations
  • to protect our website and systems
  • to monitor and improve website performance
  • to review and improve the quality of our services
  • to maintain accurate editorial, clinical and website content
  • to use secure digital, administrative, clinical, AI-assisted or LLM-supported tools where appropriate

8. Lawful bases for processing

Depending on the context, we may rely on one or more of the following lawful bases under UK GDPR:

Purpose Possible lawful basis
Responding to enquiries Legitimate interests; steps prior to entering into a contract
Providing therapy or assessment Contract; legitimate interests; provision of health care
Clinical record keeping Legitimate interests; legal obligation; provision of health care
Processing health and mental health information Article 9 health or social care condition; explicit consent where appropriate; legal claims; vital interests; substantial public interest where relevant
Managing risk or safeguarding Legal obligation; vital interests; substantial public interest; legitimate interests
Communicating with GPs or other professionals Consent where appropriate; health or social care; legitimate interests; vital interests in urgent situations
Third-party funded therapy administration Contract; legitimate interests; consent where appropriate
Payment, accounting and tax records Contract; legal obligation; legitimate interests
Website analytics and cookies Consent where required; legitimate interests for essential security and functionality
Complaints and legal matters Legal obligation; legitimate interests; legal claims
AI or LLM-assisted processing Contract; legitimate interests; health or social care; legal obligation, depending on purpose and safeguards

We do not rely on consent for every type of processing. In clinical and legal contexts, other lawful bases may be more appropriate. Where we do rely on consent, you may withdraw it, although this will not affect processing that has already taken place lawfully.

9. Clinical confidentiality

Information shared in therapy or assessment is treated as confidential, subject to important limits.

We may need to share information without your consent if we reasonably believe that:

  • there is a serious risk of harm to you or another person
  • a child or vulnerable adult may be at risk
  • disclosure is required by law or court order
  • disclosure is required by a regulator or professional body
  • disclosure is necessary to prevent or detect serious crime
  • disclosure is necessary to protect someone’s vital interests
  • disclosure is necessary to defend or respond to a legal claim or complaint

Where possible and appropriate, we will usually try to discuss disclosure with you first. However, this may not always be possible, especially where there is urgent risk, safeguarding concern or a legal requirement.

10. Professional supervision and consultation

Clinical psychologists may discuss aspects of their work in professional supervision, consultation or peer review. This is an important part of safe, ethical and effective clinical practice.

Where possible, information discussed in supervision or consultation is anonymised or minimised. Supervisors and professional consultees are expected to maintain confidentiality and appropriate professional standards.

11. Use of large language models, AI and digital tools

We may use secure digital tools, including AI-assisted tools or large language models, to support administrative, editorial, drafting, summarising, transcription, quality-improvement or clinical-documentation workflows.

Examples may include using such tools to assist with:

  • drafting or formatting letters
  • summarising administrative information
  • structuring reports
  • improving website content
  • preparing internal notes or templates
  • processing questionnaire or form information
  • supporting workflow automation
  • improving clarity, consistency or efficiency

Where AI or LLM tools are used, we aim to apply the following safeguards:

  • we use only the minimum necessary information
  • we anonymise or de-identify information where reasonably possible
  • we avoid entering identifiable clinical information into public or unsecured AI systems
  • we use systems with appropriate contractual, technical and organisational safeguards where identifiable data is processed
  • we review AI-assisted outputs before relying on them
  • clinical judgement remains with the qualified clinician
  • AI is not used to make autonomous clinical decisions about you
  • we do not intentionally use your identifiable clinical information to train public AI models unless you have explicitly agreed or appropriate contractual protections are in place
  • we consider data protection, confidentiality and professional obligations before using such tools

Some AI or LLM providers may process data outside the UK. Where this occurs, we aim to ensure that appropriate safeguards are in place, such as adequacy arrangements, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or other lawful transfer mechanisms.

12. Automated decision-making

We do not use solely automated decision-making to make clinical decisions about you or to make decisions that have legal or similarly significant effects.

AI-assisted tools may support drafting, organisation, summarisation or administrative processing, but they do not replace professional clinical judgement.

13. Cookies and similar technologies

Our website may use cookies and similar technologies.

Cookies are small files placed on your device. They may be used to:

  • make the website function properly
  • remember your preferences
  • support website security
  • understand how visitors use the website
  • improve website performance
  • support analytics, where enabled
  • assist with marketing or search performance, where applicable

Some cookies are essential and do not require consent. Non-essential cookies, such as analytics or marketing cookies, will normally only be used where you have given consent through the website’s cookie settings.

You can usually change your cookie preferences through your browser settings or through the cookie controls on our website, where available.

For more information about cookies, you may visit:

14. Website analytics

We may use analytics tools to understand how visitors use our website. Analytics information may include pages visited, device type, browser type, approximate location, referral source and interaction patterns.

Where analytics cookies or similar technologies are non-essential, they will normally require consent. We aim to configure analytics tools in a privacy-conscious way where possible.

15. Website content, editorial standards and corrections

Our website contains information about mental health, psychological therapy, clinical psychology and related topics. Website content is provided for general information only and is not a substitute for individual clinical assessment, diagnosis, therapy or medical advice.

We aim to keep website content accurate, proportionate, evidence-informed and clinically responsible. We may process personal data when responding to:

  • content feedback
  • correction requests
  • complaints
  • questions about our website
  • requests to amend or clarify information

Please see our Editorial and Clinical Content Policy and Corrections and Content Review Policy for more information.

16. Diversity, ethics and accessibility

We aim to provide services and website content in a way that is respectful, inclusive and non-discriminatory.

We may process information relevant to accessibility, reasonable adjustments, communication needs, cultural context, protected characteristics or personal circumstances where this is necessary to provide appropriate care, respond to feedback, manage complaints, or meet legal and professional obligations.

Please see our Ethics Policy, Diversity Policy and Diversity Staffing Report for more information.

17. Who we may share personal data with

We do not sell your personal data.

We may share personal data where necessary, proportionate and lawful with:

  • GPs or other healthcare professionals
  • emergency services
  • safeguarding bodies
  • insurers or third-party funders, where appropriate
  • solicitors, courts or legal representatives, where required or agreed
  • professional supervisors or consultees
  • regulators or professional bodies
  • accountants or bookkeepers
  • payment processors
  • practice management systems
  • secure email, hosting and cloud service providers
  • IT support providers
  • website hosting and security providers
  • analytics providers, where applicable
  • AI or LLM service providers, where appropriate safeguards are in place
  • professional indemnity insurers
  • HMRC or other public authorities where legally required

We only share the information that is necessary for the relevant purpose.

18. Third-party service providers

We use third-party providers to support our website, communications, clinical administration, payment processing, accounting, IT, security, data storage, analytics and professional workflows.

Where third-party providers process personal data on our behalf, we aim to ensure that appropriate data processing agreements, confidentiality arrangements, security measures and data protection safeguards are in place.

19. International transfers

Some providers we use may process or store data outside the United Kingdom.

Where personal data is transferred outside the UK, we aim to ensure that appropriate safeguards are in place. These may include:

  • UK adequacy regulations
  • the UK International Data Transfer Agreement
  • the UK Addendum to EU Standard Contractual Clauses
  • contractual safeguards
  • technical and organisational security measures
  • transfer risk assessments where required

20. How we protect personal data

We take reasonable technical and organisational steps to protect personal data. These may include:

  • password protection
  • secure systems
  • access controls
  • encryption where appropriate
  • secure storage
  • confidentiality obligations
  • data minimisation
  • professional record-keeping procedures
  • secure deletion or destruction
  • careful selection of processors
  • reviewing the necessity and proportionality of data processing

No system can be guaranteed to be completely secure. However, we aim to use safeguards appropriate to the sensitivity of the information we process.

21. Data retention

We keep personal data only for as long as necessary for the purposes for which it was collected, including clinical, legal, regulatory, insurance, accounting and professional requirements.

Typical retention periods are as follows:

Type of information Typical retention period
Website analytics data Usually kept only as long as needed for analytics and reporting
Contact form enquiries where no service is provided Usually deleted or anonymised within 3 to 12 months, unless there is a reason to retain it longer
Administrative correspondence Kept as long as necessary for service, legal, complaint, accounting or professional purposes
Adult clinical records Usually retained for up to 8 years after the last clinical contact, unless there is a reason to keep them longer
Child or young person clinical records Usually retained until the person’s 25th birthday, or 26th birthday if they were 17 when treatment ended, unless a longer period is necessary
Financial and accounting records Usually retained for at least 6 years
Complaints and legal correspondence Kept as long as necessary to manage the complaint, respond to legal issues, meet insurance requirements, or defend legal claims
Website content review records Kept as long as necessary for governance, editorial accountability and quality assurance

Retention periods may be extended where required for safeguarding, legal claims, insurance, regulatory matters, professional obligations or other legitimate reasons.

When personal data is no longer required, we aim to delete, anonymise or securely destroy it.

22. Your rights

Under UK data protection law, you may have the following rights:

  • the right to be informed about how your data is used
  • the right of access to your personal data
  • the right to request correction of inaccurate data
  • the right to request deletion of data in certain circumstances
  • the right to restrict processing in certain circumstances
  • the right to object to processing in certain circumstances
  • the right to data portability in certain circumstances
  • the right to withdraw consent where processing is based on consent
  • rights relating to automated decision-making and profiling
  • the right to complain to the Information Commissioner’s Office

These rights are not absolute. For example, we may need to retain some clinical, legal, safeguarding, accounting or regulatory records even if you ask us to delete them.

23. Subject access requests

You can ask for a copy of the personal data we hold about you by contacting us at:

[email protected]

We may need to verify your identity before responding. We will usually respond within one month, unless the request is complex or an extension is permitted by law.

In some cases, information may be withheld where disclosure would adversely affect the rights and freedoms of another person, create serious risk, breach confidentiality obligations, or fall within another lawful exemption.

24. Keeping your information accurate

Please tell us if your personal data changes, including changes to:

  • contact details
  • GP details
  • emergency contact details
  • insurer details
  • relevant health or risk information
  • consent or communication preferences

You can contact us at:

[email protected]

25. Marketing communications

We do not send clinical marketing emails to clients without an appropriate lawful basis.

If we offer newsletters, updates or marketing communications, you will be able to unsubscribe or opt out. We will not sell your contact details to third parties for marketing purposes.

26. Links to other websites

Our website may contain links to other websites. This Privacy Notice applies only to our website and services.

If you follow links to other websites, you should read their privacy notices and terms. We are not responsible for the privacy practices, security or content of external websites.

27. Children and young people

Where we work with children or young people, we may process information about the child or young person, their parents or carers, family circumstances, school or education, healthcare, safeguarding, and relevant professionals.

We aim to consider the young person’s age, understanding, capacity, confidentiality, parental responsibility, safeguarding needs and best interests when deciding how information is used or shared.

28. Complaints

If you are concerned about how we process your personal data, please contact us first so that we can try to resolve the matter.

Email: [email protected]
Telephone: 0121 314 1211

You also have the right to complain to the Information Commissioner’s Office:

Information Commissioner’s Office
Website: www.ico.org.uk

29. Changes to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in law, professional guidance, our services, our website, our systems, or our use of technology.

The latest version will be published on our website.