1. Introduction

I am Nicola Barraclough, operating as Nicola Barraclough Stammering Therapy. I am the data controller for your personal data. This notice explains how your personal data is used when you contact me or receive speech and language therapy from me. See section 6 for my contact details.

I am a speech and language therapist and am registered with/subject to professional standards (e.g., HCPC) and professional ethics (e.g., RCSLT), including duties of confidentiality.

2. Data Collection

When you contact me or access my speech therapy services, I may collect and process the following personal data:

• Contact and identity details: Name, address, email, phone number, date of birth, emergency contact details (where appropriate).
• Health and therapy information (special category data): Relevant case history, therapy goals and assessments. Session notes, care plans, recommendations, progress records. Any information you share that is relevant to your therapy (e.g., wellbeing, circumstances affecting communication).
• Administrative and financial information Appointment history, correspondence (email/text). Invoices, payment status, and basic transaction records.
• Optional additional data: Where needed and discussed, with explicit consent provided, I may collect and use recordings of sessions (audio/video), transcripts/summaries (including where AI tools are used), and feedback/testimonials.

Source of your information: I usually collect personal data directly from you. With your permission, I may also receive relevant information from other people or organisations (for example, a GP, another healthcare professional, an employer, or a family member), where this is necessary and appropriate for your therapy.

Some information (e.g. contact details, relevant health history, and session notes) is necessary for me to provide safe and effective therapy and to keep appropriate clinical records. You are not under a statutory obligation to provide this information, but if you enter into therapy with me, providing key information is a contractual requirement so that I can deliver safe and appropriate services. If you choose not to provide key information, I may be unable to offer therapy service.

3. Data Use and Lawful Basis

UK GDPR requires a lawful basis under Article 6 for personal data, and an additional condition under Article 9 for health data. I may use your data for:

A) Therapy services and clinical record-keeping

• Purpose: To assess needs, provide therapy, monitor progress, and keep appropriate clinical records.
• Lawful Basis: Contract (Article 6(1)(b)) — to provide the service (speech therapy sessions) you request and/or Legitimate Interests (6(1)(f)) — to deliver a high-quality, ethical, and clinically appropriate and effective speech therapy service to adults who stammer. This includes assessing your needs, planning and delivering individualised therapy, monitoring progress, ensuring quality care and maintaining accurate professional records. Where I rely on Legitimate Interests, I have considered the impact on your privacy and your rights.
• Article 9 condition (health data): Health or social care (Article 9(2)(h)) together with the related UK legal condition in Schedule 1 of the Data Protection Act 2018 (health or social care purposes) and subject to my duty of confidentiality as a health professional.

B) Appointments, communications, and admin

• Purpose: Booking/confirming appointments, sending reminders, responding to messages, and day-to-day service administration.
• Lawful Basis: Contract (6(1)(b)) and/or Legitimate Interests (6(1)(f)) where appropriate (e.g., responding to enquiries before a contract exists; running a small clinical practice efficiently (scheduling, record management, invoicing follow-up); maintaining client and practitioner safety.)
• Article 9 condition (if health info is included in messages): Health or social care (Article 9(2)(h)) together with the related UK legal condition in Schedule 1 of the Data Protection Act 2018 and subject to confidentiality safeguards.

C) Invoicing, accounting, and tax

• Purpose: Issuing invoices, maintaining financial records, and meeting tax/accounting obligations.
• Lawful Basis: Legal obligation (6(1)(c)) and/or Contract (6(1)(b))

D) Sharing information with other professionals

• Purpose: Coordinating care or making referrals where relevant. I will seek your permission before sharing, unless there is a legal/safeguarding reason not to.
• Lawful Basis: Contract (6(1)(b)) and/or Legitimate Interests (6(1)(f)) depending on context
• Article 9 condition (health data): Health or social care (Article 9(2)(h)) together with the related UK legal condition in Schedule 1 of the Data Protection Act 2018 and subject to confidentiality safeguards.

E) Recordings, AI transcription/summarisation, testimonials, or marketing

• Purpose: These are optional and will only happen if you choose to proceed after being given clear information.
• Lawful Basis: Consent (6(1)(a))
• Article 9 condition (health data): Explicit consent (Article 9(2)(a))
• You can withdraw your consent at any time by contacting me (see Section 6). Withdrawing consent will not affect the lawfulness of any processing carried out before you withdrew it.

I do not use automated decision-making or profiling that produces legal or similarly significant effects for you.

4. Data Storage, Security and Sharing

I take the security of your personal data seriously. I store and handle your information in a way that is designed to keep it confidential, secure, and available when needed for your care. Where I use third-party services to help me provide my service (for example, email, video calls, and secure storage), those organisations act as my data processors and I ensure appropriate contractual protections are in place (including data processing terms). My website uses only essential cookies for functionality and does not use tracking or analytical cookies.

• Where your data is stored: I store your records in password-protected digital systems (Google Drive and Microsoft OneDrive) and/or in locked physical files.
• How I communicate with you: I use Gmail for email communications and Google Meet for online sessions or appointments.
• Security measures: Access is restricted to me. I use strong passwords and, where available, multi-factor authentication, and I take reasonable steps to keep devices and accounts secure (for example, device lock, updates, and secure Wi-Fi). I only keep the personal data I need for the purposes set out in this notice.
• International transfers: Some of my service providers may process or store data outside the UK. Where this happens, I ensure that an appropriate transfer safeguard is in place as required by UK data protection law (for example, UK adequacy regulations where applicable, or the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses, together with any required risk assessment and supplementary measures).
• How long I keep your data: I retain records only for as long as necessary for the purposes described in this notice and to meet professional and legal obligations. Typically, I retain therapy records for eight years after the end of therapy in line with professional guidance, unless a longer or shorter period is required by law or is clinically/legally appropriate.If you contact me but do not become a client, I will normally keep enquiry correspondence for up to 12 months, unless there is a reason to keep it for longer (for example, if you ask me to). Financial and tax records are kept for at least five years after the 31 January submission deadline for the relevant tax year (and longer if required, for example if a return is filed late or HMRC opens an enquiry). When data is no longer needed, it is securely deleted or destroyed.

I do not sell your personal data. Other than my service providers described above, I will only share your personal data in the following circumstances:

• With your explicit consent (for example, sharing relevant information with your GP, another therapist, or other professionals involved in your care). You can withdraw consent to sharing at any time; this will not affect any sharing that has already taken place.
• Where I am required to do so by law (for example, court orders, regulatory requirements, or where disclosure is necessary for safeguarding concerns).
• Where necessary to protect vital interests (for example, in a medical emergency where you are unable to provide consent).

5. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data (some rights apply only in certain circumstances):

• Access: You can request a copy of the data I hold about you.
• Rectification: You can request corrections to inaccurate or incomplete data.
• Erasure: You can request the deletion of your data, subject to legal or professional requirements for retention.
• Restriction: You can request restrictions on how your data is processed.
• Objection: You can object to data processing in certain circumstances. This includes the right to object where I rely on Legitimate Interests, and an absolute right to object to direct marketing.
• Portability: You can request your data in a portable format.

If you wish to exercise any of these rights, please contact me using the details below.

6. Contact Information

I am registered with the Information Commissioner’s Office under registration number ZB952908. If you have any questions or concerns about this privacy policy or how your data is handled, please contact the data controller:

You also have the right to contact the Information Commissioner’s Office (ICO) if you are unhappy with how I handle your data (Tel: 0303 123 1113; Website: https://www.ico.org.uk).

7. Changes to This Policy

This privacy policy may be updated periodically to reflect changes in legal or professional requirements. Any significant changes will be communicated to you. Last updated: January 2026.