Privacy Policy

Last Updated: 13/07/2026

Introduction

This privacy notice provides you with details of how we collect and process your personal data through your use of our website.

By providing us with your data, you confirm that you are over 13 years of age.

Mark Condon CBT is the data controller and is responsible for your personal data. “We”, “us” and “our” in this privacy notice refer to Mark Condon CBT.

Contact Details

Business name: Mark Condon CBT
Contact email: mark@markcondoncbt.com

It is important that the information we hold about you is accurate and up to date. Please let us know if your personal information changes by emailing mark@markcondoncbt.com.

What Data We Collect, Why We Collect It and Our Lawful Basis

Personal data means any information capable of identifying an individual. It does not include anonymised data.

We may process the following categories of personal data:

Communication Data

This includes any communication you send to us through our website’s contact form, email, text message or telephone.

We process this data to:

  • Communicate with you
  • Maintain accurate records
  • Establish, pursue or defend legal claims

Our lawful basis for this processing is our legitimate interest in responding to communications and maintaining accurate records.

Customer and Client Data

This includes information relating to services you have purchased or requested, such as your:

  • Name
  • Billing address
  • Email address
  • Telephone number
  • Transaction details

We process this data to provide the therapy services you have requested and to maintain financial records.

Our lawful basis for this processing is the performance of a contract between you and us.

Technical and User Data

This includes information about how you use our website, such as your:

  • IP address
  • Browser details
  • Page views
  • Analytics data

Our lawful basis for this processing is our legitimate interest in properly administering and securing our website.

Sensitive Data (Special Category Data)

As a Cognitive Behavioural Therapy (CBT) practice, we collect and process Special Category Data concerning your health and mental wellbeing. This enables us to provide safe, ethical and effective psychological treatment.

Our lawful basis for processing health data under UK GDPR is Article 9(2)(h): the provision of health or social care or treatment.

We do not collect information about criminal convictions or offences unless it is directly relevant to a clinical risk assessment.

How We Collect Your Personal Data

We may collect personal data directly from you when you:

  • Complete a form on our website
  • Send us an email
  • Contact us by telephone or text message
  • Complete a clinical intake form

We may also automatically collect certain technical data when you use our website through cookies and similar technologies.

Marketing Communications

Our lawful basis for sending you marketing communications is either your explicit consent or our legitimate interest in growing our practice.

We will never share your personal data with a third party for its own marketing purposes.

You can opt out of marketing communications at any time by emailing mark@markcondoncbt.com.

Disclosure of Your Personal Data

Everything discussed during therapy sessions remains strictly confidential. However, we may need to share general personal or contact data with:

  • Service providers that supply secure IT services, encrypted cloud storage or practice-management systems
  • Professional advisers, including supervisors, insurers and accountants; clinical details shared with supervisors are kept anonymous
  • Government or regulatory bodies, such as the Information Commissioner’s Office, where required by law
  • Emergency services or your GP, but only where there is a severe and immediate risk of harm to you or another person

International Transfers

We use secure, GDPR-compliant systems.

If a technical service provider stores data outside the UK or European Economic Area, such as through a US-based secure platform, we ensure that appropriate safeguards are in place. These may include standard contractual clauses or equivalent legal frameworks approved by the UK Government.

Data Security

We have implemented appropriate security measures to prevent your personal and clinical data from being accidentally lost, used, altered, disclosed or accessed without authorisation.

These measures include password-protected and encrypted devices and secure practice-management software.

Data Retention

We retain personal and clinical data only for as long as necessary to fulfil the purposes for which it was collected.

  • Financial records are retained for six years for tax purposes.
  • Clinical records are retained for seven years after your therapy ends, in line with professional guidelines. They are securely destroyed after this period.

Your Legal Rights

Under data-protection law, you have rights concerning your personal data. These include the right to request:

  • Access to your personal data
  • Correction of inaccurate personal data
  • Erasure of your personal data
  • Restriction of how your personal data is processed

You also have the right to make a formal complaint if you believe your personal data has been mishandled.

How to Make a Data-Protection Complaint

If you are unhappy with how your personal or clinical data has been collected, stored or used, please contact us so that we can try to resolve the issue.

Email: mark@markcondoncbt.com

Please explain the nature of your concern. You do not need to use formal legal language.

Our Complaints Process

We will handle your complaint as follows:

  1. Acknowledgement: We will formally acknowledge receipt of your complaint within 30 days.
  2. Investigation: We will investigate the matter thoroughly and without undue delay.
  3. Outcome: We will write to explain the outcome of our investigation, any steps we have taken and how the matter has been resolved.

If you remain dissatisfied with our response or how your complaint was handled, you have the right to escalate the matter to the UK supervisory authority, the Information Commissioner’s Office (ICO).

Visit the Information Commissioner’s Office website or read the ICO’s guidance on individual data-protection rights.