GDPR Compliance

Last updated: 9 April 2026

Our Commitment to Data Protection

Dusk Glow Psychology Services Ltd is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we comply with these regulations and what your rights are as a data subject.

Data Controller Information

Dusk Glow Psychology Services Ltd is the data controller responsible for your personal information. Our contact details are:

Dusk Glow Psychology Services Ltd
42 Deansgate
Manchester M3 2AY
United Kingdom
Email: [email protected]

We are registered with the Information Commissioner's Office (ICO), the UK's independent authority for data protection.

Types of Personal Data We Process

In the course of providing our services, we process the following categories of personal data:

  • Identity Data: Name, date of birth, age
  • Contact Data: Email address, postal address, emergency contact details
  • Health Data: Information about your mental health, wellbeing concerns, medical history, therapeutic goals, and session notes
  • Financial Data: Payment information and billing records
  • Technical Data: IP address, browser type, device information when you visit our website
  • Usage Data: Information about how you use our website and services
  • Communication Data: Emails and other correspondence with us

Lawful Basis for Processing

Under the UK GDPR, we must have a lawful basis to process your personal data. We rely on the following legal grounds:

Consent

For processing special category data (such as health information), we obtain your explicit consent. You have the right to withdraw this consent at any time, though this may affect our ability to provide services to you.

Contract Performance

Processing is necessary to fulfil our contractual obligations to provide psychological services to you.

Legal Obligation

We are required to process certain data to comply with legal and regulatory requirements, including maintaining clinical records in accordance with professional standards.

Legitimate Interests

We may process data where it is in our legitimate business interests to do so, such as improving our services, preventing fraud, or ensuring network security, provided this does not override your fundamental rights and freedoms.

Vital Interests

In rare circumstances, we may need to process data to protect someone's life or prevent serious harm.

Your Data Protection Rights

Under the UK GDPR, you have comprehensive rights regarding your personal data:

Right to Be Informed

You have the right to clear, transparent information about how we use your personal data. This information is provided through our Privacy Policy and this GDPR page.

Right of Access

You can request a copy of the personal data we hold about you, known as a Subject Access Request (SAR). We will provide this within one month, free of charge in most cases. To make a request, email us at [email protected] with proof of your identity.

Right to Rectification

If personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will update our records promptly upon receiving such a request.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances. However, this right is not absolute, particularly where we have legal or professional obligations to retain records (such as clinical notes which must be kept for seven years).

Right to Restrict Processing

You can ask us to restrict how we use your data in certain situations, such as when you contest the accuracy of the data or object to our processing.

Right to Data Portability

Where technically feasible, you can request that we provide your personal data in a structured, commonly used, machine-readable format, or transmit it directly to another organisation.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects. Any clinical decisions are made by qualified practitioners using professional judgment.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us at [email protected]. We will:

  • Respond to your request within one month
  • Verify your identity before proceeding
  • Provide information free of charge (unless the request is manifestly unfounded or excessive)
  • Explain any reasons if we cannot comply with your request

Data Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Pseudonymisation where appropriate
  • Regular security testing and vulnerability assessments
  • Access controls and authentication requirements
  • Staff training on data protection principles
  • Regular backup procedures and disaster recovery plans
  • Confidentiality agreements with staff and contractors
  • Secure destruction of data when no longer needed

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

  • Clinical Records: Minimum seven years after the end of treatment (or until age 25 for clients under 18)
  • Financial Records: Seven years in accordance with HMRC requirements
  • Enquiry Information: Two years from last contact if no service relationship established
  • Website Analytics: 26 months
  • Email Correspondence: Duration of service relationship plus two years

International Data Transfers

We primarily store and process your data within the United Kingdom. If we need to transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Transfer to countries deemed adequate by the UK government
  • Use of standard contractual clauses approved by the ICO
  • Ensuring the recipient has appropriate data protection certifications

We will inform you if your data will be transferred internationally and the safeguards applied.

Data Breach Procedures

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Document the breach, its effects, and remedial action taken
  • Take immediate steps to contain and minimise the impact
  • Review and improve our security measures to prevent recurrence

Third-Party Data Processors

We work with carefully selected third-party service providers who process data on our behalf. These include:

  • IT infrastructure and cloud storage providers
  • Payment processing services
  • Email and communication platforms
  • Website hosting and analytics services

All processors are bound by data processing agreements that ensure they comply with UK GDPR requirements and implement appropriate security measures.

Children's Data

When providing services to individuals under 18, we obtain appropriate consent from parents or guardians in accordance with UK GDPR requirements. We take extra care to ensure young people's data is protected and that information is provided in an age-appropriate manner.

Professional and Legal Exceptions

As healthcare professionals, we are bound by clinical confidentiality standards that sometimes intersect with data protection law. There are limited circumstances where we may need to share information without consent:

  • Where there is serious risk of harm to the individual or others
  • To prevent or detect serious crime
  • Where required by court order or legal obligation
  • For safeguarding purposes in accordance with local authority procedures

These exceptions are carefully applied and we will inform you about limitations to confidentiality at the outset of our work together.

Updates to This Information

We may update this GDPR compliance information to reflect changes in regulations or our practices. Significant changes will be communicated to active clients. The date at the top of this page shows when it was last updated.

Questions or Concerns

If you have questions about how we handle your personal data or our GDPR compliance, please contact us at [email protected]. We are committed to addressing your concerns transparently and promptly.

Right to Lodge a Complaint

If you are not satisfied with how we have handled your personal data or responded to your requests, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Tel: 0303 123 1113
Email: [email protected]
Website: www.dusk-glow.com

However, we would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first if possible.

Professional Registration

Our practitioners are registered with relevant professional bodies including the British Psychological Society (BPS) and British Association for Counselling and Psychotherapy (BACP), which have their own ethical codes regarding confidentiality and data handling. We comply with both data protection law and professional standards.