Privacy Policy

Privacy Policy on a tablet

Privacy Policy

This policy explains how Counselling Matters collects, uses, stores, shares and protects personal data when people use this website, contact the organisation, complete forms, book events, sign up for updates or otherwise interact with the site.

Last updated: 12 June 2026.

Contents

Who we are

Counselling Matters is a trading style of Counselling Connections, a private limited company registered in England and Wales with company number 11564334. The registered office and other organisation details are as set out on this website.

For the purposes of UK data protection law, Counselling Connections is the controller of the personal data collected through this website unless this policy states otherwise.

The organisation is registered with the Information Commissioner’s Office under registration number C1541097.

 

Contact for privacy matters: directors@counselling-matters.org.uk

What personal data we collect

Depending on how this website is used, personal data collected may include:

  • Name, email address, telephone number and postal details.
  • Information submitted through the contact form, referral form, event booking form and mailing list sign-up form.
  • Booking and attendance information relating to events.
  • Communications sent by email, web form or other contact routes made available on the site.
  • Technical information such as IP address, browser type, device information, referral source, pages viewed and interaction data.
  • Comment data, where comments are enabled, including the information entered in the comment form and associated anti-spam information.
  • Information required to administer accounts, website security, anti-spam and analytics services.

Special category data

Some forms and assessments available through this website may collect information relating to mental health, including depression and anxiety assessment responses. Information about an individual’s mental health is special category personal data under UK GDPR and receives additional legal protection.

Special category data will only be processed where a valid condition under data protection law applies in addition to a lawful basis under Article 6 UK GDPR. Depending on the service, this may include explicit consent, the provision of health or social care, safeguarding-related reasons, or the establishment, exercise or defence of legal claims where applicable.

People should avoid including unnecessary sensitive personal data in general enquiries unless it is relevant to the support, referral or service requested.

How data is collected

Personal data is collected directly from individuals when they complete website forms, book onto events, sign up for the mailing list, complete assessments, leave comments, email the organisation or otherwise contact Counselling Matters.

Technical data is collected automatically through cookies, analytics technologies, server logs, security tools and anti-spam services used to operate and protect the website.

Form responses are stored in the website database where the relevant forms or assessments are configured to do so.

How we use personal data

Personal data may be used to:

  • Respond to enquiries and administer requests made through the website.
  • Process referrals, event bookings and mailing list subscriptions.
  • Provide information about events and related activities where a person has subscribed to receive updates.
  • Administer assessments and related support or signposting functions.
  • Operate, maintain, troubleshoot and secure the website.
  • Prevent spam, abuse, fraud and unauthorised access.
  • Measure website use and improve website content, structure and performance.
  • Comply with legal, regulatory, safeguarding and risk-management obligations.

Lawful bases

Personal data is processed only where there is a lawful basis under UK GDPR. The lawful basis used depends on the activity involved.

Purpose Typical data Lawful basis
Responding to enquiries and managing requests Contact details, message content, related records Legitimate interests, and where applicable steps requested before entering into a contract
Referrals, event bookings and service administration Identity, contact and booking/referral information Legitimate interests, contract-related steps, and other bases as required by the circumstances
Event mailing list Name, email address, subscription preferences Consent
Depression and anxiety assessments and related sensitive information Mental-health-related responses and associated identifiers Article 6 lawful basis plus an additional special category condition under Article 9 UK GDPR, depending on the context
Security, anti-spam and website protection IP address, device/browser data, request metadata Legitimate interests
Website analytics and performance improvement Usage data, identifiers, device and browser information Legitimate interests, subject to PECR and cookie rules

Where consent is relied on, consent may be withdrawn at any time. Withdrawal will not affect the lawfulness of processing carried out before consent was withdrawn.

Mailing list and event updates

The website includes a sign-up form for email updates about upcoming events. These messages are sent on the basis of consent.

Subscriptions are gathered through a form on the website and are configured to use double opt-in. This means a person must confirm their subscription before being added to the mailing list.

Each email should contain a clear unsubscribe option. If consent is withdrawn, mailing list records should be updated promptly so that future event messages are not sent.

Cookies and similar technologies

This website uses cookies and related technologies to operate the site, support forms and security functions, remember settings, measure usage and support third-party services used through the website.

Based on the current website configuration and existing published policies, this includes WordPress-related cookies and technologies associated with services such as MailerLite, Matomo, Google services, CleanTalk, Wordfence, Gravatar, YouTube, Google Maps, JotForm, Stripe and any custom plugin used to manage cookie preferences or consent.

Some cookies are strictly necessary for the operation and security of the website and do not require consent. Under the Data (Use and Access) Act 2025, certain low-risk analytics or functionality technologies may also be exempt from prior consent where the legal conditions for exemption are met and appropriate information and controls are provided.

However, analytics, advertising, embedded media, third-party forms and similar tools may still require consent under PECR depending on how they operate. For that reason, cookie controls should remain in place unless and until a fresh audit confirms that only exempt technologies are active.

Further detail about cookies used on this website is provided in the website’s cookie policy.

Who data may be shared with

Personal data may be shared with trusted service providers where reasonably necessary to operate the website, communicate with users, process forms, protect the website and deliver services. These may include:

  • Hosting and infrastructure providers, including the website host.
  • Email and communications providers.
  • MailerLite for mailing list management.
  • CleanTalk and Wordfence for anti-spam and website security.
  • Matomo and Google services used for analytics, tags or other website functionality.
  • Gravatar for profile image support where comments or related WordPress features use it.
  • YouTube or Google Maps where content is embedded on the site.
  • JotForm, Stripe or other third-party tools where forms, event functions or payments use them.

Personal data may also be disclosed where required to comply with legal obligations, court orders, regulatory requirements, safeguarding duties or to protect rights, safety and the integrity of the website and services.

International transfers

Counselling Matters does not transfer personal data outside the UK or EU as part of its ordinary operations. However, some service providers used through this website may process data in other countries in the course of providing their services.

Where an international transfer takes place, appropriate safeguards will be used where required under UK data protection law, such as an adequacy decision or approved contractual protections.

Retention

Personal data is kept only for as long as necessary for the purpose for which it was collected, together with any period needed for legal, regulatory, safeguarding, insurance, dispute-resolution or legitimate business purposes. Unless a different retention period is required in a specific case, the following default periods apply.

  • General enquiries that do not lead to an ongoing service: normally up to twelve months after the last substantive contact.
  • Referral and event booking records: normally up to two years after the event or referral closure, unless a longer period is justified.
  • Mailing list records: active while subscribed; unsubscribe and suppression records may be kept for up to seven years to demonstrate compliance with consent and opt-out requirements.
  • Assessment responses and related sensitive form submissions: retained only for as long as necessary for the relevant support, referral, safeguarding or administrative purpose, and normally reviewed at least annually. Assessment responses are not stored unless the user asked us to contact them.
  • Analytics data: retained in accordance with the settings of the analytics tools in use and normally no longer than 26 months.
  • Server, security and anti-spam logs: normally between 30 days and 12 months depending on operational need and incident history.
  • Comment data and associated metadata: retained until deletion is requested, moderation requires removal, or the comments function is discontinued.

Different periods may apply where the law requires longer retention or where shorter retention is appropriate.

Security

Appropriate technical and organisational measures are used to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures may include access controls, software updates, secure hosting, spam and intrusion protection, encryption where appropriate, backups and restricted administrative access.

Although reasonable steps are taken to protect data, no method of transmitting information over the internet or storing data electronically can be guaranteed to be completely secure.

Your rights

Under UK data protection law, individuals may have the right to:

  • be informed about how personal data is used;
  • request access to personal data;
  • request correction of inaccurate or incomplete personal data;
  • request erasure in certain circumstances;
  • request restriction of processing in certain circumstances;
  • object to processing in certain circumstances;
  • request data portability where applicable; and
  • withdraw consent at any time where consent is the basis relied on.

Requests may be made by email using the contact details set out in this policy. Proof of identity may be required before a request is actioned.

How to complain

If there are any concerns about how personal data is handled, a complaint may be made by email to directors@counselling-matters.org.uk or by using the website contact form.

A complaint will be acknowledged within thirty days of receipt and appropriate steps will then be taken to investigate and respond without undue delay. The outcome of the complaint will be communicated as soon as reasonably possible.

If a complaint is not resolved satisfactorily, there is also a right to complain to the Information Commissioner’s Office. Information about the ICO is available at ico.org.uk.

Changes to this policy

This policy may be updated from time to time to reflect legal, technical or operational changes, or future changes to forms, cookies, analytics, embeds or service providers.

When material changes are made, the updated version will be published on this page and the revision date will be changed accordingly.