Privacy Policy

Version: 1.2 (Updated December 2025)
Applies to: Strive
ICO Reg: ZC042401

1. Introduction
   Strive is committed to protecting the privacy and confidentiality of all personal information entrusted to us. This Privacy Policy explains how we collect, use, store, and share personal data in line with the Data Protection Act 2018, UK GDPR, and professional ethical obligations under the BACP Ethical Framework.
2. Scope
   This policy applies to all personal data processed by Strive, including data relating to clients, placement counsellors, volunteers, employees, contractors, and third parties. It covers data processed through our website, booking systems, email, and counselling records.
3. Data We Collect
   We may collect and process the following categories of data:
   – Contact details (name, address, email, phone).
   – Personal details provided by clients during assessment and counselling.
   – Health information relevant to counselling provision.
   – Emergency contact and GP details for safeguarding purposes.
   – Counsellor or volunteer application and supervision records.
   – Financial information related to payments (processed securely via PayPal).
   – Email correspondence exchanged through Google Workspace (Gmail), including metadata such as timestamps and sender/recipient details.
4. Legal Basis for Processing
   Strive processes data on the following bases:
   – Consent: Where clients or counsellors provide explicit consent (for assessment, counselling, or data sharing).
   – Contract: Where processing is necessary for the provision of counselling services.
   – Legal obligation: To comply with legal and regulatory requirements (e.g., safeguarding).
   – Legitimate interests: For purposes such as service evaluation, supervision, communication, and organisational management.

4a. Stages of Data Collection and Legal Basis
Referral and Self-Referral
– Data collected: Name, email, phone, brief overview of presenting issue(s).
– Legal basis: Consent (information provided voluntarily to access services).

Clinical Assessment
– Data collected: Full personal details, health and wellbeing information, risk and safeguarding details, GP/emergency contact.
– Legal basis: Consent (for counselling purposes), Legitimate Interests and Legal Obligation (where safeguarding is required).

Counsellor Assignment
– Data collected: Allocation records, internal suitability notes.
– Legal basis: Legitimate Interests (safe and appropriate matching).

Counselling Sessions
– Data collected: Client location at each session, notes, session records.
– Legal basis: Contract, Legitimate Interests (safe practice, supervision), and Legal Obligation (safeguarding requirements).

Review
– Data collected: Monitoring and evaluation data, outcome measures such as CORE forms.
– Legal basis: Legitimate Interests and Consent (where anonymised data is used in reporting).

End of Counselling
– Data collected: Closing summary, retained notes.
– Legal basis: Legitimate Interests and Legal Obligation (minimum retention requirements).

Complaints
– Data collected: Complaint details, investigation records, correspondence.
– Legal basis: Legitimate Interests and Legal Obligation.

Email Communications and Mailing Lists
Strive may send occasional email communications to individuals who have expressly consented to receive them, including newsletters, service updates, wellbeing resources and other relevant information. We will only send marketing and informational emails to individuals who have actively opted-in to receive these communications.

When you subscribe to our mailing list, for example through a subscribe form on our website, we collect your name and email address for the purpose of sending the communications you have consented to receive. Your consent to receive these emails is our lawful basis for processing this data.

We use MailerLite as our email marketing platform to manage mailing list subscriptions and to send email communications on our behalf. MailerLite processes personal data in accordance with applicable data protection laws and MailerLite’s own privacy practices. You can learn more about MailerLite’s privacy practices here: https://www.mailerlite.com/legal/privacy-policy

Every email we send includes an easy option to unsubscribe. You can withdraw your consent at any time by clicking the unsubscribe link in the email, by updating your preferences, or by contacting us directly. Once you unsubscribe, we will stop sending you marketing emails.

We will retain your subscription information only for as long as necessary to provide you with the requested communications or as required by law.

5. Confidentiality
   All counselling records are treated as confidential and will not be disclosed without consent, except where:
   – There is a risk of serious harm to the client or others.
   – There is a legal obligation to disclose (e.g., safeguarding, terrorism, money laundering).
   – A court order requires disclosure.

Other limits of confidentiality exist and should be contracted with clients. The Proprietor and CEO reserves full access to all records across Strive for quality assurance, safeguarding, and compliance purposes.

6. Data Storage and Security
   – Client data, assessments, and notes are stored securely on Strive-managed systems (Microsoft 365, Google Workspace, Setmore).
   – Email communications are processed and stored using Google Workspace (Gmail).
   – Strive also uses Mailsuite, a Gmail addon that assists with email organisation and follow-up. Mailsuite processes only the information necessary to provide its service.
   – Both Google and Mailsuite act as data processors, meaning they handle data strictly in accordance with UK GDPR and our documented instructions.
   – Some data processed by Google or Mailsuite may be stored outside the UK or EEA. Where this occurs, processing is protected by safeguards such as Standard Contractual Clauses.
   – We use MailerLite to manage our mailing list and email communications. MailerLite processes personal data on our behalf as a data processor under a GDPR-compliant Data Processing Addendum
   – Paper records (if any) are kept in locked storage accessible only to authorised personnel.
   – Access to data is restricted to individuals who require it for legitimate organisational purposes.
   – Personal devices must not be used to store Strive records unless encrypted and authorised. Multi-factor authentication should be used wherever possible.
   – Please note: while email is widely used and reasonably secure, no email system is completely risk-free. Clients are encouraged to avoid sharing very sensitive personal information via email where possible.
7. Data Retention
   Strive retains counselling records for a minimum of seven years following the end of counselling, in line with professional guidance. After this period, records will be securely destroyed unless required for legal or regulatory purposes.

For evaluation or statistical purposes, Strive may use pseudonymised data. The master counselling record will remain securely attributable to the individual for a minimum of seven years before being securely destroyed or anonymised.

8. Data Sharing
   – Strive does not sell or share personal data with third parties for marketing purposes.
   – Data may be shared with external agencies where required for safeguarding, legal compliance, or where the client has given consent.
   – Data processors used by Strive (including Setmore, PayPal, Microsoft, Google Workspace, and Mailsuite) are required to comply with UK GDPR and maintain appropriate security measures.
9. Individual Rights
   Individuals have the following rights under UK GDPR:
   – The right to be informed.
   – The right of access.
   – The right to rectification.
   – The right to erasure in certain circumstances.
   – The right to restrict processing.
   – The right to data portability.
   – The right to object.
   – Rights in relation to automated decision-making and profiling.

Requests should be submitted in writing to the Proprietor and CEO.

10. Breach of Data Security
    Any data breach will be reported promptly to the Proprietor and CEO, who will investigate and take appropriate actions in line with ICO guidance.
11. Review
    This Privacy Policy will be reviewed annually, or sooner if required by legislation, guidance from the ICO, or organisational needs.
12. Version History
    Version 1.2 – December 2025
    Added details of email processing through Google Workspace (Gmail).
    Added use of Mailsuite as a Gmail addon and its role as a data processor.
    Updated Data Storage and Security section to reflect current systems and safeguards.
    Minor clarity improvements across wording and terminology.
    Version 1.1 – August 2025
    Initial publication of revised Privacy Policy under the Strive brand.
    Updated scope, legal bases, retention, and data processing details.
    Added pseudonymisation information and clarified supervision records.
    Version 1.0 – April 2025
    First full Privacy Policy drafted for launch of Strive.