Privacy Notice – How We Use Personal Data

Think CBT Ltd (“Think CBT”, “we”, “us”) is committed to protecting the privacy and security of personal data. This Privacy Notice explains how we collect, use, store and share personal data, and describes individuals’ rights under UK data protection law.

We are registered with the Information Commissioner’s Office (ICO).
ICO registration number: ZA050075

Who we are

Think CBT Ltd is the data controller for personal data processed in connection with:

• Commissioned psychological therapy services (e.g. NHS, employer-funded or insurer-funded contracts)

• Therapist recruitment and governance

• Employment and HR activities

• Business operations and statutory obligations

Data Controller Status for Privately Funded Therapy

For privately funded therapy delivered by Associate Therapists, the Associate Therapist acts as an independent Data Controller in relation to clinical records. In these cases, the therapist’s own privacy notice also applies.

Data protection enquiries:

Email: info@thinkcbt.com 

(Think CBT Ltd is not required to appoint a statutory Data Protection Officer. Data protection responsibilities are overseen by the Information Governance Lead.)

What personal data we process

Clients

We may process:

• Name, contact details, date of birth

• Referral and assessment information

• Clinical records, reports and correspondence

• Appointment and service delivery information

• Billing and payment information (where applicable)

Therapists

We may process:

• Contact details

• Professional registration and accreditation details

• DBS status

• Insurance and governance information

• Contract and payment information

• Availability, specialisms and service delivery details

Employees

We may process:

• Contact and employment details

• Payroll and statutory information

• Training, supervision and HR records

Members of the public

We may process:

• Website enquiry data

• Published professional information about therapists (e.g. therapy types, specialisms, approximate location)

Why we process personal data

We process personal data to:

• Deliver psychological therapy services

• Assess suitability and allocate therapists

• Maintain accurate clinical and governance records

• Manage therapist recruitment, onboarding and contracts

• Manage employment and HR obligations

• Handle billing, payments and accounting

• Comply with legal, regulatory and safeguarding obligations

• Respond to complaints, enquiries and information requests

Lawful bases for processing

We process personal data under one or more of the following lawful bases:

• Contract

• Legal obligation

• Legitimate interests

• Special category data – provision of health care and treatment (for client clinical data)

Where consent is used, it can be withdrawn at any time, though this may affect the services we can provide.

How personal data is shared

Personal data may be shared with:

• Allocated associate or inhouse therapists

• Commissioning organisations (e.g. NHS or other contracting bodies, where applicable)

• External accountants and payroll providers (restricted to what is necessary)

• Regulators or authorities where legally required

Data is shared via:

• Secure system access

• Password-protected documents shared by email

• Secure cloud-based systems

We do not sell personal data or use it for marketing purposes.

National Data Opt-Out

Think CBT Ltd does not currently use or share confidential patient information for research or planning purposes beyond direct care. Where applicable, we recognise and comply with the National Data Opt-Out policy and will respect any opt-out preferences should such processing be undertaken in future.

International transfers

Personal data is normally stored within the UK or EEA.

Where data is processed outside the UK/EEA, appropriate safeguards are in place in accordance with UK data protection law.

How we keep data secure

We use appropriate technical and organisational measures including:

• Role-based access controls

• Restricted user permissions

• Strong passwords and multi-factor authentication where available

• Secure cloud-hosted systems

• Regular backups

• Contractual confidentiality obligations

How long we keep data

• Client clinical records: retained in line with recognised NHS records management guidance (minimum 8 years from last contact)

• Therapist records: retained for the duration of the contractual relationship and a minimum of 8 years thereafter

• Employee HR records: retained in line with employment and statutory requirements (minimum 6 years)

• Financial records: retained in line with HMRC requirements (minimum 6 years)

Data is securely deleted or anonymised when no longer required.

Your rights

Under UK data protection law, individuals have the right to:

• Request access to their personal data (subject access request)

• Request correction of inaccurate or incomplete data

• Request erasure of personal data in certain circumstances

• Request restriction of processing in certain circumstances

• Object to processing where we rely on legitimate interests

• Request data portability where processing is based on contract and carried out by automated means

• Lodge a complaint with the Information Commissioner’s Office (ICO)

The right to erasure and certain other rights are not absolute. Personal data may be retained where it is necessary to comply with legal, regulatory or professional obligations, including the establishment, exercise or defence of legal claims. In particular, clinical records are retained in accordance with our stated retention periods and cannot ordinarily be deleted on request during that period.

Requests should be made in writing to info@thinkcbt.com. We aim to respond within one month of receipt.

Complaints

If you are unhappy with how we handle personal data, you may contact the ICO at www.ico.org.uk.

Updates to this notice

We may update this Privacy Notice from time to time.

The most recent version will always be published on our website.

Last reviewed: January 2026