Privacy Policy


Thank you for checking out the privacy policy.

 

Connection Psychology is committed to handling your information in a responsible, secure, and confidential way while you use our website and services.

Connection Psychology is founded and directed by Giorgia Garozzo, who is also the psychologist delivering the services. I want you to feel safe reaching out and confident that anything you share with us is treated with care, respect, and confidentiality.

This policy explains how we collect, store, and process personal data via our website and as part of the psychological services we provide. Please read it alongside any other privacy notices we may provide so you are fully informed about how and why your personal information is used.

Who is responsible for your data?

The data controller is: Connection Psychology, Giorgia Garozzo
Director & Practitioner: Giorgia Garozzo
Operating under UK GDPR and the guidance of the Information Commissioner’s Office (ICO)

Contact details:
Email: Giorgia.garozzo11@gmail.com
Phone: {email to request a call}

If you have any concerns, I encourage you to contact me first so we can try to resolve them together.

You also have the right to contact the Information Commissioner’s Office (ICO): www.ico.org.uk

 

What type of data do we collect?

We may collect and store the following types of personal data:

  • First and last name, title

  • Phone number and email address

  • Address

  • Mental health history, relevant medical information, and medications

  • Clinical notes and records from sessions

  • IP address, browser type, operating system, and time zone

  • Information about how you interact with our website

  • Information you voluntarily submit via contact forms or communications

  • Transactional and communication history (e.g. emails)

Health-related information is treated as Special Category Data and handled with additional safeguards.

 

How we collect your data

We collect personal data when you:

  • Fill out the contact form on our website

  • Contact us by email or phone

  • Attend sessions or provide information during onboarding

  • Use our website (including cookies – see our Cookie Policy)

  • Respond to feedback requests or surveys

Where your data is stored and processed

We use GDPR-compliant systems to store and manage personal and clinical information securely.

 

Primary clinical record system

  • WriteUpp is used as our primary clinical practice management system to store:

    • Client records and therapy notes

    • Personal and contact information

    • Appointment scheduling

    • Secure client communications and automated emails

WriteUpp is a UK-based, GDPR-compliant platform designed specifically for healthcare and psychological services.

 

Communication and shared materials

  • Gmail (Google Workspace) is used to respond to enquiries and communicate with clients

  • Google Drive is used only to store non-clinical shared materials (such as worksheets, resources, or information documents shared with clients)

  • Some automated emails may be sent via WriteUpp as part of appointment reminders or service-related communication

Clinical notes and sensitive personal information are not routinely stored on Google Drive and are held securely within WriteUpp.

Google Workspace data may be stored across data centres in the UK, EU, and the United States. To ensure lawful and secure processing:

  • Google is certified under the UK Extension to the EU–US Data Privacy Framework

  • Google uses Standard Contractual Clauses (SCCs) to protect international data transfers

  • All systems are protected with encryption, strong passwords, and two-factor authentication

 

How long do we keep your data?

We only retain personal data for as long as necessary and in line with professional, ethical, and legal requirements:

  • Client records (adults): 7 years after the end of treatment

  • Client records (children and young people): until the client’s 25th birthday

  • Basic client data (contact and billing details): 6 years for tax and accounting purposes

  • Initial enquiries (where no therapeutic relationship begins): deleted after 6 months

For any data outside these categories, retention is assessed based on clinical, legal, and ethical obligations.

 

Why do we use your personal data?

We use your data to:

  • Register you as a client

  • Assess suitability for psychological services

  • Schedule, deliver, and review therapy sessions

  • Maintain appropriate clinical records

  • Manage payments and invoicing, where applicable

  • Communicate about appointments, updates, or service changes

  • Respond to enquiries

  • Meet legal, regulatory, and professional obligations

  • Improve our website and services through usage data

We do not use your personal data for marketing or advertising unless you have explicitly opted in.

 

What lawful bases do we rely on?

Under UK GDPR, we process personal data under the following lawful bases:

  • Consent – particularly for processing health-related (Special Category) data

  • Performance of a contract – to provide psychological services

  • Legal obligations – such as record keeping or safeguarding

  • Legitimate interests – for managing the business aspects of the practice in a way that does not override your rights

Some processing activities may rely on more than one lawful basis.

 

Do we share your personal data?

Your information is treated with the highest level of confidentiality. We only share data when necessary and under strict safeguards, including with:

  • Secure IT and cloud service providers (e.g. WriteUpp, Google Workspace)

  • Professional advisers (e.g. clinical supervisors, legal or financial advisers)

  • Insurance providers, where applicable

  • Other healthcare professionals (with your consent, unless there is a serious risk)

  • Supervisors, as required by professional standards (using initials or anonymised information where possible)

  • Legal or regulatory authorities where disclosure is required by law

All third parties are contractually required to protect your data and only process it on our instructions.

 

International data transfers

Because we use Google Workspace, some data may be processed outside the UK. Safeguards include:

  • UK–US Data Privacy Framework certification

  • Standard Contractual Clauses

  • Data Processing Agreements with providers

We do not otherwise transfer data internationally unless required and lawfully safeguarded.

 

Your rights under UK GDPR

You have the right to:

  • Access your data

  • Request correction

  • Request erasure (where legally possible)

  • Object to or restrict processing

  • Request data portability

  • Withdraw consent at any time

Requests are responded to within one month, unless an extension is legally permitted.

 

Changes and contact

We review this privacy policy regularly. Please let us know if your personal information changes so we can keep records accurate.

If you have questions or wish to exercise your rights, contact: 📧 Giorgia.garozzo11@gmail.com
