Legal Documentation
Privacy Policy
Last Updated: April 2026
At Mike Scarano Therapy, I am committed to maintaining the trust and confidence of my clients. This Privacy Policy details how I collect, use, and protect your personal information in strict accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
For the purposes of data protection legislation, Mike Scarano is the Data Controller. This means I am responsible for deciding how I hold and use personal information about you.
2. Information I Collect
To provide professional psychotherapy and counselling services, I collect and process the following data:
- Identity & Contact Data: Name, address, phone number, email address, and date of birth.
- Special Category Data: Health information, medical history, GP details, and brief clinical notes regarding therapy sessions.
- Financial Data: Billing information for processing payments.
3. Lawful Basis for Processing
I rely on the following lawful bases to process your personal data:
- Contract: Processing is necessary for the performance of our therapeutic agreement.
- Legitimate Interests: To run my practice effectively, maintain clinical records, and manage enquiries.
- Legal Obligation: To comply with tax, HMRC, or legal safeguarding requirements.
- Special Category Data: Processed under the condition that it is necessary for the provision of health or social care/treatment.
4. Data Security & Storage
All personal and clinical records are kept strictly confidential. Electronic data is stored on secure, encrypted devices and platforms compliant with GDPR standards. Physical notes (if any) are anonymised and stored in a locked filing system. I implement robust technical measures to prevent unauthorised access or disclosure.
5. Data Sharing & Confidentiality
Therapy is a confidential space. I will not share your data with third parties for marketing purposes. Your information may only be shared under the following conditions:
- Clinical Supervision: As per BACP ethical guidelines, I discuss clinical casework with a qualified supervisor. Identity is always anonymised during these sessions.
- Legal & Safeguarding: If I am legally compelled by a court of law, or if there is a severe, immediate risk of harm to yourself or others.
6. Data Retention
I will only retain your personal data for as long as necessary to fulfil the purposes I collected it for. Clinical records and session notes are typically securely destroyed 7 years after therapy concludes, aligning with clinical and legal best practices.
7. Your Rights
Under UK GDPR, you possess several rights regarding your data, including:
- Access: Request a copy of the personal data I hold about you.
- Rectification: Request correction of incomplete or inaccurate data.
- Erasure: Ask me to delete or remove personal data where there is no good reason for continuing to process it (often restricted for medical/tax records).
- Restriction: Ask me to suspend processing your timeline data in certain scenarios.
8. Contact & Complaints
If you have any questions about this Privacy Policy, or if you wish to exercise your data rights, please contact the Data Controller:
- Name: Mike Scarano
- Registered Address: 75 Keens Lane, Guildford GU3 3JS
- Email: mikescarano@gmail.com
If you believe your data protection rights have been breached, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.