Last updated: May 2026

Privacy & GDPR

How I collect, store and protect your personal information.

1. Data Controller

Giancarlo Cristea, UK-registered psychotherapist. Email: contact@giancarlocristea.com. Address: United Kingdom.

2. What Data I Collect

I collect the following personal data: name, email address, content of messages sent through the contact form, session notes (stored securely and encrypted). Health data (session notes, transcripts, clinical observations) is special category data under Art. 9 UK GDPR. I do not collect financial data — payments are processed directly.

3. Purpose of Collection

Your data is collected solely for: delivering psychotherapy services, communication related to appointments and consultations, and fulfilling legal and ethical obligations as a therapist.

4. Legal Basis for Processing

I process your data on the following bases: Art. 6(1)(b) — performance of the therapy contract; Art. 6(1)(c) — legal obligations (medical record retention); Art. 6(1)(f) — legitimate interest (appointment communication, site security). For health data (special category), the basis is Art. 9(2)(h) UK GDPR — provision of healthcare by a professional bound by confidentiality.

5. Storage and Security

Session notes and client data are stored in Firestore (Google Cloud, region europe-west2 — London), encrypted at rest and in transit. The site runs on Vercel with serverless functions pinned to London (lhr1) — same region as the database, no transatlantic hop. Email communication is encrypted. Access to client data is strictly limited to me as the therapist.

6. Third-Party Processors

I use the following processors, each under a DPA: Google Firebase / Firestore (UK, europe-west2) — storage; Vercel Inc. (UK, lhr1) — site hosting (US parent, under Standard Contractual Clauses); Resend (US, SCC) — transactional email; Sentry (Germany, GmbH) — error tracking (opt-in via cookie banner); PostHog (EU, eu.i.posthog.com) — site analytics (opt-in via cookie banner, form inputs masked); Make.com (EU/CH) — operational automation. No processor receives session data in the clear without pseudonymisation.

7. International Transfers

Where a processor is based outside the European Economic Area or the United Kingdom (e.g. US-parented companies), transfers are made under Standard Contractual Clauses (SCC) approved by the European Commission / ICO, with supplementary measures (encryption, data minimisation). There is no direct transfer of session data to non-UK/EU processors — health data stays in London (Firestore europe-west2 + lhr1 functions).

8. Cookies & Similar Technologies

I use necessary cookies (authentication, session security) — no opt-in is required, as they are indispensable to the site working. Optionally, with your consent: analytics (PostHog EU, anonymous, form inputs masked) and error tracking (Sentry, masked recording only on error). Refusal does not affect site use. You can change your preferences at any time from the site footer → "Cookie preferences".

9. Automated Decisions and Profiling

You are not subject to any automated decisions producing legal effects or significantly affecting you. Any clinical decision (therapeutic recommendation, risk assessment) is made by me as a human therapist, not by an automated system (Art. 22 UK GDPR).

10. Data Retention

Under UK law and NCPS ethical standards, therapeutic records are kept for 7 years after therapy ends (or 7 years from age 18 for clients who began therapy as minors). Site data (contact forms, technical logs) is kept for a maximum of 12 months.

11. Your Rights (UK GDPR)

You have the right to: access your personal data, rectification of inaccurate data, erasure (subject to legal obligations to retain medical records), restriction of processing, data portability, objection to processing, withdrawal of consent (analytics/debugging cookies). To exercise these rights, contact me at contact@giancarlocristea.com and I will respond within a maximum of 30 days.

12. Breach Notification

In the event of a security breach involving personal data, I will notify the Information Commissioner's Office (ICO) within a maximum of 72 hours (Art. 33 UK GDPR). If the breach poses a high risk to your rights, I will also notify you directly without undue delay (Art. 34).

13. Complaints to the ICO

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK data protection authority: ico.org.uk · 0303 123 1113. I encourage you to contact me first at contact@giancarlocristea.com — I will do everything possible to resolve the matter directly.

14. Confidentiality in Therapy

Session content is strictly confidential, except in cases provided for by ethical standards: imminent risk to yourself or others, abuse of a minor, or legal obligations imposed by a court. I will discuss any exceptions with you, where possible, before acting.

15. Professional Insurance

Covered by Holistic Insurance Services, policy HIS99423, FCA 475577. Valid August 2025 – August 2026. £100,000 per claim, £500,000 aggregate.

16. Professional Membership

NCPS (National Counselling and Psychotherapy Society) member. Complaints can be directed to NCPS via their official website: ncps.com.

17. Policy Changes

This policy may be updated periodically. The current version is always available on this page. Last updated: May 2026.