Client Privacy Notice

Last updated: 20 January 2026

1. Who we are

Openforwards Ltd (and/or Openforwards CBT & Counselling, as the trading name) is the controller for therapy-client personal data.

Contact: support@openforwards.com | Tel. +44 121 523 1108 | The Jewellery Business Centre, 95 Spencer Street, Birmingham, B18 6DA, UK

2. What this notice covers

This notice applies when you:

enquire about therapy
book/attend therapy sessions (in person or online)
communicate with us about your care

3. The personal data we collect in therapy contexts

Identity and contact

Name, contact details, date of birth [if collected], emergency contact [if collected]

Information you share in sessions (including mental/physical health details)
Assessments, formulations, goals, progress notes
Appointment history, correspondence, and any questionnaires/outcome measures

Health/therapy information is usually “data concerning health” and is treated as special category data.

Admin and payments

Invoices, receipts, payment status
Insurance details [if applicable]

4. Why we use your data (purposes)

We use therapy client data to:

assess suitability and provide therapy
arrange appointments and communicate with you
keep appropriate clinical records
manage safeguarding, risk, and professional responsibilities
handle billing and accounting
respond to complaints or clinical governance issues
meet legal/regulatory obligations

5. Lawful basis (Article 6) and special category condition (Article 9)

We rely on one or more lawful bases depending on the situation (e.g., contract, legal obligation, legitimate interests).

Because therapy involves special category (health) data, we also rely on an Article 9 condition. The most relevant condition for therapy is commonly health or social care / treatment (where applicable), and/or other relevant conditions depending on context and safeguarding needs.

Note: If we ever rely on explicit consent for specific processing, we will make that clear and you can withdraw it.

6. Confidentiality and when information may be shared

Therapy is confidential. We only share information where necessary and appropriate, for example:

Clinical supervision/consultation: to maintain quality of care (normally anonymised/pseudonymised wherever possible)
Safeguarding / serious risk: if there is a serious risk of harm to you or others
Legal obligations: where disclosure is required by law or court order
With your consent: e.g., sharing a letter/report to a GP, insurer, or another professional

Only as needed, for example:

secure practice management/notes system [WriteUpp]
video platform for online sessions [ZOOM]
email/phone providers [GenieAI, ConvertKit]
payment provider [Stripe, Paypal]
professional advisers (e.g., Professional Consultant)
regulators/insurers where required

8. International transfers

If any therapy systems store/process data outside the UK, we use appropriate safeguards.

9. How long we keep therapy records

We keep therapy records for a defined period to support clinical governance, insurance, and legal requirements. If you publish a specific period here, make sure it matches your internal retention policy; otherwise, state clear criteria (ICO expects either a period or criteria).

Typical approach:

Adult client records: 7 years after last contact
Where work involves a child/young person: until age 25 or 7 years after last contact, whichever is longer
Financial records: 6 years (HMRC/accounting)

10. Your rights

You have rights including access to your data. In therapy contexts, there can be limited exemptions (e.g., where disclosure would cause serious harm or reveal third-party information). We handle requests carefully and lawfully.

11. Complaints

12. Changes to this notice

We may update this notice. The latest version will be posted on this page.