Privacy Policy

At a glance

At The Blue Lotus Practice, we only collect the information we need to provide therapy and run our website. We never sell your data, and we keep it safe and confidential. This page explains in detail how we use and protect your information, and your rights under data protection law.

The Blue Lotus Practice is the data controller responsible for your personal information.

This Privacy Policy explains how we process and protect the information collected by The Blue Lotus Practice, and why we may need to collect certain personal data about you. By using our website, you agree to the practices described in this Policy.

We take your privacy seriously and are committed to maintaining the confidentiality and security of your personal data.

Personal Information We Collect

When you visit The Blue Lotus Practice website, we may automatically collect certain information about your device, including:

  • Your web browser, IP address, and time zone

  • Cookies installed on your device

  • The individual pages you view, websites or search terms that referred you to our site, and details of how you interact with our website

We refer to this automatically collected information as “Device Information.”

In addition, you may choose to provide personal data to us directly, for example when filling in a form or registering. This may include:

  • Name and surname

  • Address

  • Email and telephone number

  • Payment information (card details are securely processed and stored by Stripe, our payment provider, in accordance with their Privacy Policy: https://stripe.com/gb/privacy)

  • Other details relevant to our services

Why We Process Your Data

Our priority is to ensure the security of client information. We only process personal data that is necessary to deliver our services and maintain the website.

  • Device Information is used to prevent misuse, identify technical issues, and generate anonymous statistical data about website usage.

  • Personal Information you provide enables us to deliver services, respond to enquiries, and fulfil agreements with you (e.g., session bookings).

  • Payment authorisations and weekly charges: We process your data to manage payments for booked sessions, including securely charging your stored card details approximately 48 hours before a scheduled session.

You can browse our website without providing personal data. However, certain features—such as booking sessions, receiving newsletters, or contacting us directly—require some personal details.

If you are unsure which details are required, you can contact us at therapy@thebluelotuspractice.com.

Your Rights

If you are based in the UK or EU, under the UK GDPR or EU GDPR you have the following rights regarding your personal data:

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights in relation to automated decision-making and profiling

To exercise these rights, please contact us using the details below.

Please note: your data may be processed outside of the UK/EU (including in Canada or the USA), but always with appropriate safeguards in place.

Links to Other Websites

Our website may include links to third-party websites. Please note that we are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies when you leave our website.

Use of Zanda

At The Blue Lotus Practice, we use Zanda, a secure, GDPR-compliant practice management system, to store your personal information, clinical notes, and appointment records. Zanda acts as a data processor on our behalf, meaning they manage and protect your data but do not use it for their own purposes. All data is encrypted, stored securely, and only accessible to your therapist for the purposes of providing you with care.

Use of Stripe

At The Blue Lotus Practice, we use Stripe, a secure, GDPR-compliant payment provider, to process and manage client payments. Stripe acts as a data processor on our behalf, meaning they process card payments and securely store card details but do not use them for their own purposes.

There are two ways Stripe is used within our practice:

  • Initial Bookings: When you book your first session, Stripe processes the payment at the point of sale. Your card details are encrypted and securely handled by Stripe.

  • Ongoing Therapy: With your consent, Stripe securely stores your card details to enable us to charge your account approximately 48 hours prior to each scheduled session. This ensures continuity of therapy and avoids interruptions to your reserved appointment slot.

All card data is encrypted and handled in accordance with Stripe’s security standards and Privacy Policy (https://stripe.com/gb/privacy). The Blue Lotus Practice does not store or have access to your card details directly.

Information Security

We store personal information on secure servers, protected against unauthorised access, use, or disclosure. We apply reasonable administrative, technical, and physical safeguards to protect data in our care.

Card details are not stored or accessible to The Blue Lotus Practice directly. All card data is encrypted and managed securely by Stripe in line with their international security standards.

Please note that no transmission over the internet or wireless network can be guaranteed to be 100% secure.

Legal Disclosure

We may disclose personal data if required to do so by law, or if we believe in good faith that such disclosure is necessary to:

  • Comply with a legal obligation

  • Protect our rights or property

  • Protect your safety or the safety of others

  • Investigate fraud or misconduct

  • Respond to lawful requests from authorities

Contact Information

If you would like further information about this Privacy Policy, or wish to exercise your rights in relation to your personal data, please contact us:

📧 therapy@thebluelotuspractice.com

Cookies Policy

The Blue Lotus Practice uses cookies to improve your browsing experience and to ensure our website works effectively. This policy explains what cookies are, how we use them, and how you can manage your preferences.

What Are Cookies?

Cookies are small text files stored on your device by your web browser when you visit a website. They help websites remember your preferences, understand how you use the site, and improve your experience.

How We Use Cookies

At The Blue Lotus Practice, we use cookies to:

  • Ensure the website functions correctly.

  • Remember your cookie preferences.

  • Analyse website traffic and improve usability.

  • Enable secure online payments via our booking provider (Zanda) and payment provider (Stripe), which may use cookies or similar technologies to authenticate transactions and prevent fraud.

Types of Cookies We Use

  • Necessary cookies – essential for the functioning of our website. These cannot be switched off.

  • Performance cookies – collect anonymous data to help us understand how visitors use our site.

  • Functionality cookies – remember your preferences for a more personalised experience.

  • Payment cookies – used by third-party providers (Zanda and Stripe) to process and secure online payments. These cookies are essential for completing transactions safely.

Managing Cookies

You can manage or disable cookies via your browser settings. Please note that disabling cookies may affect the functionality of our website; in addition, some features, such as booking or secure payments, may not function correctly.

Changes to This Policy

We may update this policy from time to time. Please check this page regularly to stay informed about how we use cookies.

For more information about how we process your data, please read our Privacy Policy above.

Record Keeping and Retention Policy

1. Purpose of this Policy

This policy sets out how The Blue Lotus Practice creates, stores, manages, and disposes of client records. It ensures compliance with the UK GDPR, the Data Protection Act 2018, and professional standards (BACP/UKCP).

2. Types of Records Kept

We keep only the minimum necessary records required to provide safe and effective counselling. These may include:

  • Personal details (name, contact information, GP details, emergency contact).

  • Signed counselling agreements and consent forms.

  • Session notes (brief factual summaries, not full transcripts).

  • Risk assessments and safety plans (if applicable).

  • Correspondence relevant to therapy (e.g., emails, GP letters).

  • Payment records (transactions, invoices, receipts), which are held securely via Stripe and Zanda.

3. Storage of Records

  • All electronic records are stored securely within Zanda, a GDPR-compliant practice management system.

  • Notes are encrypted and password-protected, and access is restricted to authorised staff only.

  • Paper records (if any) are kept in locked storage and transferred to digital format as soon as possible.

  • Card details are securely stored and encrypted via Stripe, a PCI DSS compliant payment provider.

4. Retention Periods

  • Adult client records: Retained for 7 years after the end of therapy.

  • Children and young people’s records: Retained until the client is 25 years old (or 26 if aged 17 at the end of therapy).

  • Financial records (invoices, payment receipts and Stripe transaction logs): Retained for 7 years in line with HMRC requirements.

  • Email correspondence: Deleted within 6 months of therapy ending, unless clinically relevant (then stored within Zanda as part of the client file).

5. Disposal of Records

At the end of the retention period:

  • Digital records will be permanently deleted from Zanda and all backups.

  • Any paper records will be shredded and disposed of securely.

  • No client data will be kept beyond the necessary retention period.

  • Financial records stored within Stripe and Zanda will be deleted or anonymised after the mandatory 7-year period.

6. Client Access to Records

  • Clients have the right to request access to their records under the UK GDPR right of access (a subject access request).

  • Requests must be made in writing and will be responded to within 30 days.

  • Records will only be shared with the client, or with a third party if there is explicit written consent (except where disclosure is legally required).

7. Exceptions to Retention/Confidentiality

Records may be retained or disclosed beyond these limits if:

  • Required by law (e.g., court order, safeguarding).

  • Relevant to a serious complaint or ongoing legal proceedings.

  • Necessary to protect vital interests (e.g., risk of harm).

8. Review of Policy

  • This policy will be reviewed annually or sooner if legislation, ICO guidance, or professional standards change.

  • This policy will also be reviewed if there are changes to our booking or payment systems (e.g., Stripe or Zanda) that affect data handling.