Kilter Hypnotherapy

Sports Performance coaching & Pain Management in Scotland

Privacy Policy

KILTER HYPNOTHERAPY LTD

Last updated: June 2026

1. Who We Are

This privacy policy explains how Kilter Hypnotherapy Ltd (company number 16674051), trading as Kilter Hypnotherapy, collects, uses, and protects your personal data. Our registered office is Unit A, James Carter Road, Mildenhall, United Kingdom, IP28 7DE.

We are the data controller for the personal information you provide to us. We are registered with the Information Commissioner's Office (ICO) under the Data Protection (Charges and Information) Regulations 2018.

If you have any questions about this policy or how we handle your data, you can contact us at:

Email: kirsty@kilterhypnotherapy.co.uk

Website: kilterhypnotherapy.co.uk

2. What Personal Data We Collect

2.1 Clients and prospective clients

When you enquire about or engage our services, we may collect:

  • Your name and contact details (email address, phone number)
  • Health history and relevant medical background
  • Information about your GP (name and practice)
  • Information about your coach or support team, where relevant to your sessions
  • Session notes and progress records
  • Payment records (we do not store card details; payments are processed by third-party providers)

2.2 Website visitors

When you visit kilterhypnotherapy.co.uk, we may collect:

  • Technical data such as your IP address, browser type, and pages visited, via cookies and analytics tools
  • Any information you submit through contact or enquiry forms

Please see our separate Cookie Policy for full details of how we use cookies on this website.

3. Special Category Data

Health and wellbeing information is classified as ‘special category data’ under UK GDPR, which means it receives a higher level of protection than ordinary personal data.

We collect and process health information because it is necessary to provide you with safe and effective hypnotherapy and sports performance coaching services. The legal bases on which we rely are:

  • Your explicit consent, obtained before we begin working together
  • The provision of health and social care services (Article 9(2)(h) UK GDPR, Schedule 1 Part 1 DPA 2018)

You have the right to withdraw your consent at any time.

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

4. How We Use Your Data

We use the personal data we collect to:

  • Provide hypnotherapy and sports performance coaching services
  • Manage appointments and communicate with you about your sessions
  • Maintain clinical records as required by our professional obligations
  • Send you information about our services, where you have opted in to receive this (you may unsubscribe at any time)
  • Comply with our legal and regulatory obligations
  • Improve our services and website

5. Legal Bases for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract: to fulfil our service agreement with you.
  • Legitimate interests: to manage and develop our business, and to maintain the security of our systems.
  • Legal obligation: where we are required to process data to comply with applicable law.
  • Consent: where we have asked for and received your explicit consent, particularly for health data and marketing communications.

6. Who We Share Your Data With

We take confidentiality seriously. We will not sell, rent, or share your personal data with third parties for marketing purposes. We may share your information in the following limited circumstances:

Clinical supervision: We discuss client work with our clinical supervisor for the purposes of professional oversight and quality of care. This is done on an anonymised basis wherever possible.

Healthcare professionals: With your explicit consent, we may liaise with your GP, coach, or other members of your support team where this would benefit your care.

Safeguarding: If we believe there is a serious and imminent risk of harm to you or to others, we may be required to contact relevant authorities or emergency services without your consent. We will inform you of any such disclosure wherever it is safe to do so.

Legal requirements: Where we are required to disclose information by law, court order, or regulatory authority.

Service providers: We use a small number of trusted third-party services to operate our business (see Section 7 below). These parties act as data processors on our behalf and are contractually required to handle your data securely and only as we instruct.

7. Third-Party Data Processors

We currently use the following third-party services that may process personal data on our behalf:

  • Kit (ConvertKit): Email marketing platform used to send our newsletter and updates. Data is stored on servers in the United States. Kit participates in the EU-US Data Privacy Framework and provides appropriate safeguards for international transfers. You can unsubscribe from our newsletter at any time using the link in any email.
  • Calendly: Online appointment scheduling tool. When you book a session, your name and email address are processed by Calendly on servers located in the United States. Calendly provides appropriate safeguards for international data transfers.
  • WordPress: Our website is built on WordPress. Data submitted through our contact and enquiry forms is processed in accordance with our hosting provider’s data handling practices.

We do not use these services to share your data with third parties for advertising or marketing purposes.

8. International Data Transfers

Some of our third-party service providers are based outside the UK. Where we transfer personal data internationally, we ensure that appropriate safeguards are in place, such as standard contractual clauses approved by the ICO, or reliance on frameworks such as the UK-US Data Bridge.

9. How Long We Keep Your Data

We retain client records for a minimum of seven years following the end of our working relationship, in line with standard professional practice and insurance requirements. Health records may be retained for longer where required by law or professional obligation.

Website and enquiry data is retained for as long as is reasonably necessary to manage your enquiry or for the purposes described in this policy.

When data is no longer required, we delete it securely.

10. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • The right to be informed about how we use your data (this policy fulfils that obligation)
  • The right of access – you can request a copy of the personal data we hold about you
  • The right to rectification – you can ask us to correct inaccurate or incomplete data
  • The right to erasure – you can ask us to delete your data
  • The right to restrict processing – you can ask us to limit how we use your data
  • The right to data portability – you can ask us to transfer your data to another provider
  • The right to object – you can object to our processing in certain circumstances
  • Rights in relation to automated decision-making – we do not make automated decisions about you

To exercise any of these rights, please contact us at kirsty@kilterhypnotherapy.co.uk. We will respond within one calendar month.

There is no charge for making a request.

11. How to Make a Complaint

If you are unhappy with how we have handled your personal data, please contact us in the first instance so that we can try to resolve the matter.

If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: ico.org.uk/make-a-complaint

Telephone: 0303 123 1113

12. How We Keep Your Data Secure

We take the security of your personal data seriously. The measures we have in place include:

  • Password protection on all devices and files containing personal data
  • Session notes are taken on a password-protected device using a local app with cloud sync disabled, and are anonymised before recording.
  • Use of secure, reputable third-party platforms for email and booking management
  • SSL encryption on our website
  • Limiting access to personal data to authorised personnel only

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.

13. Changes to This Policy

We review this privacy policy regularly and will update it when necessary. The date at the top of this document reflects when it was last revised. Continued use of our services after any changes constitutes acceptance of the updated policy.


Kilter Hypnotherapy Ltd – Company No. 16674051
