DRAGONFLY PSYCHOTHERAPY
Privacy Notice
Last updated: May 2026 (e-commerce update pending review)

Introduction

Your privacy matters to me. This notice explains how I collect, use, and protect your personal information when you use my services, visit my website, or interact with me in any way.

I provide psychotherapy services, wellness walks, in-person workshops, online CPD training, and therapeutic resources. This privacy notice covers all of these activities.

I follow the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), and my professional codes of conduct (BACP and UKCP).

1. Who I Am

I am the data controller for the personal information you provide. This means I decide how your data is used and I am responsible for keeping it safe.

Name: Victoria Froome
Trading as: Dragonfly Psychotherapy
Address: Guildford Therapy Rooms, 3 Beaufort, Railton Road, Guildford, Surrey GU2 9JX
Phone: 07546 431 448
Email: victoria@dragonflypsychotherapy.co.uk
Website: dragonflyshop.co.uk
ICO Registration: ZB904048

If you have any questions about this notice or how I handle your data, please get in touch using the details above.

2. Why I Can Use Your Data (Lawful Basis)

Data protection law requires me to have a valid reason for processing your personal information. Depending on what we are doing together, I rely on different lawful bases:
Contract: When you book therapy sessions, wellness walks, or purchase resources, I process your data to provide those services to you.
Legitimate Interests: I keep records to meet my professional and insurance obligations, and to respond to any legal claims. I also use your data to run my practice effectively.
Consent: For sensitive information (such as health information shared in therapy), I ask for your explicit consent. I also ask consent before using your image in photographs or sending you marketing communications.
Legal Obligation: Sometimes I am required by law to share information, for example for safeguarding purposes.
Recognised Legitimate Interests: The Data (Use and Access) Act 2025 introduced a new lawful basis for certain types of processing that are considered to be in the public interest. Where I process your data for the purpose of safeguarding a child or vulnerable adult, or in response to an emergency, I may rely on this basis.

3. What Information I Collect

The information I collect depends on which of my services you use.

Therapy Clients

When you come to me for therapy, I collect:
Your name, contact details (phone, email, address), date of birth, and emergency contact information. I also record your GP details.
Brief session notes about our work together. These are factual and anonymised where possible.
Information about your mental health and wellbeing that you share with me during our sessions. This is classed as sensitive (special category) data and I ask for your explicit consent to hold it.
Any correspondence between us, including emails, text messages, and messages through my website or social media.
If you are referred by another professional (such as your GP) or by someone you know, I may receive some information from them.

Wellness Walk Participants

When you book a wellness walk, I collect:
Your name, contact details, and emergency contact information.
Any relevant health information you choose to share that might affect your participation (for example, mobility considerations). This is sensitive data and I ask for your consent.
Booking and payment information.
Photographs taken during walks, but only with your consent. I will always ask before using any images for marketing or social media.

Please note: Initially, bookings for wellness walks are handled through the venue (West Horsley Place). Their privacy notice will apply to the booking process. Once you attend a walk, this privacy notice applies to any information I collect directly.

Resource Purchasers

When you purchase resources (such as guides, workbooks, or other materials), I collect:
Your name, email address, and delivery address (for physical products).
Payment information. I do not store your full card details – these are processed securely by my payment provider.
Your purchase history so I can provide customer support and, if you have opted in, let you know about related resources.

If you purchase through Amazon, Amazon’s privacy policy applies to that transaction. I receive limited information from Amazon to fulfil your order.

When you check out through my own online shop, the shop website processes your order information on my behalf. For digital downloads (such as PDF guides or workbooks), I keep a record of your download to allow re-download if needed and to provide customer support. Section 9 below lists the specific service providers I use.

Order communications: When you place an order, you will receive an order confirmation/receipt from Stripe. I may contact you directly by email if I need to respond to a query, resolve an issue with your order, or provide customer support.

Online CPD Participants

When you register for or purchase online CPD (continuing professional development) sessions, I collect:
Your name, email address, and professional details (such as your profession, employer, and professional registration number if you need a CPD certificate).
Payment information. I do not store your full card details – these are processed securely by my payment provider.
Records of which sessions you have completed, including dates and times. This is necessary to issue CPD certificates and to provide evidence of your learning if required by your professional body.
Any feedback or evaluation responses you provide.
Technical information about how you access the content (such as device type and viewing duration) to help me improve the learning experience.

In-Person Workshop Participants

When you book an in-person workshop or training event, I collect:
Your name, contact details, and emergency contact information.
Professional details (such as your profession, employer, and professional registration number) if you need a CPD certificate.
Any dietary requirements, accessibility needs, or health information you choose to share to help me accommodate you. This may include sensitive data, and I ask for your consent to hold it.
Payment and booking information.
Attendance records, which are necessary for issuing CPD certificates.
Photographs taken during workshops, but only with your consent. I will always ask before using any images for marketing or social media.
Any feedback or evaluation responses you provide.

Website Visitors

When you visit my website, I may collect:
Technical information such as your IP address, browser type, and which pages you visit. This helps me understand how people use the site and improve it.
Information you provide through contact forms or enquiry forms.
Cookie data (see the Cookies section below).

General Enquiries

If you contact me with an enquiry but do not go on to use my services, I keep your contact details and our correspondence for up to six months, then delete them (unless you ask me to delete them sooner).

4. How I Use Your Information

I use your information to:
Provide the services you have asked for (therapy, wellness walks, resources).
Communicate with you about appointments, bookings, and purchases.
Keep appropriate professional records.
Meet my legal, regulatory, and professional obligations.
Send you information about my services, but only if you have opted in to receive marketing.
Improve my website and services.

I do not use automated decision-making or profiling with your personal data.

5. Sensitive Information (Special Category Data)

Some of the information I collect is classed as sensitive or “special category” data under data protection law.
This includes information about your physical or mental health.

For therapy clients, I need to collect this information to provide my services effectively and safely. I ask for your explicit consent to process this data when we begin working together.

For wellness walk participants, I may ask about health conditions that could affect your participation. You can choose what to share, and I ask for your consent to hold any health information you do provide.

You can withdraw your consent at any time, though this may affect my ability to continue providing services to you.

6. Young People

I work with young people aged 11 and over. When working with anyone under 18, I involve parents or guardians appropriately while respecting the young person’s developing autonomy and right to confidentiality.

For young people under 13 who use my website or services, I require parental consent before collecting their personal information.

I keep records for young people until they reach the age of 25, or for seven years after our work ends, whichever is longer.

7. Confidentiality

Confidentiality is fundamental to my work. What you share with me stays between us, except in certain limited circumstances where I may need to share information:
If you disclose involvement in, or knowledge of, terrorism, money laundering, or drug trafficking.
If there is a serious risk of harm to yourself or others.
If there is a safeguarding concern involving a child or vulnerable adult.
If I am required by law or a court order to share information.

I will always try to discuss this with you first, unless doing so would put someone at risk.

I have regular clinical supervision, which is a professional requirement. I discuss my work in supervision to ensure I am providing safe and effective support. I do not share identifying information about you unless there is a safeguarding concern.

8. How I Keep Your Information Safe

I take the security of your information seriously:
Paper records are stored in a locked filing cabinet in a locked room.
Digital records are stored on password-protected, encrypted devices. I use secure, encrypted systems for client records.
Emails and texts: I delete text messages after one week (with any relevant information saved in your records). Unnecessary emails are deleted after one week.
Backups are made securely and stored in compliance with UK GDPR.
I use strong passwords and keep my devices and software up to date.

9. Who I Share Your Information With

I do not sell your information or share it for marketing purposes. I may share your information with:
Service providers who help me run my practice, such as secure practice management software, cloud storage, website hosting, email marketing platforms, or booking systems. These providers are under strict contracts and cannot use your data for any other purpose.
Payment processing (Stripe): I use Stripe to process payments securely. I do not see, store, or have access to your full card or bank details. Stripe acts as an independent data controller for the payment data it processes and has its own privacy notice, available on its website.
Website analytics (Google Analytics): If you accept optional cookies, I use Google Analytics to collect information about how visitors use my website. This helps me understand usage and improve the site. Google’s information about how it uses data is available at https://policies.google.com/technologies/partner-sites.
Email service providers: I use 123 Reg as my email hosting provider for business correspondence. If you have opted in to receive marketing communications, I use MailerLite as my email marketing platform. MailerLite is based in the European Economic Area.
Delivery providers: For physical books and other physical products, I share your name and delivery address with Royal Mail or a courier service for the purpose of fulfilling your order.
Professional advisers such as accountants or lawyers, where necessary.
Regulatory bodies or government agencies, if required by law.

Some of my service providers may be based outside the UK. Where this is the case, I ensure appropriate safeguards are in place to protect your data. This may include using providers in countries that have passed the UK data protection test (meaning their data protection standards are not materially lower than in the UK), or providers who have signed international data transfer agreements or standard contractual clauses.

In particular, Stripe transfers some payment-related data to the United States. These transfers are protected by the UK Extension to the EU-US Data Privacy Framework adequacy decision, which the UK Government has determined provides essentially equivalent data protection to UK standards.

10. How Long I Keep Your Information

I only keep your information for as long as I need it:
Therapy records: Seven years from the end of our work together. If you were under 18 when we finished, I keep records until you reach 25 or for seven years, whichever is longer.
Wellness walk records: Seven years from the date of the walk, in line with insurance requirements.
Resource purchase records: Six years after the transaction, for tax and accounting purposes.
CPD records: Six years after the session, to allow me to evidence my learning to professional bodies and for tax purposes.
Workshop records: Six years after the event, to allow you to evidence your learning to professional bodies and for tax purposes.
General enquiries: Six months if you do not proceed with services.
Marketing preferences: Until you unsubscribe, plus a record of your opt-out to ensure I respect your wishes.

After these periods, I securely delete or destroy your information.

11. Your Rights

You have rights over your personal information. You can:
Access the information I hold about you.
Correct any inaccurate or incomplete information.
Request deletion of your information in certain circumstances.
Restrict how I use your information.
Object to certain types of processing.
Request a copy of your information in a portable format.
Withdraw consent at any time (where I am relying on consent to process your data).

To exercise any of these rights, please contact me using the details at the top of this notice. I will respond within one month. If your request is unclear or requires clarification, I may pause this timeframe while I seek the information I need from you, and I will let you know if this is the case.

Right to complain: Under the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), you have a statutory right to raise a data protection complaint directly with me as the data controller. If you believe your personal data has been handled in a way that does not comply with data protection law, please raise the matter with me in the first instance using the contact details at the top of this notice. I have a formal Data Protection Complaints Procedure, which is available on request. I will acknowledge your complaint within 30 days and investigate it without undue delay.

If you are not satisfied with the outcome of your complaint, or at any time, you also have the right to complain to the Information Commissioner’s Office (ICO). Their website is www.ico.org.uk and their telephone number is 0303 123 1113.

12. Marketing Communications

I will only send you marketing information (such as newsletters, updates about new resources, or information about events) if you have specifically opted in. You can unsubscribe at any time by clicking the unsubscribe link in any email, or by contacting me directly.
If you have previously purchased resources from me, I may send you information about similar products or services, but you can opt out at any time.

How I obtain consent: When you sign up for my newsletter or other marketing communications, I will ask you to confirm your subscription by clicking a link in a confirmation email. This is to make sure your email address is correct and that you have actively chosen to receive my emails. I keep a record of when and how you signed up so I can demonstrate your consent if asked.

How my marketing emails are sent: Marketing emails are sent through MailerLite, my email marketing platform. MailerLite acts as a data processor and processes your contact details and email engagement information (such as whether you opened an email or clicked a link) on my behalf, under a written processor agreement.

Soft opt-in for past customers: The arrangement above is permitted under the Privacy and Electronic Communications Regulations (PECR) and is sometimes called the “soft opt-in”. Every email I send under this arrangement will include a clear and easy unsubscribe link, and you were given the opportunity to opt out at the point of purchase. You can opt out at any time without giving a reason.

13. Cookies

My website uses cookies, which are small files stored on your device that help the site work properly and help me understand how visitors use it.

Essential cookies: These are necessary for the website to function. They do not collect personal information about you.
Analytics cookies (Google Analytics): I use Google Analytics to understand how visitors use my website (for example, which pages are most popular) and to improve the site. Google Analytics is only loaded if you accept optional cookies in the cookie banner. You can change your choice at any time via the cookie settings. You can also opt out of Google Analytics tracking at tools.google.com/dlpage/gaoptout.
Shop and checkout cookies (Stripe): When you use my online shop, essential cookies or similar technologies are used to make the site work properly (for example, remembering your basket). Stripe may also set cookies or use similar technologies as part of secure payment processing and fraud prevention. These are necessary to provide the service you have requested.
Cookie banner: When you first visit my website, you will be asked to accept or reject optional cookies (such as analytics cookies) before they are placed on your device. Essential cookies are used regardless, because they are required for the website and checkout to function.

14. Data Breaches

In the unlikely event of a data breach that poses a risk to your rights and freedoms, I will inform the ICO within 72 hours and will notify you as soon as possible.

15. Links to Other Websites

My website may contain links to other websites. I am not responsible for the privacy practices of other sites. I encourage you to read the privacy notice of any website you visit.

16. Changes to This Notice

I may update this privacy notice from time to time. The date at the top shows when it was last updated. For significant changes, I will let you know directly where possible.

17. Questions and Concerns

If you have any questions about this notice, or if you want to exercise any of your rights, please contact me:
Email: victoria@dragonflypsychotherapy.co.uk
Phone: 07546 431 448
Post: Dragonfly Psychotherapy, Guildford Therapy Rooms, 3 Beaufort, Railton Road, Guildford, Surrey GU2 9JX

Thank you for taking the time to read this privacy notice. I want you to feel confident that your information is safe with me.