Privacy Policy

At The CYP Services CIC, your privacy is of paramount importance to us. We are committed to protecting your personal data and handling it in a transparent and lawful manner, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy explains how we collect, use, store, and share your personal information.

1. Who We Are

The CYP Services (The CYP Services is the trading name of Children & Young People's Services CIC)

Website: www.thecypservices.com

2. Data Protection Officer (DPO)

To ensure compliance with all applicable data protection laws, we have appointed a Data Protection Officer (DPO).

If you have any questions about how we handle your personal data or wish to exercise any of your rights under data protection law, please contact our DPO:

Name: Rickiesha Williams
Email: data@thecypservices.com
Mailing Address: Aston Court, Frederick Place, High Wycombe HP11 1JU

We are happy to assist you with any data protection-related inquiries or concerns.

3. What Personal Data We Collect and Why

We only collect personal information that is necessary for us to provide you with safe, effective, and tailored care. The types of personal data we collect and our lawful bases for doing so are:

Identity Data:

What we collect: Name, date of birth, gender.
Purpose: To identify you, ensure we are providing care to the correct individual, and for record-keeping purposes.
Lawful Basis: Performance of a contract (to provide our services to you) and/or legitimate interests (for accurate record-keeping and service delivery).

Contact Data:

What we collect: Email address, phone number, postal address.
Purpose: To communicate with you regarding appointments, session updates, billing, and other service-related information.
Lawful Basis: Performance of a contract (to communicate as part of providing services) and/or legitimate interests (for efficient communication).

Special Category Data (Health/Wellbeing Information):

What we collect: Health or wellbeing needs, session notes, assessments and treatment plans.
Purpose: To understand your specific needs, provide appropriate care, monitor progress, and ensure your safety.
Lawful Basis: Explicit consent (obtained during onboarding) and/or for the provision of health or social care and treatment

Financial Data:

What we collect: Payment details (e.g., bank account details, credit/debit card information - this is processed by a third-party payment provider and not directly stored by The CYP Services).
Purpose: To process payments for our services.
Lawful Basis: Performance of a contract (for payment of services).

Usage Data:

What we collect: Information about how you use our website (e.g., IP address, browser type, pages visited).
Purpose: To improve our website, understand user behaviour, and for security purposes. This often involves cookies (see Section 7).
Lawful Basis: Legitimate interests (to improve our services and website functionality) and/or consent (for non-essential cookies).

4. How We Collect Your Personal Data

We collect data from you in the following ways:

Direct Interactions: When you fill out forms on our website, contact us by email or phone, or engage in our services.
Automated Technologies or Interactions: As you interact with our website, we may automatically collect Usage Data through cookies and similar technologies.

5. How We Use Your Personal Data

We use your personal data primarily to:

Provide you with the services you have requested.
Manage your account and our relationship with you.
Process payments and issue invoices.
Communicate with you effectively.
Maintain accurate and confidential records of your care.
Improve our website and services.
Comply with legal and regulatory obligations.

6. Sharing Your Personal Data

We will always keep your records private. We will only share your personal information in the following limited circumstances:

Safety Concerns: If there is a serious safety concern for you or others, we are legally and ethically obliged to share relevant information with appropriate authorities or individuals (e.g., emergency services, social services). We will, where possible and appropriate, inform you before sharing such information.
With Your Explicit Consent: We will seek your explicit consent before sharing your information with other professionals (e.g., your GP, other healthcare providers) for the purpose of your care, unless there is a clear and urgent safety concern.
Third-Party Service Providers: We may use third-party service providers (e.g., for website hosting, secure online payment processing, video conferencing platforms for online sessions, cloud-based record-keeping systems) who process data on our behalf. We ensure all such providers are UK GDPR compliant and have robust data protection agreements in place. We only share the minimum necessary information.
Legal Obligation: Where we are legally required to do so by law, court order, or regulatory body.

We do not sell your personal data to third parties.

7. Data Security

We have implemented appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed. This includes:

Using secure, encrypted systems for storing digital records.
Maintaining strict confidentiality protocols for physical records.
Restricting access to your personal data to authorised personnel only.
Regularly reviewing and updating our security practices.

8. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including to meet any legal, accounting, or reporting requirements.

We keep your information only as long as necessary:
If you’re under 18, until your 25th birthday (or until 26 if you were 17 when you finished therapy).
If you’re over 18, for 7 years after your final session.
If you have been in care, or if other legal or safeguarding requirements apply, we may need to keep your records for longer. We will let you know if this is the case.

If you no longer access our services, we will formally discharge you and retain your information only for the required legal retention period. After that, we securely delete or destroy all records.

We will always securely dispose of or anonymise your data once it is no longer needed.

9.Your Legal Rights

Under UK GDPR, you have the following rights regarding your personal data. We will respond to all legitimate requests within one month.

Right to be Informed: This privacy policy serves to inform you about how we process your data.
Right of Access: You have the right to request a copy of the personal data we hold about you.
Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
Right to Erasure (the "Right to be Forgotten"): You have the right to request that we delete your personal data in certain circumstances (e.g., if it's no longer necessary for the purpose it was collected).
Right to Restrict Processing: You have the right to request that we limit the way we use your data in certain situations.
Right to Data Portability: You have the right to request that we transfer your data to another organisation or to you, in a structured, commonly used, machine-readable format.
Right to Object: You have the right to object to the processing of your personal data in certain circumstances (e.g., for direct marketing).
Rights in relation to automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently use automated decision-making or profiling in this way.
Right to Withdraw Consent: Where we rely on your consent to process your data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.

To exercise any of these rights, please contact us at data@thecypservices.com. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

10. Cookies

Our website may use cookies to enhance your Browse experience. Cookies are small text files placed on your device. We use:

Strictly Necessary Cookies: Essential for the website to function.
Analytical/Performance Cookies: To understand how visitors interact with our website (e.g., Google Analytics). We will obtain your consent for these.
Functionality Cookies: To remember your preferences and provide enhanced features.
Targeting/Advertising Cookies: (If applicable) To deliver relevant advertisements.

You can manage your cookie preferences through your browser settings.

11. Complaints

If you have any concerns about our use of your personal information, please contact us in the first instance at info@thecypservices.com.

You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

ICO Contact Details:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: www.ico.org.uk

12. Changes to This Privacy Policy

This policy is reviewed annually or sooner if needed to ensure it remains accurate and compliant with relevant laws. Any changes will be posted on this page with an updated "Last Updated" date.

This policy is reviewed annually or sooner if needed.
Effective: June 2025 / Next Review: September 2026

The CYP Services is the trading name of Children & Young People’s Services CIC. “The CYP Services CIC” may be used throughout our policies for clarity.