GDPR Compliance Information

Last updated: 8 April 2026

This document provides detailed information about how Sharp Cube Psychology Limited complies with the UK General Data Protection Regulation (UK GDPR) and your rights as a data subject.

Data Controller Information

Organisation: Sharp Cube Psychology Limited
Registration Number: Company No. 09234567
Registered Address: 42 Bloomsbury Square, London WC1A 2RP, United Kingdom
Contact Email: [email protected]

As the data controller, we determine how and why your personal data is processed. We're committed to transparency about our data practices and protecting your privacy rights.

Categories of Personal Data We Process

We process various categories of personal information depending on your relationship with us:

Identity Data

This includes your name, date of birth, gender, and other identifying information necessary for providing our services and maintaining accurate records.

Contact Data

We process your postal address, email address, and other contact details you provide to enable communication about our services and your care.

Health Data

When you're a client, we process special category data related to your psychological wellbeing, mental health history, assessment results, and information discussed during sessions. This is essential for providing psychological services.

Financial Data

We process payment information, billing addresses, and transaction history necessary for payment processing and financial record keeping.

Technical Data

When you visit our website, we collect IP addresses, browser information, device data, and usage patterns to maintain and improve our online presence.

Communication Data

We retain correspondence including emails, letters, and notes from telephone conversations as part of maintaining comprehensive records of our interactions.

Lawful Basis for Processing

Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

Contract (Article 6(1)(b))

Processing is necessary to provide the psychological services you've engaged us for. This includes scheduling appointments, maintaining clinical records, and delivering therapeutic interventions.

Legal Obligation (Article 6(1)(c))

We process certain data to comply with legal requirements applicable to healthcare providers, including record retention requirements, responding to lawful requests from authorities, and fulfilling tax obligations.

Legitimate Interests (Article 6(1)(f))

We process data for legitimate business purposes including administration, quality improvement, professional supervision, defending legal claims, and maintaining website functionality. We've assessed that these interests don't override your fundamental rights.

Consent (Article 6(1)(a) and Article 9(2)(a))

For special category health data, we primarily rely on explicit consent or the necessity for healthcare provision. You may withdraw consent at any time, though this may affect our ability to provide services.

Vital Interests (Article 6(1)(d) and Article 9(2)(c))

In rare emergency situations, we may process data to protect someone's life or physical safety.

Your Rights Under GDPR

UK GDPR grants you specific rights regarding your personal data. Here's what each right means in practice:

Right of Access (Article 15)

You can request confirmation of whether we process your personal data and receive a copy of that data. This is commonly known as a Subject Access Request (SAR).

We'll provide this information free of charge within one month of your request. If the request is complex or voluminous, we may extend this period by two months and will explain why. We'll provide information in an accessible format, typically electronic unless you specifically request otherwise.

Right to Rectification (Article 16)

If personal data we hold is inaccurate or incomplete, you can ask us to correct it. We'll assess the accuracy of challenged information and make appropriate corrections. For clinical records, we may add your correction or note of disagreement rather than deleting original entries, as professional standards require maintaining accurate historical records.

Right to Erasure / Right to be Forgotten (Article 17)

In specific circumstances, you can request deletion of your personal data. However, this right is not absolute. We may need to retain data to comply with professional obligations, defend legal claims, or fulfil legal retention requirements. We'll explain our reasoning if we cannot fully comply with an erasure request.

Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data in certain situations, such as when you're challenging the accuracy of data or objecting to processing. During a restriction period, we'll store the data but not actively use it except for specific permitted purposes.

Right to Data Portability (Article 20)

Where technically feasible, you can request transfer of your data to another service provider in a structured, machine-readable format. This applies to data processed with your consent or for contract performance.

Right to Object (Article 21)

You can object to processing based on legitimate interests. We'll stop processing unless we can demonstrate compelling legitimate grounds that override your rights. You have an absolute right to object to processing for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

We don't use automated decision-making or profiling that produces legal or similarly significant effects. All clinical decisions are made by qualified human practitioners.

How to Exercise Your Rights

To exercise any GDPR rights, contact us at [email protected] or write to us at our registered address. Please include:

Your full name and contact details
Identification to verify your identity (we can't release personal data without confirming who you are)
Specific details about your request
Your preferred format for receiving information

We'll acknowledge receipt of your request promptly and provide a full response within one month unless the request is complex.

Special Category Data Protection

Health information is classified as special category data requiring additional protection. We implement enhanced security measures including:

Encrypted storage of all clinical records
Strict access controls limiting who can view health data
Secure communication channels for sharing sensitive information
Regular security audits and updates
Staff training on handling sensitive data
Incident response procedures for any data breaches

International Data Transfers

We primarily process and store data within the United Kingdom. If we need to transfer data internationally, we'll implement appropriate safeguards such as standard contractual clauses or adequacy decisions to ensure your data receives equivalent protection.

Some of our technology service providers may operate servers in other countries. We've carefully vetted these providers and ensured appropriate data protection agreements are in place.

Data Breach Procedures

Despite our security measures, data breaches can occur. We have procedures to:

Detect and contain breaches quickly
Assess the severity and potential impact
Notify the Information Commissioner's Office within 72 hours if required
Inform affected individuals without undue delay if there's a high risk to their rights
Take steps to prevent future incidents
Document all breaches for regulatory compliance

If you become aware of any potential data security issue, please contact us immediately at [email protected].

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when implementing new processes or technologies that might pose high risks to personal data. These assessments help us identify and mitigate privacy risks proactively.

Staff Training and Awareness

All staff members receive regular training on data protection principles, confidentiality requirements, and their responsibilities under GDPR. This ensures everyone handling your data understands the importance of privacy and security.

Third-Party Processors

When we engage third-party service providers who process personal data on our behalf, we ensure:

Written contracts specify their data protection obligations
They provide sufficient guarantees of appropriate security measures
They only process data according to our documented instructions
They assist with fulfilling data subject rights requests
They notify us of any data breaches promptly

Record Keeping and Accountability

We maintain comprehensive records of our data processing activities as required by GDPR Article 30. This includes documenting:

Categories of personal data processed
Purposes of processing
Data recipients and transfers
Retention periods
Security measures implemented

Children's Data

When providing services to individuals under 18, we consider their developing capacity to understand and consent to data processing. We involve parents or guardians appropriately while respecting the young person's confidentiality rights in accordance with professional guidelines.

Questions and Complaints

If you have questions about how we handle your personal data or want to discuss your GDPR rights, contact us at [email protected].

If you believe we've not handled your data properly, please raise this with us first. We take complaints seriously and will investigate thoroughly.

If you're not satisfied with our response, you can lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.sharp-cube.com
Email: [email protected]

Updates to This Document

We may update this GDPR information to reflect changes in our practices or legal requirements. Significant changes will be communicated to current clients, and the updated version will be posted on our website with a revised date.