Privacy Notice

Last updated: 18 June 2026

This privacy notice explains how I collect, use, store and protect personal information in my coaching and training practice.

I am Heather Colman, a counsellor, coach and training facilitator working in person, online, outdoors and by phone. I am the data controller for personal information I collect through Heather Colman Counselling.

This means I am responsible for deciding how personal information is used and for keeping it safe.

If you have any questions about this privacy notice, or about how your information is handled, you can contact me at:

Email: enquiries@heathercolman.com

Website: www.heathercolman.com

This privacy notice applies to people who contact me about training, current and former clients, and visitors to my website.

Information I collect

I may collect and use the following information.

When you contact me, I may collect:

your name

your email address

your phone number

the information you choose to share in your enquiry

any preferences around contact, availability or training format.

If we arrange an initial call or you begin training with me, I may also collect:

your address

your date of birth

your GP details

emergency contact details, where appropriate

relevant health, mental health or wellbeing information

attendance and payment information

correspondence between us

Some of this information may be classed as special category data under UK data protection law. This includes information about health and mental health.

I only collect information that is necessary for providing therapy safely, ethically and professionally.

How I use your information

I use your personal information to:

respond to enquiries

arrange initial calls and appointments

provide coaching and training

keep appropriate course records

manage payments and financial records

communicate with you about courses and their content

meet legal, professional and ethical responsibilities

manage risk, safeguarding or emergency situations where necessary

maintain insurance, tax and accounting records

respond to data protection requests or complaints

I do not sell your personal information.

Lawful basis for using your information

Under UK GDPR, I need a lawful basis for using personal information.

For different parts of my work, I may rely on different lawful bases under Article 6 UK GDPR. For example, I may rely on contract where processing is needed to arrange or provide training or coaching, legitimate interests where I need to run my practice safely and keep appropriate records, and legal obligation where I need to keep or share information to comply with the law.

contract: where information is needed to arrange and provide training or coaching

legitimate interests: where I need to use information to run my practice safely, respond to enquiries, keep appropriate records and protect both you and me

legal obligation: where I need to keep or share information to comply with the law

Where I process special category data, such as information about health or mental health, I must also identify a separate condition under Article 9 UK GDPR before I begin that processing and reflect this in my privacy information. Depending on the reason for processing, I may also need to meet additional conditions and safeguards under the Data Protection Act 2018.

Where I ask for your consent for something specific, I will explain what I am asking for and whether you can withdraw that consent. Consent is not the only lawful basis available under data protection law, and I will only rely on it where it is appropriate to do so.

Confidentiality

Coaching is confidential, but confidentiality is not absolute. I will not share what you tell me unless there is a lawful, ethical or safeguarding reason to do so, and where possible I will limit any sharing to the minimum information necessary.

There are some limits to confidentiality. I may need to share information if:

I believe there is a serious risk of harm to you or someone else

there is a safeguarding concern involving a child, vulnerable adult or person at risk

I am required to do so by law, court order or legal process

disclosure is necessary to prevent or detect a serious crime

there is a medical emergency and information is needed to protect life

I need to consult my clinical supervisor, while protecting your identity as far as possible

Where possible and appropriate, I would aim to discuss this with you before sharing information. However, I may not be able to do so if this would increase risk, prejudice safeguarding action, undermine the purpose of the disclosure, or would otherwise not be possible.

Records

I keep coaching and training notes to support a safe and ethical service. These are usually factual, proportionate and relevant to the work.

Records may include:

attendance dates

training undertaken

relevant risk, safeguarding or clinical information

agreed actions or important decisions

contact and administrative information

I do not aim to keep a full transcript of sessions.

How long I keep information

I keep information only for as long as necessary for the purpose for which it was collected. Retention periods may vary depending on the type of record, the nature of the work, legal and professional requirements, and whether the work involved a child or young person. As a general guide:

enquiry information may be deleted if you do not start training or coaching with me, usually within 12 months

training and coaching records may be kept for 5 years after our contract ends, due to the requirements of my insurer

if the work involved a child or young person, records will be kept for 5 years following their 18th birthday due to the requirements of my insurer

financial records may be kept for the period required for tax and accounting purposes

emails, messages and administrative records are reviewed periodically and deleted when no longer needed

There may be times when I need to keep records for longer, for example where there are safeguarding, legal, insurance, complaint-related or professional-body reasons. I keep my retention periods under review and aim to make sure they remain justified and proportionate.

Where your information is stored

Your information may be stored in the following systems:

Website / contact form: Hostinger

Email: Hostinger

Online sessions: Zoom

Payments / invoicing: Bank transfer

Phone / messages: SMS and WhatsApp

I use appropriate technical and organisational measures to keep information secure. This may include password protection, device security, two-factor authentication, restricted access and secure storage.

Where I use external providers, they may process data on my behalf. I aim to use reputable providers with appropriate data protection and security arrangements.

Online training and coaching

If we work online, sessions will take place using Zoom. I will take reasonable steps to protect confidentiality from my side.

Online platforms may process technical information such as IP address, device information or connection data. Please also check the privacy notice of the platform we use if you would like more detail.

AI tools, transcription and recording

I may record any coaching or training programmes. Before doing so, I will give you advance notification.

I may use digital tools for general practice administration, writing, planning or education. Where I do, I take data protection and confidentiality into account when choosing how to use those tools.

Website visitors and cookies

When you visit heathercolman.com, some technical information may be collected automatically, such as your IP address, device type, browser type, pages visited and the time of your visit. This may happen through website hosting, security, analytics or cookie tools.

My website is hosted by Hostinger. The website may use cookies or similar technologies to make the site work, improve performance, understand visitor behaviour or support security.

You can usually control cookies through your browser settings. If I use cookies or similar technologies that are not strictly necessary, I will make sure the website provides the level of notice, choice or consent required by law. In some cases, current UK rules may allow limited exemptions for certain analytics or functionality cookies, but only where the legal conditions for those exemptions are met.

Sharing your information

I will not share your personal information unless there is a clear reason to do so. Depending on the circumstances, I may share limited information with the following people or organisations where this is necessary, proportionate and lawful:

professional advisers, such as an accountant, insurer or legal adviser

safeguarding services, emergency services or your GP, where there is serious risk or safeguarding concern

a court or legal authority, if required by law

trusted digital service providers who process data on my behalf

Where I share information, I aim to share only what is relevant and necessary for that purpose. If I or one of my providers transfers personal information outside the UK to a separate organisation, I will only do so where the law allows it and an appropriate transfer mechanism or other safeguard is in place where required.

Your rights

Under UK data protection law, you have rights over your personal information. These may include the right to:

be informed about how your data is used

access a copy of your personal information

ask for inaccurate information to be corrected

ask for information to be deleted in some circumstances

restrict or object to certain processing

complain about how your information has been handled

Some rights are not absolute and may depend on the circumstances. For example, I may need to keep some information for legal, professional, safeguarding, insurance or complaint-related reasons, and there may be limits on what can be disclosed where information includes third-party data or where a relevant exemption applies.

If you would like to exercise your rights, please contact me using the details above. I will respond to a request about your rights within one month. If a request is particularly complex, or if I need to consider whether any restriction or exemption applies, I may need longer, in which case I will let you know.

Data protection concerns and complaints

If you have a concern about how I have handled your personal information, you can make a data protection complaint by contacting me using the details in this notice. I will acknowledge your complaint within 30 days and take appropriate steps to look into it without undue delay.

Please include:

your name

what your concern is about

what you would like me to look into

how you would prefer me to respond

I will investigate your complaint as appropriate, keep you informed where necessary, and tell you the outcome without undue delay.

If you are not satisfied with my response, or if you would prefer to contact the UK regulator directly, you can contact the Information Commissioner’s Office:

Information Commissioner’s Office

Website: www.ico.org.uk

Telephone: 0303 123 1113

Changes to this privacy notice

I may update this privacy notice from time to time to reflect changes in my practice, legal requirements, professional guidance or the systems I use.

The latest version will be available on my website.