Privacy Policy


Roohaz Limited – Privacy Policy

Effective May 2023

I am Niki Costas Tanto, BACP Accredited and UKCP Registered Psychotherapist, and I provide psychotherapy and counselling services under the auspices of Roohaz Limited, trading as Roohaz Counselling & Psychotherapy.

I aim to be as clear as possible about how and why I use information about you so that you can be confident that your privacy is protected.

This policy describes the information that I collect when you use my services.  This information includes personal information as defined in the EU General Data Protection Regulation (GDPR) 2018.

The policy describes how I manage your information when you use my services, if you contact me or when I contact you.  The legal basis for my privacy policy is the Practice Agreement between you and me and is a legitimate interest.


  1. Why do I need to collect your personal data?

1.1       I need to collect information about you so that I can know who you are and can communicate with you.

1.2       To provide my services to you.

1.2       Process your payment for my services to you.

1.3       Verify your identity so that I know I am dealing with the right person.

1.4       Contact you in case there is a problem with our arrangements, for example, re-arranging an appointment.


  1. What personal information do I collect and when do I collect it?

2.1       Your name, postal address, telephone number, email address, date of birth and GP’s details.

2.2       I collect this information directly from you at the start of your treatment.

2.3       I may also collect information about you from third parties, for example if you have been referred to me by a referral agency or insurance company.

2.4       I write brief clinical notes referring to your treatment.


  1. How do I use the information that I collect?

3.1       To communicate with you so that I can inform you about your appointments with me, I use your name and your contact details such as your telephone number, email address or postal address.

3.2       If you have requested an invoice I use your name and email address.

3.3       To process your payment, I use your name and your payment card details (only partial payment card details are kept, as when you pay by card this is taken immediately using a mobile card-reader).  There is also an option to pay using PayPal via my website which retains personal data within my secure PayPal account.

3.4       I use clinical notes to keep a record of your attendance and progress in treatment.

3.5       My Professional Will

 Your name, telephone number and email address are shared with my clinical supervisor in the event that you will need to be contacted by them on my behalf.  Once you finish treatment, my clinical supervisor will destroy all personal data they hold on you.


  1. Where do I keep the information?

4.1       As a paper copy

  • At the start of your treatment I complete a ‘personal data sheet’ with name, postal address, telephone number, email address, date of birth and GP’s details. This paper copy is kept in a locked metal filing cabinet in my home office.

4.2       Electronic format

  • I keep records on my computer which is password protected and encrypted.
  • Electronic format includes an excel spreadsheet with your name, telephone number and email address.
  • It also includes your clinical notes.
  1. How long do I keep the information?

I will keep your personal data and clinical notes for 7 years from completion of treatment, after which point they are securely deleted.  Any paper documents will be confidentially shredded.


  1. Who do I send information to?

6.1       I would never send any aspect of your personal data to any third party without your explicit written consent and/or unless required to do so by a court of law.

6.2       I may write to your GP if I consider that you are at risk of harming yourself or another and I would normally discuss this with you before doing so.  In extreme circumstances of imminent risk, I would contact your GP directly as my duty of care to you.

6.3       If you have been referred to me by an EAP (employee assistance programme), all information about you is communicated through their own encrypted extranet system, for which I have my own log in and password.


  1. How can you see all the information I have about you?

You can make a subject access request (SAR) by contacting the Data Protection Officer.  I may require additional verification that you are who you say you are to process this request.  I may withhold such personal information to the extent permitted by law.  In practice, this means that I may not provide information if I consider that providing the information will violate your vital interests.


  1. What if your information is incorrect?

Please contact the Data Protection Officer.  I may require additional verification that you are who you say you are to process this request.  If you wish to have your information corrected, you must provide me with the correct data and after I have corrected the data in my system I will send you a copy of the updated information.


  1. How can you have your information removed?

If you want to have your data removed I have to determine if I need to keep the data, for example, in case HMRC wish to inspect my records.  If I decide that I should delete the data, I will do so without undue delay.


  1. What if there is a data breach?

My Data Security Procedure includes a clear process for handling a personal data breach, should one occur.  Where appropriate, I will promptly notify you of any unauthorised access to your personal information.


  1. Will I send emails and text messages to you?

As part of providing my services to you I will communicate with you via email or SMS text message in order to send you details of appointments and consulting room locations.  Any clinical information, form letters or reports will be emailed to you in a password protected format.


  1. How do I use cookies?

A cookie is a small amount of data stored on a computer that contains information about the internet pages that have been viewed from that computer.  Cookies are used to improve your website experience when you access my website.  By continuing to browse my website you consent to my use of cookies.


12.1     Description of cookies on my website:

Google Analytics

These cookies give me critical information about various pages on my website and how users interact with them.  I use this information to improve the performance of my website and the information presented to users.


I use cookies within a search engine optimisation service to promote my services.  They gather information regarding the visitors to my website on my behalf, using cookies, log file data and code which is embedded on my website. These cookies allow me to identify users sent to my website by individual and third parties so that I can identify how to improve my services.


A set of cookies designed to deliver the smooth running of my website and to identify areas of improvement in the browsing experience.


12.2     How to reject and delete cookies

Should you wish to reject or block the use of cookies, you can do so anytime, usually by clicking ‘Help’ on your browser.  Cookies are specific to individual browsers so if you use more than one browser, you will need to delete cookies on each browser.  Please be aware though that by rejecting cookies you may not receive the optimum website experience.

To find out more about cookies, visit


  1. Complaints

If you wish to raise a complaint on how I have handled your personal information, you can contact me directly and I will investigate the matter.  If you are not satisfied with my response or believe I am processing your personal information not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO),


  1. Changes to my Privacy Policy

I review my privacy policy on a regular basis and it was last updated in May 2023.  I reserve the right to update this privacy policy at any time and will inform you should any significant changes be made.


  1. Data Protection Officer

 I am the Data Protection Officer, as well as the Data Controller and Data Processor for Roohaz Limited.   If you have any questions about my privacy policy or the information I hold about you, please contact me at

Last updated May 2023.