Privacy Policy

This Privacy Notice explains how The Retreat Clinics collects, uses, stores and shares personal data about you and how we maintain your confidentiality during our work with you.

  1. Who We Are

We are a private mental health provider that offers services in:

  • Diagnosis of Autism and ADHD (adults and children);
  • Therapy for adults, children and young people;
  • Specialist therapy services e.g. Relationship Therapy,  Psychosexual Therapy, Group Therapy, etc;
  • Therapy for particular difficulties such as PTSD and trauma-related difficulties.
  1. Registration

The Retreat Clinics is a company registered in England and Wales. Our company number is 4325622.

We are also a charity registered with the Charities Commission. Our  registration number is 1089826.

For the purposes of this notice, The Retreat Clinics is the data controller for all information it creates and receives. We are registered with the Information Commissioner’s Office (ICO) at: Our Registration Number is Z6470446.

  1. How We Collect Information

To be able to provide a service to you we first need to collect some information from you, to recommend appropriate treatment and next steps. This is done in a number of ways:

  • When we interact with you directly face to face during our registration and consultation activities or where we create accounts for you;
  • When you apply for a job or volunteer placement;
  • When you interact with us for any reasons for e.g. over the phone or when you complete our online forms;
  • When you interact with us through third parties;
  • When you request information on our services or make a purchase with us;
  • When you view our website. Our website collects location data and general information on website pages you visit most often and the information you are most interested in. More information about this is listed in the ‘Web Cookies Section’ below.
  1. Why We Collect Information

We collect information from you to enable us to deliver a high-quality care and treatment service to you. This is because as we form a relationship with you it is important that we have a complete picture of your medical history, so that we can assess your needs with you and develop plans for your care and treatment. Collecting information about you helps us to:

  • Provide a range of services to you. This includes creating and administering client accounts, fulfilling transactions, providing related assistance and sending administrative information to you;
  • Provide better care. Our staff need information from you to make informed decisions about you and to ensure all care provided is safe and effective;
  • Ensure our outsourced suppliers have relevant information to work with you effectively;
  • Inform our professional bodies and commissioning bodies of the treatment and services we are providing to you (all data reports are anonymised);
  • Safeguard vulnerable children and adults (including staff) who may be at risk of harm or where an incident has occurred and needs to be reviewed;
  • For research and audit purposes. (This will always be in an anonymised format unless consent has been sought from you);
  • Accomplish our business goals and plan our services (especially if we ask you to complete surveys/questionnaires about yourself);
  • Report and identify current trends;
  • Respond to our legal duties and be able to defend our legal rights;
  • Complete audits to verify internal processes are compliant with current legislation and standards;
  • Keep track of any volunteer arrangements that may be in place.
  1. What Data We Collect

The data we collect includes:

  • Personal information (, address, date of birth, GP details);
  • Contact information (email address, telephone/mobile number);
  • Health condition and status data (e.g. medical records/medical history and diagnostic and observational data);
  • Details of appointment with practitioners (i.e. dates and times);
  • Next of kin details and emergency contact details (this will be family members or those you define as your next of kin);
  • Referrals and assessment letters;
  • Details regarding medication and prescription records;
  • Exemption details if you do not pay NHS prescriptions;
  • Transaction and bank details;
  • Photographs and videos;
  • Consents to treatment;
  • CCTV images;
  • Clinical records of treatments provided.

All information collected is classed as special category data and will be treated with the utmost care.

  1. Lawful Basis for Collecting Your Personal Data
  2. a) Personal data

The legal basis relied on for processing your personal data will be that it is required to fulfil a contract (agreement) with you as per Article 6(1)(b) of UK GDPR.

For other processing activities such as consent or research requirements we will rely on Article 6(1)(a) of UK GDPR – explicit consent for the data processing activity.

  1. b) Special category data

For the processing of special category data such as your health information we will rely on Article 9(2)(h) of UK GDPR – the processing is necessary for the provision of health or social care treatment or ‘pursuant to contract with a health professional’. This is because you have placed a request with us to provide a service to you.  For consent/research issues we will rely on Article 9(2)(a) – explicit consent – under UK GDPR.

We may also rely on the ‘legitimate interests’ basis for data processing (Article 6(1)(f) for UK GDPR) where as a business we need to pursue and achieve our vision and work arrangements for example employment arrangements, research analytics, improving services, complaints, legal claims etc. Where we process your information for a ‘legitimate interest’ we will always make sure that your rights and freedoms are taken into account and will not process any information where an imbalance or privacy issue exists.

Any other uses of data will be explained at the point of collection and will apply to all relevant statutory provisions.

For the purposes of this Privacy Notice, special category data is deemed as any information that is in relation to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data and health data.

  1. Who We Share Data With

We will never share any personal information with any third parties unless we have your explicit consent to do so or under the exceptional circumstances further below. Organisations that we primarily share personal information with include:

  • GPs and Health Care Professionals associated with your referral, assessment or treatment;
  • Social and welfare organisations;
  • NHS England Commissioning Teams (CCGs), Vale of York CCG;
  • NHS Spine (for E-Prescribing Services);
  • Outsourced suppliers and providers (private and public) who help us to provide services to you and who are involved in your care;
  • Other healthcare organisations.

Subject to stricter requirements data may be shared where there are exceptional circumstances and where we are required to share to comply with the law. These include:

  • Local Authorities / social services;
  • Education establishments;
  • Voluntary providers;
  • The police or other law enforcement authority;
  • Family members or those who act on your behalf e.g. Power of Attorneys, acting agents;
  • Selected employees, and only where absolutely necessary e.g. to fulfil their job role;
  • Fraud prevention agencies.

Information shared may be in respect of:

  • A court order which is served upon us (if not challenged);
  • To the extent that we are required to do so by law;
  • In connection with any legal proceedings or prospective legal proceedings;
  • To prevent and detect serious crime, disorder and/or fraud;
  • Where it is required for ‘substantial public interest’;
  • To protect vulnerable children and adults;
  • For a life or death matter;
  • Where there is a risk of harm to another individual(s);
  • For health and safety purposes e.g. infectious diseases such as meningitis, measles etc.
  1. Research

Research plays a pivotal role in the development of health and medical care services. At The Retreat Clinics, we are proactive in research studies and will always ask you for your explicit consent and advice before directly entering you into any trials or studies as a participant unless legislation permits otherwise.

  1. Responding to Emails and Phone Calls

If you have contacted us by email we will use this to contact you. Please do not send anything confidential to us via email unless it is password protected. Confidential information can be intercepted online via personal email accounts (e.g. Yahoo or Hotmail) where they are not encrypted in transmit.

  1. Staff Training and Data Quality

Calls to The Retreat Clinics are not recorded but occasionally they may be used for staff training and quality purposes. Please do inform us of any changes to your mobile, email or home address so that we can ensure that we keep your contact details up to date.

  1. Text Reminders and Marketing

We may sometimes send you information about services you may find helpful, and may send you text messages to remind you of your appointment if you have formally agreed to this beforehand. You can opt out of this service at any time If you wish to change your contact preferences, please contact us to update your choices so that we can ensure that we are sending you the right communication via the right route.

  1. Signing in Services

You can now log onto our clinical system Compucare to see your appointment and general information. To do this you will need to authenticate your identity and provide your name and email address information. Details will be collected in relation to your username and password.

  1. Payment Processors

We use a third-party processor for our payment transactions. Information collected for this purpose may be transferred to the relevant third-party processor and will be subject to the third party’s Privacy Notice.

  1. Social Media Platforms and Blogs

Our website and social media pages and blogs will contain information about the services we provide. Please keep in mind that if you share any personal information about yourself on these platforms that this information will be viewed, collected and used by others worldwide.

  1. Testimonials and Reviews

If you submit testimonials or reviews to our website please note this may include personal information about you.

  1. Data Subject Legal Rights

Either as a client or an employee of The Retreat Clinics you will have the following legal rights in respect of your data under UK GDPR. Please note that there may be exceptions and limitations to some of these rights in regards to health data.

  • A Right to Access to Your Information (Article 15): (Also known as a Data Subject Access Request (DSAR). If you want to find out what information is held about you then you can either submit a verbal or written request to us. To ensure there is no confusion or unwarranted delays we may contact you to ensure we have understood your request correctly. SARs are free and will be responded to within 30 days (i.e. 1 month) from the date we receive your request. Where the cost to produce your request is excessive a reasonable administrative charge may be applied to cover any disbursement costs. All costs will be advised upfront, where this applies. Please advise if you want to receive your information either physically or electronically and we will try to accommodate your request, where possible.
  • A Right to Rectification (Article 16): You can request information to be rectified or updated about you where personal data is found to be inaccurate, incomplete or out of date.
  • A Right to Erasure (Article 17): (Also known as a ‘Right to be Forgotten’). You can request data to be erased about you where it is no longer necessary for The Retreat Clinics to retain your data, or where you have withdrawn consent or where there is no legal basis for us to keep your information. However, please note it is our policy not to delete data whilst you are still in our care or where the retention period in relation to our Records Management policy has not been reached. All records are managed in accordance with the Records Management Code of Practice – Oct 2023 (NHS England).
  • A Right to Restriction (Article 18): You have a right to request your data be restricted where you have objected, where it is considered incorrect, where the processing is regarded as unlawful or you have asked us to erase it. However, such a request must be reasonable for us to consider it.
  • A Right to Data Portability (Article 20): You have the right to ask us to transfer your data to another service provider where we hold your data in a structured, common electronic format and where it is easily transferrable.
  • A Right to Object (Article 21): You have a right to object to how your data is processed where we are relying on a legitimate interest (or those of a third party) or where you consider your information is being misused e.g. direct marketing. With all objections we will consider any legitimate reasons and will contact you formally with an outcome once we have finalised our decision. No personal information is used for direct marketing or research purposes without your consent upfront.
  • A Right to not be Subjected to Automated Decision Making, including Profiling (Article 22): You have the right not to be subjected to any automated decisions that may create legal effects or which may have a similar significant impact on you unless you have consented to it, it is necessary for the performance of a contract or it is otherwise permitted by law. Currently no automated decision is undertaken at The Retreat Clinics.
  • A Right to Withdraw Consent: You have a right to withdraw your consent to any processing at any time where we have sought your explicit consent to do so. Simply contact us to make any relevant changes.
  • The Right to Make a Complaint: If you are unhappy about how your data has or is being processed or handled then you a right to make a complaint to the Information Commissioner’s Office (ICO).

All data subject right queries will be handled within 30 days (i.e. 1 month) of receiving a request.

  1. Employment Data

All personal data submitted for employment and administration purposes i.e. applying for a job role at The Retreat Clinics will be processed on the basis of Article 9(2)(b) (i.e. the processing is necessary for the Performance of a Contract) of the UK GDPR. If we do not offer you a role then your data will be kept for 6 months before it is securely destroyed. Any other use of your data will be explained to you at the point of collection in respect of any other relevant statutory provisions.

  1. CCTV Images

The Retreat Clinics has surveillance cameras onsite to monitor the security of its estate as well as the safety of its staff and clients. All CCTV surveillance provision in York is maintained by our outsourced security provider SWAT. All CCTV footage is retained for 30 days.

  1. Retention of Data

All data held by The Retreat Clinics is retained in respect of our Corporate Retention Schedule.

  1. a) Non-accepted or withdrawn referrals: These are retained for a period of 2 years from the date of the initial referral or withdrawal.
  2. b) Medical Files and Assessments: All client data is retained for a period of 20 years from the date of your discharge from the centre or 8 years after death, whichever is applicable.
  3. Security of Personal Information

As a business we take the protection of your personal data very seriously. Appropriate technical and organisational measures have been implemented to protect your personal data from unauthorised access, abuse, loss, theft, alteration or misuse. All data is stored on secure servers and cloud-based solutions which have encrypted back up data measures in place. All data uses TLS encryption for data to be encrypted at rest and transfer. Access to your data is protected through role-based access controls limited to authorised personnel, via password management tools, data encryption and two factor authentications, where practical.

Information that is collected by The Retreat Clinics may be stored (including back-ups), processed and transferred between any of the countries in the EU in accordance with this Privacy Policy.

  1. Cross Data Border Transfers

As a rule, we do not transfer or process personal data outside the European Economic Area unless we have your specific consent to do so or where the nature of the processing requires it (for example, because you have chosen to use an email or other communications service which routes data outside the EEA).

In addition, any approved personal information that is submitted for publication on our website will also be published on the internet making it available around the world.

  1. Website Cookies Policy

Our website uses technology called ‘cookies’ to enable us to deliver a better user browser experience for our clients and to help us understand your preferences and habits. This involves a cookie file being placed on your device each time you visit our website. Cookies do not contain any person-identifiable information.

The Retreat Clinics uses three types of cookies:

Session Cookies: These enable the tracking of your movement across the website and save information to make life easier.

Persistent Cookies:  These enable your preferences and settings to be saved each time you visit our website. This enables you to use the site more efficiently and reduces the need to re-enter data.

Third Party Cookies:  These enable us to track your user activity outside the website and optimise campaigns and analytics.

All cookies can be disabled but you are advised that this will limit the service you receive online. For more information on this please review our Cookie Policy online.

  1. Log Files

For the purpose of error capture and analysis, we capture log files which contain information about you and/or your computer. This includes:

  • Computer name
  • Operating System version
  • Browser version
  • IP address

No data processing or transformation is undertaken with this data. We do however analyse usage of our website to ensure our pages and services are relevant and current and that information can be delivered effectively.

  1. Complaints

The Retreat Clinics aims to meet the highest of standards when collecting and using personal data. As a business we treat all complaints we receive very seriously. We encourage anyone to bring concerns to our attention if they think we are using their data in any unfair or misleading way.

Contact Us (Data Protection Officer)

If you have any queries about exercising your data subject rights or about how your data is being processed and handled, then please contact our Data Protection Officer at:

The Tuke Centre

28 Green Dykes Lane


YO10 3HH

If you would like to discuss the confidentiality of your data, please contact our Caldicott Guardian:

  1. Information Commissioner’s Office (ICO)

The Information Commissioner’s Office (ICO) is the UK’s independent supervisory authority responsible for overseeing all data protection issues. If you are still dissatisfied with how your data is being processed or handled by us following our complaint procedure then you can submit a complaint to the Information Commissioner’s Office (ICO) to ask for an independent review at the following address:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire

Telephone: 0303 123 1113


Changes to this Privacy Notice

From time to time we may amend this Privacy Notice to reflect changes in the law, case law, updates in ICO guidance or for other legitimate reasons. We suggest you check our latest Notice to ensure you are up to date with our latest version.

Last updated: 21st March 2024