Privacy Policy

Last updated: 3 April 2026

This privacy policy explains how Glasgow Therapists ("we", "us", "our") collects, uses, stores, and protects personal data when you use our website at glasgowtherapists.com. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data controller

The data controller responsible for your personal data is:

Illuminated Thinking Ltd
Dr Aisha Tariq, Clinical Director
Mearns Castle Golf Academy, Waterfoot Road, Glasgow, G77 5RR
Email: [email protected]
ICO Registration: ZB859542

2. What personal data we collect

2.1 Directory visitors

When you browse the directory, we collect:

  • Enquiry forms: your name, email address, phone number (if provided), and message content when you submit an enquiry about a therapist or use our "Post Your Need" service.
  • Questions: your name, email address, and question text when you submit a question on a therapist's profile.
  • Analytics data: anonymised usage data including pages visited, search terms used, and referring pages. This data is collected via Google Analytics 4 only with your explicit consent (see our Cookie Policy).
  • Technical data: IP address, browser type, and device information processed by Cloudflare for security and performance purposes.

2.2 Listed practitioners

When you register as a practitioner, we collect:

  • Account data: your name, email address, and password (stored as a cryptographic hash; we cannot read your password).
  • Profile data: professional credentials, registration details, biography, photograph, practice address, phone number, website, session fees, specialisms, therapeutic modalities, languages spoken, insurance providers accepted, and availability information.
  • Payment data: subscription payments are processed by Stripe. We store your Stripe customer ID and subscription ID to manage your listing. We do not store or have access to your card number, expiry date, or CVC. See Stripe's privacy policy.

2.3 Data we do not collect

We do not collect special category data (such as health data, racial or ethnic origin, or sexual orientation) about directory visitors. While therapist profiles may mention areas of clinical expertise, we do not process health data about the people seeking therapy.

3. How we use your data

We process your data on the following lawful bases under UK GDPR:

PurposeLawful basis
Displaying practitioner profiles in the directoryContract (with practitioner) and Legitimate interest (for visitors)
Responding to enquiries and matching requestsLegitimate interest
Managing practitioner accounts and subscriptionsContract
Sending service communications (password resets, claim links, subscription updates)Contract
Sending practitioner announcementsLegitimate interest (with opt-out)
Improving the site through analyticsConsent
Security, fraud prevention, and abuse detectionLegitimate interest

4. Who we share data with

We do not sell your personal data. We share data only with the following processors:

  • Cloudflare (hosting, CDN, security, email routing) - data processed in the EU/UK. Privacy policy.
  • Stripe (payment processing) - data processed in the EU/UK and US under appropriate safeguards. Privacy policy.
  • Google Analytics (anonymised site analytics, consent-based only) - data processed under Google's EU data processing terms. Privacy policy.

When a visitor submits an enquiry about a specific practitioner, we share the visitor's name, email, phone number, and message with the site owner (Dr Aisha Tariq) for the purpose of facilitating the connection. Enquiry data is not shared directly with the practitioner without the visitor's knowledge.

5. International data transfers

Your data is primarily stored and processed within the UK and European Economic Area. Where data is transferred to the United States (via Stripe and Google), these transfers are covered by the EU-US Data Privacy Framework, Standard Contractual Clauses, or equivalent safeguards as required by UK GDPR.

6. Data retention

  • Enquiries and contact requests: retained for 12 months from submission, then deleted.
  • Practitioner accounts: retained while the subscription is active and for 30 days after cancellation, after which the account and profile data are deleted.
  • Complimentary listings: retained while the listing is active. We will contact practitioners annually to confirm they wish to remain listed.
  • Analytics data: anonymised and aggregated. Individual session data is retained for a maximum of 14 months (Google Analytics default).
  • Search query logs: retained for 12 months for the purpose of improving search functionality.
  • Audit logs: administrative action logs are retained for 24 months.

7. Your rights

Under UK GDPR, you have the following rights:

  • Right of access: you can request a copy of the personal data we hold about you.
  • Right to rectification: you can ask us to correct inaccurate data. Practitioners can update their own profiles via the dashboard.
  • Right to erasure: you can ask us to delete your data. For practitioners, this means removing your account and profile.
  • Right to restrict processing: you can ask us to temporarily stop processing your data in certain circumstances.
  • Right to data portability: you can request your data in a machine-readable format.
  • Right to object: you can object to processing based on legitimate interest.
  • Right to withdraw consent: where we process data based on consent (analytics cookies), you can withdraw consent at any time via the cookie banner.

To exercise any of these rights, email [email protected]. We will respond within one month as required by UK GDPR.

8. Cookies

We use essential cookies for site functionality (session management) and analytics cookies only with your explicit consent. For full details, see our Cookie Policy.

9. Security

We take appropriate technical and organisational measures to protect your data, including:

  • Passwords stored using PBKDF2 cryptographic hashing (never stored in plain text)
  • All data transmitted over HTTPS/TLS encryption
  • Session tokens with automatic expiry
  • Cloudflare DDoS protection and Web Application Firewall
  • Database access restricted to authenticated, authorised users only

10. Children's data

This directory is intended for general use. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the website. The "last updated" date at the top indicates the most recent revision.

12. Complaints

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk/make-a-complaint
Helpline: 0303 123 1113

We would appreciate the opportunity to address your concern directly first. Please contact [email protected].