PRIVACY POLICY

Katy Stevenson

Last Updated: 27th Feb, 2026  |  Effective Date: 27th Feb, 2026

1. Introduction

Welcome to Katy Stevenson ("we", "our", "us"). We are committed to protecting and respecting your personal data and your privacy.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit our website at [www.yourwebsite.co.uk] ("the Website"), complete a booking form to schedule a discovery or consultation call, or otherwise interact with us online.

This policy is written in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read this policy carefully before submitting any personal information to us. By using our website and completing our booking form, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are — Data Controller

The data controller responsible for your personal information is:

Business Name:  Katy Stevenson

Email: katy@katystevenson.com
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us using the details above.

3. What Personal Data We Collect

We collect personal data that you voluntarily provide to us when you interact with our website. This may include the following categories of information:

3.1 Information You Provide Directly

  • Full name

  • Email address

  • Phone number

  • The reason you are seeking hypnotherapy or the issue you want to work on (if provided in a free-text field on our booking form)

  • Any additional information you choose to share in a message or comments box on the booking form

3.2 Information We Collect Automatically

When you visit our website, we may automatically collect certain technical data, including:

  • Your IP address

  • Browser type and version

  • Operating system

  • Pages visited on our website and time spent on each page

  • Referring website (the site you came from before landing on ours)

  • Date and time of your visit

  • Device type (desktop, mobile, tablet)

This information is typically collected through cookies and similar tracking technologies. Please refer to our Cookie Policy for more details.

3.3 Information from Third-Party Booking Platforms

If you book a call through a third-party scheduling platform (such as Calendly, Acuity Scheduling, or similar), we may receive information from that platform including your name, email address, selected appointment time, and any pre-screening answers you provide. Those platforms have their own privacy policies, and we encourage you to review them.

3.4 Special Category Data

Hypnotherapy is a health-adjacent service. You may choose to share information with us that relates to your physical or mental health or wellbeing. Under UK GDPR, this is classed as 'special category data' and is given a higher level of protection. We only collect and process such data with your explicit consent and strictly for the purpose of providing our services to you. We will never use this information for any other purpose.

4. How We Use Your Personal Data

We use your personal data for the following purposes:

4.1 To Process Your Booking Request

We use your name, email address, and phone number to confirm your discovery call booking, send you calendar invitations or reminders, and contact you regarding your appointment. This is necessary to fulfil our contractual obligation to you.

4.2 To Communicate With You

We use your contact details to respond to any enquiries you make before, during, or after the booking process. This includes answering questions about our services, sending pre-call preparation information, and following up after our call if you have requested us to do so.

4.3 To Send Marketing Communications (With Your Consent)

If you have explicitly opted in by ticking the relevant checkbox on our booking or contact form, we may send you marketing emails such as newsletters, tips and insights on hypnotherapy and wellbeing, updates about our services, and promotional offers. You can withdraw your consent and unsubscribe from marketing emails at any time by clicking the 'Unsubscribe' link at the bottom of any email, or by contacting us directly.

4.4 To Comply With Legal Obligations

In certain circumstances, we may be required to process your personal data to comply with legal or regulatory obligations, including tax records, health and safety requirements, or responding to lawful requests from law enforcement or regulatory bodies.

4.5 To Improve Our Website and Services

We may use anonymised or aggregated data (which cannot identify you) to analyse how visitors use our website, understand which services attract the most interest, and improve our content, user experience, and booking process.

4.6 To Protect Our Legitimate Interests

We may process data where it is necessary for our legitimate business interests, provided those interests are not overridden by your rights. This includes activities such as preventing fraud, ensuring the security of our systems, and maintaining business records.

5. Legal Basis for Processing Your Data

Under UK GDPR, we must have a lawful basis for processing your personal data. The legal bases we rely on are:

  • Contractual necessity — processing your booking and delivering our service to you

  • Consent — for sending marketing communications and for processing any special category (health) data you share with us

  • Legal obligation — where we are required by law to retain or share certain data

  • Legitimate interests — for website analytics, fraud prevention, and general business administration, provided your interests and rights are not overridden

Where we rely on consent as the legal basis, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing that took place before the withdrawal.

6. How We Share Your Personal Data

We do not sell, rent, or trade your personal data to third parties. We may share your data in the following limited circumstances:

6.1 Service Providers and Data Processors

We work with trusted third-party service providers who process personal data on our behalf and under our instructions. These include:

  • Scheduling and booking platforms (e.g., Calendly, Acuity Scheduling) — to manage appointment bookings

  • Email service providers (e.g., Mailchimp, ActiveCampaign, ConvertKit) — to send booking confirmations and, where consented, marketing emails

  • Website hosting providers — to host and maintain our website

  • CRM or client management tools — to manage client records and communications

  • Payment processors (if applicable) — to process payments securely

All third-party processors are carefully selected and are required to handle your data securely, in accordance with UK GDPR, and only for the purposes we specify. We have appropriate data processing agreements in place where required.

6.2 Legal and Regulatory Requirements

We may disclose your personal data if required to do so by law, by a court order, or by a regulatory authority. We may also disclose it where we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.

6.3 Business Transfers

If we sell or transfer our business or assets, your personal data may be transferred to the new owner as part of that transaction. We will notify you in advance if this occurs and ensure the new owner is bound by equivalent privacy obligations.

7. International Data Transfers

Some of our third-party service providers may be based outside the UK or European Economic Area (EEA). Where your data is transferred to a country outside the UK or EEA, we ensure that appropriate safeguards are in place to protect your data. These safeguards may include:

  • Transfers to countries recognised by the UK government as providing an adequate level of data protection

  • Use of Standard Contractual Clauses (SCCs) approved by the UK's Information Commissioner's Office (ICO)

  • Other appropriate transfer mechanisms as permitted by UK GDPR

You can request information about the specific safeguards in place for any international transfers by contacting us.

8. How Long We Keep Your Data

We retain your personal data only for as long as is necessary for the purposes outlined in this Privacy Policy, or as required by law.

  • Booking and contact information: We retain this for [e.g., 12 months] from the date of your last interaction with us, after which it is securely deleted or anonymised.

  • Client session records and health-related data: If you become a client, we retain relevant records for [e.g., 7 years] in line with recommended practice guidelines for health professionals in the UK, and then securely destroy them.

  • Financial and transaction records: Retained for 6 years as required by HMRC regulations.

  • Marketing consent records: Retained for as long as you are subscribed, plus a reasonable period thereafter to demonstrate compliance.

After the applicable retention period, your data will be securely deleted, destroyed, or anonymised so that it can no longer identify you.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data. You can exercise any of these rights by contacting us at [hello@yourwebsite.co.uk]:

9.1 Right to Access

You have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will respond within 30 days of receiving your request at no cost to you (unless the request is repetitive or excessive).

9.2 Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. We will rectify any errors without undue delay.

9.3 Right to Erasure ('Right to be Forgotten')

You have the right to request that we delete your personal data in certain circumstances — for example, if the data is no longer necessary for the purpose it was collected, or if you withdraw your consent. Note that this right is not absolute and may be overridden by legal obligations we have to retain certain records.

9.4 Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while we verify the accuracy of data you have contested, or while we consider your objection to processing.

9.5 Right to Data Portability

Where processing is based on your consent or a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to have it transmitted to another controller.

9.6 Right to Object

You have the right to object to processing based on legitimate interests or direct marketing purposes. If you object to direct marketing, we will stop processing your data for that purpose immediately.

9.7 Rights Related to Automated Decision-Making

We do not use any automated decision-making or profiling that produces legal or significant effects on you. If this changes, we will update this policy and ensure you have the right to request human review of any such decisions.

9.8 Right to Withdraw Consent

Where we rely on your consent to process your data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing carried out prior to your withdrawal.

9.9 Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority:

  • Website: www.ico.org.uk

  • Phone: 0303 123 1113

  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us in the first instance.

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyse site traffic, and support our marketing activities.

10.1 What Are Cookies?

Cookies are small text files that are placed on your device when you visit a website. They allow the website to remember your actions and preferences over a period of time, so you do not have to re-enter them whenever you come back to the site or browse from one page to another.

10.2 Types of Cookies We Use

  • Strictly Necessary Cookies: These are essential for the website to function properly. They enable core functionality such as page navigation and access to secure areas. The website cannot function properly without these cookies and they do not require your consent.

  • Performance and Analytics Cookies: These collect anonymous information about how visitors use our website — for example, which pages are visited most often. We use tools such as Google Analytics to understand and improve our site. These cookies require your consent.

  • Functionality Cookies: These allow the website to remember your preferences (such as your location or language) and provide more personalised features. These cookies require your consent.

  • Marketing and Targeting Cookies: We may use tracking pixels from platforms such as Meta (Facebook), Google Ads, or others to measure the effectiveness of our advertising and retarget visitors who have shown interest in our services. These cookies require your explicit consent.

10.3 Managing Your Cookie Preferences

When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. You can change your preferences at any time by accessing our [Cookie Settings] link in the website footer.

You can also control cookies through your browser settings. However, disabling certain cookies may affect the functionality of our website.

11. Data Security

We take the security of your personal data very seriously. We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

These measures include:

  • SSL/TLS encryption on our website (indicated by 'https' in your browser)

  • Password-protected access to systems that store personal data

  • Use of reputable, GDPR-compliant third-party service providers

  • Limiting access to personal data to only those staff members or contractors who need it to perform their role

  • Regular review of our data protection practices

While we do everything we can to protect your data, please be aware that no method of transmission over the internet or method of electronic storage is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and we will notify you without undue delay where required to do so under UK GDPR.

12. Third-Party Websites and Links

Our website may contain links to third-party websites, social media platforms, or resources that are operated by other organisations. This Privacy Policy applies only to our website. We are not responsible for the privacy practices of third-party websites and we encourage you to review the privacy policies of any external websites you visit.

13. Children's Privacy

Our website and services are not directed at children under the age of 18. We do not knowingly collect personal data from children. If you are under 18, please do not submit any personal information to us through our website or booking form. If we become aware that we have inadvertently collected personal data from a child under 18, we will delete such information promptly. If you believe we may have collected information from a child, please contact us.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the 'Last Updated' date at the top of this page and, where appropriate, notify you by email or by a prominent notice on our website.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal data.

15. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

By Email:   katy@katystevenson.com
We will endeavour to respond to all requests within 30 days. If your request is complex or if you have made multiple requests, we may extend this period by a further 60 days, but we will inform you of any such extension within the initial 30-day period.

This Privacy Policy was prepared in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.