Privacy policy

1. Who I am

I am Dr Vladislava Susanina, HCPC-registered Clinical Psychologist, providing online psychological services to clients based in the European Union.

You can contact me at:
Email: vsusanina@gmail.com

I act as the Data Controller, which means I decide how and why your personal data is used.

2. What personal data I collect

I may collect and process the following data about you:

  • Identification and contact details: name, email address, phone number

  • Administrative information: appointment history, payment records (if applicable)

  • Clinical information: information you share in sessions, psychological history, assessment results, clinical notes and reports

Because I am a psychologist, some of this information may be considered special category data (e.g. health-related information).

3. Purposes and legal bases for processing

I use your personal data for the following purposes and under these legal bases:

  1. To provide psychological services to you

    • Scheduling and conducting sessions, keeping clinical records.

    • Legal basis (Article 6 GDPR): Performance of a contract (providing psychological services at your request).

    • For health-related data (Article 9 GDPR): Provision of health or social care or treatment (Article 9(2)(h)).

  2. To manage my practice and comply with legal obligations

    • Accounting, invoicing, record keeping, responding to legal requests.

    • Legal basis: Legal obligation and legitimate interests in running a professional practice safely and lawfully.

  3. To communicate with you

    • Confirming appointments, sending links for online sessions, responding to your enquiries.

    • Legal basis: Performance of a contract and legitimate interests in effective communication.

I do not use your data for marketing or profiling.

4. How I obtain your data

  • Directly from you (via email, messages, online platforms, and during therapy sessions).

  • Occasionally, from referrers (e.g. other professionals) with your consent, where applicable.

5. Data sharing and data processors

I do not sell or share your data for advertising. I may share your personal data with:

  • Service providers (data processors) who support my practice, such as:

    • Gmail & Google Drive – for email communication and storage of documents.

    • Superdoc & Healee – online practice management / telehealth platforms (if used for scheduling, records or sessions).

    • Viber – for messaging and/or calls.

These providers may process data on my behalf under their own security and privacy frameworks. I only share the minimum data necessary and, where required, rely on data processing agreements or equivalent safeguards.

I may also share information where required by law, or if I believe there is a serious risk of harm to you or others, in line with professional and legal obligations.

6. International transfers

I am based in the United Kingdom, which is considered a “third country” under the EU GDPR. The European Commission has granted the UK an adequacy decision, which means personal data can flow from the EU to the UK under similar protections to EU law.

Some of the service providers I use (e.g. Google) may process data outside the EU/EEA. In these cases, I rely on appropriate safeguards such as standard contractual clauses or adequacy decisions where applicable.

7. Data retention – how long I keep your data

  • Clinical records (therapy notes, assessments, key correspondence): normally kept for 7 years after the end of our professional relationship.

  • Records for children and young people: normally kept until at least their 25th birthday (or 26th if aged 17 at end of treatment), in line with common professional guidance.

  • Contact details and basic administrative data: kept for as long as needed for the purposes above, and then securely deleted or anonymised.

I may keep some data for longer if required by law or if necessary for legal claims.

8. Your rights under GDPR

You have the following rights in relation to your personal data (subject to certain legal conditions and limitations):

  • Right of access – to request a copy of your personal data.

  • Right to rectification – to have inaccurate or incomplete data corrected.

  • Right to erasure – to request deletion of your data, where legally possible.

  • Right to restriction of processing – to limit how your data is used in certain circumstances.

  • Right to data portability – to receive your data in a commonly used format, where applicable.

  • Right to object – to object to processing based on legitimate interests.

Because I hold clinical records, I may not always be able to delete or amend certain information if there is a legal, professional, or clinical reason for retaining an accurate record. I will explain this if it applies.

To exercise any of these rights, please contact me at: vsusanina@gmail.com

9. Automated decision-making

I do not use your personal data for automated decision-making or profiling.

10. Security

I take appropriate technical and organisational measures to protect your personal data, which may include:

  • Using strong, unique passwords and secure devices

  • Restricting access to records

  • Storing digital information in trusted services with security measures

  • Confidential disposal of any paper records (if used)

However, no system can be completely secure. If I become aware of a data breach that may pose a risk to your rights and freedoms, I will act in accordance with legal requirements.

11. Complaints

If you have any concerns about how I use your personal data, please contact me first at vsusanina@gmail.com, and I will do my best to address them.

You also have the right to lodge a complaint with a data protection supervisory authority in the EU country where you live or work, or where you believe a breach has occurred.

12. Updates to this notice

I may update this Privacy Notice from time to time. The latest version will be made available to you on request and, where appropriate, I will inform you of any significant changes.