GDPR Compliance

Last updated: April 2026

Our Commitment to Data Protection

ClearForge Works Ltd is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a psychology practice handling sensitive personal information, we maintain the highest standards of data protection and privacy.

This page provides specific information about our GDPR compliance practices and your rights under UK data protection law.

Data Controller Information

Data Controller: ClearForge Works Ltd
Registration Number: 08742156
Registered Address: 42 Deansgate, Manchester M3 2EG, United Kingdom
Data Protection Officer: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. For different types of processing, we rely on:

Consent

We obtain your explicit, informed consent before providing therapeutic services and maintaining clinical records. You have the right to withdraw this consent at any time, though this may affect our ability to continue providing services.

Contractual Necessity

Processing your personal information is necessary to fulfill our service agreement with you, including scheduling appointments, providing consultations, and processing payments.

Legal Obligation

We are required by professional regulations and UK law to maintain certain records and process information in specific ways. This includes record retention requirements and reporting obligations in exceptional circumstances.

Legitimate Interests

In some cases, we process information based on legitimate business interests, such as improving our services or preventing fraud, provided these interests don't override your fundamental rights and freedoms.

Special Category Data

The therapeutic information we collect constitutes special category data under GDPR (health data). We process this based on explicit consent and for the provision of health or social care services under professional obligations.

Your Rights Under UK GDPR

UK GDPR grants you comprehensive rights regarding your personal data. We respect and facilitate the exercise of these rights:

Right to Be Informed

You have the right to clear information about how we collect and use your personal data. This notice, along with our Privacy Policy, provides that transparency.

Right of Access

You can request a copy of the personal data we hold about you at any time. This is commonly known as a Subject Access Request (SAR). We will provide this information within one month, free of charge, unless your request is manifestly unfounded or excessive.

Right to Rectification

If personal information we hold about you is inaccurate or incomplete, you have the right to have it corrected or completed. This applies to both administrative and clinical records.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances. However, this right is limited by our professional obligation to maintain clinical records for specified periods and other legal requirements.

Right to Restrict Processing

You can ask us to restrict processing of your personal data in specific situations, such as when you contest the accuracy of data or object to processing.

Right to Data Portability

You have the right to receive personal data you provided to us in a structured, commonly used, machine-readable format and to transmit that data to another controller where technically feasible.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. Where we process data based on legitimate interests, we must stop unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision Making

We do not use automated decision-making or profiling in our practice. All decisions regarding your care are made by qualified professionals.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us:

Email: [email protected]
Post: Data Protection Officer, ClearForge Works Ltd, 42 Deansgate, Manchester M3 2EG, United Kingdom

When making a request, please include:

  • Your full name and contact information
  • Details of your specific request
  • Proof of identity (to protect your information from unauthorized access)

We will respond to your request within one month. In complex cases, this may be extended by up to two additional months, and we will inform you if this is necessary.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in processing your personal data:

Technical Measures

  • Encryption of data both in transit and at rest
  • Secure password policies and multi-factor authentication
  • Regular security updates and patches to systems
  • Secure backup procedures with encrypted storage
  • Firewalls and intrusion detection systems

Organizational Measures

  • Strict access controls limiting data access to authorized personnel
  • Confidentiality agreements with all staff and contractors
  • Regular training on data protection and security
  • Clear policies and procedures for handling personal data
  • Regular audits of data protection practices

Data Breach Procedures

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we have procedures in place to:

  • Detect and contain the breach as quickly as possible
  • Assess the nature and severity of the breach
  • Notify the Information Commissioner's Office within 72 hours where required
  • Inform affected individuals without undue delay if there is a high risk to their rights
  • Document the breach and our response for regulatory purposes
  • Take steps to prevent similar breaches in the future

International Data Transfers

We store and process all personal data within the United Kingdom. We do not routinely transfer personal data outside the UK. In the rare circumstance where international transfer might be necessary, we would:

  • Only transfer data to countries or organizations with adequate protection
  • Use appropriate safeguards such as standard contractual clauses
  • Inform you of the transfer and obtain consent where required

Third-Party Processors

When we engage third-party service providers who process personal data on our behalf, we ensure they:

  • Process data only on our documented instructions
  • Maintain appropriate security measures
  • Assist with fulfilling data subject rights requests
  • Delete or return data when services are completed
  • Are bound by written data processing agreements

We carefully vet all processors and regularly review their compliance with data protection requirements.

Data Protection Impact Assessments

Where we introduce new processing activities that may pose high risks to individual rights, we conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate those risks before implementation.

Record Keeping

We maintain comprehensive records of our processing activities, including:

  • Categories of personal data processed
  • Purposes of processing
  • Recipients of personal data
  • Retention periods
  • Security measures implemented

These records demonstrate our compliance with GDPR principles and are available to the ICO upon request.

Privacy by Design and Default

We integrate data protection considerations into all our operations from the outset. This means:

  • Collecting only data that is necessary for specific purposes
  • Implementing privacy-protective settings as the default
  • Ensuring data protection measures are in place before processing begins
  • Regularly reviewing and updating our practices

Children's Data

When working with individuals under 18, we obtain appropriate consent from parents or guardians and implement additional safeguards for children's data. Children aged 13 and over may provide their own consent for online services under UK law, though we typically work with adult clients.

Accountability

We take responsibility for demonstrating our compliance with data protection principles. This includes maintaining documentation, conducting regular reviews, and being transparent about our practices.

Complaints and Concerns

If you have concerns about how we handle your personal data or believe your rights have been violated, please contact us first so we can address the issue:

Email: [email protected]

You also have the right to lodge a complaint directly with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

Updates to This Notice

We review and update this GDPR compliance notice regularly to reflect changes in law, guidance, or our practices. Significant changes will be communicated to current clients, and we will update the date at the top of this page.