Change Feels Good

Privacy Policy

Last updated: 24/01/2025

My website address is: https://www.changefeelsgood.co.uk

I, Jonathan Baker, am the Data Controller and Processor of Change Feels Good.

I adhere to the code of ethics of NSTT. If you are unhappy with my treatment of you, you may write to them.

The basis on which I keep client data is that of “Legitimate Interests”. This means that the data is necessary for me to fulfil the contract that we have together (i.e. to provide therapy, coaching, guided meditation or mentoring supervision) and that it is data that you would reasonably expect me to hold and use.

For those who enquire about therapy, coaching, guided meditation or mentoring supervision the data I hold includes any information you have communicated to me by email/text/message/phone.

The data I hold includes:

  • Basic information such as name, email address, phone number
  • Information that you give me as part of the work we do together
  • Records of what interventions that I use (or potentially do not use) in our sessions
  • Emails, texts and/or messages that are sent between us 
  • Information sent from any third party, e.g. GP

Some of the information that you give me may fall under the definition of a special category of data as defined by the General Data Protection Regulation. The condition for processing this special data is “processing is necessary for medical diagnosis, the provision of health care or treatment pursuant to contract with a health professional”. However, data on any criminal offences (including allegations, proceedings and convictions) is even more tightly controlled and so I need your specific consent in order to hold any such information.

Data is not shared with anyone, except my clinical trustee and possibly your GP and my supervisor to ensure your continued care, and for any reasons covered by the Requirements for Disclosure section below. However, if you were to make a complaint about me to my professional body, I would be entitled to share your notes with any investigation procedures. 

The data is primarily used to enable me to provide therapy for you. It may also be used for scientific research purposes and statistical purposes.

Details of where data is held:

  • Any emails sent between us, contact form submissions from you and contact details are held either on my computer’s hard drive or exchange server or if archived, or in Google Drive, or Google Contacts.
  • Any that may be held on my mobile phone are fingerprint/code protected.
  • Any texts/WhatsApp/Messenger/Telegram messages sent between us (See Social Media and Electronic Information policy) are held on my mobile phone which is fingerprint/code protected.
  • Your notes are hand typed and are kept in Google Drive, or my computer’s hard drive. As an additional layer of security they are ‘zero-knowledge’ encrypted, either client-side using Cryptomator, or server-side using Cyberduck, both at rest and in transit. A coding system enables the therapist to know whose notes are whose, but a stranger seeing the notes would not be able to identify who they referred to.
  • Any credit card information is deleted, or shredded as soon as processed.
  • If you use online payment, or banking platforms, then clearly these systems will hold your data. I will download from these systems for accounting purposes and the resulting spreadsheets are held (and zero-knowledge encrypted) in Google Drive. When sent to my accountant/commercialista, they will be password protected.
  • Invoicing data, including names, contact details and unique taxpayer references are held by Aruba Fatturazione Elettronica and are password protected. They are also accessible by my accountant/commercialista, as required by Agenzie delle Entrate, Italia.
  • If you subscribe to a mailing list on Changefeelsgood.co.uk your data will be held by Mailchimp and may be used for direct email and/or messaging marketing. Mailchimp, which is a GDPR compliant marketing service.
  • Any recordings are zero-knowledge encrypted and stored, in a secure computer database on a computer that is password protected and accessible only by me, or on Google Drive.

All of these forms of storage and data transit are secure and GDPR compliant.

I retain your data indefinitely, so that you can have access to your recent health records, should you need them, in case you ever want to work together again, or in case research is to be conducted and in line with my insurance policy. Historical anonymised notes provide necessary information about your therapeutic profile and the process of reaching (or not reaching) your goals for therapy. Contact details provide the code needed to identify your notes for any further psychotherapy work together, but would never be used in research.

Change Feels Good takes the security of data seriously and as such:

  • All data is held securely (see details of where data is held above)
  • Any data transmitted is sent encrypted, or zero-knowledge encrypted, where possible
  • For accounting purposes spreadsheets and invoices are used

However:

I am not in control of data (including emails, texts and contact form submissions) which you send me.

Apps such as Facebook routinely access any information held and this is beyond my control.

If there is any breach of data security I, Jonathan Baker at Change Feels Good will give full details to the Information Commissioner’s Office and any person affected within 72 hours of the breach and do all possible to minimise any potential impact.

You have rights with regards to the data held:

  • The right of access. I will provide you with all data I hold on you as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
  • The right to rectification. If any data I hold is incorrect, just let me know and I will correct it as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
  • The right to erasure. If you wish me to erase your data just let me know and I will delete any computer records and shred any paper records as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). NB: data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing but this would never include case notes or data such as address/email/phone.
  • The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure
  • The right to data portability. This might apply if you want your notes sent to another therapist for example, but it is likely that the easiest solution would come under the right to access, i.e. I would send the data to you.
  • The right to object to:
    • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). Change Feels Good does not engage in these things
    • Processing for purposes of scientific/historical research and statistics. For this, you must provide grounds for your objection.
    • Automated decision making and profiling. Change Feels Good does not engage in automated decision making or profiling.

Insurance

I am insured through BGi.eu

Data Protection Authority

I am regulated by the Information Commissioner’s Office (ICO) in the UK with regards to data protection. Any disputes would be handled by them in the UK.

Cookies

Like many websites, I use cookies. A cookie is a small amount of data that is sent to your computer or mobile phone browser from a website’s computer and is stored on your device’s hard drive.

Cookies record information about your online preferences. They help me understand how visitors engage with my sites so that I can improve your online experience with me, Change Feels Good. I do not use cookies to collect personally identifiable information about you.

Each website you visit can send its own cookie to your browser if your browser’s preferences allow it. To protect your privacy, your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites.

How to control and delete cookies

You may restrict or block the cookies which are set by our website, or any other website, through your browser settings. You can also ask your browser to alert you when a cookie is issued.

For more information about cookies and how to manage them is available at www.aboutcookies.org

I use Google Analytics to understand how visitors engage with my websites. It collects information anonymously and reports website trends without identifying individual visitors. For more information visit Google Analytics privacy and security information.

Change Feels Good

Social Media and Electronic Information Policy

Last updated: 20/05/2023

My website address is: https://www.changefeelsgood.co.uk

I, Jonathan Baker, am the Data Controller and Processor of Change Feels Good.

This section outlines the policy of Change Feels Good with regard to the use of social media and electronic information. If you, as a client, have questions about any aspect please do ask. As the world of technology is constantly changing this document is likely to be updated regularly and the latest version will always be available on my website.

Since 14/05/2025 The NSTT code of ethics and conduct has additionally applied to my social media policy. This means that some things have changed and the following points apply to social media activity after this date.

Professional vs. personal social media connections

I tweet on Twitter/X, post on LinkedIn, Instagram, and my Facebook page, as a professional. All these tweets/posts are therapy and wellbeing related and none of them contain my personal information. I have one personal social media profile, which is on Facebook.

As a client you are welcome to follow me on any of my professional profiles that I have on social media, but please do not “friend” me on my personal profile. I would only request to follow you through my professional profile/s.

If as a client of mine, you request a personal connection on any social media platform I will not reciprocate it.

If I were to accept a personal connection with you it could not only compromise your confidentiality (e.g. if another of my friends saw that you were a friend they may wonder how we know each other) but would also blur the boundary of the therapeutic relationship.

If you are an existing personal social media connection of mine and you ask to work with me, please do so through a private channel and not publicly (please see the “interacting” section below). Following this request, I would come to a conclusion, in consultation with my supervisor, as to whether it would be appropriate for us to work together, which may result in ending this friend-type connection. If I were to conclude that it would not be appropriate to work together, I would explain this reason to you and directyou on to other support solutions, which may be more appropriate.

Interacting

Please do not use public ways of contact (e.g. @replies or tagging) again because of the potential for this to compromise your confidentiality. You may use WhatsApp, Telegram or SMS to discuss appointment times or other logistics. Please only use WhatsApp, Telegram, or Signal (which are zero-knowledge encrypted) if you want to discuss therapeutic issues and do not use SMS. SMS cannot be kept secure.

As a client, or previous client, you are welcome to comment, or otherwise interact with posts I make through my professional profiles on social media platforms. I will not initiate any such interactions directly with you publicly. If I respond publicly to your interaction with me, it will be polite, brief and general, so as not to compromise your confidentiality and the therapeutic relationship.

Use of search engines

I do not routinely Google my clients but may very occasionally in a time of crisis. For example, if you had failed to attend a session and I was concerned for your safety I may try to find out about you this way. If I did so, I would tell you about it the next time we met.

Business reviews and testimonials

Before I began training to become a psychotherapist with the NCHP I did collect and publish testimonials. This was permitted by the ethical codes of professional bodies, such as CNHC and BAThH, with whom I had and still have membership. Through my training with NCHP I realised that even if testimonials are anonymised, the things clients may write about in testimonials could be recognised by others and they could therefore compromise confidentiality. In addition, testimonials cannot be sourced and verified as accurate information. This is why it is considered unethical by NSTT, a professional body within which I have become a member since training with NHCP, to publish testimonials, and so I no longer post, or publicise testimonials, nor will I ever ask you for one.

I have a business page on Facebook, a profile on LinkedIn and a Google Business Profile. Some people have independently left reviews and recommendations in these places (and possibly other parts of the internet that I am unaware of). Anyone (including a competitor) can post anything so it is advisable to be aware that reviews (good or bad) may not be representative of the views of real clients. No reviews are published on my website, or any of my promotional material. I will never ask anyone to give a review, or recommendation for Change Feels Good and I will never comment on any that are given.

Location-based services

I currently only work online, but if I do begin to work in-person again, if you use location-based services on your phone you should be aware that others may surmise that you are a therapy client if you are seen as “checking in” at my address.

Email

It is preferable to use email only for logistical contact (e.g. to get a reminder of an appointment time) due to the inherent insecurity of email. 

Email, or text therapy

If you wish to engage in “email therapy” then please “zip” an .odt, .dox, or .doc document in a password protected compressed folder to contain what you wish to say. If you wish to engage in “text therapy” then please only use Signal, Whatsapp, or Telegram, which are zero-knowledge encrypted. I can help you set these methods up if you need them.

Phone

As above, SMS, WhatsApp, or Telegram texting, or voice messages may be used for contact about appointment times. This is preferable to making a phone call. It is easier to respond, as I cannot answer the phone if I am with another client. Whether phoning or texting, please only do so between the hours of 9am and 8pm.

Phone and messaging technology security good practise

Please be mindful, while using any of these channels of communication, that others could have access to this information. This could be by overlooking your screen while you text, or email, by being in the same room as you while you speak on the phone. Someone else may have administrator privileges on your account/s, or they may know your login credentials.

If it is important to you that our conversations are kept confidential from these possibilities from leakage. You may wish to consider how and where you communicate logistical, vs. personal information. You may also wish to take steps to ensure your account credentials are unknown to and inaccessible by others.

In order to avoid replying to imitation accounts, check the source of any communications that appear to be from me against the contact details you have form on record, or those available on my website.

Please only use these channels of communication from a mobile network, or a private, or home WiFi network, administered by yourself, or someone you trust. Public WiFi networks are notoriously insecure.

It is also possible that malware, or spyware can be installed on a computer, tablet, or phone and for a hacker to be able to listen remotely. I don’t mean to be alarming in raising this. This is a security consideration that applies to all uses of communication technology. In order to reduce this likelihood it is advisable to keep your device operating systems up to date, scanning frequently with antivirus and malware software that is also up to date and to avoid clicking on links, or downloading attachments from spam emails and messages.