Privacy Policy
Last Updated: 01/02/2026
1. Introduction
Tinnitus Talking Therapies ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We are the data controller responsible for your personal data. If you have any questions about this policy or how we handle your data, please contact us using the details provided at the end of this document.
2. Information We Collect
In order to provide our tinnitus video therapy services, we collect and process the following categories of personal data:
2.1 Personal Identification Information
- Full name
- Date of birth
- Postal address
- Email address
- Telephone number(s)
2.2 Medical Information
- Hearing test results and audiological data
- Tinnitus-related health information
- Medical history relevant to your treatment
- General Practitioner (GP) details and contact information
- Therapy session notes and progress records
2.3 Technical Information
- Login credentials for the patient portal (encrypted)
- IP address and browser information when accessing our website
- Session data and portal usage information
3. Legal Basis for Processing
We process your personal data under the following legal bases as defined by UK GDPR:
- Consent: You have given clear consent for us to process your personal data for specific purposes related to your therapy
- Contract: Processing is necessary to fulfil our contract with you to provide tinnitus therapy services
- Legal Obligation: Processing is necessary to comply with healthcare regulations and legal requirements
- Vital Interests: Processing is necessary to protect your vital interests in emergency situations
For special category data (health information), we rely on:
- Your explicit consent for processing health data
- The provision of health or social care treatment (Article 9(2)(h) UK GDPR)
4. How We Use Your Information
We use your personal data for the following purposes:
- To provide tinnitus video therapy services
- To conduct and record hearing tests and assessments
- To monitor your progress and adjust treatment plans accordingly
- To communicate with you about your appointments and treatment
- To communicate with your GP when clinically necessary or with your consent
- To maintain accurate patient records
- To comply with legal and regulatory obligations
- To provide you with secure access to your information via our patient portal
- To improve our services and patient care
5. Data Storage and Security
5.1 Where We Store Your Data
All personal data is stored using Google Workspace services with data hosting exclusively within the United Kingdom. We have ensured that our data processing arrangements comply with UK GDPR requirements.
5.2 Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit and at rest
- Secure authentication and access controls for the patient portal
- Regular security updates and monitoring
- Restricted access to personal data on a need-to-know basis
- Staff training on data protection and confidentiality
- Regular backups and disaster recovery procedures
5.3 Data Retention
We retain your personal data in accordance with UK healthcare regulations and professional guidelines. Typically:
- Adult patient records: Minimum of 8 years from the date of last contact
- Records for children and young people: Until the patient's 25th birthday or 8 years after death
- We may retain data for longer periods where required by law or for legitimate business purposes
6. Sharing Your Information
We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:
6.1 Healthcare Professionals
- Your General Practitioner (GP) - when clinically necessary or with your consent
- Other healthcare professionals involved in your care - with your consent
6.2 Service Providers
- Google Workspace (for data storage and management) - operating under a data processing agreement
- IT support and security providers - bound by confidentiality obligations
6.3 Legal Requirements
- When required by law, court order, or regulatory authority
- To protect the rights, property, or safety of our patients or others
All third parties are required to maintain the confidentiality and security of your personal data and use it only for the purposes we specify.
7. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
7.1 Right of Access
You have the right to request a copy of the personal data we hold about you. You can access much of this information directly through our secure patient portal.
7.2 Right to Rectification
You can request that we correct any inaccurate or incomplete personal data.
7.3 Right to Erasure
You can request deletion of your personal data in certain circumstances, subject to legal and professional retention requirements.
7.4 Right to Restrict Processing
You can request that we limit how we use your data in certain situations.
7.5 Right to Data Portability
You can request to receive your data in a structured, commonly used format for transfer to another service provider.
7.6 Right to Object
You can object to processing of your data in certain circumstances.
7.7 Right to Withdraw Consent
Where we rely on consent, you can withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.
Important: Some rights may be limited by healthcare regulations that require us to maintain certain records. We will explain any limitations when you exercise your rights.
8. Patient Portal Security
Our website includes a secure patient portal where you can access your information. To protect your privacy:
- You must create a secure password and keep it confidential
- We use encryption to protect data transmission
- Sessions automatically time out after periods of inactivity
- You should log out after each session
- Never share your login credentials with others
- Report any suspected unauthorised access immediately
9. Cookies and Website Usage
Our website uses essential cookies to enable the patient portal and maintain your secure session. We may also use analytics cookies to improve our website experience. You can control cookie settings through your browser, though disabling essential cookies may affect portal functionality.
10. Children's Privacy
If we provide services to patients under 16 years of age, we obtain consent from a parent or guardian. Young people aged 13-15 may be able to consent to treatment themselves if they have sufficient understanding, in accordance with Gillick competence principles.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting the updated policy on our website and updating the "Last Updated" date. For material changes affecting your rights, we will provide direct notification where possible.
12. Your Right to Complain
If you have concerns about how we handle your personal data, please contact us first so we can address your concerns. You also have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
13. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Tinnitus Talking Therapies
6 Nursery Gardens, Waterlooville, Hampshire, PO8 9LE
Email: info@tinnitustalkingtherapies.co.uk
Telephone: +44(0)7512 256 038
We aim to respond to all requests within one month of receipt.