Privacy Policy

Harrison Wellness Limited | Effective Date: June 2026 | Version 1.0

In brief: what you need to know

  • We only collect the personal data needed to provide therapy and assessment services safely and lawfully.
  • Your health information is treated as confidential and protected with strict security safeguards.
  • We do not use AI tools in therapy sessions. Some administrative tools use AI for business tasks only.
  • You have rights over your data, including the right to access, correct, or object to how we use it.
  • You have the right to complain to us directly about how we handle your personal data. We will acknowledge your complaint within 30 days.
  • You can also complain to the Information Commissioner's Office (ICO) at any time.

1. Who We Are

Harrison Wellness Limited is the data controller for personal data collected in connection with our clinical services.

Company number: 16316708
ICO Registration number: ZC179971

Data controller contact:
Dr Frankie Harrison, Clinical Psychologist (HCPC Registered)
Email: hello@miraclemoon.co.uk
Website: www.miraclemoon.co.uk

Associate clinicians

Some therapy is delivered by associate psychologists working with Harrison Wellness Limited. Each associate is an independent data controller for the clinical records they generate. Harrison Wellness Limited remains the data controller for central administration including appointments and billing.

If you wish to exercise your data rights relating to records held by an associate, contact us at the email above and we will coordinate your request.

2. Personal Data We Collect

a) Website visitors

  • IP address and browser metadata
  • Pages visited and time on site (analytics, if you consent)
  • Name, email, phone, and message content (if you use our contact form)

b) Clients - personal and contact information

  • Name, date of birth, address
  • Email address and telephone number
  • Emergency contact details
  • GP details (where relevant)

c) Clients - special category health data

  • Therapy session notes
  • Clinical formulations and outcome measures
  • Referral letters and correspondence
  • Relevant medical and psychiatric history

This is special category personal data under UK GDPR and is handled with the highest level of care and confidentiality.

d) Financial information

  • Payment records and invoices (we do not store card details)

3. Lawful Basis for Processing

a) General personal data - Article 6 UK GDPR

Processing activity Lawful basis
Providing therapy and assessment services Contract
Managing appointments and communications Contract
Maintaining clinical records Contract and legal obligation
Processing payments Contract and legal obligation
Responding to contact form enquiries Legitimate interests
Clinical supervision Legitimate interests - professional obligation to ensure safe practice
Website analytics (if accepted) Consent
Safeguarding disclosures Legal obligation and/or vital interests
Zoom meeting notes (non-clinical meetings only) Legitimate interests

b) Special category health data - Article 9 UK GDPR

We process health data under:

  • Article 9(2)(h): processing necessary for the provision of health or social care treatment, by a health professional subject to a duty of confidentiality
  • Article 9(2)(c): protection of vital interests, where applicable (e.g. safeguarding)

4. How We Use Personal Data

  • To provide psychological therapy and assessment services
  • To maintain accurate clinical records
  • To manage appointments and communications
  • To process payments and issue invoices
  • To meet our legal, ethical, and professional obligations
  • To ensure quality of care, including through clinical supervision

5. Third-Party Systems and Data Processors

a) Practice management system

WriteUpp is used for appointment scheduling, secure storage of clinical records, and invoicing. Client data is stored securely on WriteUpp's UK-hosted infrastructure and WriteUpp acts as a data processor on our behalf.

b) Stripe (payments)

We use Stripe to process payments. Stripe handles payment data directly and we do not store card details.

c) Zoom (meetings)

We use Zoom for some communications, including supervision and associate meetings. Zoom's AI note-taking feature may be used in internal business meetings.

We do not use AI note-taking or any AI tools in therapy sessions. If a session is to be recorded for any reason (for example, for training or with your explicit consent), we will discuss this with you in advance and obtain your written consent.

d) Claude (AI assistant - business administration only)

We use Claude, an AI assistant by Anthropic, for internal business administration tasks such as drafting documents and administrative planning. Claude is not used in any clinical capacity and plays no role in your therapy or any decisions about your care.

We take care not to input identifiable client data into Claude.

e) Secure email

We use secure, encrypted email for communications that include sensitive clinical information.

6. Who We Share Data With

We share personal data only when there is a lawful basis and it is necessary and proportionate. This may include:

  • Data processors listed above, under data processing agreements
  • Clinical supervisors - with information anonymised or minimised wherever possible
  • Safeguarding bodies and emergency services - where necessary to protect you or others from serious harm
  • Courts, legal representatives, or statutory authorities - where required by law
  • Your GP or other health professionals - only with your explicit consent, except in safeguarding situations
  • Professional advisers - such as accountants or legal advisers, under confidentiality obligations

7. International Data Transfers

Where service providers process data outside the UK, we ensure appropriate safeguards are in place:

  • Zoom: United States, under Standard Contractual Clauses
  • Anthropic (Claude): United States, under Standard Contractual Clauses
  • Stripe: United States, under Standard Contractual Clauses

8. Data Retention

Data type Retention period
Clinical records (adults) Minimum 7 years post-therapy, or longer if required by law or professional obligation
Clinical records (children and young people) Until the patient's 25th birthday (or 26th if they were 17 at end of treatment), in line with BPS guidance
Client contact information Retained for the same period as associated clinical records
Financial records 6 years, in line with HMRC requirements
Contact form submissions Deleted within 6 months of enquiry being resolved

9. Data Security

We take appropriate technical and organisational measures to protect personal data, including:

  • Encrypted storage of electronic records
  • Password-protected and access-restricted systems
  • Two-factor authentication where available
  • Secure email for sensitive communications
  • Secure disposal of records at the end of retention periods

10. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects. AI tools used for business administration do not play any role in clinical decisions or decisions about your care.

11. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access: request a copy of your personal data
  • Right to rectification: request correction of inaccurate data
  • Right to erasure: request deletion, subject to our legal and professional obligations to retain clinical records
  • Right to restriction: request that we limit how we use your data
  • Right to object: object to processing based on legitimate interests
  • Right to data portability: receive your data in a portable format
  • Right to withdraw consent: where we rely on consent, you can withdraw it at any time without affecting your access to therapy

To exercise any of these rights, email hello@miraclemoon.co.uk. We will respond within one month. If your request is complex we may extend this by a further two months and will let you know.

12. Data Breaches

We have procedures in place to detect and respond to personal data breaches. If a breach is likely to result in a high risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay.

If you believe your data has been compromised, please contact us immediately at hello@miraclemoon.co.uk.

13. Your Right to Complain

If you have concerns about how we handle your personal data, you have the right to complain to us directly. Email hello@miraclemoon.co.uk and we will acknowledge your complaint within 30 days, investigate, and respond.

You also have the right to complain to the Information Commissioner's Office (ICO) at any time:

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14. Changes to This Policy

We may update this policy from time to time. The current version will always be available with the effective date shown at the top.

Become a part of our supportive community today!

Thank you! Your submission has been received!
Oops! Something went wrong. Please try again later.