Privacy and cookies policy - updated 21/03/2019


This Policy applies as between you, the User of this Web Site and Rock Psychological Therapy Services Limited (Trading name ‘Headroom’) the owner and provider of this Web Site.  This Policy applies to our use of any and all Data collected by us in relation to your use of the Web Site and any Services or Systems therein.

Definitions and Interpretation

In this Policy the following terms shall have the following meanings:

“Account”means collectively the personal information, Payment Information and credentials used by Users to access Material and / or any communications System on the Web Site;

“Content”means any text, graphics, images, audio, video, software, data compilations and any other form of information capable of being stored in a computer that appears on or forms part of this Web Site;

“Cookie”means a small text file placed on your computer by Headroom when you visit certain parts of this Web Site.  This allows us to identify recurring visitors and to analyse their browsing habits within the Web Site.  Where e-commerce facilities are provided, Cookies may be used to store your shopping basket.  Further details are contained in Clause 10 of this Policy;

“Data”means collectively all information that you submit to the Web Site.  This includes, but is not limited to, Account details and information submitted using any of our Services or Systems;

“We, Us or Our”means Rock Psychological Therapy Services (trading name ‘Headroom’), a company registered in England under 09587163, whose registered address is 2 Barnfield Crescent, Exeter, 

“Service”means collectively any online facilities, tools, services or information that We makes available through the Web Site either now or in the future;

“System”means any online communications infrastructure that We makes available through the Web Site either now or in the future.  This includes, but is not limited to, web-based email, message boards, live chat facilities and email links;

“User” / “Users”means any third party that accesses the Web Site and is not employed by Us and acting in the course of their employment; and

“Web Site”means the website that you are currently using ( and any sub-domains of this site (e.g. unless expressly excluded by their own terms and conditions.

Data Collected

Without limitation, any of the following Data may be collected:

  • name;

  • date of birth;

  • gender;

  • job title;

  • profession;

  • contact information such as email addresses and telephone numbers;

  • demographic information such as post code, preferences and interests;

  • financial information such as credit / debit card numbers;

  • IP address (automatically collected);

  • web browser type and version (automatically collected);

  • operating system (automatically collected);

  • a list of URLS starting with a referring site, your activity on this Web Site, and the site you exit to (automatically collected); and

  • Cookie information (see Clause 10 below).


Data Protection & Privacy Policy  (Updated May 2018)

We will keep your records safely. This Practice complies complies with the Data Protection Act (1998) and general Data Protection Regulation (GDPR) 2018. This means that we will ensure that your information is processed fairly and lawfully.

What personal information do we need to hold?

  • Information relating to your past and current mental health; personal details such as your age, address, telephone & General Medical Practitioner (GP)

  • Records of correspondence (email, telephone or other) between you and Headroom.

  • Records of correspondence between Headroom staff and professionals involved in your healthcare.

  • Any correspondence relating to you with other health care professionals, for example in the hospital or community services.

  • Assessment reports detailing presenting problems, personal information, risk assessments, and recommendations for treatment.

  • Information about treatment we have provided or purpose and it's cost.

  • Notes of conversations or incidents that might occur for which a record needs to be kept.

  • Records of consent to treatment.

Why do we hold this information?  


  • We need to keep accurate personal data about patients in order to provide you with safe & appropriate mental healthcare.

  • We also need to process personal data about you if we are referring you to a private counsellor, psychotherapist or practitioner psychologist.

  • In some circumstances we also need to process personal data about you if we are referring you to an NHS service.

  • As a healthcare provider, we are permitted to process special categories of personal data in accordance with article 9(2) (GDPR, 2018). In line with GDPR article 9(2)(h), Headroom’s processing of personal data is exclusively for the provision of health treatment or the management of health or social care systems (unless specific consent is obtained for the processing of personal data for other specific purposes). Headroom also adheres to GDPR article 9(3) which states: ‘Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.’ The Health Care Professions Council (HCPC) constitutes the ‘national competent body’ whose Professional Standards and Ethics include an obligations of professional secrecy to which Headroom’s staff are bound.

  • Personal data may also be used to evaluate and/or audit Headroom’s services. Such evaluations would be conducted internally. Any publications of findings from internal research or audit will not contain any identifiable information. In line with GDPR (2018), for us to process your data in this way, we require you to consent via opt-in in response to an explicit and specific request.

  • Personal data may be used for marketing purposes but only with you consent. In line with GDPR (2018), for us to process your data in this way, we require you to consent via opt-in in response to an explicit and specific request.


Retaining information

We will retain our records indefinitely.


Your information is held in Headroom's computer system and in a secure manual filing system. The information is only accessible to authorised personnel. Personal information will not be removed from this practice without the patients authorised consent.
Your Personal information is carefully protected by the staff at Headroom. All access to information is held securely and can only be accessed by regularly changed passwords. Computer terminals are closed if unattended.

Why we may need to disclose your information. In order to provide proper and safe care to:

  • Your general medical practitioner

  • Emergency services

  • Other health professionals caring for you

  • Private counsellors, psychotherapists and practitioner psychologists to whom you are potentially being referred to.

Disclosure will take place on a 'need to know' basis, so that only those individuals/organisations who need to know in order to provide care to you and the proper administration of Government (whose personnel are covered by strict confidentiality rules) will be given the information. Only information that the recipient needs to know will be disclosed. In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. In all other situations, disclosure that is not covered by this code of practice will only occur when we have your specific consent. Where possible you will be informed of these requests for disclosure.

GDPR - Lawfulness of processing, Article (6)(b) 

GDPR - Lawfulness of processing, Article (6)(b)

i. Processing data to fulfil our contractual obligations to clients

For Headroom to undertake a psychological assessment, make recommendations for treatment and make an appropriate referral, personal data needs to be recorded and processed appropriately. By requesting Headroom’s services, clients expect their data to be processed for these specific purposes as a part of Headroom undertaking their contractual responsibilities.

Headroom’s processing of the data subject is therefore a necessary aspect of the fulfilment of our contractual obligation to the clients to whom We provide Our services. Headroom therefore adheres to Article (6)(b) following terms: ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;’

ii. Processing data as a part of evaluating and improving Headroom’s services

Headroom will also process data for the purpose of obtaining feedback and outcome data relating to the suitability and effectiveness of our therapist matching service. We will routinely send clients and therapists questionnaires that relate to their experience of Headroom’s service. From therapists, we will be requesting information about the suitability of referrals, the quality of our assessment reports and their experience referral process. From clients we request information about their experience of our consultation and matching services and their experience of the therapy with the therapist we have matched them with. When requesting this information, we outline how this data will be processed and request permissions accordingly.

Feedback and outcome data from clients will be processed in the following ways:

  • As a part of evaluating the quality of our consultation and matching services

  • To evaluate the quality of our matching process

  • As a part of continually developing our matching algorithm including the interaction between client and therapist characteristics and how these relate to outcomes in therapy

  • To provide data on the competence and performance of individual therapists that Headroom can use when considering therapists for future referrals*

  • To provide data on the competence and performance of individual therapists that the therapist will have the choice of publishing on a Headroom profile page*

*Therapists must give permission for data gathered from clients that specifically relates to them to be processed for these purposes.

Feedback and outcome data from therapists will be processed in the following ways:

  • As a means of evaluating therapist experience of the referral process

  • As a means of evaluating the quality and usefulness of our reports

  • As a means of evaluating the quality of our matching process

  • As a part of continually developing our matching algorithm including the interaction between client and therapist characteristics and how these relate to outcomes in therapy

Third Party Web Sites and Services

We may, from time to time, employ the services of other parties for dealing with matters that may include, but are not limited to, payment handling, delivery of purchased items, search engine facilities, advertising and marketing.  The providers of such services do have access to certain personal Data provided by Users of this Web Site.  Any Data used by such parties is used only to the extent required by them to perform the services that We request.  Any use for other purposes is strictly prohibited.  Furthermore, any Data that is processed by third parties must be processed within the terms of this Policy and in accordance with the Data Protection Act 1998..

Changes of Business Ownership and Control

  • We may, from time to time, expand or reduce its business and this may involve the sale of certain divisions or the transfer of control of certain divisions to other parties. Data provided by Users will, where it is relevant to any division so transferred, be transferred along with that division and the new owner or newly controlling party will, under the terms of this Policy, be permitted to use the Data for the purposes for which it was supplied by you.

  • In the event that any Data submitted by Users will be transferred in such a manner, you will be contacted in advance and informed of the changes. When contacted you will be given the choice to have your Data deleted or withheld from the new owner or controller.

Controlling Access to your Data

  • Wherever you are required to submit Data, you will be given options to restrict our use of that Data. This may include the following:

    • use of Data for direct marketing purposes; and

    • sharing Data with third parties.

Your Right to Withhold Information

  • You may access certain areas of the Web Site without providing any Data at all. However, to use all Services and Systems available on the Web Site you may be required to submit Account information or other Data.

  • You may restrict your internet browser’s use of Cookies. For more information see Clause 10 below.

Accessing your own Data

  • You may access your Account at any time to view or amend the Data. You may need to modify or update your Data if your circumstances change. Additional Data as to your marketing preferences may also be stored and you may change this at any time.

  • You have the right to ask for a copy of your personal Data on payment of a small fee.


  • Data security is of great importance to Us and to protect your Data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure Data collected online.


  • We may set and access Cookies on your computer. First-party Cookies that may be placed on your computer are detailed in Schedule 1 and third-party Cookies that may be placed on your computer are detailed in Schedule 2. All Cookies used by the Web Site are used in accordance with the provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. We have carefully chosen these Cookies and uses them to facilitate certain functions and features of the Web Site. We also use Cookies for analytics purposes. These Cookies track your movements and activities on the Web Site and are designed to give us a better understanding of our users, thus enabling us to improve the Web Site and our services.

  • Before the Web Site sets Cookies on your computer, you will be presented with a message bar requesting your consent to set those Cookies. None of the Cookies set by the Web Site jeopardise your privacy in any way and no personal data is collected. By giving your consent to the setting of our Cookies you are enabling us to provide the best possible experience and service to you through our Web Site. If you wish to deny your consent to the placing of Cookies, certain features of the Web Site may not function fully or as intended.

  • Certain features of the Web Site depend upon Cookies to function and are deemed, within the law, to be strictly necessary. These Cookies are detailed in Schedule 1A. You will not be asked for your consent to place these Cookies however you may still disable cookies via your web browser’s settings, as set out in sub-Clause 10.4.

  • You can choose to enable or disable Cookies in your web browser. By default, your browser will accept Cookies, however this can be altered. For further details please consult the help menu in your browser. Disabling Cookies may prevent you from using the full range of Services available on the Web Site.

  • You may delete Cookies at any time however you may lose any information that enables you to access the Web Site more quickly.

  • The Web Site uses the third-party Cookies detailed in Schedule 2 for the purposes described therein. These Cookies are not integral to the services provided by the Web Site to you and may be blocked at your choosing via your internet browser’s privacy settings or via your response to the request for consent detailed in sub-Clause 10.2.

  • It is recommended that you ensure that your internet browser is up-to-date and that you consult the help and guidance provided by the developer of your browser if you are unsure as to how to adjust your privacy settings.

Changes to this Policy

Headroom reserves the right to change this Privacy Policy as we may deem necessary from time to time or as may be required by law.  Any changes will be immediately posted on the Web Site and you are deemed to have accepted the terms of the Policy on your first use of the Web Site following the alterations.