search icon Harley StreetLondon BridgeCityUK-wideOnline
Harley StreetLondon BridgeCityUK-wideOnline
Harley Therapy
Book now phone iconCall us

Privacy Notice

Last updated: 3 June 2026

Introduction

Welcome to Harley Therapy's privacy notice.

Harley Therapy respects your privacy and is committed to protecting your personal data. This privacy notice will inform you about how we look after your personal data when you visit our website (regardless of where you visit it from) or engage with us via phone or email, and tell you about your privacy rights and how the law protects you.

Please note that we are not a healthcare provider and we do not provide clinical or therapeutic services. Independent practitioners who use this platform are solely responsible for the clinical care they provide. They operate as independent professionals and are not employees or agents of Harley Therapy or HT Management Services Ltd.

Nothing on this platform constitutes medical advice. If you have any concerns about your health or wellbeing, you should seek independent medical advice from a qualified healthcare professional.

Please also use the Glossary to understand the meaning of some of the terms used in this privacy notice.

  1. Important information and who we are
  2. The data we collect about you
  3. How is your personal data collected
  4. How we use your personal data
  5. Disclosures of your personal data
  6. International transfers
  7. Data security
  8. Data retention
  9. Your legal rights
  10. Glossary

1. Important information and who we are

Purpose of this privacy notice

This privacy notice aims to give you information on how Harley Therapy collects and processes your personal data through your use of this website. This website is not intended for children and we only collect data relating to children with the guardian's permission.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

Controller

This privacy notice is issued on behalf of HT Management Services Ltd, so when we mention "Harley Therapy", "we", "us" or "our" in this privacy notice, we are referring to the relevant company in the Harley Therapy group responsible for processing your data.

HT Management Services Ltd is the controller and is responsible for this website. We have appointed a Data Protection Lead who is responsible for overseeing questions in relation to this privacy notice. If you have any questions, including any request to exercise your legal rights, please contact the Data Protection Lead using the details below.

Contact details

Full name of legal entity: HT Management Services Ltd

ICO registration number: ZA831962

Data Protection Lead: Gemma Price

Email: help[at]harleytherapy.co.uk

Postal address: 10 Harley Street, London, England, W1G 9PF

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Changes to the privacy notice and your duty to inform us of changes

This version was last updated on 3 June 2026. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

2. The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:

  • Identity Data includes first name, last name, username or similar identifier, marital status, title, date of birth and gender.
  • Contact Data includes email address, home address and telephone numbers.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • Profile Data includes your username and password, your interests, preferences, skills, connections, feedback and survey responses.
  • Demographic data /strong>includes information such as age range, location and other information you choose to provide that helps us match you with an appropriate practitioner.
  • Payment and Transaction Data includes payment details, billing information, details of payments made through the platform and related transaction records.
  • Legal Data includes information needed to manage complaints, disputes, safeguarding concerns, legal claims or regulatory obligations.
  • Usage Data includes information about how you use our website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
  • Professional History Data includes details about your work experience, title, and current and previous employer.
  • Medical History Data includes presenting issues and medical history, and the name and address of your GP.
  • Image includes profile photographs uploaded by practitioners and any images you choose to provide to us.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law, as this data does not directly or indirectly reveal your identity. If we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data, which will be used in accordance with this privacy notice.

We collect Special Categories of Personal Data about you (this includes details about your health) as this is necessary for us to provide you with the best match of practitioner. We do not collect any other special category data, and we do not collect information about criminal convictions and offences.

If you fail to provide personal data where we need to collect it by law, or under the terms of a contract we have with you, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case we may have to cancel the service you have with us, but we will notify you at the time.

3. How is your personal data collected?

We use different methods to collect data from and about you, including through:

Direct interactions. You may give us data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

  • request to see a practitioner;
  • sign up to a newsletter or blog;
  • register for access or create an account on our website;
  • request marketing to be sent to you;
  • enter a competition, promotion or survey; or
  • give us feedback.

Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.

Third parties or publicly available sources. We may receive Technical Data from analytics providers such as Google.

4. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • where we need to perform the contract we are about to enter into or have entered into with you;
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
  • where we need to comply with a legal or regulatory obligation.

Generally, we do not rely on consent as a legal basis for processing your personal data, other than in relation to sending marketing communications to you. You have the right to withdraw consent to marketing at any time by contacting us.

Health and other special category data. Some of the information we process may concern your health, which is special category data under the UK GDPR. We process this only where we have a lawful basis under Article 6 and an additional condition under Article 9. We use health information only to help facilitate access to independent practitioners and administer related services. Where applicable, we rely on Article 9(2)(h), where processing is necessary for health or social care by, or under the responsibility of, a professional subject to confidentiality obligations, and/or on your explicit consent. Special category data is subject to additional safeguards and is accessed only by those who need it.

Advertising and measurement. With your consent, we work with advertising partners, including Google and Meta, to measure the effectiveness of our advertising and to show relevant adverts on other websites and platforms. This may involve placing cookies or similar technologies on your device and sharing limited information with these partners, such as your device or browser identifiers, IP address and the pages or actions you take on our website. For this collection and sharing of data through advertising technologies, we and the relevant partner act as joint controllers, and each partner also processes the data for its own purposes under its own privacy policy. We rely on your consent as the lawful basis for this processing. You can manage or withdraw your consent at any time through our cookie banner. For more detail on the specific technologies used, please see our cookie policy

Purposes for which we will use your personal data

We have set out below a description of the ways we plan to use your personal data and the legal bases we rely on to do so. Note that we may process your personal data for more than one lawful ground depending on the specific purpose. 

Purpose / activityType of dataLawful basis for processing
To register you as a new customer or practitioner

 Identity; Contact

 Performance of a contract with you.
To process your request to connect with a practitioner



 Identity; Contact; Medical; Demographic; Legal and payment information

 Performance of a contract with you, your practitioner, your employer or community manager. Necessary for our legitimate interests (to support our business model). For health data, Article 9(2)(h) UK GDPR (provision of health and social care).
To manage our relationship with you, including notifying you about changes to our terms or services


 Identity; Contact; Marketing and Communications

 Performance of a contract with you, your employer or community manager. Necessary to comply with a legal obligation.
To enable you to complete a survey


 Identity; Contact; Profile; Usage; Marketing and Communications Necessary for our legitimate interests (to study how customers use our services, to develop and improve them, and to grow our business).
To enable you to upload, update or create a profile on our platform

 Identity; Contact; Professional History

 Performance of a contract with you. Necessary for our legitimate interests (to support our business model).
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting data)

 Technical



 Necessary for our legitimate interests (running our business, IT services, network security, fraud prevention, and group restructuring). Necessary to comply with a legal obligation.
To use data analytics to improve our website, services, marketing and customer relationships

 Technical; Usage


 Necessary for our legitimate interests (to keep our website relevant, develop our business and inform our marketing strategy).
To make suggestions and recommendations to you about services that may be of interest

 Identity; Contact; Technical; Usage

 Necessary for our legitimate interests (to develop our services and grow our business).

 

Promotional offers from us

Promotional offers from us. We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what services may be relevant to you. Where required by law, we will only send electronic marketing with your consent. Where PECR permits, we may rely on the “soft opt-in” for existing customers or people who have enquired about similar services, provided you are given a clear opportunity to opt out. You can opt out of marketing at any time.

Opting out

You can ask us to stop sending you marketing at any time by following the opt-out links on any marketing message or by contacting us. Where you opt out of marketing messages, this will not apply to personal data provided as a result of a service purchase or other transaction, as we may still need to communicate with you about those services.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, some parts of this website may become inaccessible or may not function properly. For more information, please see our cookie policy.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Email tracking for communication verification

Some emails sent through our communication system may include a tracking pixel which tells us when an email is first opened. We use this to support reliable administration of services and, where relevant, to verify receipt of important communications. Our system does not use this feature to monitor behaviour or to collect additional information beyond the first open event. Tracking pixels may be blocked by some email providers or privacy settings, so an open receipt may not always be available.

How email tracking works. Our system relies on a tracking pixel to detect when an email is first opened. This feature does not collect any other details about your device or usage beyond the initial opening. As a standard function of our communication platform, email tracking cannot be selectively disabled on a per-client basis. However, if you wish to manage email tracking independently, you may consider:

  • Using privacy-focused email providers: some email services, such as ProtonMail and Tutanota, block tracking pixels by default.
  • Adjusting settings in your email app: many popular email apps, including Apple Mail and Outlook, provide options to block tracking pixels. For example, Apple's "Mail Privacy Protection" helps prevent tracking pixels from revealing whether emails have been opened.

We rely on the legitimate interests basis (Article 6(1)(f) UK GDPR) for this feature, to ensure safe and effective communication with clients. We do not use it to monitor behaviour or to collect personal data beyond the stated purpose.

Mobile communication (SMS and instant messaging)

Scope of use. We may use SMS (text messaging) and encrypted instant messaging platforms to communicate with you regarding the administration of services from your practitioner. This is strictly limited to:

  • appointment scheduling, confirmations and reminders;
  • sharing links to secure clinical portals or payment systems; and
  • brief administrative updates from your practitioner or our support team.

Security and data management. To ensure a high level of data protection, we do not use personal mobile devices for clinical correspondence. All mobile messaging is managed through a secure, centralised professional communication interface, ensuring a full audit trail is maintained and that your data is stored within a UK GDPR-compliant, encrypted environment rather than on a private handset. Where instant messaging is used, we prioritise end-to-end encrypted services. Please note that standard SMS is an unencrypted technology and carries inherent privacy risks.

Boundaries. Mobile messaging channels are not monitored for support or crisis intervention. You are advised not to share sensitive therapeutic information or medical history via these channels. These platforms must not be used in a mental health emergency. If you are at risk of harm, please contact the emergency services (999) or the Samaritans (116 123) immediately.

Your choices. You have the right to opt out of mobile communication at any time. Opting out will not affect your access to therapy, though it may result in administrative updates being sent via email.

Payment processing

We use Stripe to process payments on behalf of practitioners and/or the platform. Stripe may process basic personal, billing and payment information, such as your name, contact details, payment method details and transaction information, for the purpose of handling payments, fraud prevention, security and compliance with legal obligations. Stripe processes this information in accordance with data protection law.

Call recording policy

We may record administrative calls for training, quality assurance, complaint handling, service verification and maintaining appropriate service standards. Calls are not intended to be used for clinical assessment or therapy.

We rely on legitimate interests for call recording. You will be notified at the start of the call that recording is in place and may choose not to continue with the call if you do not agree.

Our call system retains recordings for one year, after which they are automatically deleted in accordance with our system provider’s retention policy.

5. Disclosures of your personal data

We may share your personal data with the parties set out below for the purposes set out in the table in section 4 above.

  • Internal third parties: our group companies Harley Therapy Holdings Ltd, Harley Therapy Ltd and Harley Therapy Platform Ltd.
  • External third parties: our approved practitioners. Where we share your information with an independent practitioner so that they can provide services to you, that practitioner will usually act as an independent controller for the clinical records they create and hold. They are responsible for complying with their own professional and data protection obligations in relation to those records.
  • Specific third parties listed in section 3 above.
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. If a change happens to our business, the new owners may use your personal data in the same way as set out in this privacy notice.
  • Service providers acting as processors who provide IT and system administration services.
  • Advertising partners, including Google and Meta, where you have consented to advertising and measurement cookies. These partners may act as joint or independent controllers for the data collected through their advertising technologies and process it in accordance with their own privacy policies.
  • Professional advisers acting as processors or joint controllers, including lawyers, bankers, auditors and insurers, who provide consultancy, banking, legal, insurance and accounting services.
  • HM Revenue & Customs, regulators and other authorities based in the United Kingdom.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes, and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. International transfers

Some of our external third parties are based outside the UK, so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by relying on at least one of the following safeguards:

  • we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection by the UK Government ("UK adequacy regulations");
  • where we use providers in countries without UK adequacy regulations, we put in place appropriate safeguards, such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment where required; and
  • for transfers to the United States, we may rely on providers certified under the UK Extension to the EU-US Data Privacy Framework.

Please contact us if you want further information on the specific mechanism used when transferring your personal data out of the UK.

7. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach, and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data retention

How long will you use my personal data for?

We normally keep basic client records, including Contact, Identity, Financial and Transaction Data, for 7 years after you cease being a client, unless we need to retain them for longer for legal, regulatory, safeguarding, complaint-handling or professional record-keeping reasons.

Some records, including certain clinical records and records relating to clients who were under 18, may be retained for longer in line with professional and regulatory guidance. Our full retention schedule is set out in our internal Data Protection Policy and is available on request.

In some circumstances you can ask us to delete your data (see "Request erasure" below). In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use this information indefinitely without further notice to you.

9. Your legal rights

Under certain circumstances, you have rights under data protection law in relation to your personal data:

  • Request access to your personal data (a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data we hold about you. This enables you to have any incomplete or inaccurate data corrected, though we may need to verify the accuracy of new data you provide.
  • Request erasure of your personal data where there is no good reason for us to continue processing it. We may not always be able to comply for specific legal reasons, which will be notified to you at the time.
  • Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Request restriction of processing of your personal data, enabling you to ask us to suspend processing in certain circumstances.
  • Request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use, or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent.

If you wish to exercise any of these rights, please contact us at help[at]harleytherapy.co.uk

You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee, or refuse to comply, if your request is clearly unfounded, repetitive or excessive.

What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Time limit to respond. We try to respond to all legitimate requests within one month. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests, in which case we will notify you and keep you updated.

10. Glossary

Lawful basis

Legitimate interest means the interest of our business in conducting and managing our business to enable us to give you the best service and the most secure experience. We consider and balance any potential impact on you and your rights before processing your personal data for our legitimate interests, and we do not use your personal data where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Performance of contract means processing your data where it is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

Special category data means personal data revealing particularly sensitive information, including data concerning health. We process this only where we have both a lawful basis under Article 6 and an additional condition under Article 9 of the UK GDPR (in our case, the provision of health and social care under Article 9(2)(h), or your explicit consent).