Privacy Policy

Emma Brooke Gilding Ltd Registered in England and Wales No: 14696747 Registered Address: 128 City Road, London, EC1V 2NX, United Kingdom

Last updated: 7th April 2026

1. About This Policy

This privacy policy explains how Emma Brooke Gilding Ltd (“we,” “us,” or “our”) collects, uses, stores and protects your personal information. It applies to all visitors to emmabrooke.net, all clients and prospective clients of our counselling, psychotherapy, and coaching services, all users of our web applications (including My Journal at myjournal.emmabrooke.net), and all purchasers of our digital products.

Emma Brooke Gilding Ltd is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018. We are registered with the Information Commissioner’s Office (ICO), registration number ZB541905. Our principal, Emma Brooke Gilding, is based in Portugal and delivers services internationally via secure online platforms.

If you have any questions about this policy or your personal data, please contact us at emma@emmabrooke.net.

2. What Information We Collect

The information we collect depends on how you interact with us.

Website visitors: We collect anonymised usage data through cookies and analytics (see Section 7 below).

Mailing list subscribers: We collect your name and email address when you subscribe to our mailing list.

Prospective clients: When you enquire about our services, we collect your name, email address, and any information you choose to share in your initial message.

Clients: When you become a counselling, psychotherapy, or coaching client, we collect additional information necessary to provide our services safely and ethically. This may include your name, date of birth, contact details (including email, phone number, and address), emergency contact details, GP or medical provider details, information about your mental and physical health, medication, and any other information you share during the course of our work together. Some of this information constitutes special category data under data protection law (for example, health data), which we process with additional safeguards as described below.

My Journal app users: When you create an account on My Journal, we collect your email address and password (stored securely via Firebase Authentication). Through your use of the app, we store the journal entries you create (including text, checkbox selections, star ratings, and emoji selections), your template configurations, push notification preferences and device tokens (if you enable reminders), and subscription and payment data processed via Stripe. Your journal content is personal to you and stored under your unique user account.

Digital product purchasers: When you purchase a digital product (such as a guided meditation, course, or publication), we collect the information necessary to process your order and deliver the product, including your name, email address, and payment details (processed by Stripe).

3. Why We Collect Your Information and Our Legal Basis

We process your personal information on the following legal bases:

Performance of a contract: When you engage us for counselling, psychotherapy, or coaching services, subscribe to My Journal, or purchase a digital product, we process your personal data as necessary to deliver those services, manage bookings and accounts, communicate with you, and process payments.

Legitimate interests: We process certain data where it is in our legitimate business interests to do so, provided those interests are not overridden by your rights. This includes maintaining internal records, improving our services and applications, ensuring the security of user accounts (including login notification emails), and managing our business operations.

Consent: Where you have given us your explicit consent — for example, by subscribing to our mailing list or enabling push notifications in My Journal — we process your data on that basis. You may withdraw consent at any time by emailing emma@emmabrooke.net, using the unsubscribe link in any marketing email, or disabling notifications in the app. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

Legal obligation: We may process your data where required by law, for example in response to a court order or regulatory requirement.

Vital interests: In rare circumstances, we may process your data to protect your vital interests or those of another person — for example, in a safeguarding situation where there is a risk of serious harm.

Special category data (health information): Where we process special category data such as information about your mental or physical health, our legal basis is explicit consent (provided when you complete your consultation form and agree to these terms) together with the substantial public interest condition relating to the provision of health and social care services.

4. How We Use Your Information

We use your information to:

  • Deliver counselling, psychotherapy, and coaching services to you
  • Manage bookings, scheduling, and session communications
  • Provide and maintain My Journal and any other web applications we operate, including user authentication, data storage, push notifications, and subscription management
  • Process payments securely for services, subscriptions, and digital products
  • Send login notification emails to protect the security of your account
  • Maintain clinical records in accordance with our professional and insurance obligations
  • Comply with the National Counselling & Psychotherapy Society (NCPS) Code of Ethics regarding safeguarding and record-keeping
  • Send you periodic emails about our services, blog posts, or other information we believe may be of interest to you (only where you have subscribed to our mailing list)
  • Improve our website, applications, and services
  • Comply with legal and regulatory requirements

We will never sell or lease your personal information to third parties.

5. Who We Share Your Information With

We only share your personal information where necessary for the purposes described in this policy. The third parties who may process your data on our behalf are:

Practice Better (client management, booking, session notes, forms, and client communication) — hosted in Canada. Practice Better processes data under contractual obligations and in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). Canada has been granted a partial adequacy finding by the European Commission for commercial organisations operating under PIPEDA.

Firebase / Google Cloud (user authentication, database storage, push notifications, and cloud functions for My Journal and other web applications) — operated by Google LLC, based in the United States. Google LLC is certified under the EU–US and UK–US Data Privacy Framework.

Stripe (payment processing for therapy sessions via Practice Better, My Journal subscriptions, and digital product purchases) — based in the United States. Stripe is certified under the EU–US and UK–US Data Privacy Framework. Stripe processes your payment card details directly; we do not store card information on our systems or in our databases.

Mailerlite (email marketing) — a Lithuanian company with data hosted within the European Union. Transfers from the UK to the EEA are covered by the UK’s adequacy regulations for EEA countries.

Google (Gmail) (email communications — received via mail forwarding and sent via alias) — based in the United States. Google LLC is certified under the EU–US and UK–US Data Privacy Framework.

Google Analytics (website analytics) — based in the United States. See Section 7 for further details.

Netlify (hosting for My Journal and other web applications) — based in the United States. Netlify may process server access logs including IP addresses. Netlify, Inc. is certified under the EU–US and UK–US Data Privacy Framework.

SendGrid (transactional emails including login notifications and account-related communications) — based in the United States, operated by Twilio Inc. Twilio is certified under the EU–US and UK–US Data Privacy Framework.

In addition to the above, we may share your information with:

  • Our professional counselling supervisor(s), who are bound by the same duty of confidentiality, as required by our membership of the NCPS and our commitment to ethical practice
  • Regulatory bodies, law enforcement agencies, or courts where we are legally required to do so
  • Other professionals where there is a significant concern for your safety or the safety of others (particularly minors), as described in Section 9 below

We will not share your information with any other third party without your prior consent unless required to do so by law.

6. International Data Transfers

Emma Brooke Gilding Ltd is a UK-registered company with its principal operating from Portugal, serving clients internationally. Your data may be transferred to and processed in countries outside the UK and the European Economic Area (EEA), including Canada and the United States, as described in Section 5.

Where your data is transferred outside the UK, we ensure that appropriate safeguards are in place. These include:

  • Transfers to the EEA: covered by UK adequacy regulations recognising EEA countries as providing adequate protection
  • Transfers to Canada: covered by the European Commission’s partial adequacy decision for commercial organisations subject to PIPEDA
  • Transfers to the United States: our US-based processors (Stripe, Google/Firebase, Netlify, SendGrid) are certified under the EU–US and UK–US Data Privacy Framework

If you would like further information about the specific safeguards applied to international transfers of your data, please contact us at emma@emmabrooke.net.

7. Cookies and Website Analytics

Our website uses cookies — small files placed on your device — to help us understand how visitors use the site and to improve your experience.

Google Analytics: We use Google Analytics to collect anonymised data about website traffic, including which pages are visited, how long visitors spend on the site, and how visitors arrive at the site. Google Analytics uses cookies to collect this information. The data collected is aggregated and does not personally identify you. Google Analytics data is processed by Google LLC in the United States under the Data Privacy Framework. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on (available at https://tools.google.com/dlpage/gaoptout).

Essential cookies: Our website and web applications may use essential cookies required to function correctly (for example, session and authentication cookies). These do not track you for marketing purposes.

You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse or delete cookies, though this may affect your experience of the website or applications.

8. How Long We Keep Your Information

We retain your information only for as long as necessary for the purposes for which it was collected.

Client records (therapeutic records, session notes, consultation forms, and related correspondence): We retain these for a minimum of ten (10) years from the date of your last session. This is to comply with the requirements of our professional liability insurance and to enable the proper handling of any claims that may arise. After this period, records are securely deleted.

My Journal app data: Your journal entries, templates, emoji data, and account information are retained for as long as your subscription is active. If you register an account but do not complete checkout to start a subscription, your account and any associated data will be automatically deleted 30 days after registration. If you start a subscription and later cancel, your data will be retained for 30 days following the end of your paid subscription period, after which it will be automatically deleted. You may request early deletion of your data at any time by emailing emma@emmabrooke.net. If you wish to export your data before deletion, the app provides built-in export tools (JSON and CSV formats).

Mailing list data: We retain your name and email address for as long as you remain subscribed. If you unsubscribe, your data will be removed from our mailing list. Mailerlite may retain anonymised statistical data (such as open and click rates) after unsubscription.

Website analytics data: Google Analytics data is retained in anonymised, aggregated form. Individual user data is automatically deleted after 14 months.

Payment records: Transaction records processed by Stripe are retained in accordance with applicable financial and tax regulations.

Enquiry correspondence: If you contact us as a prospective client and do not go on to become a client, your initial enquiry email is deleted promptly after we respond. Sent replies are retained within our email system (Gmail) and automatically purged within 30 days of deletion. We do not retain enquiry correspondence beyond this period unless you become a client, at which point relevant correspondence forms part of your client record.

9. Confidentiality and Its Limits

All information you share with us — whether in therapeutic sessions or within our applications — is treated as confidential. This is central to the therapeutic relationship and to our professional ethics.

Confidentiality will only be broken in the following circumstances:

  • Where there is a significant risk to your life or safety, or to the life or safety of another person (particularly a minor or vulnerable adult)
  • Where we are required to do so by law (for example, by court order or under anti-terrorism or anti-money laundering legislation)
  • In the context of professional supervision — we discuss cases with our qualified counselling supervisor(s) as part of our commitment to ethical practice and as required by our NCPS membership. Supervisors are bound by the same duty of confidentiality.
  • Anonymised material may occasionally be used for the purposes of professional development, peer supervision, or academic assessment. If you would prefer this not to happen, please let us know in writing.

For clarity, journal entries created within My Journal are private to your account and are not accessed, read, or reviewed by us unless you specifically request our assistance or we are required to do so by law.

10. Your Rights

Under data protection law (UK GDPR and, where applicable, EU GDPR), you have the following rights in relation to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may ask us to correct any inaccurate or incomplete data.
  • Right to erasure: You may ask us to delete your personal data, subject to our legal and professional obligations to retain certain records (see Section 8).
  • Right to restrict processing: You may ask us to limit how we use your data in certain circumstances.
  • Right to data portability: You may request that we provide your data in a structured, commonly used, machine-readable format. My Journal includes built-in export tools to facilitate this.
  • Right to object: You may object to the processing of your data where we are relying on legitimate interests as our legal basis.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at emma@emmabrooke.net. We will respond to your request within one month. There is no fee for making a request, though we may charge a reasonable fee if a request is manifestly unfounded or excessive.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with:

  • UK clients: The Information Commissioner’s Office (ICO) — ico.org.uk
  • EU/EEA clients: Your local data protection authority. For Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD) — cnpd.pt

11. Changes to This Policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Where changes are significant, we will notify existing clients and app users by email. It is your responsibility to review this page periodically to stay informed of any updates.

12. Contact

If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact:

Emma Brooke Gilding via Emma Brooke Gilding Ltd at emma@emmabrooke.net