Tree of LifeCounselling & Psychotherapy

Legal · Last updated May 2026

Privacy Policy

Your privacy and the confidentiality of what you share in therapy matter deeply to me. I work with clients across the island of Ireland, so this notice covers your rights under both the EU General Data Protection Regulation (GDPR) and, for clients in Northern Ireland and the rest of the UK, the UK GDPR and Data Protection Act 2018.

1. Who I am (the Data Controller)

Anne Marie Sweeney, trading as Tree of Life Counselling & Psychotherapy, is the data controller responsible for your personal information.

  • Practitioner: Anne Marie Sweeney BSc (Hons), Counsellor & Psychotherapist
  • Member of the Irish Association for Counselling and Psychotherapy (IACP)
  • Practising across the island of Ireland (Republic of Ireland and Northern Ireland)
  • Contact: via the contact page
  • Registered with the Data Protection Commission (Ireland) and, where applicable, the Information Commissioner's Office (UK).

2. What information I collect

To deliver therapy safely and ethically, I collect:

  • Identity & contact data: name, email, phone number, emergency contact (where you choose to provide one).
  • Health and therapy data (special category data):session notes, the reasons you are seeking therapy, relevant medical or mental-health history you choose to share, and any safeguarding information that arises.
  • Booking & payment data: appointment dates and times, session type, payment confirmations. Card details are processed by Stripe — I never see or store your card number.
  • Technical data: basic website usage (see the cookie policy) and email-delivery logs (e.g. confirmations, reminders).

3. Lawful bases for processing

Under EU/UK GDPR I rely on the following lawful bases:

  • Contract (Art. 6(1)(b)) — to arrange and deliver your sessions, take payment and send appointment communications.
  • Legal obligation (Art. 6(1)(c)) — to keep records required by tax law and to comply with safeguarding duties.
  • Legitimate interests (Art. 6(1)(f)) — to keep confidential clinical notes for continuity of care and supervision, and to keep my practice secure.
  • Explicit consent (Art. 9(2)(a)) and provision of health care (Art. 9(2)(h)) — for processing health/therapy data you share with me.
  • Vital interests (Art. 6(1)(d) / Art. 9(2)(c)) — in the rare event there is a serious risk to your life or someone else's.

4. Confidentiality

What you share in sessions is confidential. The only circumstances in which I would breach confidentiality without your consent are:

  • risk of serious harm to you or another person (including children or vulnerable adults);
  • disclosure of certain crimes (e.g. terrorism, money laundering);
  • where required by a court order.

I discuss my work in regular clinical supervision, as required by the IACP Code of Ethics and Practice. Supervision is itself confidential and you are never identified by name.

5. How long I keep your data

  • Clinical notes: retained for 7 years after the end of our therapeutic work, in line with professional guidance.
  • Booking & financial records: 6 years after the end of the relevant tax year (Revenue / HMRC requirement).
  • Email enquiries: deleted within 12 months if they do not lead to a booking.

6. Who I share data with

I use a small number of trusted processors to run my practice:

  • Stripe — payment processing.
  • Lovable Cloud / Supabase — secure hosting of booking data and the website backend (EU-hosted).
  • Email delivery — to send appointment confirmations and reminders from notify.annemariesweeney.life.
  • Video platform — for online sessions, using an end-to-end encrypted service.
  • My clinical supervisor — anonymised case discussion only.

I never sell your data and I do not use it for marketing without your explicit consent.

7. International transfers

Where a processor is based outside the EEA or the UK, the transfer is protected by appropriate safeguards such as the EU Standard Contractual Clauses and, where relevant, the UK International Data Transfer Addendum.

8. Your rights

Under EU/UK GDPR you have the right to:

  • access the personal data I hold about you;
  • have inaccurate data corrected;
  • request erasure (subject to my legal obligation to retain clinical and financial records);
  • restrict or object to processing;
  • data portability for data you have provided;
  • withdraw consent at any time.

To exercise any of these rights, please contact me via the contact page. You also have the right to lodge a complaint with a supervisory authority — the Data Protection Commission in Ireland (dataprotection.ie) or, if you are in the UK, the Information Commissioner's Office (ico.org.uk).

9. How I keep your data safe

  • Encrypted storage and TLS in transit.
  • Strong, unique passwords and two-factor authentication on all systems.
  • Devices are encrypted and password-protected.
  • Paper notes (if any) are kept in a locked cabinet.

10. Changes to this policy

I may update this notice from time to time. The "Last updated" date at the top will always reflect the current version.