Key Takeaways
The essentials — without legal language
- We never sell your data. To anyone. Ever.
- Analytics are enabled only after your explicit consent.
- Clinical data is stored encrypted and inaccessible to third parties.
- You can request a copy, correction, or deletion of your data at any time.
- We comply with UK GDPR and EU GDPR standards.
Who We Are
Mentallect is an online centre for clinical assessment and psychotherapy. We work with clients in the United Kingdom and European Union countries.
Data controller: Mentallect Ltd. Contact address for personal data enquiries: privacy@mentallect.com.
We comply with the UK GDPR together with the Data Protection Act 2018, and with the EU GDPR (Regulation (EU) 2016/679). Where the two regimes differ, we apply the stricter standard.
What Data We Collect
Data you provide
- Name and contact details (email, phone) — when booking or contacting us
- Request information — what you describe when booking or in a contact form
- Payment details — processed by Stripe; we do not store card numbers
Data collected automatically
- IP address — stored only as a SHA-256 hash, never in its original form (a hashed IP address is pseudonymised, not anonymised, so we continue to treat it as personal data)
- Technical session data — browser, device, visit time
- Analytics data — only with your consent (see Cookie Policy)
How We Use Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, email, phone | Service delivery, appointment communication | Performance of contract (Art. 6(1)(b)) |
| Clinical data | Providing therapy and assessment | Explicit consent (Art. 9(2)(a)) |
| IP address (hash) | Security, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Analytics data | Improving site and services | Consent (Art. 6(1)(a)) |
Clinical Data
Information about your health belongs to a special category of data under GDPR. We process it only with your explicit consent, given separately from the general terms of use.
Technical protection: clinical data is encrypted at rest, field by field, with AES-256-GCM. Only authorised Mentallect specialists can access it.
We do not share clinical data with third parties, advertising networks, analytics platforms, or CRM sub-processors.
Your Rights
Under UK/EU GDPR you have the right to:
- Access — obtain a copy of your personal data
- Rectification — request correction of inaccurate data
- Erasure — "right to be forgotten" (subject to clinical record retention requirements)
- Restriction of processing — suspend processing while accuracy is contested
- Data portability — receive data in a machine-readable format
- Objection — to processing based on legitimate interest
- Withdrawal of consent — at any time, without affecting the lawfulness of prior processing
To exercise any of these rights, email privacy@mentallect.com. We will respond within 30 days.
Storage & Retention
| Category | Retention Period | Basis |
|---|---|---|
| Clinical records | 7 years after the end of therapy | BACP/UKCP recommendations |
| Financial records | 7 years | HMRC record-keeping requirements (UK) |
| Inactive client data | 12 months — then anonymised | Data minimisation |
| Consent records | 3 years | Proof of consent obtained |
| Analytics data | 14 months | PostHog EU standard |
International Transfers
Mentallect infrastructure is hosted on servers in Helsinki, Finland (Hetzner Cloud) — within the EU. Data is not transferred to countries outside the EEA without appropriate safeguards.
Stripe (payment processor) operates in accordance with PCI DSS and GDPR. PostHog (analytics) is hosted in the EU, and analytics data does not leave the EU.
Contact & Complaints
For data processing enquiries: privacy@mentallect.com
If you believe your rights have been violated, you may lodge a complaint with the supervisory authority: ICO (ico.org.uk) for UK clients, or the national DPA for EU clients.
Questions about how we handle your data? We are happy to clarify.
Contact us →