Welcome to the Tabla Psychology Privacy Policy
Last updated: May 2026
Tabla Psychology Limited takes the privacy rights of clients seriously and adopts a high standard of confidentiality, data protection and professional care when handling personal data. This Privacy Policy explains how we collect, use, store, share and protect personal data when you make an enquiry, use our website, complete forms, attend appointments, upload information, communicate with us, or use our psychological, educational, neurodevelopmental, assessment, consultation or support services.
This Privacy Policy should be read alongside our Terms and Conditions, consent forms, assessment information and any other fair processing information we provide.
1. Who We Are
Tabla Psychology Limited is the Data Controller responsible for your personal data. In this Privacy Policy, “we”, “us” and “our” refer to Tabla Psychology Limited.
Data Protection Officer: Dr Tamasine Black
Full name of legal entity: Tabla Psychology Limited
Email: admin@tablapsychology.co.uk
Postal address: The Old Dairy, Whitedale Farm, East Street, Hambledon PO7 4RZ
Telephone: 023 9204 1876
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
We keep this Privacy Policy under regular review. Please tell us if your personal data changes during your relationship with us so that we can keep our records accurate and up to date.
2. Personal Data We Collect
Personal data means any information about an individual from which that person can be identified. In the course of providing our services and operating our website, we may collect, use, store and transfer different types of personal data.
This may include:
Identity Data: first name, last name, title, date of birth, gender, pronouns, relationship to the child, images, video and audio recordings where relevant to our services or clinic safety procedures.
Contact Data: address, email address, telephone number and other contact details.
Financial and Transaction Data: payment details, invoices, amounts paid, services purchased and related financial records.
Technical and Usage Data: IP address, browser type, device information, website usage, cookies and analytics data.
Marketing and Communications Data: your preferences in receiving information from us and your communication preferences.
Sensitive Data and Special Category Data: information about health, development, psychological functioning, neurodevelopmental presentation, medical history, psychiatric history, medication, disability, learning needs, education, family background, safeguarding information, reasons for assessment or support, assessment findings, formulation, recommendations and any other relevant information needed to enable us to provide our services.
We process special category data only where we have a lawful basis under UK GDPR and a relevant special category condition. This may include explicit consent and/or processing necessary for the provision, management and documentation of health, psychological, educational or care-related services, depending on the context. We may also process such information where necessary to comply with legal, regulatory, safeguarding or professional obligations.
We do not intentionally collect information about criminal convictions or offences unless this is relevant to safeguarding, risk, legal proceedings, professional obligations or the services being provided.
3. How We Collect Personal Data
We may collect personal data through:
- direct contact with you, including forms, appointments, telephone calls, emails, letters, website enquiries and uploaded documents;
- assessment, consultation, support or therapy sessions;
- questionnaires, screening forms and consent forms;
- information provided by parents, carers, young people or adult clients;
- information provided, with appropriate permission or lawful basis, by schools, nurseries, colleges, local authorities, health professionals, social care professionals, legal representatives or other relevant professionals;
- payment providers and other administrative systems;
- website cookies, analytics and similar technologies.
4. How We Use Personal Data
We use personal data to:
- respond to enquiries;
- register clients and manage bookings;
- provide psychological, educational, neurodevelopmental, assessment, consultation and support services;
- gather background information and assessment evidence;
- liaise with parents, carers, schools, professionals, legal representatives and relevant agencies where appropriate;
- prepare clinical notes, reports, letters, recommendations and related documentation;
- manage payments, invoices and accounts;
- keep accurate clinical and administrative records;
- meet safeguarding, legal, regulatory and professional obligations;
- manage complaints, concerns, amendments and service queries;
- evaluate and quality assure our services;
- provide supervision and professional consultation in line with professional standards;
- manage and protect our website, systems and business;
- send marketing communications where permitted by law and your preferences.
We will only use personal data where the law allows us to do so. The lawful bases we may rely on include performance of a contract, legitimate interests, legal obligations, consent and, where special category data is processed, an appropriate special category condition under UK GDPR.
5. Lawful Bases for Processing
We may process personal data using one or more of the following lawful bases:
Performance of a contract: where processing is necessary to provide services you have requested or commissioned.
Legitimate interests: where processing is necessary for our legitimate interests, such as running our practice, maintaining accurate records, providing safe and effective services, recovering unpaid fees, improving services, managing correspondence and protecting the safety of clients and staff, provided your rights and interests do not override those interests.
Legal obligation: where processing is necessary to comply with legal, regulatory, tax, accounting, safeguarding or professional obligations.
Consent: where we ask for consent for a specific purpose, such as certain marketing communications or specific aspects of information sharing.
Special category condition: where we process health, psychological, developmental, educational or other special category data, we will rely on an appropriate special category condition. This may include explicit consent and/or processing necessary for the provision, management or documentation of health, psychological, educational or care-related services, depending on the context.
6. Use of Secure Digital Systems and AI-Assisted Documentation Tools
Tabla Psychology Ltd uses secure digital systems, including Semble, to manage appointments, questionnaires, uploaded documents, correspondence, clinical records, invoicing and practice administration.
Where appropriate, we may also use approved AI-assisted documentation tools, including Heidi where used in connection with Semble, to support clinical note-taking, transcription, drafting, summarising and organisation of clinical documentation. Where such tools are used during or following an appointment, they may process information discussed or provided as part of the appointment, including personal data and special category health, developmental, educational, psychological, family or safeguarding-related information, where this is necessary and proportionate for the delivery and documentation of our services.
AI-assisted documentation tools are used to support documentation only. They do not make clinical decisions, determine diagnoses, replace professional judgement, assess safeguarding risk, or generate final recommendations independently. All outputs are reviewed, corrected where necessary and approved by a qualified clinician before being added to the clinical record, report, letter or correspondence.
For general-purpose AI tools used outside the clinical record system, such as ChatGPT or similar tools, Tabla Psychology Ltd uses only anonymised or strongly de-identified information unless a specific approved governance arrangement is in place. Identifiable client information must not be entered into general-purpose AI tools.
Tabla Psychology Ltd remains the Data Controller for client information. Third-party digital and AI providers used to support our work act under appropriate contractual and data protection safeguards. We apply access controls, data minimisation, supplier due diligence, professional oversight, retention controls and review of generated outputs.
7. Use of Security and Monitoring Systems
To support safeguarding, lone-working protection and the safety of clients, children, families and staff, in-person sessions at our clinic are passively recorded using discreet video and audio recording equipment. This forms part of our standard clinic safety procedures.
These recordings are not used for assessment, diagnosis, clinical formulation, supervision or training. They are accessed only where necessary in relation to a safeguarding concern, safety incident, serious complaint, legal requirement, regulatory matter or investigation.
The legal basis for this processing is our legitimate interest in maintaining a safe and secure clinic environment, protecting clients and staff, and responding appropriately to safeguarding or safety concerns.
Recordings are stored securely and are automatically deleted after 30 days unless they need to be retained for a safeguarding, legal, regulatory, complaint-related or safety reason. Where cloud-based storage or third-party systems are used, appropriate data protection safeguards are applied.
8. Sharing Personal Data
We may share personal data where necessary and appropriate with:
- employees, associates, contractors and clinicians working for or on behalf of Tabla Psychology Ltd;
- schools, colleges, nurseries, local authorities, health professionals, social care professionals, legal representatives or other professionals involved in the service, where appropriate;
- service providers acting as processors or sub-processors who provide IT, practice-management, clinical-record, AI-assisted documentation, transcription, secure communications, hosting, payment, website, analytics and system-administration services, including Semble and, where used, Heidi;
- professional advisers, including lawyers, accountants, insurers, auditors and clinical supervisors;
- HM Revenue & Customs, regulators, courts, tribunals, safeguarding agencies, the police or other authorities where required or permitted by law;
- third parties involved in any business sale, transfer, restructuring or merger, where relevant.
We require third-party service providers to respect the security of personal data and to process it only for specified purposes and in accordance with our instructions, unless they are acting as independent controllers under their own professional or legal obligations.
9. International Transfers
Some of our service providers may process personal data outside the UK. Where this involves a restricted transfer under UK GDPR, we ensure that appropriate safeguards are in place. These may include adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.
Please contact us if you would like further information about the safeguards used for a particular provider.
10. Data Security
We have put in place appropriate security measures designed to prevent personal data from being accidentally lost, used, accessed, altered or disclosed without authorisation. We limit access to personal data to staff, clinicians, associates, contractors and third parties who have a legitimate need to know.
We have procedures to deal with suspected personal data breaches and will notify affected individuals and/or the ICO where we are legally required to do so.
11. Data Retention
We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including clinical, safeguarding, legal, regulatory, tax, accounting, insurance, professional and reporting requirements.
Clinical records relating to children and young people are ordinarily retained until the young person reaches the age of 25, or age 26 if they were 17 when the service ended, unless a longer retention period is necessary for safeguarding, legal, regulatory, professional, insurance, complaint-related or litigation reasons.
Adult clinical records are ordinarily retained for 8 years after the end of care or last meaningful contact, unless a longer retention period is necessary for safeguarding, legal, regulatory, professional, insurance, complaint-related or litigation reasons.
Basic financial and transaction records are usually retained for at least 6 years for tax and accounting purposes.
Where we no longer need to retain identifiable personal data, we will securely delete, archive or anonymise it in accordance with our retention procedures. Anonymised information that can no longer identify an individual may be retained indefinitely.
12. Marketing
We may send you information about our services, resources, events or updates where permitted by law and in line with your communication preferences.
You can ask us to stop sending marketing communications at any time by contacting us. We will not sell your personal data to third parties for marketing purposes. We will obtain express opt-in consent before sharing personal data with any third party for their own direct marketing purposes.
13. Cookies and Website Tracking
Our website uses cookies and similar technologies to improve functionality, understand how visitors use the site and support website performance. We may use trusted third-party services, such as analytics providers, to help us understand website usage and improve user experience.
You can control or disable cookies through your browser settings. Some parts of the website may not function properly if cookies are disabled. Please refer to our Cookie Policy or Cookie Settings for more information.
14. Your Legal Rights
Under data protection law, you may have rights in relation to your personal data, including the right to:
- request access to your personal data;
- request correction of inaccurate or incomplete personal data;
- request erasure of personal data in certain circumstances;
- object to processing in certain circumstances;
- request restriction of processing;
- request transfer of personal data in certain circumstances;
- withdraw consent where processing is based on consent.
These rights are not absolute and may be subject to legal, professional, safeguarding, clinical record-keeping or regulatory limitations.
If you wish to exercise any of these rights, please contact us using the details in this Privacy Policy.
We may need to request information from you to confirm your identity before responding. We try to respond to legitimate requests within one month. If a request is particularly complex or you have made several requests, it may take longer, and we will notify you where this applies.
15. Third-Party Links
Our website may include links to third-party websites, plug-ins or applications. Clicking on those links may allow third parties to collect or share data about you. We do not control third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy policy of every website you visit.
16. Contact Us
If you have any questions about this Privacy Policy or how we handle personal data, please contact:
Dr Tamasine Black
Data Protection Officer
Tabla Psychology Limited
The Old Dairy, Whitedale Farm, East Street, Hambledon PO7 4RZ
Email: admin@tablapsychology.co.uk
Telephone: 023 9204 1876