Privacy policy

Who we are

Bluecove Practice is the shared trading name used by Dr Jacquelyn Yang and Dr Ceyla Karamanci, both HCPC-registered Clinical Psychologists. We are based in London, United Kingdom. The practice currently operates through two individual sole traders.

For the purposes of the UK GDPR and the Data Protection Act 2018, Jacquelyn and Ceyla act as joint controllers for this website, the contact form, and initial shared enquiries about therapy, workshops, consultancy, or organisation work. This means we jointly decide how those initial enquiry details are handled.

If you later work with either Jacquelyn or Ceyla individually for therapy, that psychologist handles your clinical information and therapy records separately as the controller for that part of the work. The details are set out in the separate Therapy Agreement or contract shared before any clinical work begins.

For data-protection matters, email us at hello@bluecovepractice.com, or use the contact form and mark your message "data protection".

What this policy covers

This policy explains how we handle personal data collected through:

• Browsing this website (anonymous, cookieless analytics)
• Submitting the contact form
• Initial enquiries about workshops, consultancy, or organisation work

It does not cover the clinical records we keep if you later become a client. Those are described in the separate Therapy Agreement or contract we share at the start of any work together.

Website analytics

We use PostHog to understand, in aggregate, how people use the site so we can improve it. We've configured it with privacy controls:

• No cookies are set for analytics.
• No persistent identifier is stored on your device.
• Your IP address is truncated at ingest and not retained in a form that identifies you.
• We do not use cross-site tracking, fingerprinting, or advertising identifiers.
• We may use heatmap and click data to understand whether the website is working clearly. We do not record sessions or replay your browser, and the contact form is blocked from analytics capture.
• We may record UTM parameters from inbound links (for example ?utm_source=...) so we can understand which campaigns or pages sent traffic to us. These are attached to anonymous page events only, never to a person.
• When you submit the contact form, we do not pass your name, email, message, or any other personal detail to the analytics service. The two systems do not share identifiers. At most we record an anonymous event that the form was submitted, so we can tell how well the page works.

What we see, in aggregate: which pages are visited, approximate country from a truncated IP, coarse browser and device type, and anonymous interactions such as scrolls and clicks. Where heatmap features are available, we may see page layout and interaction patterns, not the content you type into the contact form. None of this is linked to you as an individual.

Lawful basis: legitimate interests under Article 6(1)(f) of the UK GDPR (improving the service). Because our analytics are anonymous and do not set or read device storage, no consent banner is required under the UK Privacy and Electronic Communications Regulations (PECR). If you'd rather not be counted at all, you can enable "Do Not Track" in your browser or block the analytics host at a network level.

Appearance preferences (local storage)

To remember your chosen colour palette and contrast setting, we store two small values on your own device using your browser's local storage (bluecove:palette and bluecove:contrast). These stay on your device, are never sent to us or any third party, and are not used to identify or track you — so they fall under the strictly-necessary / appearance exception and need no consent. You can change them at any time using the palette switcher on the site, or remove them by clearing your browser's site data for this website.

Contact form and shared enquiries

When you write to us through the contact form we collect:

• Your name
• Your email address
• Your interest (therapy, workshops, or consultancy)
• An optional therapist preference
• The message you write to us
• Your consent to handle this data
• Limited technical metadata — your browser's user-agent string — saved with the submission to help us investigate spam and abuse
• The IP address used to submit the form, retained for up to 30 days to help us investigate spam, abuse, or misuse of the form

We also use Cloudflare Turnstile to protect the form from spam and abuse. Turnstile checks technical information about the request and returns a verification token to us. We use that token only to decide whether to accept the form submission. We store the IP address used to submit the form for up to 30 days so we can investigate spam, abuse, or misuse. We also keep a short-lived, hashed rate-limit key so we can slow down repeated submissions. You can read Cloudflare's Turnstile privacy addendum at cloudflare.com/turnstile-privacy-policy .

Lawful basis: your explicit consent under Article 6(1)(a) of the UK GDPR, given by ticking the consent checkbox on the form. Because enquiries about therapy may reveal information about your health, we also treat this as special-category data under Article 9 UK GDPR and rely on your explicit consent under Article 9(2)(a) as our lawful basis for that too.

Purpose: we use your message to reply to you, decide who is best placed to respond, arrange an initial appointment where relevant, or discuss a workshop or consultancy brief. We do not use it for marketing and we do not share it with anyone outside the practice.

Storage. Submissions are stored in Cloudflare D1, with the database created under Cloudflare's EU jurisdiction setting. Access is restricted to server-side service credentials held by the practice. We do not log the contents of your messages in application or infrastructure logs, including monitoring and error tracking. We may use Brevo to send us a transactional notification email when a new enquiry arrives. By default, that notification does not include the message text, but it may include basic reply details such as your name, email address, enquiry type, and submission ID.

Retention. Contact-form submissions are automatically deleted after 90 days. The IP address stored with a contact-form submission is cleared after 30 days. The transactional notification email we receive, and any reply correspondence in our email inbox, are kept only as long as we need them to deal with your enquiry and are then deleted — these are separate from the 90-day database deletion. If we begin working together, any clinical records we then keep are held separately in line with professional requirements and described in the therapy contract.

Who sees it. Jacquelyn and Ceyla may both access contact-form submissions and shared organisation enquiries so that we can respond appropriately. If you then work individually with one of us, any clinical information and therapy records are handled separately by that psychologist. We do not sell, rent, or share enquiry data with any third party for marketing, directories, or lead brokerage.

What we do not do

• We do not use tracking or advertising cookies.
• We do not sell or share enquiry data with third parties.
• We do not use automated decision-making or profiling.
• We do not record website sessions or replay visits.
• We do not buy or rent contact lists.

When we might need to share data

As Clinical Psychologists, we may be required by law to disclose personal information in limited circumstances, even without your consent. These include:

• A formal court order or similar legal obligation
• A serious and imminent risk to your life or to another person's life
• Safeguarding concerns involving a child or vulnerable adult
• Counter-terrorism obligations

These exceptions apply to every Clinical Psychologist registered with the HCPC and we do not use them lightly. Where it is safe and lawful to do so, we will tell you before we disclose.

Processors and international transfers

We rely on a small number of service providers to run the site:

• Vercel (website hosting). Handles request routing and edge caching. Short-lived operational logs (request URL, timestamp, coarse location) are retained briefly by Vercel for availability and abuse prevention.
• Cloudflare (Turnstile anti-spam checks, D1 contact-form storage). The D1 database is configured with EU jurisdiction for stored enquiry data.
• Google Workspace (practice email inbox). Used to receive direct enquiries and contact-form notification emails, and to reply to enquiries.
• Brevo (transactional email notifications for contact-form submissions). Used so the practice knows when a new enquiry has arrived.
• PostHog (anonymous analytics). We use PostHog's EU datacenter, so analytics data stays in the EEA.

Where a provider is based outside the UK, we rely on their Data Processing Addendum and appropriate safeguards for international transfer, including the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

Your rights

Under the UK GDPR you have the right to:

• Access the personal data we hold about you
• Ask us to correct it
• Ask us to delete it (the right to erasure)
• Object to, or restrict, our processing of it
• Receive a copy in a portable format
• Withdraw your consent at any time, without giving a reason
• Not be subject to automated decision-making (we don't do this anyway)

To exercise any of these, email us at hello@bluecovepractice.com or write via the contact form. Mention which right you'd like to use. We'll respond within one calendar month and usually much sooner.

Security

We use industry-standard protections: TLS in transit, AES-256 at rest, service-credential-only database access, least-privilege admin access, and routine review. No system is entirely risk-free; if you learn of a security concern, please tell us.

Children

This website and our contact form are intended for adults aged 18 and over, and we do not knowingly collect personal data from children through the site. If you believe a child has submitted information to us, please contact us and we will delete it.

Our workshops and talks may be delivered to groups that include people under 18, but those sessions are arranged with the host organisation under a separate agreement that covers safeguarding. We do not collect children's personal data through this website in connection with them.

Terms of use

The website's usage terms and regulatory disclosures live on the terms of use page.

Changes to this policy

We'll update this page when the way we handle data changes. The "last updated" date at the top reflects the most recent substantive change.

Complaints

If you'd like to complain about how we've handled your data, please contact us first; we'd value the chance to put things right. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.