Privacy policy
This policy covers how we handle personal data on www.bluecovepractice.com, including shared initial enquiries and organisation enquiries. Our aim is plain language and a small data footprint. If anything here is unclear, please ask.
Who we are
Bluecove is the shared practice name used by Dr Jacquelyn Yang and Dr Ceyla Karamanci, both HCPC-registered Clinical Psychologists. We are based in London, United Kingdom. The practice currently operates through two individual sole traders.
For the purposes of the UK GDPR and the Data Protection Act 2018, Jacquelyn and Ceyla act as joint controllers for this website, the contact form, and initial shared enquiries about therapy, workshops, consultancy, or organisation work. This means we jointly decide how those initial enquiry details are handled.
If you later work with either Jacquelyn or Ceyla individually for therapy, that psychologist handles your clinical information and therapy records separately as the controller for that part of the work. The details are set out in the separate Therapy Agreement or contract shared before any clinical work begins.
For data-protection matters, email us at hello@bluecovepractice.com, or use the contact form and mark your message "data protection".
What this policy covers
This policy explains how we handle personal data collected through:
- Browsing this website (anonymous, cookieless analytics)
- Submitting the contact form
- Initial enquiries about workshops, consultancy, or organisation work
It does not cover the clinical records we keep if you later become a client. Those are described in the separate Therapy Agreement or contract we share at the start of any work together.
Anonymous website analytics
We use PostHog to understand, in aggregate, how people use the site so we can improve it. We've configured it to be privacy-preserving:
- No cookies are set for analytics.
- No persistent identifier is stored on your device.
- Your IP address is truncated at ingest and not retained in a form that identifies you.
- We do not use cross-site tracking, fingerprinting, or advertising identifiers.
- We do not record sessions, replay your browser, or capture form inputs.
- We may record UTM parameters from inbound links (for example ?utm_source=...) so we can understand which campaigns or pages sent traffic to us. These are attached to anonymous page events only, never to a person.
- When you submit the contact form, we do not pass your name, email, message, or any other personal detail to the analytics service. The two systems do not share identifiers. At most we record an anonymous event that the form was submitted, so we can tell how well the page works.
What we see, in aggregate: which pages are visited, approximate country from a truncated IP, coarse browser and device type, and anonymous interactions such as scrolls and clicks. None of this is linked to you as an individual.
Lawful basis: legitimate interests under Article 6(1)(f) of the UK GDPR (improving the service). Because our analytics are anonymous and do not set or read device storage, no consent banner is required under the UK Privacy and Electronic Communications Regulations (PECR). If you'd rather not be counted at all, you can enable "Do Not Track" in your browser or block the analytics host at a network level.
Contact form and shared enquiries
When you write to us through the contact form we collect:
- Your name
- Your email address
- Your interest (therapy, workshops, or consultancy)
- An optional therapist preference
- The message you write to us
- Your consent to handle this data
Lawful basis: your explicit consent under Article 6(1)(a) of the UK GDPR, given by ticking the consent checkbox on the form. Because enquiries about therapy may reveal information about your health, we also treat this as special-category data under Article 9 UK GDPR and rely on your explicit consent under Article 9(2)(a) as our lawful basis for that too.
Purpose: we use your message to reply to you, decide who is best placed to respond, arrange an initial appointment where relevant, or discuss a workshop or consultancy brief. We do not use it for marketing and we do not share it with anyone outside the practice.
Storage. Submissions are stored in a managed PostgreSQL database (Neon), encrypted at rest (AES-256) and in transit (TLS). Access is restricted to service credentials held by the practice. We do not log the contents of your messages in application or infrastructure logs, including monitoring and error tracking.
Retention. Contact-form submissions are automatically deleted after 90 days. If we begin working together, any clinical records we then keep are held separately in line with professional standards (typically seven years for adults) and described in the therapy contract.
Who sees it. Jacquelyn and Ceyla may both access contact-form submissions and shared organisation enquiries so that we can respond appropriately. If you then work individually with one of us, any clinical information and therapy records are handled separately by that psychologist. We do not sell, rent, or share enquiry data with any third party for marketing, directories, or lead brokerage.
What we do not do
- We do not use tracking or advertising cookies.
- We do not sell or share enquiry data with third parties.
- We do not use automated decision-making or profiling.
- We do not record website sessions or replay visits.
- We do not buy or rent contact lists.
When we might need to share data
As Clinical Psychologists, we may be required by law to disclose personal information in limited circumstances, even without your consent. These include:
- A formal court order or similar legal obligation
- A serious and imminent risk to your life or to another person's life
- Safeguarding concerns involving a child or vulnerable adult
- Counter-terrorism obligations
These exceptions apply to every Clinical Psychologist registered with the HCPC and we do not use them lightly. Where it is safe and lawful to do so, we will tell you before we disclose.
Processors and international transfers
We rely on a small number of service providers to run the site:
- Vercel (website hosting). Handles request routing and edge caching. Short-lived operational logs (request URL, timestamp, coarse location) are retained briefly by Vercel for availability and abuse prevention.
- Neon (managed Postgres for contact-form submissions). United States.
- PostHog (anonymous analytics). We use PostHog's EU datacenter, so analytics data stays in the EEA.
Where a provider is based outside the UK, we rely on their Data Processing Addendum and appropriate safeguards for international transfer, including the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you
- Ask us to correct it
- Ask us to delete it (the right to erasure)
- Object to, or restrict, our processing of it
- Receive a copy in a portable format
- Withdraw your consent at any time, without giving a reason
- Not be subject to automated decision-making (we don't do this anyway)
To exercise any of these, email us at hello@bluecovepractice.com or write via the contact form. Mention which right you'd like to use. We'll respond within one calendar month and usually much sooner.
Security
We use industry-standard protections: TLS in transit, AES-256 at rest, service-credential-only database access, least-privilege admin access, and routine review. No system is entirely risk-free; if you learn of a security concern, please tell us.
Children
This site and the practice are intended for adults aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has submitted information to us, please contact us and we will delete it.
Terms of use
The website's usage terms and regulatory disclosures live on the terms of use page.
Changes to this policy
We'll update this page when the way we handle data changes. The "last updated" date at the top reflects the most recent substantive change.
Complaints
If you'd like to complain about how we've handled your data, please contact us first; we'd value the chance to put things right. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.