Privacy Policy | Serennu Therapies

Serennu Therapies Ltd

Privacy & GDPR Policy

Last reviewed: April 2026

This policy should be read alongside our Terms and Conditions. We value privacy and are committed to protecting your personal information. This policy explains what information we collect, why we collect it, how it is stored and shared, how long we keep it, and what your rights are.

1 Who is Serennu Therapies?

Serennu Therapies Ltd is a limited company providing independent speech and language therapy services in Wales, UK. The company is directed by two registered speech and language therapists.

Our directors are registered with the Health and Care Professions Council (HCPC) and are members of the Royal College of Speech and Language Therapists (RCSLT). Serennu Therapies Ltd is registered as a Data Controller with the Information Commissioner's Office (ICO) in the company's name. As data controller, the company is responsible for deciding how and why your personal information is processed.

2 What Personal Information Do We Collect?

We collect personal information about the children and families we work with to provide our services. Information is collected verbally or in written form from parents and carers. With parental consent, it may also be collected from other professionals working with your child (e.g. teachers, NHS SLTs, GPs, paediatricians).

Clinical and family information
  • Child's name, age, date of birth, and home address
  • Medical history, diagnoses, and developmental milestones
  • Speech, language, and communication history
  • Educational details, including EHCPs, IDPs, school reports, and test scores
  • Parent/carer names, phone numbers, email addresses, and home addresses
  • Family set-up, languages spoken, and family history of communication or learning difficulties
Financial information
  • Name of bill payer, client name, and address
  • Record of invoices raised and payments received
  • Bank details where required for payment processing
  • Online purchasing history related to our services
Website and digital contact information
  • Name and email address submitted via our website contact form or lead capture
  • Name, email address, and/or phone number passed on by third-party referral services (such as SALTROAD), where a parent or carer has agreed to their contact details being shared for the purpose of making initial contact with a therapist. No clinical or sensitive information is shared at this stage.
  • Information submitted when purchasing digital products or courses
  • Cookie and analytics data collected via our website (see Section 9)

3 How Do We Use Personal Information?

Personal information is used to:

  • Prepare, plan, and deliver speech and language therapy appropriate to your child's needs
  • Communicate with you via post, email, phone, or SMS to book appointments, share resources, send invoices, and communicate between sessions
  • Share password-protected, child-relevant documents securely
  • Complete clinical audits and reflective practice
  • Communicate with other relevant professionals with your prior consent
  • Fulfil legal obligations, including safeguarding disclosures (the only circumstance in which information will be shared without your permission)
  • Process payments and maintain financial records
  • Deliver digital products, courses, and associated email communications to those who have purchased or opted in

We will always aim to minimise personal identifiers where possible — for example, using a child's initials rather than their full name in non-essential documents.

4 Lawful Basis for Processing

4a. General personal data (Article 6, UK GDPR)

Our lawful basis for processing general personal data is Legitimate Interests (Article 6(1)(f) UK GDPR). We cannot adequately plan or deliver a speech and language therapy service without processing your personal information.

Where safeguarding concerns arise, processing may also occur under Legal Obligation (Article 6(1)(c)) without the need for your consent.

Under the Data (Use and Access) Act 2025, safeguarding vulnerable individuals is now a Recognised Legitimate Interest, meaning this processing does not require a separate balancing test.

4b. Health and special category data (Article 9, UK GDPR)

Health information is classified as Special Category Data under Article 9 of the UK GDPR and requires an additional lawful basis. We rely on two conditions:

  • Article 9(2)(h): Processing necessary for the provision of health or social care — as registered HCPC clinicians providing health services.
  • Article 9(3): Processing by a professional bound to a duty of confidentiality — speech and language therapists are legally and professionally bound to keep client information confidential under HCPC standards.

5 How Do We Store Personal Information?

5a. Electronic records

Clinical records are stored electronically in WriteUpp, a GDPR-compliant cloud-based practice management system. Electronic records may also be held on password-protected devices owned by the treating therapist. All electronic devices are password-protected. Clinical software is accessed via secure login. Virus protection is maintained on all devices used for practice purposes.

5b. Paper records

Any paper records are stored in a lockable filing cabinet at the treating therapist's office or home address. If paper records are taken off-site, they remain with the therapist at all times or are kept in a locked location.

5c. Communications

We communicate via email, phone, SMS, and video call. Documents shared electronically are password-protected. Our email is hosted within the UK.

If you choose to contact us via WhatsApp or SMS, please be aware that these platforms are not encrypted end-to-end at rest; we recommend not sharing sensitive clinical information via these channels. Your phone number may be stored on the therapist's password-protected mobile device for the purposes of appointment communication.

6 Video and Audio Recordings

Video recordings, audio recordings, or screen captures may be made during or in relation to therapy sessions. These will only ever be made with your explicit written consent.

  • Recordings made for clinical analysis or home programme purposes will be deleted as soon as they are no longer needed, or transferred to the child's secure clinical record.
  • Recordings made with your consent for clinical supervision will be stored securely and deleted following the supervision session.
  • Recordings made with your written consent for training or educational purposes will be stored securely. You may withdraw this consent at any time.

We do not share recordings with third parties without your explicit written consent.

7 Third-Party Processors

We use a small number of carefully selected third-party services to help us operate our practice. These providers act as data processors on our behalf and are contractually required to comply with UK GDPR.

Processor Purpose Data location
WriteUppClinical record managementUK
GoHighLevelDigital course delivery, email marketing, and payment processingUSA (see Section 8)
Stripe & PayPalSecure payment processingUSA/EEA (see Section 8)
Google Meet, Zoom & Microsoft TeamsRemote therapy session deliveryUSA/EEA (see Section 8)
TermlyCookie consent managementUSA (see Section 8)

We do not sell, rent, or trade your personal information with any third party. We share information with other professionals only with your prior consent, or where legally required (e.g. safeguarding).

8 International Data Transfers

Some of our third-party processors (including GoHighLevel) store or process data outside the United Kingdom. Under the Data (Use and Access) Act 2025, transfers outside the UK are permitted where the destination country or organisation meets the UK's data protection test — that is, where the standard of data protection is not materially lower than in the UK.

Where we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or equivalent mechanisms approved under UK law. We do not transfer clinical health records outside the UK.

9 Cookies and Website Data

Our website (www.serennutherapies.co.uk) may use cookies — small text files stored on your device — to help the website function and to understand how visitors use it.

9a. Types of cookies we may use

  • Essential cookies: Required for the website to function. These do not require your consent.
  • Analytics cookies: Help us understand how visitors use our website. These require your consent and will not be activated before you have accepted them.
  • Marketing/tracking cookies: Used by third-party platforms (e.g. GoHighLevel) for our digital products. These require your consent.

9b. Your cookie choices

When you visit our website, you will be asked to accept or decline non-essential cookies via our cookie banner. You can change your preferences at any time by clicking the cookie preferences icon at the bottom of the page. Declining cookies will not affect your access to our services.

10 Digital Products and Email Marketing

If you purchase a digital course, download a resource, or subscribe to our mailing list, your name and email address will be collected and processed for the purpose of delivering that product or communication.

  • This data is held in GoHighLevel and is subject to their own GDPR-compliant data processing terms.
  • You may unsubscribe from marketing emails at any time using the link in any email, or by contacting us at [email protected].
  • We will not send you marketing communications without your explicit consent.
  • Unsubscribing from marketing will not affect any ongoing clinical service.

11 Data Retention

11a. Clinical records

In line with our professional obligations and NHS Wales records management guidance, clinical records are retained as follows:

  • Until the child's 25th birthday — or
  • Until the child's 26th birthday if they were still receiving treatment after their 17th birthday.

After this time, all clinical records will be securely destroyed.

11b. Financial records

Financial records are retained for 7 years from the end of the relevant tax year, in line with HMRC requirements (Article 6(1)(c) UK GDPR — Legal Obligation).

11c. Marketing and digital contact data

Email addresses and contact data collected for marketing or digital product purposes are retained for as long as you remain subscribed or your account is active. You may request deletion of this data at any time.

12 Children's Data

We primarily process data about children under 13. The following additional considerations apply:

  • For children under 13, consent for data processing is sought from the person(s) with parental responsibility.
  • Children have the same data protection rights as adults. When a child reaches an age where they are competent to make decisions about their own data (typically 13 or older), they may exercise their own rights directly.
  • Where consent was originally given by a parent or carer, a competent child has the right to withdraw that consent themselves.
  • The right to request erasure of data collected when someone was a child is given particular weight.

We do not use children's personal data for any purpose other than delivering services to them directly.

13 Your Data Protection Rights

You can exercise any of these rights by contacting us at [email protected].

Your RightWhat This MeansApplies?
Right to be informedTo know how and why we use your data — this policy fulfils that right.Yes
Right of accessTo request a copy of your personal data (Subject Access Request). Free of charge, responded to within one month.Yes
Right to rectificationTo ask us to correct inaccurate or incomplete data.Yes
Right to erasureLimited for clinical records (retained under professional obligations). Applies in full to marketing data.Partial
Right to restrict processingTo ask us to limit how we use your data in certain circumstances.Yes
Right to data portabilityTo receive your data in a commonly used, machine-readable format where processing is based on consent or contract.Partial
Right to objectTo object to processing based on legitimate interests.Yes
Right to complainTo raise a complaint with us first, then escalate to the ICO if unsatisfied.Yes

We will respond to all requests within one month. Exercising your rights is free of charge.

14 Data Breaches

We take all reasonable steps to protect personal data from loss, unauthorised access, or disclosure. In the event of a personal data breach, we will:

  • Assess the risk to individuals affected without delay
  • Report the breach to the ICO within 72 hours where it is likely to result in a risk to individuals' rights and freedoms
  • Inform affected individuals directly where the breach is likely to result in a high risk to their rights and freedoms

We maintain a record of all data breaches, including those that do not require notification.

15 Data Protection Complaints

If you have a concern about how we have handled your personal data, please contact us in the first instance.

How to make a complaint to us:

1 Submit your complaint in writing to [email protected], clearly describing your concern.
2 We will acknowledge your complaint within 30 days of receipt.
3 We will investigate and respond fully without undue delay.
4 If you remain unsatisfied, you have the right to escalate your complaint to the Information Commissioner's Office (ICO).

You can contact the ICO:

  • Online: ico.org.uk/concerns
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

16 How to Contact Us

Serennu Therapies Ltd

Email: [email protected]

Website: www.serennutherapies.co.uk

This policy is reviewed annually and updated in line with changes to UK data protection law and ICO guidance. Last reviewed: April 2026.