Privacy Policy

Controller: Maria Varallo
Contact: info@mariavarallo.co.uk

Effective from: 15th June 2025 · Version: 2.0

This explains what I collect, why I collect it, how I use and store it, how long I keep it, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).

What I collect - 

  • Your name, email, phone, and your message.

  • Your contact details, any accessibility needs, agreement form, invoices and payment records.

  • Records of dates of our meetings, attendance and brief session/meeting notes.

I aim to collect only what is necessary. At the end of our meetings or programme, I shred all notes.

Why I collect it (purposes) and lawful bases -

  • Responding to enquiries and arranging appointments. 

  • Providing coaching and keeping appropriate records – necessary to deliver an excellent service as a professional; I am also bound by confidentiality.

  • Business operations – to ensure I am running a safe and effective business. Where I use Legitimate Interests, I have balanced your rights and expectations against my interests and found the impact on you to be low.

Who receives your data -

  • My Supervisor – I may share material and stories from and about clients, always in anonymised form to maintain confidentiality, for my professional development.

  • Service providers – secure email, website hosting/forms, cloud storage, and video‑conferencing, usually Teams. I do not sell your data.

  • Only when necessary: with your explicit consent, to protect you or others from serious harm, or when required by law or a court order. Where possible I will discuss this with you first.

How long I keep your data (retention) -

  • Adult client records: usually 3 years from our last contact, then securely destroyed.

  • Enquiries that do not proceed: up to 3 months, then deleted.

  • Financial records: 6 years to meet tax requirements. This may be extended if a legal claim is in progress. When a period ends, I securely delete or shred the data.

Your rights

You have the right to access your data, to have inaccuracies rectified, to have data erased in certain circumstances, to restrict or object to processing, and to data portability for information you have provided. To exercise a right, contact me using the details above; I will respond within one month. I will ask for ID before releasing information. Some rights may be limited, for example, where disclosure would adversely affect another person or where I must keep data for legal reasons.

Security

Paper notes are stored in a locked cabinet within a locked room. Digital records are stored on encrypted devices with strong passwords and two‑factor authentication, with encrypted backups. Access is restricted to me only.

For online sessions I usually use Teams; however, I can use Zoom or FaceTime with additional security controls (waiting room, no default recording).

Complaints

If you have concerns about how I handle your data, please contact me first – info@mariavarallo.co.uk.

You also have the right to complain to the Information Commissioner’s Office (ICO).