Privacy Policy
Effective Date: 26/03/2025
Review Date: 26/03/2026
Speech Esteem is committed to protecting your personal data and respecting your privacy. This policy outlines how your information is collected, used, stored, and shared in line with the UK GDPR and Data Protection Act 2018. It applies to anyone using our speech and language therapy services and explains your rights and how we keep your information safe.
1. Who We Are
Speech Esteem is a private speech and language therapy service based in the UK.
For the purposes of data protection law, the Data Controller is:
Natalia Cavajdova
Speech and Language Therapist – Speech Esteem
Email: info@speechesteem.com
ICO Registration Number: ZB883693
As the Data Controller, I am responsible for ensuring that all personal data is processed lawfully, securely, and in accordance with the UK GDPR and Data Protection Act 2018.
2. What Data We Collect
A healthcare record refers to all information collected, processed, and held in both manual and electronic formats relating to the service user and their care. Speech and language difficulties can be complex, and a wide range of information may be required to deliver effective support. To maintain a high-quality, evidence-based service that meets best practice and legal requirements, Speech Esteem may collect and securely store the following categories of data. This list is not exhaustive and may vary depending on the individual needs of each client.
2.1. Personal and Contact Information
- Client’s full name, date of birth, and gender
- Parent/guardian or carer’s name, relationship to client
- Address, email, and telephone number(s)
- Emergency contact information
2.2. Health and Developmental Information
- Relevant medical history (e.g. diagnoses, allergies, sensory needs, medications)
- Birth history and developmental milestones
- Mental health information (where relevant to therapy)
- Hearing and vision information
- Feeding and swallowing history (if applicable)
2.3. Educational and Social Background
- School or early years setting name, year group
- Details about learning needs and support (e.g. SEN status, EHCPs, support plans)
- Behavioural observations and reports
- Languages spoken at home and cultural considerations
2.4. Therapy-Related Records
- Case history forms and assessment notes
- Standardised test results and therapy plans
- Session notes, observations, and clinical decisions
- Reports written by or for Speech Esteem (e.g. EHCP reports, discharge summaries)
2.5. Communication and Correspondence
- Emails, phone call summaries, and messages relating to therapy, scheduling, or concerns
- Notes from conversations with families or professionals
- Consent forms and signed documents
2.6. Administrative and Financial Data
- Invoices, billing information, and payment records (excluding bank or card details)
- Session booking history
- Notes relating to missed or cancelled sessions
- Information needed for accounting or HMRC purposes
2.7. Website Visitor Data
Visitors to the Speech Esteem website may have certain data collected automatically or voluntarily when using the site, including:
- IP address, browser type, and device information
- Website usage data (e.g. pages visited, session duration) via cookies or analytics tools
- Information submitted through website forms (e.g. contact enquiries or sign-up forms)
This information is collected to improve user experience, respond to enquiries, and understand how the site is used. Cookies are only used with your consent, and full details are provided in the Cookies and Website Tracking section of this policy.
3. How We Collect Data
Speech Esteem collects personal data through the following lawful and transparent methods:
3.1. Directly from You
- During initial contact or enquiry (via phone, email, website form)
- When completing online forms, such as intake forms or case history questionnaires
- During in-person or virtual therapy sessions
- Through signed consent forms or written communications
- When registering for webinars via Eventbrite and submitting payment details through secure third-party payment processors.
Online forms are hosted securely using Microsoft Forms, and may be integrated into our website using GDPR-compliant tools. These forms are encrypted and do not store data on the website itself.
3.2. From Professionals Involved in Your Child’s Care
With your explicit, informed consent, we may collect relevant information from other professionals such as:
- NHS or private speech and language therapists
- General practitioners (GPs) or paediatricians
- Educational professionals (e.g. teachers, SENCOs, educational psychologists)
We will always explain what information is being requested, from whom, and for what purpose before seeking or sharing data.
3.3. Automatically Through Website Use
When you visit the Speech Esteem website, limited technical data may be collected automatically (e.g. IP address, browser type, device model). This is done through cookies or analytics tools and is only activated with your consent. See the Cookies and Website Tracking section for more detail.
3.4. Legal or Emergency Exceptions
In rare cases, we may collect or share information without your consent if required by law or in emergency safeguarding situations (e.g. where there is a serious risk to health or life).
4. Why We Collect Data
Speech Esteem collects and uses personal data to provide a safe, effective, and legally compliant speech and language therapy service. Under the UK General Data Protection Regulation (UK GDPR), we are required to identify the lawful basis for processing personal data.
The following lawful bases may apply:
4.1. Consent
You have given clear, informed consent for us to process your personal data for a specific purpose — for example, to share information with your child’s school or another professional involved in their care. Where the client is under 18, we will obtain informed consent from a parent or legal guardian. Where appropriate, we may also involve the child in understanding the nature of consent, depending on their age and capacity to do so. Consent can be withdrawn at any time unless there is another lawful basis for processing.
4.2. Contract
We process your data to fulfil our service — for example, to:
- Deliver therapy sessions (in-person or online)
- Manage scheduling, communication, and billing
- Write clinical reports or update therapy plans
4.3. Legal Obligation
We must keep certain data to follow the law. This includes:
- Keeping records for tax and accounting purposes (for example, for HMRC)
- Storing financial information for audits or legal checks
- Following rules set by professional bodies (like HCPC)
- Meeting our responsibilities around safeguarding and child protection
If needed, we may share limited information (such as names, invoices, or payment history) with a trusted accountant or bookkeeper to help manage our records. They will only access what’s necessary and must keep your data safe and confidential.
4.4. Vital Interests
In rare cases, we may process or share data without consent if it is necessary to protect someone’s life or prevent serious harm — for example, in a safeguarding emergency.
4.5. Legitimate Interests
We may process data when it is necessary for our legitimate business interests — such as maintaining accurate records, improving our services, or defending against legal claims — provided that this does not override your rights and freedoms.
4.6. Special Category Data
Health and developmental information is classified as special category data under UK GDPR. We only process this data where it is necessary for the provision of our services, in accordance with Article 9(2)(h), and in compliance with relevant confidentiality laws and professional codes of conduct.
5. How We Use Your Data
Speech Esteem uses your data only for as long as necessary to provide safe, effective, and professional speech and language therapy services and meet legal or professional requirements.
5.1 Clinical Records
Clinical records include any information relating to the provision of assessment and therapy services, including case history forms, session notes, reports, assessments, observations, and communications relating to clinical care.
- Clinical data is stored in secure electronic systems. If physical records are kept, they are stored in locked cabinets accessible only by the Data Controller.
- For children and young people under 18, clinical records are retained until the child reaches age 25 (or 26 if the child was 17 at the date of last contact).
- For adult clients, clinical records are retained for a minimum of 7 years after the last date of service provision.
- Audio or video recordings used for clinical purposes are stored securely and retained only as long as necessary for clinical use. These are deleted once analysis is complete, unless explicit written consent has been given for longer-term use in training or supervision.
- If data is used for training, supervision, or anonymised research purposes, separate written consent will be obtained. You may withdraw consent for such uses at any time.
5.2 Financial and Administrative Records
Financial records include invoices, payment logs, billing communications, and any contact information required to administer those records.
- Financial and associated contact records are retained for 6 years from the end of the relevant tax year, in line with HMRC recordkeeping obligations.
- Financial data (excluding card or bank details) may be disclosed to HMRC or legal professionals where required by law (e.g. for audits, disputes, or debt recovery proceedings).
- Notes relating to missed or cancelled appointments may be retained alongside billing records for audit and safeguarding reference.
- Personal data relevant to invoicing, payment, and tax compliance may be shared with trusted service providers such as accountancy software, registered accountants or bookkeepers, and banking institutions (e.g. payment references). These services are used solely for lawful business operations and are bound by confidentiality and data protection standards. No sensitive clinical data is shared for financial or tax purposes.
- Payment records and registration details for online events may be collected and processed via secure third-party platforms such as Stripe and Eventbrite. These are used solely to administer your attendance and issue access links.
5.3 Exceptions and Legal Holds
- If a safeguarding concern, complaint, or legal claim arises — or is reasonably anticipated — all relevant data will be retained beyond the standard period until the issue is fully resolved. This is in line with Article 17(3)(e) of UK GDPR, which permits continued retention where necessary for the establishment, exercise, or defence of legal claims.
- Records subject to active investigation (e.g. by safeguarding authorities or HCPC) will be retained in their original format until all processes are complete.
- In the context of lone working, your address may be securely stored or accessed through a GDPR-compliant safety app or check-in system. This is solely for the therapist’s personal safety during home visits and is not shared with third parties outside of this purpose.
6. How We Share Your Data
Speech Esteem only shares personal data where it is necessary, lawful, and proportionate. Data is shared on a case-by-case basis, and only for the purposes outlined in this policy.
We may share your data with the following people or organisations:
6.1 With Your Consent
- With your written permission, we may share relevant information with professionals directly involved in your child’s care. This may include NHS speech and language therapists, GPs, paediatricians, school staff (e.g. SENCOs, teachers), educational psychologists, or private therapists.
- Where appropriate, we will discuss with you what will be shared, with whom, and why.
- You may withdraw consent for data sharing at any time unless there is a legal obligation to disclose.
6.2 Without Consent – Legal or Safeguarding Exceptions
We may share data without consent where we are legally required or permitted to do so, including when:
- There is a serious safeguarding concern involving a child or vulnerable adult
- Disclosure is necessary to prevent serious harm or a risk to life
- We are required to comply with legal, regulatory, or insurance obligations (e.g. HCPC investigation, HMRC audit, court order)
6.3 Trusted Service Providers (Data Processors)
Where third-party systems are used, these providers act as data processors under contract and are bound by data protection agreements to ensure your information is secure and processed only under instruction from the Data Controller. Speech Esteem does not sell or share your information for marketing or advertising purposes.
Trusted third-party platforms used may include:
- Microsoft 365 (forms, emails, data storage and processing)
- Eventbrite (event registration and ticketing platform)
- Stripe (secure online payment processing associated with Eventbrite)
7. How We Store and Protect Your Data
Speech Esteem takes the security and confidentiality of personal data seriously. All personal and clinical information is stored securely, in accordance with the UK GDPR, Data Protection Act 2018, and relevant professional standards.
7.1 Storage Methods
- Electronic records are stored in a secure, cloud-based system (Microsoft 365), which is password protected and GDPR-compliant.
- Online forms (e.g. intake or case history) are submitted securely through Microsoft Forms and stored within the same secure cloud environment.
- Physical records, if used, are stored in locked filing systems accessible only by the therapist.
- Any sensitive documents (e.g. assessment forms, reports) sent by email are encrypted and password-protected.
- Therapy reports and session notes are not stored on personal devices.
- For safety during home visits, your address may be stored temporarily in a secure lone-working or check-in app, which is used only for therapist safety.
7.2 Access Control and Cybersecurity
- Access to data is limited to the Speech and Language Therapist (the Data Controller) only.
- All digital systems are secured with password protection and two-factor authentication where possible.
- Devices used to access client data (e.g. laptop, tablet, phone) are encrypted, password-protected, and regularly updated with antivirus and security software.
- Data is not accessed or viewed in public places or over unsecured Wi-Fi networks.
7.3 Online Sessions and Communication
- Online therapy sessions are conducted using secure, GDPR-compliant platforms.
- Clients are advised to ensure privacy during online sessions to protect confidentiality.
- Session recordings are only made with written consent and stored securely.
- Emails, forms, and messages containing sensitive information are handled with care and stored appropriately.
7.4 Breach Notification
In the unlikely event of a data breach involving personal data that could result in a risk to your rights or freedoms, you will be informed without undue delay. The breach will be reported to the Information Commissioner’s Office (ICO) within 72 hours, as required under Article 33 of UK GDPR. If you suspect your personal data has been compromised in any way, you should contact the Data Controller as soon as possible.
7.5 International Transfers
Speech Esteem primarily stores and processes personal data within the UK and the European Economic Area (EEA). However, some third-party services used to deliver therapy and manage communications may transfer data outside the UK or EEA.
When this occurs, these services are carefully selected and required to:
- Store and process data in countries that are covered by an adequacy decision under UK GDPR, or
- Operate under legally binding agreements that include approved international data transfer safeguards.
Speech Esteem only uses reputable, GDPR-compliant service providers and ensures that personal data remains secure and protected to UK standards at all times.
If you would like more information about international data transfers or the safeguards in place, please contact the Data Controller.
8. Cookies and Website Tracking
Our website (www.speechesteem.com) uses cookies and similar tracking technologies to provide a better browsing experience and to understand how visitors use the site.
8.1. What are cookies?
Cookies are small text files stored on your device that help websites function and collect useful information (e.g. analytics).
8.2. Types of cookies we may use:
- Essential cookies – Required for the website to work properly (e.g. page navigation, security).
- Analytics cookies – Help us understand how the website is used so we can improve it.
- Preference cookies – Remember your choices to improve user experience (e.g. language settings).
You can accept or decline non-essential cookies when prompted by the cookie banner on our website. You may also adjust your browser settings to block or delete cookies at any time. We do not use cookies to track you for marketing purposes or share cookie data with third parties. If you have any questions about website tracking or cookies, please contact the Data Controller.
9. Your Rights Under UK GDPR
As a client (or parent/carer of a client) of Speech Esteem, you have the following rights regarding your personal data under the UK General Data Protection Regulation (UK GDPR):
- The right to be informed – You have the right to know how and why your data is being collected and used.
- The right of access – You can request a copy of the personal data held about you or your child.
- The right to correct information – You can ask for your data to be corrected if it is inaccurate or incomplete.
- The right to delete data – In certain circumstances, you can request that your data is deleted.
- The right to restrict processing – You can ask for the use of your data to be limited in specific situations.
- The right to data portability – You may request that your data be transferred to another provider in a structured, commonly used, and machine-readable format.
- The right to object – You can object to certain uses of your data, including for legitimate interest purposes.
- Rights related to automated decision-making and profiling – Speech Esteem does not use automated decision-making or profiling.
Children’s Rights: Children have the same data protection rights as adults. For younger children, parents or legal guardians usually act on their behalf. Where appropriate, older children may be involved in decisions about their data if they are able to understand their rights.
You can exercise these rights at any time by contacting the Data Controller using the contact details provided at the end of this policy.
10. Contact Information
If you have any questions about this privacy policy, your personal data, or if you wish to exercise any of your data protection rights, you can contact:
Speech Esteem – Data Controller
Natalia Cavajdova
Email: info@speechesteem.com
ICO Registration Number: ZB883693
Website: www.speechesteem.com
If you are not satisfied with how your data is handled, you have the right to make a complaint to the Information Commissioner’s Office (ICO): https://www.ico.org.uk
