PRIVACY POLICY

Effective date: 29 December 2025

1) Who I am
I, Paulina Trevena, operate Dr Paulina Trevena at www.paulinatrevena.com. I am the data controller for the personal data I process about clients, prospective clients, and website visitors.


Address: 24 Cartside Road, G76 8QQ, Clarkston, UK
Email: [email protected]

2) How my data processing works
To provide my website, bookings, messaging, and client management, I use HypnoPilot as my service platform. HypnoPilot acts as my data processor and operates the system on my instructions.

3) What data I collect
a) Data you provide

Contact and booking details: name, email, phone number, preferred times, appointment history.

Messages and preferences: enquiries, support requests, consent choices, marketing preferences.

Session information: intake answers, goals, progress notes and other information shared during our work. These can include health-related details that you choose to disclose.

Payments (if enabled): billing details and transaction confirmations. I do not store full card numbers. Payments are processed by the payment provider(s) I have enabled, such as Stripe or PayPal.

b) Data collected automatically

Technical data: IP address, device and browser type, pages viewed, timestamps.

Cookies and similar technologies: used for essential site functions, analytics, and marketing, managed via the platform cookie banner.

c) Minors
My services are designed for adults. If a minor engages my services, I only process their data with verified parental or legal guardian consent. By default, I treat individuals under 18 as minors for consent purposes.

4) Why I process data and legal bases

Provide services and manage bookings (contract or steps before contract).

Client communication such as confirmations, reminders and follow-ups (contract or legitimate interests; SMS only with explicit consent).

Maintain records and session notes (legitimate interests; for special-category data, I rely on your explicit consent).

Email marketing and updates like newsletters, tips or announcements (consent, with double opt-in for email).

Analytics and ads measurement to improve my website and measure campaigns (consent via the cookie banner for non-essential cookies).

Legal and compliance purposes, including tax records and handling legal claims (legal obligation or legitimate interests).

You can withdraw consent at any time. This will not affect prior lawful processing.

5) Cookies and tracking
A cookie banner is used to request and record your choices under the UK Privacy and Electronic Communications Regulations (PECR).

Essential cookies are necessary for the site to function.

Analytics and marketing cookies such as Google Analytics, Meta Pixel and Google Ads are used only with your consent in the UK.

You can change or withdraw consent at any time in the cookie banner.

6) Who processes data for me
I share data with carefully selected service providers to run my services. They act on my instructions and under data processing agreements. Depending on my configuration, I may use one or more of the following categories:

Platform operations: HypnoPilot as my processor.

CRM, automations, messaging infrastructure: a platform provider engaged by HypnoPilot as its sub-processor.

Email and messaging: internal email infrastructure within the platform, a professional email host and an SMS or voice provider.

Email marketing (if enabled): a newsletter provider with double opt-in.

Payments (if enabled): one or more payment providers such as Stripe or PayPal.

Analytics and ads (if enabled): analytics and advertising measurement tools with consent.

A current, detailed list of providers, including links to their privacy notices and data processing terms, is available at: https://hypnopilot.com/sub-processors. I do not sell personal data.

7) Communications and messaging compliance
I use my own account settings and sender IDs to send service messages and, if enabled, marketing messages. I review and approve message content before sending. I am responsible for obtaining and recording the consent required by applicable laws.

a) Types of messages

Service messages such as booking confirmations, reminders and follow-ups.

Marketing messages (if enabled) such as newsletters or offers, only with prior consent.

b) Consent

Email: marketing email uses double opt-in and includes an unsubscribe link.

SMS: I send SMS only with explicit opt-in consent collected at the point of sign-up, for example on a form or during booking. At sign-up I explain who is messaging, what you will receive, that message and data rates may apply, that message frequency varies and how to opt out.

c) Opt-out and help
You can opt out of SMS at any time by replying STOP. For help, reply HELP or email [email protected]. Message frequency varies. Message and data rates may apply.

d) Responsibility and applicable rules
I comply with the UK GDPR and PECR for electronic communications. Where messages are sent to numbers in other regions, I also follow local rules such as TCPA, CTIA guidelines and CAN-SPAM where applicable. HypnoPilot does not initiate or control messages on my behalf.

e) Mobile number use
I do not share mobile numbers or SMS opt-in data with third parties for their marketing. Mobile data is shared only with messaging providers as needed to deliver the service. See the current providers list at https://hypnopilot.com/sub-processors.

8) Special-category data
Some information you share may reveal health-related details. I process such special-category data only with your explicit consent for the purpose of providing hypnotherapy services. Access is limited to authorized personnel.

9) International data transfers
Some providers may process data outside the UK. Where this happens, appropriate safeguards are used, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and where applicable UK adequacy regulations (including the UK-US Data Bridge). If you would like details about specific safeguards for a given provider, contact me and I will provide them.

10) How long I keep data
I set retention so that I keep data no longer than necessary for the purposes described above and to meet professional and legal obligations.

General enquiries and non-client messages: up to 24 months after the last contact.

Booking and service records: typically 6 to 10 years to meet tax and accounting requirements and professional guidance.

Session notes and health-related data: ordinarily 7 years from the last session, unless local rules require a different period.

Marketing data: until you withdraw consent or after 24 months of inactivity.

I will delete or anonymize data earlier where I no longer need it, subject to legal retention duties.

11) Your rights
Under the UK GDPR and the Data Protection Act 2018, you have the right to access, rectify, erase, restrict processing, object to processing and port your data, and to withdraw consent at any time.
To exercise your rights, email [email protected].
You also have the right to complain to the UK Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/.

12) Security
I apply appropriate technical and organizational measures to protect your data, including encryption in transit, access controls, least-privilege user permissions, multi-factor authentication where supported, regular access reviews and secure backups. I also require my processors to implement suitable safeguards.

13) Third-party links and embedded content
My website may include links to third-party sites or embedded content. Those services operate under their own privacy policies.

14) Changes to this policy
If I update this policy, I will change the effective date above and, where appropriate, notify you.

15) Contact
Dr Paulina Trevena
24 Cartside Road, G76 8QQ, Clarkston, UK
Email: [email protected]
