top of page

Privacy Policy

Your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your personal information when you visit our website or use our services. By continuing to use our site, you agree to the practices described here.

Become Your Change.png

1. Who We Are

Become Your Change Ltd (Company No. 16444553) is operated by Bronwyn Evans, a Specialist Mental Health Nurse registered with the Nursing and Midwifery Council (NMC Pin: 19D0976E).¹ Bronwyn Evans is the Data Controller for all personal information processed through this practice and is registered with the Information Commissioner's Office (ICO Registration: ICO:00012712789).⁶

 

All data processing is carried out in accordance with the NMC Code,¹ UK GDPR as amended by the Data (Use and Access) Act 2025,¹⁰ ¹⁸ the Data Protection Act 2018,¹¹ and ICO guidance.⁶

2. What Personal Data We Collect

We collect only what is needed to provide safe, ethical, and effective support. Nothing more.

 

2.1 Identifying and Contact Information

  • Full name, date of birth, and contact details including email address and telephone number

  • Emergency contact details

  • GP name and surgery details

 

2.2 Special Category Health Data

As a healthcare provider, we process special category data under Article 9(2)(h) of UK GDPR, which covers processing necessary for the provision of health or social care.¹⁰ This includes:

  • Physical and mental health history, including current and previous diagnoses

  • Medication information, including any recent changes

  • Risk assessment information

  • Clinical session notes, including assessment and treatment planning records

  • Correspondence relevant to your care

 

2.3 Administrative Data

  • Booking and appointment records

  • Payment records including amounts and dates. Payment card details are not retained by us

  • Email correspondence relating to our work together

3. Lawful Basis for Processing

We process your personal data on the following lawful bases under UK GDPR, as amended by the Data (Use and Access) Act 2025:¹⁰ ¹⁸

 

  • Article 6(1)(b)  |  processing necessary for the performance of our agreement with you

  • Article 6(1)(c)  |  processing necessary to meet a legal obligation, including NMC record-keeping requirements and the NHS Records Management Code of Practice 2023¹⁷

  • Article 6(1)(f)  |  legitimate interests in practice administration and communication

  • Article 9(2)(h)  |  processing of special category health data necessary for the provision of healthcare

 

Where processing is based on your consent, you can withdraw it at any time. Withdrawing consent does not affect any processing already carried out, and some data must be retained regardless to meet legal and professional obligations.

4. How We Use Your Information

Your information is used only for the following purposes:

  • Providing, planning, and reviewing your therapeutic or clinical care

  • Risk assessment and safeguarding decisions

  • Clinical record-keeping in line with the NMC Code¹ and NHS Records Management Code of Practice 2023¹⁷

  • Appointment scheduling and administrative communication

  • Compliance with legal and regulatory obligations

  • Anonymised discussion within clinical supervision

  • Anonymised use in professional training assessments. Your identity is never disclosed

 

Your information is never used for marketing, research, or any commercial purpose. It is not shared with third parties without your explicit consent, except where the law or our professional obligations require it.

5. AI-Assisted Note-Taking and Transcription

Become Your Change Ltd uses AI-assisted transcription tools during or following sessions to support accurate and timely clinical record-keeping. The tools currently in use are Heidi¹³ and Fireflies.¹⁴

 

These tools are a clinical necessity and a reasonable adjustment. They allow Bronwyn to remain fully present with you during the session while ensuring your clinical record is accurate and professionally maintained. Their use is disclosed here in full transparency, in line with ICO guidance on AI and data processing.⁶

 

Both platforms operate in full compliance with UK GDPR¹⁰ and the relevant Standard Contractual Clauses for international data transfer. In practice this means:

  • Only Bronwyn Evans has access to session transcriptions

  • Temporary transcription data is held for no more than seven days then permanently deleted

  • Formal clinical notes are retained in line with the schedule in Section 7

  • No audio or video is saved unless explicitly agreed in advance

  • All stored data is encrypted and access-controlled

 

By engaging with our service you are confirming your awareness and acceptance of the use of these tools. Please raise any questions or concerns before your first session.

 

5.1 Recording by Clients

You are welcome to make written notes during sessions. However, Bronwyn does not consent to any audio or video recording of sessions by clients, whether covert or otherwise. Recordings made without consent may constitute a breach of UK data protection law and could result in immediate termination of the therapeutic relationship. Where an unauthorised recording has been shared beyond the session, Become Your Change Ltd reserves the right to take appropriate legal action.

6. Data Storage and Third-Party Processors

6.1 Clinical Records

All clinical records are held electronically within WriteUP,¹⁵ a specialist clinical records platform operating in accordance with UK GDPR. WriteUP acts as a data processor on behalf of Become Your Change Ltd. No paper records are maintained. WriteUP provides encrypted, secure storage of all clinical notes and correspondence, a unified eight-year retention period for all records, compliant and secure destruction at the end of the retention period, and affiliated executor services in support of Bronwyn's Clinical Will arrangement.

 

6.2 Administrative and Booking Systems

Practice administration is managed across two platforms. Google Workspace is used for email communication, calendar management, and appointment scheduling. Google Calendar and Google Meet both operate to EU and UK GDPR standards. WriteUP is also used for clinic scheduling and booking management alongside its clinical records function, ensuring administrative and clinical records are held within a single compliant system.

7. Data Retention

Data is retained only for as long as is necessary for the purpose for which it was collected, in line with professional and legal obligations.

  • Clinical records  |  Minimum 8 years from end of treatment as per NHS Records Management Code of Practice 2023¹⁷

  • AI transcription data  |  Maximum 90 days then permanently deleted

  • Administrative and booking records  |  3 years

  • Email correspondence  |  3 years from last contact, unless clinically relevant

 

The right to erasure under UK GDPR Article 17 cannot override the legal obligation to retain clinical healthcare records for the mandatory minimum period.¹⁰ All records are securely and permanently deleted on expiry of the applicable retention period.

8. When We Share Your Information

Your information is treated as strictly confidential. It is shared only in the following circumstances.

 

8.1 With Your Explicit Consent

  • Communication with your GP or other treating healthcare professionals

  • Referral letters or clinical summaries to other services

  • Insurance, occupational health, or medico-legal reports

 

8.2 Legal or Safeguarding Requirement

Confidentiality may be broken without your consent where required by law or where there is a risk of serious harm to you or others. This includes obligations under safeguarding legislation,⁷⁸⁹ the Proceeds of Crime Act 2002,¹⁶ and the NMC Code.¹ Where it is safe to do so, you will always be told before a disclosure is made.

 

8.3 Anonymised Disclosure

  • Anonymised clinical material may be discussed with Bronwyn's clinical supervisor. Your identity is not disclosed

  • Anonymised case material may be used in assessed professional training work. Your identity is never disclosed

 

Your information is never sold, rented, or used for any commercial purpose.

9. Your Rights Under UK Data Protection Law

You have the following rights in relation to the personal information we hold. These are set out under UK GDPR as amended by the Data (Use and Access) Act 2025:¹⁰ ¹⁸

 

  • Right of access  |  request a copy of your data via a Subject Access Request

  • Right to rectification  |  request correction of inaccurate or incomplete information

  • Right to erasure  |  request deletion where there is no legitimate reason to continue processing, subject to retention obligations

  • Right to restriction  |  request that processing be limited in certain circumstances

  • Right to data portability  |  receive your data in a structured, machine-readable format where applicable

  • Right to object  |  object to processing based on legitimate interests

  • Right to withdraw consent  |  where processing is based on consent, withdraw it at any time

 

9.1 How to Make a Request

To exercise any of these rights, please contact contact@becomeyourchange.com with your full name, a description of the request, and proof of identity. We will acknowledge your request within 30 days as required under the Data (Use and Access) Act 2025.¹⁸ Where a request is complex, the response period may be extended by a further two months and you will be informed.

 

Under the DUAA you also have the right to raise a data privacy complaint directly with us. We are obliged to acknowledge it within 30 days and take appropriate steps to investigate without undue delay.

 

In some circumstances, such as where a Subject Access Request is manifestly unfounded or excessive, we may request clarification, charge a reasonable fee, or decline to respond. We will always explain our reasons in writing if this occurs.

 

9.2 Complaints to the ICO

If you are not satisfied with our response, you have the right to raise a complaint with the Information Commissioner's Office:

ico.org.uk/make-a-complaint  |  0303 123 1113

10. Record of Processing Activities

As a healthcare data controller, Become Your Change Ltd maintains a Record of Processing Activities (ROPA) as required under UK GDPR Article 30.¹⁰ This internal document records the categories of personal data processed, the purposes for processing, data flows, retention periods, and the technical and organisational measures in place to protect your information. It is available to the ICO on request.

11. Data Breaches

In the unlikely event of a data breach affecting your personal information, we will act promptly and transparently. Where a breach is likely to put your rights and freedoms at risk, the Information Commissioner's Office will be notified within 72 hours in line with UK GDPR Article 33.¹⁰ Where the risk to you as an individual is high, you will also be contacted directly as soon as possible.

12. Practitioner Unavailability and Clinical Will

A Clinical Will arrangement is in place through WriteUP's affiliated executor services.¹⁵ In the event that Bronwyn Evans becomes unable to practise due to illness, incapacity, or death, appropriately qualified professionals bound by the same confidentiality standards will have access to your records solely to ensure continuity of care or meet legal obligations. You will be informed if this situation applies to your records.

13. Website and Cookies

The Become Your Change Ltd website at www.becomeyourchange.com is hosted on Wix. The site may use cookies and analytics tools in line with Wix's standard data practices. By using the website you accept the use of cookies as described in the Wix cookie policy, accessible via the website footer.

14. Changes to This Policy

This policy is reviewed regularly and updated to reflect changes in legislation, professional guidance, or practice. The current version is always available at www.becomeyourchange.com. Material changes will be communicated to existing clients at least 28 days before they take effect.

References

[1]  NMC Code of Professional Standards of Practice and Behaviour for Nurses, Midwives and Nursing Associates (published 2018, visual refresh 2023, substantive content unchanged and current)  https://www.nmc.org.uk/standards/code/

[6]  Information Commissioner's Office (ICO)  https://ico.org.uk

[7]  Care Act 2014  https://www.legislation.gov.uk/ukpga/2014/23/contents

[8]  Children Act 1989 and 2004  https://www.legislation.gov.uk/ukpga/2004/31/contents

[9]  Mental Capacity Act 2005  https://www.legislation.gov.uk/ukpga/2005/9/contents

[10]  UK General Data Protection Regulation (UK GDPR)  https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/

[11]  Data Protection Act 2018  https://www.legislation.gov.uk/ukpga/2018/12/contents

[13]  Heidi Health  |  AI clinical documentation  https://www.heidihealth.com

[14]  Fireflies.ai  |  AI meeting and clinical notes  https://fireflies.ai

[15]  WriteUP  |  Clinical Records Platform  https://writeup.io

[16]  Proceeds of Crime Act 2002  https://www.legislation.gov.uk/ukpga/2002/29/contents

[17]  NHS Records Management Code of Practice 2023  https://transform.england.nhs.uk/information-governance/guidance/records-management-code/

[18]  Data (Use and Access) Act 2025  https://www.legislation.gov.uk/ukpga/2025/16/contents

bottom of page