Privacy Policy

Information on the Processing of Personal Data Collected Through This Website

Last updated: 15 January 2026

Dear Visitor,
pursuant to EU Regulation 2016/679 (GDPR) and the UK GDPR, this privacy notice describes how the personal data of users who visit the website evagalzerano.com and use the contact form are processed.
This notice applies exclusively to this website and does not extend to any other websites that may be accessed via external links.

DATA CONTROLLER
Eva Galzerano
CBT Psychologist and Psychotherapist
Practice address: 9 Lisbon Avenue – TW2 5HR, Twickenham – London, United Kingdom

Contact details
Email: info@evagalzerano.com
Phone: +44 755 34 94855
HCPC Registration: PYL36628
Registered with the Order of Psychologists of Lazio (Italy) no. 15324 since 2004.
Eva Galzerano operates in the United Kingdom as a self-employed professional registered with HMRC (Her Majesty’s Revenue and Customs).

1. What is the lifecycle of personal data?

Personal data processed, purposes, and legal bases

1.1 What personal data do we process?

When you use the contact form on evagalzerano.com, we collect the following personal data:

Common personal data (Art. 6 GDPR / UK GDPR):
  • First and last name
  • Email address
  • Phone number (optional)
  • Preferred therapy format (online, in-person, no preference) – optional

Mental health–related data (Art. 9 GDPR / UK GDPR):

Special categories of personal data

The contact form optionally asks you to indicate the area of interest or issue for which you are seeking support by selecting one or more of the following:

  • Anxiety and panic attacks
  • Depression and mood disorders
  • Expatriation stress
  • Obsessive-compulsive disorder
  • Relationship and couple difficulties
  • Personal growth and low self-esteem

You may also choose to include additional information in the free-text message field:
“Write here if you wish to share something in advance.”

Important

All checkboxes relating to issues are OPTIONAL. You may choose not to select any option and provide only general information in the message. We recommend reserving detailed clinical information for the initial consultation in a protected setting.
These data reveal information about your mental health and are considered special category data, which receive enhanced protection under Art. 9 GDPR / UK GDPR.

1.1bis Website statistical analysis

To understand how our website is used and improve user experience, we use Koko Analytics, a privacy-respecting web analytics tool.

Privacy-friendly features

Koko Analytics does NOT use cookies and does NOT track individual users.

Data collected (in anonymous and aggregated form)

  • Number of page views for each page
  • Traffic source (e.g., search engines, direct access, links from other websites)
  • General technical information (device type, browser used)

Privacy protection

  • No cookies installed on your device
  • No individual user tracking
  • No profiling
  • Completely anonymous data
  • Data stored exclusively on our server
  • No sharing with third parties
  • Automatic deletion after 12 months

Legal basis

Art. 6(1)(f) GDPR – Legitimate interest

Our legitimate interest is to improve the website and understand which content is most useful for visitors, without compromising your privacy.

Measurement method: cookieless tracking

Your consent is not required for this form of analysis, as no cookies or personal tracking technologies are used.

Data controller for analytics: data are collected and stored directly on our server. We do not use third-party providers for web analytics.

For more information about the technology used: https://www.kokoanalytics.com/privacy/

1.2 Why do we process your personal data?

Your personal data are collected and processed for the following purposes:

A) Responding to your booking request

Legal basis for common personal data

Art. 6(1)(a) GDPR – Consent
By completing the contact form, you consent to the processing of your common personal data (name, email, phone number, preferred therapy format).

Legal basis for health-related data

Art. 9(2)(a) UK GDPR – Explicit consent
If you select one or more issue-related checkboxes or include information about your mental health in the message, you provide your explicit consent to the processing of these health-related data.
Explicit consent is collected through the mandatory checkbox in the form:
“I have read the Privacy Policy. I consent to the processing of my health-related data exclusively for the management of the professional request, in full compliance with Professional Secrecy and the GDPR.”
You may withdraw your consent at any time by contacting Eva Galzerano.
Data type: Name, email, phone number, selected issue (optional), message content
Purpose: Management of pre-contractual requests, provision of information about services
Retention: 30 days if no therapeutic pathway is initiated

B) Management of the therapeutic pathway

Legal basis for common personal data

Art. 6(1)(b) GDPR – Performance of a contract

Legal basis for health-related data

Art. 9(2)(h) UK GDPR – Preventive medicine, diagnosis, healthcare, or treatment
If you decide to start a therapeutic pathway, your data will be necessary for:

  • Provision of psychotherapy services
  • Appointment management
  • Maintenance of clinical documentation (therapy notes, assessments, progress)
  • Compliance with tax and insurance obligations

Health-related data are processed by a healthcare professional (psychologist registered with the Italian Order of Psychologists and practicing in the UK), subject to professional secrecy under:

  • Italian Psychologists’ Code of Ethics (Art. 13)
  • HCPC Standards of Conduct, Performance and Ethics (where applicable)

Data type: Personal data and mental health data (history, clinical notes, assessments, therapeutic progress)
Purpose: Provision of psychological and psychotherapeutic services
Retention: 7 years after the end of treatment (adults) / until the 25th birthday (minors)

1.3 What happens if you do not provide the data?

MANDATORY DATA (name, email):
Without these data, we cannot respond to you.

OPTIONAL DATA (phone number, message details):
You may choose not to provide them. We will still reply by email.

Mental health information

It is not necessary to include clinical details in the first message. These can be shared during the initial consultation in a protected and confidential setting.

2. How are personal data processed?

Your personal data are processed using manual, electronic, and online tools, strictly related to the purposes indicated above and in any case in a manner that ensures data security and confidentiality.

2.1 Security measures adopted

For data collected via the contact form:

  • SSL/HTTPS secure connection (TLS encryption in transit)
  • Password-protected WordPress database
  • FluentForms plugin with GDPR-compliant security measures
  • Regular encrypted backups
  • Access restricted to authorised persons only

For health-related data (therapeutic pathway):

  • Password-protected and encrypted digital archive
  • Computers and mobile devices protected by password/biometrics
  • Emails (Serverplan) sent with TLS encryption
  • Paper documents stored in a locked cabinet
  • Compliance with professional secrecy (Art. 13 Italian Psychologists’ Code of Ethics)

3. Who processes personal data?

3.1 Data Controller

Eva Galzerano – Psychologist and CBT Psychotherapist

3.2 Data Processors

The following providers process personal data on behalf of the Data Controller:

SERVERPLAN S.R.L.
Function: Website hosting, database, and email service (info@evagalzerano.com)
Location: Italy (European Union)
Compliance: GDPR compliant
Privacy Policy: https://www.serverplan.com/privacy-policy/
Serverplan provides the full technical infrastructure for the website, hosting the site and the WordPress database containing contact form data, and managing the professional email service. It is contractually bound to comply with GDPR requirements.

FLUENTFORMS (WordPress plugin)
Function: Contact form management and submission storage
Location: Database hosted on Serverplan servers (Italy, EU)
Compliance: GDPR compliant

All data processors are contractually bound to comply with GDPR / UK GDPR and operate according to the Data Controller’s instructions.

TECHNICAL NOTE
The technical management of the website is entrusted to professional service providers operating under the Data Controller’s supervision and in compliance with received instructions.

3.3 Clinical supervisor

During professional supervision (a deontological obligation), clinical cases may be discussed in anonymised form, without names or identifying details. The supervisor is also bound by professional secrecy.

To exercise your rights or for any request relating to the processing of your personal data, you may contact the Data Controller, Eva Galzerano, directly.

4. Who may access personal data?

Your personal data may be accessed exclusively by:

4.1 Information requests (contact form)

  • Eva Galzerano (to respond to your request)
  • Serverplan (technical provider for hosting, database, and email), solely as data processor

4.2 Therapeutic pathway

  • Eva Galzerano (service provision)
  • Clinical supervisor (anonymised form, deontological obligation)
  • Accountant/tax advisor (administrative data only, no clinical data)
  • Professional liability insurer (only in the event of a claim)

4.3 Limits to confidentiality

As provided by the Italian Psychologists’ Code of Ethics and UK regulations, professional secrecy may be breached only in the following exceptional cases:

  • Serious and imminent danger to your life or that of others
  • Order from a judicial authority (legal obligation)
  • Protection of minors (reporting to social services in case of risk of abuse or neglect)

Whenever possible, you will be informed in advance, unless prevented by legal obligation or urgency.

Your data will never be:
  • Sold to third parties
  • Used for unauthorised marketing
  • Transferred outside the EU/UK without adequate safeguards
  • Shared with other professionals without your explicit consent

5. Do you have the right to access, rectify, or delete your personal data?

Yes. Pursuant to Articles 15–22 of the GDPR and UK GDPR, you have the following rights:

5.1 Your rights

Right of access

You may request a copy of your personal data.

Right to rectification

You may request correction of inaccurate or incomplete data.

Right to erasure

You may request deletion of your data (“right to be forgotten”), subject to legal retention obligations.

Important note

For data relating to therapeutic pathways, deletion may not be possible for 7 years after the end of treatment due to legal obligations related to:

  • Professional liability protection
  • Insurance requirements
  • Italian Order of Psychologists regulations
  • UK HCPC guidelines (where applicable)

Right to restriction of processing

You may request temporary limitation of processing in case of disputes.

Right to object to processing

You may object to processing for legitimate reasons.

Right to data portability

You may receive your data in a structured, readable format.

5.2 How to exercise your rights

You may exercise your rights at any time by emailing the Data Controller with the subject:
“Request to exercise GDPR / UK GDPR rights.”

Required documentation

  • Copy of a valid ID document
  • Clear specification of the right you wish to exercise

You will receive a response within 30 days.

5.3 Complaint to the supervisory authority

If you believe your data are processed in violation of GDPR / UK GDPR, you may lodge a complaint with:

For services provided in Italy
Italian Data Protection Authority (Garante per la Protezione dei Dati Personali)
Piazza Venezia, 11 – 00187 Rome
Email: garante@gpdp.it
Phone: +39 06 696771
Website: https://www.garanteprivacy.it

For services provided in the United Kingdom
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Email: casework@ico.org.uk
Phone: 0303 123 1113
Website: https://ico.org.uk/

Eva Galzerano is registered with the Information Commissioner’s Office (ICO).
ICO Registration Number: C1877023
Registration Date: 20 January 2026
This registration demonstrates our commitment to data protection and compliance with UK data protection laws.

6. How long are personal data retained?

6.1 Retention periods

A) Information requests not followed by therapy

Contact form data: 30 days from receipt
After 30 days, if no therapeutic pathway is initiated and no response is received, your data will be automatically deleted from the FluentForms database and email archive.
Reason for 30 days:

  • Reasonable time to respond and decide
  • Data minimisation (GDPR principle)
  • Reduced risk of data breaches

B) Therapeutic pathway (active or completed clients)

Personal data and clinical notes: 7 years after the end of treatment
This period is required for:

  • Legal obligations of the Italian Order of Psychologists
  • UK HCPC guidelines (where applicable)
  • Professional insurance coverage
  • Protection against potential disputes

For minors
Data will be retained until the client reaches 25 years of age (or 26 if treatment ended at 17), in accordance with NHS and BPS guidelines.

C) Tax and administrative data

Invoices, receipts, payments: 10 years (Italian/UK tax obligation)
These data are stored separately from clinical data and include only administrative information.

6.2 Data deletion

At the end of retention periods:

  • Digital archives: permanent deletion (hard delete with overwriting)
  • Backups: deletion from all backups
  • Paper documents: secure destruction via shredder

7. Transfer of data outside the EU/UK

Your personal data are stored and processed exclusively within:

  • The European Union (EU)
  • The United Kingdom (UK)

Personal data are not transferred outside the EU/UK unless you explicitly request online therapy services involving platforms with servers outside the EU/UK. In such cases, you will be informed in advance and your explicit consent will be requested.

8. Changes to this Privacy Policy

This Privacy Policy may be updated periodically to reflect:

  • Regulatory changes (GDPR, UK GDPR, ePrivacy)
  • Changes in services offered
  • New website features
  • User feedback

Last updated: 15 January 2026
Any substantial changes will be communicated via a notice on the website.
Please check this page regularly to stay informed.

8bis. Cookies and Similar Technologies

This website uses only technical cookies strictly necessary for the proper functioning of the site.

8bis.1 Technical cookies used

1. Session cookie (PHPSESSID)
  • Purpose: Maintain your active session while navigating between different pages
  • Duration: Automatically deleted when you close your browser
  • Necessity: Strictly necessary for site functionality
  • Provider: Serverplan (hosting)
2. Language cookies (wpml_browser_redirect, _icl_current_language)
  • Purpose: Remember your language choice (Italian or English) so you don’t have to select it on every visit
  • Duration: 1 year
  • Necessity: Essential functionality for multilingual website (WPML)
  • Provider: WPML (WordPress plugin)
3. Administrative cookies (wp-settings-*, wordpress_logged_in_*)
  • Purpose: Used only when site administrators access the WordPress control panel
  • Duration: Variable (session or persistent)
  • Necessity: Backend management only
  • Provider: WordPress

8bis.2 Consent

These cookies are strictly necessary for the website to function and do not require your consent under Art. 122 of the Italian Privacy Code (Legislative Decree 196/2003 as amended) and GDPR/UK GDPR.

As provided by the Italian Data Protection Authority Cookie Guidelines (10 June 2021) and the ICO (UK), technical cookies are exempt from the consent requirement.

8bis.3 Profiling and marketing cookies

This site does NOT use:

  • Profiling cookies
  • Marketing or advertising cookies
  • Behavioral tracking cookies
  • Third-party analytics cookies (including Google Analytics)
  • Remarketing or retargeting cookies
  • Web beacons, pixel tags, or similar tracking technologies

8bis.4 How to manage cookies

You can block or delete cookies through your browser settings. However, please note that blocking technical cookies may prevent you from using all website features correctly (e.g., language selection, contact form).

Instructions for common browsers:
  • Chrome: chrome://settings/cookies
  • Firefox: about:preferences#privacy
  • Safari: Preferences → Privacy → Manage Website Data
  • Edge: edge://settings/privacy

8bis.5 Cookieless analytics

For web traffic analysis, we use Koko Analytics in cookieless mode (see section 1.1bis). This tool does not install any cookies and does not require consent.

9. Applicable jurisdiction

This Privacy Policy is governed by:

  • UK GDPR (for services provided in the UK)
  • EU GDPR 2016/679 (for services provided in Italy/EU)
  • Italian Psychologists’ Code of Ethics
  • HCPC Standards of Conduct, Performance and Ethics (where applicable)

In the event of disputes relating to personal data processing, jurisdiction shall lie with the Courts of London for UK services or the Courts of Rome for Italy/EU services.