Home About Services Fees Book a consultation Qualifications Research Writing Teaching and Supervision Clinicians Media Contact Dr Michael Yates
Legal

Privacy policy

How your information is used on this website

Last updated 11 June 2026

This privacy policy applies to drmichaelyates.co.uk. It explains how information you provide through this website is collected, used and stored. It does not cover the separate privacy arrangements that apply once you become a clinical patient. Clinical engagements are managed in a dedicated clinical practice management system (Jane Practice Management) and are governed by a separate privacy notice provided to you at the start of clinical engagement.

Who is responsible for your data

Michael Yates Psychology Limited (Company No. 16755269, registered in England and Wales, registered office 71-75 Shelton Street, Covent Garden, London WC2H 9JQ) is the data controller for information collected through this website. For data-protection queries, please use the contact form on this website.

Michael Yates Psychology Limited is registered with the Information Commissioner's Office (ICO) as a data controller. Registration number: 00014402605.

What information this website collects

This website collects only the information you actively provide through one of its two forms, plus standard technical data about your visit.

Through the contact form: your name, email address, the reason for contact you select from a dropdown (general category only, such as personal enquiry, clinical referral, supervision, media), and the content of the message you write.

Through the booking form: your name, email address, phone number (optional), who the request is for, days and times that suit you, an optional free-text note, and an optional service area you are interested in. The service area field includes a “Prefer not to say in writing” option so that you can avoid disclosing specific clinical detail in writing if you would rather discuss it in conversation.

Technical data: your IP address, browser type, device type, and pages visited. This is standard for any website and is used to understand how visitors find and use the site. Where analytics is enabled it operates only after you have given consent through the cookie banner.

Cookies and similar storage: only strictly necessary cookies are set before consent. Analytics and any other non-essential storage are loaded only after you click Accept on the cookie banner. You can change your choice at any time by clicking the link in the footer.

Lawful bases for processing

For your name, email address, phone number, message content, reason for contact, days and times of availability, and technical data: the lawful basis is legitimate interests (Article 6(1)(f) UK GDPR) — responding to your enquiry, arranging any consultation you request, and operating the website.

For the optional service area on the booking form: if you choose to disclose a specific clinical area of interest, this constitutes special-category data under Article 9 UK GDPR (information relating to health or sexual orientation). The lawful basis in that case is explicit consent (Article 9(2)(a) UK GDPR) — your active choice to share that information with us so that we can arrange the right kind of consultation. You may avoid this by selecting “Prefer not to say in writing” instead, in which case no special-category data is processed via this website. You can withdraw your consent at any time by contacting us through the form.

How your information is used

Your information is used solely to respond to your enquiry, arrange any consultation you request, and where applicable manage the resulting booking. It is not used for marketing, not shared with any third party except the data processors named below, and is not added to any mailing list.

Analytics data is used in aggregate to understand how the site is performing and how to improve it. It is not used to identify individual visitors.

Who processes your information

Three data processors are involved in handling information submitted through this website.

Netlify, Inc. hosts the website and processes form submissions. Submissions are stored briefly in Netlify's systems and then emailed to the practice inbox. Netlify's privacy practices are documented at netlify.com/privacy.

Proton AG (Proton Mail) holds the email inbox to which form submissions are delivered. Proton is a Swiss company providing end-to-end encrypted email. Their privacy practices are documented at proton.me/legal/privacy.

Google LLC provides Google Analytics 4, which collects aggregate visitor analytics only after consent. Their practices are documented at policies.google.com/privacy.

If you proceed to engage clinically following an enquiry, your clinical record is held separately in the clinical practice management system (Jane Practice Management) under a distinct privacy notice provided to you at the start of clinical engagement. The Jane system and its data protection arrangements are separate from this website and are not described further here.

How long your information is kept

Form submissions are deleted from Netlify after thirty days. The corresponding email in the practice inbox is kept only for as long as is needed to respond to your enquiry and for a reasonable record-keeping period after that, then deleted.

Analytics data is retained for fourteen months, in line with the default Google Analytics 4 setting.

If you become a clinical patient, separate retention rules apply under the clinical practice management system, including a typical seven-year clinical record retention period required by professional indemnity insurance and clinical governance standards. This is covered separately at the start of clinical engagement.

Your rights under UK GDPR

You have the right to: access the personal data held about you; correct inaccurate data; request deletion of your data; restrict how your data is used; object to processing; receive your data in a portable format; and withdraw consent at any time (where consent is the lawful basis).

To exercise any of these rights, please use the contact form on this website. Responses are typically within thirty days.

If you are not satisfied with how a complaint has been handled, you have the right to escalate to the Information Commissioner's Office: ico.org.uk/make-a-complaint or call 0303 123 1113.

International transfers

Two of the processors named above (Netlify and Google) are based in the United States. Where personal data is transferred outside the UK, that transfer is covered by appropriate safeguards under UK GDPR (in particular, the UK’s adequacy framework with the US under the UK Extension to the EU-US Data Privacy Framework, and standard contractual clauses where applicable). Proton AG is based in Switzerland, which is recognised by the UK as providing an adequate level of data protection.

Children

This website is not aimed at and does not knowingly collect information from anyone under the age of eighteen. Clinical services are for adults only.

Updates to this policy

This policy may be updated from time to time. The “last updated” date at the top of the page will reflect any changes. Material changes affecting how your data is used will be highlighted.

Make an enquiry · Cookies policy