Privacy Policy

Privacy at Within Hypnotherapy

Within Hypnotherapy ("we", "our", "us") is committed to protecting your privacy and handling your personal information with care, transparency, and respect.

This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and what rights you have. It applies to our website within-hypnotherapy.com and to any hypnotherapy services, consultations, or digital products we provide.

We comply with the South African Protection of Personal Information Act, 2013 ("POPIA") and, where applicable to clients based in the United Kingdom or European Union, with the UK General Data Protection Regulation ("UK GDPR") and the EU General Data Protection Regulation ("EU GDPR").

​

1. Who We Are

Responsible Party / Data Controller: Within Hypnotherapy

Practitioner: Angie Todd, Certified Clinical Hypnotherapist (C.C.H.)

Location: Sandton, Johannesburg, South Africa, 2191

Information Officer: Angie Todd

Contact for data protection queries: help@within-hypnotherapy.com |  +27 84 582 7831

​

2. Information We Collect

We only collect information that is necessary for the purposes described in this policy.

​

2.1 Information You Provide Directly

​

• Identity and contact details: name, surname, email address, phone number, country of residence.

• Booking information: preferred session times, the reason you are seeking hypnotherapy, and any information you choose to share in enquiry forms.

• Health and wellbeing information: information you disclose before or during a session, including medical history, mental health background, current medication, and any conditions relevant to your suitability for hypnotherapy. Under POPIA, this is treated as "special personal information" and is handled with the highest level of care.

• Session notes: confidential notes we make during or after a session for the purpose of continuity of care.

• Payment information: we do not store card details. Payments are processed by a secure third-party payment provider. We retain proof of payment (date, amount, reference) for accounting purposes.

• Testimonials and feedback: only where you have expressly chosen to share these.

2.2 Information Collected Automatically

​

• Website usage data: IP address, browser type and version, device type, pages visited, time spent on pages, and referring URLs.

• Cookies and similar technologies: see section 9.

2.3 Information from Third Parties

If you contact us through social media (Instagram, Facebook, LinkedIn), we may receive basic profile information from those platforms in accordance with their privacy settings.

​

3. Why We Collect Your Information and Lawful Basis

We process your personal information only where we have a lawful basis to do so. The lawful basis depends on the type of information and the purpose:

​

4. How We Use Your Information

We use your information to:

​

• Book, manage, and deliver hypnotherapy sessions.

• Communicate with you about your bookings, including confirmations, reminders, and rescheduling.

• Assess your suitability for hypnotherapy and provide appropriate care.

• Maintain confidential session notes for continuity of care.

• Process payments and maintain accounting records.

• Respond to your enquiries.

• Send you marketing communications or newsletters, but only where you have opted in;

• Improve our website and services.

• Comply with our legal and regulatory obligations.

5. How We Protect Your Information

We take the security of your information seriously and apply reasonable technical and organisational measures, including:

• Secure, password-protected storage of digital records.

• Encrypted email for confidential communications where practical.

• Sessions conducted on reputable video platforms with end-to-end or transport-layer encryption.

• Restricted access: only the practitioner has access to client records.

• Regular review of data-handling practices.

• Secure disposal of records at the end of the retention period.

Despite our efforts, no method of transmission or storage is 100% secure. In the unlikely event of a personal information breach affecting your data, we will notify you and the relevant regulator (the South African Information Regulator, and where applicable, the UK Information Commissioner's Office) as soon as reasonably possible and in accordance with applicable law.

​

6. How Long We Keep Your Information

We retain your personal information only for as long as necessary for the purposes set out in this policy, or as required by law.

Type of information/Retention period

​

Client session notes and health information - 7 years from the date of your last session (in line with generally accepted clinical record-keeping standards) Booking and contact records - 7 years since the date of your last interaction

Payment and accounting records - 5 years (in line with South African tax law)

Marketing subscriber data - Until you unsubscribe, then deleted within 30 days

Website analytics data - As per our analytics provider's standard retention (typically up to 26 months)

Enquiry emails where no booking is made - 12 months, unless you ask us to delete sooner

At the end of the applicable retention period, records are securely deleted or anonymised.

​

7. Sharing Your Information

​

We do not sell, rent, or trade your personal information. We share it only in the limited circumstances below, and only to the minimum extent necessary.

​

7.1 Third-Party Service Providers (Operators)

We use reputable third-party providers to help us operate the practice. These providers act as "operators" under POPIA (and "processors" under UK/EU GDPR) and are contractually required to protect your information. They include:

​

• Wix.com Ltd - website hosting, contact forms, email subscribers.

• Video conferencing platforms (e.g. WhatsApp) - for the delivery of online sessions.

• Email providers - for sending and receiving correspondence.

• Payment processors - for handling payments securely. We do not receive or store your full card details.

• Accounting and bookkeeping services - for financial record-keeping.

7.2 Clinical Supervision

As part of ethical professional practice, we may discuss client work with a clinical supervisor. Any identifying information (name, contact details, specific life details) is removed or generalised so that you cannot be personally identified.

​

7.3 Legal and Regulatory Requirements

We may share your information where required by law, by court order, or to comply with a legitimate request from a regulator or law enforcement.

​

7.4 Safeguarding

If we have reasonable grounds to believe that you or another person is at risk of serious harm, we may share limited information with appropriate emergency services or medical professionals. This is consistent with our ethical obligations as clinical practitioners.

​

8. International Transfers of Information

Some of our service providers (for example WhatsApp) are based outside South Africa and may process your information in the United States, the European Economic Area, the United Kingdom, or other jurisdictions.

When we transfer your information outside South Africa, we ensure that adequate safeguards are in place, in line with Section 72 of POPIA and, where applicable, UK/EU GDPR requirements. This may include:

​

• Transfers to countries with an adequate level of data protection.

• Contracts with service providers incorporating appropriate safeguards (such as Standard Contractual Clauses); or

• Your explicit consent to the transfer.

9. Cookies and Similar Technologies

Our website uses cookies and similar technologies to improve functionality, remember your preferences, and analyse how visitors use the site.

​

The types of cookies we use may include:

​

• Strictly necessary cookies - required for the website to function (e.g. security, load balancing). These cannot be disabled.

• Functional cookies - remember your choices (e.g. language, region).

• Analytics cookies - help us understand how visitors use the site. We may use tools such as Google Analytics.

• Marketing cookies - only used where you have given consent.

You can control cookies through your browser settings, and you can withdraw cookie consent at any time via the cookie banner on our site. Please note that disabling certain cookies may affect how the website works for you.

​

10. Your Rights

You have meaningful rights over your personal information. Under POPIA (and, for UK/EU clients, under the UK/EU GDPR), you have the right to:

​

• Be informed about how we collect and use your information.

• Access the personal information we hold about you.

• Correct inaccurate or incomplete information.

• Request deletion of your information (subject to legal or ethical record-keeping obligations, such as clinical record retention).

• Object to the processing of your information in certain circumstances.

• Restrict processing of your information.

• Data portability receives your information in a structured, machine-readable format (UK/EU GDPR only)

• Withdraw consent at any time where processing is based on consent.

• Lodge a complaint with a data protection authority.

To exercise any of these rights, please email us at help@within-hypnotherapy.com. We will respond within 30 days.

​

11. Marketing Communications

We only send marketing emails to people who have explicitly opted in. Every marketing email includes an "unsubscribe" link, and you can unsubscribe at any time. Unsubscribing from marketing will not affect communications relating to your bookings or sessions.

​

12. Children's Privacy

Our services are intended for adults (18 years old). We do not knowingly collect personal information from children under 18. If a minor is a client, sessions are only offered with the written consent and continued involvement of a parent or legal guardian, in line with ethical clinical practice. If you believe we have collected information from a child without appropriate consent, please contact us and we will delete it.

​

13. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be posted on the Website with a revised "Last updated" date. For material changes, we will make reasonable efforts to notify you directly (for example, by email to active clients).

​

14. How to Contact Us or Lodge a Complaint

If you have any questions about this Privacy Policy, or if you would like to exercise any of your rights, please contact:

​

Within Hypnotherapy - Information Officer: Angie Todd

Email: help@within-hypnotherapy.com

Phone / WhatsApp: +27 84 582 7831

Address: Sandton, Johannesburg, South Africa, 2191

If you are not satisfied with how we have handled your information or a request, you have the right to lodge a complaint with the relevant regulator.

​

South Africa (POPIA)

The Information Regulator (South Africa)

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Email: complaints.IR@justice.gov.za

Website: https://inforegulator.org.za

​

United Kingdom (UK GDPR)

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: https://ico.org.uk

​

Online hypnotherapy sessions are available across South Africa and internationally. If you are ready for lasting change in a safe space, book your first session.