Glenn Harrison Privacy Policy
APP-compliant · Murwillumbah Last updated 2026

Privacy Policy

Effective: 1 January 2026
Last reviewed: 7 May 2026
Compliance: Privacy Act 1988 (Cth) · APPs
Reading time: ~8 minutes

This is the privacy policy for Glenn Harrison — a sole-trader therapy practice and web services business based in Murwillumbah, NSW. It explains what information I collect about you, why I collect it, how I keep it safe, and the rights you have over it.

It is written to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles, with particular care for health information — which is treated as sensitive information under Australian law.

i. Who we are

Glenn Harrison trades as Glenn Harrison — Therapy Practice and Web Services, a sole-trader business operating from Murwillumbah, New South Wales, Australia (ABN 30 161 705 578). In this policy, "I", "we", "us", and "our" refer to Glenn Harrison; "you" and "your" refer to the person using this website, booking a session, completing an intake form, or engaging me for web services.

You can reach me by phone on +61 415 655 108 or by email at glenn@glenn-harrison.com.

ii. Scope of this policy

This policy applies to:

  • Visitors to glenn-harrison.com and any subpages
  • People who contact me by phone, email, text, or contact form
  • Therapy clients and prospective therapy clients (massage, hypnotherapy, counselling)
  • Web services clients (practitioners I build websites for)
  • Anyone who completes an intake form, books a session, or signs up for correspondence

It does not cover websites I link to or third-party services you use directly. Those services have their own privacy policies, which I encourage you to read.

iii. Information we collect

General personal information

This includes your name, email address, phone number, postal or street address (if you supply one), the suburb or city you're in, and any details you give me when you contact me or book a session.

Health and sensitive information

If you become a therapy client or complete a clinical intake form, I collect information about your physical and mental health — including your presenting issue, relevant medical history, current medications, contraindications for treatment, and emergency contact details. Under Australian law, this is "sensitive information" and gets a higher level of protection than general personal data.

Sensitive information: I only collect health information that is reasonably necessary for delivering the therapy I'm trained in. I do not ask for information I don't need. I never share it with third parties for marketing or any non-clinical purpose.

Technical information

When you visit the site, your browser sends standard technical information — your approximate location (city level), the type of browser and device you're using, and the pages you visit. This is collected by the hosting provider for security and basic analytics, not for advertising or tracking.

Recordings (if applicable)

I sometimes record hypnotherapy sessions for clinical notes or supervision purposes. Recordings only happen with your specific written consent at the time of the session — never automatically. You can withdraw consent at any time and ask for any existing recording to be deleted.

iv. How we collect it

I collect information directly from you when you:

  • Fill in the contact form on this site
  • Book a session through Cal.com or Calendly
  • Complete the clinical intake form before your first session
  • Email, call, or text me
  • Engage me for web services and supply business or personal information for the project
  • Provide consent for session recording

I do not buy, scrape, or otherwise acquire information about you from other sources. If a referral comes through a colleague, I only retain what you choose to give me when we make contact directly.

v. Why we collect it

I only collect information for purposes that are reasonably connected to providing therapy services or web services. In practice, this means:

  • To respond to your enquiries
  • To schedule and confirm appointments
  • To assess suitability for treatment, plan sessions, and provide safe care
  • To meet my obligations as a practitioner under my professional association's code of ethics
  • To issue invoices and keep accounting records as required by Australian tax law
  • To send transactional communications (booking confirmations, reminders, intake forms)
  • To send you marketing communications, but only if you have specifically opted in

I do not use your information for purposes outside these unless I get your consent first, or unless I am legally required to.

vii. Storage and security

I take the security of your information seriously and apply reasonable steps to protect it from misuse, loss, and unauthorised access.

Specifically:

  • The website is served over HTTPS (encrypted connection) at all times
  • Intake form submissions are transmitted over an encrypted connection and stored either as encrypted email or in a secured database (Supabase, located in the Asia-Pacific region) with row-level access controls so only I can see them
  • Files at rest are encrypted by the hosting and database providers
  • Access is limited to me as the sole practitioner; no staff, contractors, or assistants have access to client health records
  • Paper records (where unavoidable) are kept in a locked location
  • Backups of the database are taken daily and retained for 30 days

I retain client records for the period required under Australian law and my professional association's record-keeping obligations — generally seven years from the date of last contact, or longer if a client was a minor at the time of treatment. After that, records are securely destroyed.

viii. Who we share with

I do not sell your information. I do not share it with marketers or data brokers. Ever.

I do use a small number of trusted third-party service providers to operate the practice. These are:

  • Netlify — for website hosting and intake form submissions
  • Google Analytics 4 (Google LLC) — for anonymised analytics on website use, only if you have accepted the cookie prompt; no advertising network, no ad personalisation, IP anonymisation enabled, no phone numbers or email addresses ever sent
  • Cal.com — for online appointment booking
  • Microsoft 365 — for my business email at glenn@glenn-harrison.com
  • Google Workspace — for calendar synchronisation
  • My professional supervisor — only with your specific written consent, and only to discuss your care
  • My accountant — for invoicing and tax compliance, sharing only what is necessary (typically your name and the amount of the transaction)

For my web services work (where I build websites for other practitioners), I additionally use AI-assisted development tools including Anthropic's Claude (claude.ai, Claude Code, and related products). These tools support code authoring, debugging, and content drafting. They are not used to process therapy clients' health information, intake submissions, or any clinical data — only the source code and content of websites, and only with the consent of the practitioner I'm building for.

I will also disclose information if required by law — for example, in response to a subpoena, court order, or where there is a serious and imminent threat to safety.

ix. Overseas disclosure

Some of the third-party services listed above are based outside Australia or store data on servers outside Australia. Specifically:

  • Netlify is operated by Netlify, Inc., based in the United States
  • Google Analytics is operated by Google LLC; analytics events are processed on Google infrastructure that may be located in the United States or other Google regional data centres
  • Cal.com is operated from the United States, with data stored in the United States or European Union
  • Microsoft 365 is operated by Microsoft Corporation, which stores data globally with regional preferences
  • Google Workspace is operated by Google LLC, which stores data globally
  • Anthropic (Claude AI tools) is based in the United States; conversations may be processed on US servers

By using this website or providing me with information through these services, you acknowledge that some of your information may be stored or processed overseas. Each provider is contractually committed to data protection obligations equivalent to those required under Australian law.

x. Direct marketing

If you choose to subscribe to a newsletter or other marketing list, I will only send you the kind of communications you've opted in to. Every marketing email includes a working unsubscribe link, processed within five business days of your request, in line with the Spam Act 2003 (Cth).

Booking confirmations, intake form delivery, and other transactional emails are not marketing — they're the messages you need in order to receive the service you've asked for. These continue to be sent for as long as you're an active client.

xi. Cookies

This website uses Google Analytics 4 for anonymised analytics — and only if you accept the cookie prompt that appears on your first visit. There is no Facebook Pixel, no advertising network, no ad personalisation, no third-party advertising script of any kind.

If you accept, GA4 collects:

  • Anonymised page views and the order in which pages are visited
  • Approximate location at country and city level (IP anonymisation is enabled)
  • Counts of specific intent actions — phone-link clicks, email-link clicks, "Book a session" clicks, opening the menu — without recording the actual phone number or email address; only the location of the link on the page and, for booking, which service was clicked

If you decline, no analytics cookies are set and no per-visit data is collected. Google's Consent Mode v2 is configured so that even cookieless modelled signals are not used until you opt in. You can change your mind by clearing this site's cookies and reloading; the prompt will reappear.

Beyond GA4, some essential cookies may be set by services you actively use — for example, the booking platform may use a cookie to keep you logged in during a booking flow. These are functional, not advertising.

xii. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information I hold about you
  • Correct information that is inaccurate, out of date, or incomplete
  • Withdraw consent for the processing of your information, where processing is based on consent (note: this may end my ability to provide therapy services to you)
  • Request deletion of your information, subject to my legal record-keeping obligations as a practitioner
  • Lodge a complaint if you believe your privacy has been mishandled

To exercise any of these rights, contact me directly. I will respond within 30 days. There is no charge for reasonable access requests.

xiii. Data breach response

Australia has the Notifiable Data Breaches scheme — a legal obligation to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of any data breach likely to result in serious harm.

If a breach occurs, I will:

  • Contain the breach as quickly as possible
  • Assess whether it is likely to cause serious harm
  • If yes, notify you and the OAIC without unreasonable delay, with details of what happened and what you can do to protect yourself
  • Take steps to prevent recurrence

xiv. Complaints

If you believe your privacy has been mishandled, please contact me first. I will treat the complaint seriously and respond within 30 days.

If you are not satisfied with my response, you can lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au, or by phone on 1300 363 992.

xv. Updates to this policy

I may update this policy from time to time — for example, if I add a new third-party service, change my data handling practices, or in response to changes in the law. The "Last reviewed" date at the top of this page will always show the current version.

If a change is significant — particularly anything affecting how I handle your sensitive information — I will let active clients know directly by email.

xvi. Contact

For any privacy-related question or request, the best path is to email me directly. I am the sole privacy officer for the practice.

Email

glenn@glenn-harrison.com

Best for privacy requests.

Phone

+61 415 655 108

Tuesday – Saturday, 9am – 6pm AEST.