Mindfully Holistic is committed to ensuring that your privacy is protected. Should you provide certain information by which you can be identified, it will only be used in accordance with this privacy statement.

This privacy notice sets out how Mindfully Holistic collects, processes and protects any personal data that you provide via this website, by telephone, SMS text, email/electronic mail or clinic form. This is in accordance with the General Data Protection Regulation (GDPR) May 2018.

Data controller: Judith Crook

Contact details: judith@mindfullyholistic.co.uk

Mobile: 07763 185413

What We Do

Mindfully Holistic provides holistic wellbeing therapies including, but not limited to, clinical reflexology, aromatherapy and therapeutic massage to clients who wish to improve their physical, mental and emotional health. We focus on preventative supportive healthcare management. We provide these services within the scope of our practice and qualification. We do not treat, diagnose or cure medical conditions and do not give advice on prescribed medication. Our approach is holistic to health and wellbeing and can be applied alongside conventional treatment methods/care.

What Data We Collect - Personal data provided by you

Personal data means any information that can directly or indirectly identify and individual. It does not include anonymised data.

We may collect the following personal data from you:

• Identity data such as your full name, maiden name, marital status, title, date of birth and gender
• Contact details such as your postal address, email address, telephone numbers, and contact details of your next of kin
• Details or contact we have had with you such as referrals and appointments
• GP's name, address and contact information
• Treatment details and related notes
• Feedback regarding our services

We collect and process this data in accordance with the "legitimate interest" condition. This means that the lawful basis of our holding your personal data is for legitimate interest.

Special Category Data/Sensitive Data

Special category data is personal data which according to the GDPR is considered more sensitive and therefore needs more protection.

Such data includes details about your race or ethnic origin, religious views and beliefs, sex life or sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.

We collect the following sensitive data about you:

• health information provided by you including your previous and present medical history covering your physical and mental health, and details of diagnosed conditions
• dietary and lifestyle habits and supplementation details
• details on your past and present medication
• clinic notes and health improvement programmes

We use this information to provide you with healthcare support. Even though, we may seek you explicit consent for processing, our primary condition for processing is "preventative healthcare and health management", and the lawful basis of our holding your personal data is for legitimate interest.

On occasions, we may also obtain sensitive data from other healthcare providers or individuals authorised by you to give out such information. The provision of this information is subject to you giving us your express consent. If we do not receive this consent from you, we will not be able to coordinate your healthcare with these providers.

We also understand that collecting, processing and holding your special category data requires us to comply with the "common law of confidentiality", independently of the GDPR regulations.

How we collect your personal data

We may collect your personal data in the following ways:

• by completing a health, medical and lifestyle questionnaire
• during a personal on-on-one consultation
• by completing surveys

Our purpose of collecting your data through the above ways is to provide you with supportive healthcare, and the legal basis of our holding your personal data is for legitimate interest.

Email: We use Gmail by Google, which is based outside the UK. They have committed to complying with all applicable privacy laws, and details of their commitment can be found here: https://policies.google.com/privacy

Website: Our website is provided through PhD Interactive and Webhealer Solution. They do not hold any personal data on our behalf, and while any emails received via our website are done so via the Webhealer mail system for privacy reasons they are not accessible to staff at Webhealer and are not stored on any of their systems. The full privacy statement from PhD Interactive can be found here: https://www.phdinteractive.co.uk/privacy/

How long do we hold your data

Following completion of your wellbeing treatments, we will hold records of your personal data for at least 7 years following the last occasion on which treatment was given. In the case of treatment to minors, we will keep the records at least 7 years after they reach the age of majority (18).

This is in accordance with our professional association's and insurance company's policy, and it enables us to process any complaint you may make. In this case the lawful basis of our holding your personal data is for legitimate interest.

You have the right to object and the right to request your data to be erased. However, such requests will be declined under provisions of the GDPR which gives us the overriding right to hold your data in order to comply with legal obligations.

How we use your personal data

We act as a data controller for use of your personal data to provide supportive healthcare. We also act as a controller and processor in regards to the processing of your data from third parties such as other healthcare providers.

We undertake at all time to protect your personal data, including any health, medical, identity and contact details, in a manner which is consistent with our duty of professional confidence and the requirements of the General Data Protection Regulation (GDPR) concerning data protection. We will also take reasonable security measures to protect your personal data storage.

We may use your personal data where there is an overriding public interest in using the information e.g. in order to safeguard and individual, or to prevent serious crime. We will do this in accordance of the "vital interest" condition. We will also be obliged to share your data when there is a legal requirement such as a formal court order. This will be on the basis of "legal obligation". We may sue your data for marketing purposed such as newsletters, but this would be subject to you giving us your express consent.

Disclosure of your personal data

We will keep information about you strictly confidential and will not disclose your data with other third parties without your express consent.

Exceptions to this apply for the following categories of third parties.

• Our professional association we are a member of and our insurance company for the processing of a complaint made by you
• Your GP, healthcare providers, police, social services in the case when we believe your life is in danger on the lawful basis of vital interest
• Anyone to whom we may transfer our rights and duties under any agreement we have with you
• Any legal or crime prevention agencies and/or to satisfy any regulatory request if we have a duty to do so or if the law allows us to do so

On occasions, we may share a brief summary of your health problems in an anonymised form for the purpose to seek professional health opinion in order to provide you with better healthcare, or for the purpose of professional development. This may be at clinical supervision meetings, conferences, private and professional health forums. In such cases your personal data and identity will not be disclosed and will remain fully confidential. We will seek your explicit consent before processing your data in this way.

Your legal rights

Every individual has the right to see , amend, delete or have a copy of the data held that can identify you, with some exceptions. You do not need to give a reason to see your data.

The GDPR defines the following rights in relation to your personal data:

• The right to be informed: To know how your information will be held and used (this notice)
• The right of access: To see your therapist's records of your personal information, so you know what is held about your and can verify it.
• The right to rectification: To tell your therapist to make changes to your personal information it it is incorrect or incomplete.
• The right to erasure (also called "the right to be forgotten"): For you to request your therapist to erase any information they hold about you
• The right to restrict processing of personal data: You have the right to request limits on how your therapist uses your personal information
• The right to data portability : Under certain circumstances you can request a copy of personal information held electronically so you can reuse it in other systems
• The right to object: To be able to tell your therapist you don't want them to use certain parts of your information, or only to use it for certain purposes
• Rights in relation to automated decision-making and profiling
• The right to lodge a complaint with Information Commissioner's Office: To be able to complain toe the ICO if you feel your details are not correct, if they are not being used in a way that you have given permission for, or if they are being stored when they don't have to be.

Full details of your rights can be found at: https://ico.org.uk/for-organisations/guide/guide-to-the-gneral-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of these rights, please use the contact details given above.

If you are dissatisfied with the response you can complain to the Information Commissioner's Office; their contact details are at: www.ico.org.uk

Our Rights

Please note:

• If you don't agree to your therapist keeping records of information about you and your treatments, or if you don't allow them to use the information in the way they need to for treatments, the therapist may not be able to treat you.
• Your therapist must keep your records of treatment for a certain period, as described above, which may mean that even if you ask them to erase any details bout you, they might have to keep these details until that period has passed
• Your therapist can move their records between their computers and IT systems, as long as your details are protected from being seen by others without your permission.

Data Protection and Security

We only use information that may identify you in accordance with the GDPR. This requires us to process personal data only if there is a lawful basis for doing so and that any processing must be fair and lawful.

As a "health or health-related professional" within the health sector, we are also obliged to follow the "common law of confidentiality", which means that where identifiable information about you has been given on confidence, it should be treated as confidential and only shared for the purpose of providing supportive healthcare. We will ensure that your information is protected and is only used in a way which complies with the law and our privacy policy.

We have put in place appropriate security measures to prevent your personal data form being accessed, changed or sued in an unauthorised way. We keep a paper copy of your personal data, including sensitive data in a secure filing system accessible only by us. We may also keep a copy of such data electronically on a laptop with encryption (which masks data so that unauthorised users cannot see or make sense of it). We use email providers who use encryption to secure cyber transit of your personal data and we take responsibility for the protection of your data upon receipt.

However, we do not take responsibility for the security measures you are taking when you provide your data to us electronically.

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Cookies

Cookies are small pieces of data stored in encrypted test files and located in browser directories. Their purpose is to make the website easier to use, help analyse web traffic or remember your preferences wither for single visit (through session cookies) or for repeated visits (through persistent cookies).

If you are not happy with this, you can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please not that some parts of this website may become inaccessible or not function properly.