Privacy Policy
1. INTRODUCTION
Herbal Therapy Sheffield is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, the lawful bases we rely on, who we may share it with, how long we keep it, and your rights under UK data protection law.
For the purposes of data protection law, Herbal Therapy Sheffield is the data controller responsible for your personal data.
2. TYPES OF INFORMATION COLLECTED BY HERBAL THERAPY SHEFFIELD
We collect and process personal data through our website, booking tools, online shop, newsletter sign-up forms and related digital services.
a) Personal Data
Personal data means information that identifies you, or could reasonably be used to identify you. This may include your name, postal address, email address, telephone number, appointment details, order details and payment-related information.
We collect this information directly from you when you contact us, complete a form, make a booking, subscribe to our newsletter or place an order. We use this information to respond to your enquiries, provide requested services, manage appointments, process orders and maintain our customer records.
If you choose to include health-related information in a contact form or enquiry, we will only process that information where necessary to respond to your enquiry, provide requested services, or otherwise in accordance with applicable data protection law.
If you subscribe to our newsletter, we may use your contact details to send you updates, news and marketing communications. You can unsubscribe at any time by using the unsubscribe link in any email or by contacting us at sarahoakleywallis@gmail.com.
Where consent is required for electronic marketing, we will rely on your consent. In other cases, we will only send marketing communications where permitted by applicable law, including the Privacy and Electronic Communications Regulations (PECR).
b) Digital Information
Digital information includes technical and usage data collected when you visit our website, such as your IP address, browser type, device information, pages viewed, referral source, website interactions, cookie preferences and approximate location information derived from your IP address.
If you subscribe to our newsletter, we may also collect information about whether emails are opened and links are clicked.
Our website is hosted on Squarespace, which provides website functionality including forms, analytics, commerce tools and cookie banner features. We also use Google Search Console to review aggregated information about how our website performs in Google Search.
c) Non-Personal Data
We may also use aggregated or anonymised information that does not identify you in order to understand website usage, improve our services and support business administration.
d) Health Information and Patient Notes
As part of providing our services, we may collect and keep personal information about you, including information relating to your health, wellbeing, symptoms, medical history, lifestyle and treatment needs. This information may include handwritten patient notes made during or after consultations and appointments.
We collect and use this information to assess your needs, provide services safely and appropriately, maintain accurate treatment records, communicate with you about your care, manage bookings and follow-up, and comply with our legal, professional, insurance and safeguarding obligations where applicable.
Because health information is a special category of personal data, we only process it where permitted under UK data protection law. In most cases, processing will be necessary for the provision of health or therapeutic care and treatment, together with an applicable condition under Article 9 UK GDPR and Schedule 1 of the Data Protection Act 2018. Depending on the circumstances, we may also process health information to comply with legal obligations, protect vital interests, establish, exercise or defend legal claims, safeguard individuals, or where you have provided explicit consent when required.
We keep handwritten patient notes securely for seven years from the date of your last appointment. Where appropriate, handwritten notes are recorded using initials and patient numbers rather than full names to reduce direct identification from the notes alone.
Access to these records is restricted to authorised persons only. At the end of the applicable retention period, your records will be securely destroyed unless we are required or permitted to retain them for longer for legal, regulatory, insurance, safeguarding, complaint handling or professional record-keeping purposes.
We take appropriate steps to protect patient information and keep it confidential. However, we may disclose information where required or permitted by law, where necessary for safeguarding, where needed for insurance or legal purposes, or where you have given your consent.
3. PURPOSES FOR WHICH WE HOLD YOUR DATA
a) Non-Personal Data
We use aggregated or anonymised information to understand how our website and services are used, improve content and functionality, and support internal reporting and administration.
b) Personal Data
We use personal data to respond to enquiries, provide appointments and other requested services, manage bookings, process orders and payments, maintain appropriate business and client records, and communicate with you about our services.
Depending on the circumstances, we rely on one or more lawful bases under UK data protection law, including:
• taking steps at your request before entering into a contract;
• performing a contract with you;
• complying with legal obligations;
• pursuing our legitimate interests in running and improving our business; and
• your consent where this is required.
c) Digital Information
We use digital information to operate, maintain and secure our website, manage cookie preferences, analyse website performance and engagement, improve our services, administer newsletter communications, manage bookings through Acuity Scheduling, process purchases through Squarespace commerce features and connected payment providers, and monitor website visibility through Google Search Console.
Depending on the circumstances, this processing is carried out on the basis of our legitimate interests, your consent, contractual necessity, or legal obligations.
4. STORAGE OF INFORMATION
Information provided by you may be stored either manually or electronically.
Where information is stored manually, it will be kept in a locked and secure location.
Electronic information may be stored on secure third-party platforms that we use to operate our website and services, including Squarespace and integrated tools such as Acuity Scheduling, newsletter services and payment processors.
Although we take reasonable steps to protect personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we implement appropriate technical and organisational measures designed to protect personal data.
5. SECURITY
We take appropriate measures to ensure that personal data is kept secure, including measures designed to prevent personal data from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way.
Where payments are made through our website, payment information may be processed by Squarespace commerce features and/or connected third-party payment providers. We do not store full payment card details unless this is strictly necessary for a transaction we are handling and permitted by law.
6. RETENTION
We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including responding to enquiries, managing bookings, fulfilling orders, complying with legal, tax, accounting and record-keeping obligations, resolving disputes and enforcing our rights.
As a general guideline, personal data collected through website contact enquiries is retained for up to three years unless a longer retention period is required or justified by the nature of the relationship or by law.
Clinical records and patient notes are retained separately in accordance with the Health Information and Patient Notes section of this Privacy Policy.
7. THIRD-PARTY PLATFORMS AND PROCESSORS
We use third-party service providers to support our website and business operations.
These include:
• Squarespace for website hosting and operation, forms, analytics, cookie banner functionality and online shop features;
• Acuity Scheduling for appointment booking and management;
• newsletter service providers where applicable; and
• payment providers used in connection with online orders.
We also use Google Search Console to review aggregated search performance information.
These providers may process personal data on our behalf as processors, or in some circumstances as independent controllers, in accordance with their own privacy information and applicable data protection law.
International Transfers
Some of our service providers may process personal data outside the United Kingdom.
Where personal data is transferred internationally, we will ensure that appropriate safeguards are in place in accordance with UK data protection law. These safeguards may include adequacy regulations, the UK International Data Transfer Agreement (IDTA), or other lawful transfer mechanisms recognised under UK data protection legislation.
Clinics held at the Nether Edge Herbarium
I offer some clinics at the Nether Edge Herbarium. For these clinics, your name and contact information will be shared with the online appointment software and the herbariums dispensary management software. For more information please see https://traditionalherbalist.com/privacy-policy
Under UK data protection law, you have a number of rights in relation to your personal data, subject to certain conditions and exemptions.
You have:
• the right to be informed about how your personal data is used;
• the right of access to your personal data;
• the right to rectification of inaccurate personal data;
• the right to erasure in certain circumstances;
• the right to restrict processing in certain circumstances;
• the right to object to processing, including the right to object to direct marketing at any time;
• the right to data portability in certain circumstances; and
• where we rely on consent, the right to withdraw your consent at any time.
Withdrawal of consent will not affect the lawfulness of processing carried out before consent was withdrawn.
To exercise any of these rights, please contact us at sarahoakleywallis@gmail.com. We may need to verify your identity before responding to your request.
9. UK GDPR RIGHTS AND COMPLAINTS
You are entitled to exercise your UK GDPR rights free of charge in most cases. We will respond without undue delay and, in any event, within one month of receiving your request unless an extension or exception applies under data protection law.
If you are unhappy with how we use your personal data, please contact us first and we will do our best to resolve your concern.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection matters.
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk
10. CHILDREN'S PRIVACY
Our website and online services are not intended for children under the age of 13. We do not knowingly collect personal data from children through our website without appropriate parental or guardian involvement.
If you believe that a child has provided us with personal information without appropriate consent, please contact us so that we can take appropriate action.
11. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in legal requirements, business practices or the services we provide.
Any updates will be published on our website and will take effect from the date of publication.