Privacy Policy
1. Who we are
This policy explains how CARLA LOVE ACUPUNCTURE & CHINESE HERBAL MEDICINE (“we”, “us”, “our”) collects and uses your personal data, including your health information, when you book, attend, or enquire about treatment, or use our website www.herbsandacupuncture.co.uk.
· Data controller: Carla Love
· Address: 172 Southworth Road, Rear of Progress House, Newton-le-Willows, WA12 0BS
· Professional body / registration: British Acupuncture Council, reg. no.960005
· Contact: info@herbsandacupuncture.co.uk / 07743670144
We are the “controller” of your personal data, meaning we decide how and why it is processed. We are bound by our professional body’s code of conduct and a duty of confidentiality.
2. The personal data we collect
Standard personal data:
· Identity and contact data — name, date of birth, email, phone, address.
· Appointment and payment records.
· Communications — enquiries, messages, feedback.
Health information (special category data):
· Your health history, symptoms, and presenting conditions.
· Medications, allergies, and relevant medical history.
· Lifestyle information relevant to treatment (e.g. sleep, diet, stress).
· Treatment notes and your response to treatment.
· GP or other practitioner details, where you provide them.
We treat all health information as confidential and apply extra protection to it (see Section 9).
3. How we collect your data
· Directly from you — on booking, in consultation/intake forms, and during treatment.
· From our website — when you submit an enquiry or booking form.
· From third parties — only where you have asked us to (e.g. a referral or your GP).
4. Our lawful bases
Under UK GDPR we need a lawful basis under Article 6, and because health data is special category, an additional condition under Article 9.
1. Who we are
This policy explains how CARLA LOVE ACUPUNCTURE & CHINESE HERBAL MEDICINE (“we”, “us”, “our”) collects and uses your personal data, including your health information, when you book, attend, or enquire about treatment, or use our website www.herbsandacupuncture.co.uk.
· Data controller: Carla Love
· Address: 172 Southworth Road, Rear of Progress House, Newton-le-Willows, WA12 0BS
· ICO registration number: [NUMBER] (practitioners handling health data are very unlikely to be exempt from registering — check at ico.org.uk)
· Professional body / registration: British Acupuncture Council, reg. no.960005
· Contact: info@herbsandacupuncture.co.uk / 07743670144
We are the “controller” of your personal data, meaning we decide how and why it is processed. We are bound by our professional body’s code of conduct and a duty of confidentiality.
2. The personal data we collect
Standard personal data:
· Identity and contact data — name, date of birth, email, phone, address.
· Appointment and payment records.
· Communications — enquiries, messages, feedback.
Health information (special category data):
· Your health history, symptoms, and presenting conditions.
· Medications, allergies, and relevant medical history.
· Lifestyle information relevant to treatment (e.g. sleep, diet, stress).
· Treatment notes and your response to treatment.
· GP or other practitioner details, where you provide them.
We treat all health information as confidential and apply extra protection to it (see Section 9).
3. How we collect your data
· Directly from you — on booking, in consultation/intake forms, and during treatment.
· From our website — when you submit an enquiry or booking form.
· From third parties — only where you have asked us to (e.g. a referral or your GP).
4. Our lawful bases
Under UK GDPR we need a lawful basis under Article 6, and because health data is special category, an additional condition under Article 9.
Purpose Article 6 basis Article 9 condition (health data)
Booking and providing your
treatment Performance of a contract Explicit consent — Art. 9(2)(a)
Keeping clinical records of
your care Legitimate interests / Legal obligation Explicit consent — Art. 9(2)(a)
Contacting you about
appointments Performance of a contract n/a
Marketing (newsletters,
offers) Consent n/a
Meeting legal, tax, and
insurance duties Legal obligation Explicit consent / as required
If relying on 9(2)(h) instead: replace “Explicit consent — Art. 9(2)(a)” with “Provision of health care/treatment — Art. 9(2)(h)” and confirm you meet its conditions (delivered by or under a health professional subject to a duty of confidentiality).
Your explicit consent: before we record your health information we will ask for your clear, specific consent. You can withdraw it at any time, though we may need to keep existing clinical records for the retention periods below.
5. Marketing
We only send marketing where you have consented. You can opt out at any time via the unsubscribe link or by contacting info@herbsandacupuncture.co.uk. We never use your health information for marketing.
6. Who we share your data with
We keep your health information confidential and share it only where necessary and lawful:
· With your explicit consent — e.g. with your GP or another practitioner.
· Service providers (processors) — our website host (Thrifty Web Design), booking/diary software, and email tool, under written contracts.
· Professional advisers / insurers — where strictly necessary, e.g. to defend a claim.
· Authorities — where required by law or to protect someone’s vital interests.
We do not sell your data.
7. International transfers
Some providers may process data outside the UK/EEA. Where so, we rely on appropriate safeguards (UK IDTA, the UK Addendum to the EU SCCs, or UK “adequacy”).
8. How long we keep your data
We keep clinical records as required by our professional body and our insurer.
· Adult clinical records: 6 years after your last treatment
· Records for children: until age 25
· Appointment/financial records: 6 years (HMRC).
· Marketing consent: until you withdraw it.
When no longer needed, records are securely destroyed.
9. How we protect your health information
We apply extra safeguards to special category data, including: confidential/locked storage, encryption of digital records, access limited to the practitioner, secure booking software, and our professional duty of confidentiality. No system is fully secure, but we take these duties seriously.
10. Data Protection Impact Assessment (DPIA)
Because we process health data, we have carried out a DPIA to assess and reduce privacy risks.
11. Your rights
You have the right to access, rectify, erase (subject to our duty to retain clinical records), restrict, object, and data portability, and to withdraw consent. To exercise any right, contact info@herbsandacupuncture.co.uk. We respond within one month.
12. Cookies
See our Cookie Policy at [LINK].
If your site uses analytics or other non-essential cookies, you must have a consent banner that blocks them until the visitor accepts — e.g. CookieYes.
13. Complaints
Contact us first at info@herbsandacupuncture.co.uk. You can also complain to the Information Commissioner’s Office (ICO) — ico.org.uk, 0303 123 1113.
See our separate Data Protection Complaints Procedure — required from 19 June 2026.
14. Changes to this policy
We may update this policy. The “last updated” date shows when. Material changes will be notified [e.g. by notice on our website].Booking and providing your treatment Performance of a contract Explicit consent — Art. 9(2)(a)
Keeping clinical records of your care Legitimate interests / Legal obligation Explicit consent — Art. 9(2)(a)
Contacting you about appointments Performance of a contract n/a
Marketing (newsletters, offers) Consent n/a
Meeting legal, tax, and insurance duties Legal obligation Explicit consent / as required
If relying on 9(2)(h) instead: replace “Explicit consent — Art. 9(2)(a)” with “Provision of health care/treatment — Art. 9(2)(h)” and confirm you meet its conditions (delivered by or under a health professional subject to a duty of confidentiality).
Your explicit consent: before we record your health information we will ask for your clear, specific consent. You can withdraw it at any time, though we may need to keep existing clinical records for the retention periods below.
5. Marketing
We only send marketing where you have consented. You can opt out at any time via the unsubscribe link or by contacting info@herbsandacupuncture.co.uk. We never use your health information for marketing.
6. Who we share your data with
We keep your health information confidential and share it only where necessary and lawful:
· With your explicit consent — e.g. with your GP or another practitioner.
· Service providers (processors) — our website host (Thrifty Web Design), booking/diary software, and email tool, under written contracts.
· Professional advisers / insurers — where strictly necessary, e.g. to defend a claim.
· Authorities — where required by law or to protect someone’s vital interests.
We do not sell your data.
7. International transfers
Some providers may process data outside the UK/EEA. Where so, we rely on appropriate safeguards (UK IDTA, the UK Addendum to the EU SCCs, or UK “adequacy”).
8. How long we keep your data
We keep clinical records as required by our professional body and our insurer.
· Adult clinical records: 6 years after your last treatment
· Records for children: until age 25
· Appointment/financial records: 6 years (HMRC).
· Marketing consent: until you withdraw it.
When no longer needed, records are securely destroyed.
9. How we protect your health information
We apply extra safeguards to special category data, including: confidential/locked storage, encryption of digital records, access limited to the practitioner, secure booking software, and our professional duty of confidentiality. No system is fully secure, but we take these duties seriously.
10. Data Protection Impact Assessment (DPIA)
Because we process health data, we have carried out a DPIA to assess and reduce privacy risks.
11. Your rights
You have the right to access, rectify, erase (subject to our duty to retain clinical records), restrict, object, and data portability, and to withdraw consent. To exercise any right, contact info@herbsandacupuncture.co.uk. We respond within one month.
12. Cookies
See our Cookie Policy at [LINK].
If your site uses analytics or other non-essential cookies, you must have a consent banner that blocks them until the visitor accepts — e.g. CookieYes.
13. Complaints
Contact us first at info@herbsandacupuncture.co.uk. You can also complain to the Information Commissioner’s Office (ICO) — ico.org.uk, 0303 123 1113.
See our separate Data Protection Complaints Procedure — required from 19 June 2026.
14. Changes to this policy
We may update this policy. The “last updated” date shows when. Material changes will be notified [e.g. by notice on our website].