Privacy & Cookies Policy

What data is collected, how it is used and the choices you have over your data

1. Introduction


1.1

In this policy, “we”, “us” and “our” refer to Shaun Higgins (the business). “You” refers to website visitors, email subscribers and clients of our services.


1.2

We are committed to safeguarding the privacy of our website visitors, email subscribers and individual clients.


1.3

This policy applies where we are acting as a data controller with respect to your personal data – in other words, where we determine the purposes and means of processing that personal data. We act as a data controller in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.4


Our website incorporates privacy controls that affect how we process your personal data, particularly in relation to direct marketing. You may choose to subscribe to email marketing by completing a form. If you contact us regarding services, you can also choose whether or not to receive direct marketing communications.


2. Credit


2.1

This document was created using a template from Docular and has been adapted to reflect our specific data-processing activities.

https://seqlegal.com/free-legal-documents/privacy-policy


3. The Personal Data That We Collect


3.1

This section sets out the general categories of personal data that we may process.


3.2 Contact data

We may process data that enables us to contact you, including your name, email address, telephone number, postal address and/or social media account identifiers. You are the source of this data. It is stored within our CRM/email marketing platform in accordance with UK GDPR requirements.


3.3 Transaction data

We may process information relating to payments you make to us, including your name, contact details, payment date, payment method and amount. This data is stored within our accounting records in line with UK GDPR and HMRC requirements.


3.4 Communication data

We may process information contained in or relating to communications that you send to us or that we send to you, including emails, messages and webform submissions. This may include communication content and associated metadata. Where a website webform is used, metadata generated by that interaction is also processed. This data is stored within our CRM/email marketing platform.


3.5 Usage data

We may process data about how you use our website and services. Our website hosting provider, Brizy Cloud, may log IP addresses as part of normal infrastructure and security logs. Brevo, our CRM/email marketing platform, also provides analytics relating to direct marketing communications.


3.6 Health-related data (special category data)

This includes any information you voluntarily disclose about your medical condition, symptoms, health history or treatment preferences. This data is treated as special category personal data under UK GDPR.


3.7 Therapy, coaching and case record data (special category data)

We may process additional personal data relating to therapy and coaching services, including intake forms, health questionnaires, case histories, session notes, treatment records, coaching notes, progress tracking and reflective records. This data may include physical or mental health information, emotional wellbeing information, lifestyle details and other personal history relevant to the provision of therapy or coaching services. This data is classified as special category personal data under UK GDPR.


4. Bases and Purposes of Processing


4.1

UK GDPR requires that at least one lawful basis applies whenever personal data is processed. The lawful bases include consent, contract, legal obligation, vital interests, public task and legitimate interests.


4.2 Operations

We process personal data to operate our website, provide services, process orders, generate invoices and manage payments. The lawful basis is our legitimate interests in operating and administering the business, and contract where processing is necessary to provide agreed services.


4.3 Accountancy and tax reporting

Transaction and accounting data is processed to meet statutory obligations, including reporting to HMRC. The lawful basis is legal obligation, supported by legitimate interests for administrative purposes.


4.4a Relationships and communications (non-marketing)

We process contact, transaction and communication data to manage relationships, communicate with you, provide support and handle complaints. The lawful basis is contract and legitimate interests.


4.4b Therapy and coaching communications

When you contact us regarding craniosacral therapy or coaching, we process communication data to arrange sessions, tailor services, provide follow-up and maintain appropriate records. The lawful basis is consent and contract. Where health information is provided, the additional lawful basis is explicit consent under Article 9(2)(a) UK GDPR.


4.4c Therapy, coaching and case records

We process therapy and coaching records, including case histories, intake information, session notes, treatment records and coaching notes, to deliver safe and appropriate services, monitor progress, and meet professional, ethical and insurance requirements. The lawful basis under Article 6 UK GDPR is contract. Where this processing involves health or other special category data, the additional lawful basis is explicit consent under Article 9(2)(a) UK GDPR.


4.5 Direct marketing

We process contact data for marketing communications only where you have given explicit consent. You may withdraw this consent at any time.


4.6 Research and analysis

Usage and transaction data may be processed to analyse and improve our website and services. The lawful basis is legitimate interests.


4.7 Record keeping

Personal data is processed to maintain business records and backups. The lawful basis is contract and legitimate interests.


4.8 Security and fraud prevention

Data may be processed to protect our website, services and business. The lawful basis is contract and legitimate interests.


4.9 Insurance and risk management

Personal data may be processed to obtain insurance coverage and professional advice. The lawful basis is legitimate interests.


4.10 Legal claims

Personal data may be processed where necessary for the establishment, exercise or defence of legal claims. The lawful basis is legal obligation and legitimate interests.


4.11 Legal compliance and vital interests

We may process personal data where necessary to comply with legal obligations or to protect vital interests.


4.12 Processing of special category data

We process special category personal data only where necessary and with appropriate safeguards in place. This includes health and wellbeing information provided in the context of therapy or coaching. Such data is processed solely for the purposes of delivering services, maintaining appropriate records, and meeting professional and legal obligations. We do not use special category data for marketing or unrelated purposes.

4.13 Confidentiality and professional records

Therapy and coaching records are treated as confidential. Access to such records is restricted to the business owner unless disclosure is required by law or necessary to protect vital interests, including where there is a serious risk of harm to you or others. Confidentiality may also be limited by safeguarding obligations.

5. Providing Your Personal Data to Third Parties

5.1

We may disclose personal data to insurers and professional advisers where reasonably necessary.

5.2

Contact, transaction and communication data is stored within our CRM provided by Brevo, which acts as a data processor and processes data only on our instructions. Website forms are embedded using Brevo. Our website is hosted by Brizy Cloud. Brevo also provides analytics relating to marketing communications. All processors are bound by Data Processing Agreements requiring appropriate technical and organisational security measures.

5.3

Payments are processed by Stripe. Payment data is handled securely by Stripe and does not pass through our servers. Stripe processes limited device and transaction data for fraud prevention and service operation. Stripe privacy information: https://www.stripe.com/gb/privacy

5.4

We may disclose personal data where required to comply with legal obligations or to protect vital interests.

5.5 Sharing of therapy and health-related data

Therapy, coaching and health-related data is not shared with third parties without your explicit consent, except where disclosure is required by law, necessary for safeguarding purposes, or required for insurance, professional advice or legal claims. We do not sell or rent therapy or health-related data to third parties.

5.6 Current sub-processors

  • Brizy Cloud – website hosting (data-centres: EEA and USA)
  • Brevo – CRM, email marketing and analytics (data-centres: EEA)
  • Stripe – payment processing (data-centres: UK and EEA)

6. International Transfers of Personal Data


6.1

Personal data is primarily stored within the UK and EEA. Some providers may process data in the USA. Where transfers outside the UK/EEA occur, they are protected by Standard Contractual Clauses approved by the ICO or by adequacy regulations where applicable.


6.2

Stripe processes data primarily in the UK and EEA depending on user location. Further details are available in Stripe’s privacy documentation.


7. Retaining, Deleting and Protecting Personal Data


7.1

Personal data is retained only for as long as necessary for the purposes described.


7.2 Retention periods

(a) contact data will be retained for a maximum of three years from the end of the financial year in which we last received an active response from you.

(b) transaction data will be retained for six years in line with HMRC requirements.

(c) communication data will be retained for five years unless longer retention is required.

(d) safeguarding-related records are retained in line with statutory safeguarding guidance.

(e) usage data will be retained for up to one year.

(f) therapy, coaching and case records will be retained for a period appropriate to professional, ethical and insurance requirements, typically for a minimum of seven years following the last session, unless a longer period is required by law or safeguarding obligations. After this period, records will be securely deleted or anonymised.

7.3

Retention periods are reviewed regularly.

7.4 Security measures

Website and forms use HTTPS/TLS encryption. Email accounts are protected by strong passwords and two-factor authentication. Access to stored data is restricted to the business owner or authorised roles, with encryption and access controls used where provided by processors.

7.5 Data breaches

If a personal data breach occurs that is likely to result in a risk to your rights or freedoms, we will take prompt steps to contain it and notify the ICO within 72 hours where required. Affected individuals will be informed where legally necessary.

8. Your Rights

8.1

You have the right to access your data, rectify inaccuracies, request erasure, restrict processing, object to processing, request data portability, withdraw consent and complain to the ICO. Requests can be made using the contact details below. We will respond within one month unless an extension is permitted.

9. Cookies

9.1

Cookies are small text files stored on your device. Some cookies are essential for website operation; others are optional and require consent.

10. Cookies We Use


10.1

Our website uses a small number of cookies. Some are essential for the site to function correctly, while others are used only with your consent to help us understand how the site and our communications are used.

10.2 Essential Cookies

Essential cookies are required for core website functionality, security and form submissions. These cookies cannot be switched off. They are usually session-based or retained only as long as necessary for the website to operate.


10.3 Analytics and performance cookies (set only with consent)

We use analytics and performance cookies provided by Brevo (formerly Sendinblue) when you consent via the cookie banner. These cookies help us understand how visitors interact with the website and our email communications so we can improve our services. They do not involve advertising or social media tracking.

The analytics and performance cookies in use may include the following:

Cookie name: _sbsync

Purpose: Used by Brevo to support form functionality and to track interactions with embedded scripts and forms on the website.

Duration: Session or short-term

Provider: Brevo (first-party)


Cookie name: _sc and _se

Purpose: Used to associate website visits with email interactions or form submissions where Brevo tracking features are enabled.

Duration: Session or short-term

Provider: Brevo (first-party)

Cookie name: _fbp (only if present via embedded scripts)

Purpose: Used for measuring and understanding interactions with website content and communications where analytics scripts are embedded.

Duration: Approximately 3 months

Provider: Brevo or embedded third-party script

Additional analytics or performance identifiers

Purpose: Used in aggregate form to count visits, understand traffic sources and measure website performance.

Duration: Up to 12 months

Provider: Brevo

We do not use advertising cookies or social media tracking cookies.

You can manage your cookie preferences at any time using the cookie banner or through your browser settings. Refusing analytics cookies will not affect your ability to use the website, but some forms or analytics features may be limited.


10.4

No advertising or social-media tracking cookies are used.

11. Managing Cookies

11.1

You can accept or reject analytics cookies when you first visit the site. You can also change cookie settings through your browser at any time. Disabling essential cookies will prevent the contact form from working correctly.

12. Amendments

12.1

This policy may be updated periodically. Significant changes will be communicated via the website or email where appropriate.


13. Contact Details


Email: contact@shaunhiggins.net

If you are dissatisfied with our response, you may complain to the UK Information Commissioner’s Office (ICO):

Information Commissioner’s Office

Wycliffe House, Water Lane

Wilmslow, Cheshire SK9 5AF

Phone: 0303 123 1113

Website: https://ico.org.uk/

© 2024 Shaun Higgins. All rights reserved