GDPR Privacy Policy

GDPR Privacy Notice

Policy Purpose
This policy outlines my data protection policy, and thus how I comply with the GDPR.

GDPR Registration
I have investigated whether to register with the ICO and have been told that this is not necessary but I must still adhere to the Regulations. Karen Scott Reflexology is a company registered in England and Wales for the purposes of the Data Protection Act 1998 or any subsequent UK legislation resulting from EU General Data Protection Regulations (GDPR).

This policy sets out the basis on which any personal data I collect from you, or that you provide to me, will be processed only by me. Karen Scott Reflexology is committed to protecting and respecting the privacy of my clients. Please read this privacy policy carefully so you can understand my views and practices regarding your personal data and how I will treat it. This document outlines my privacy guidelines, to which you agree by navigating this site. Regular updates of the privacy policy are completed, requiring you to check back on this policy from time to time.

Identity and contact details of the Controller
Purposes for which Personal data is collected, processed, used and disclosed by Karen Scott Reflexology.
Karen Scott Reflexology may receive or collect your personal data including but not limited to your name and contact details (i.e. address, home and mobile numbers, e-mail address), age, date of birth, details. On occasions, this may also include special categories of personal data (i.e. sex), medical information.
I may collect this information from you (for example, by filling in forms or by corresponding with me by phone, email or otherwise). This information is held, processed, used and disclosed by me as follows:

  1. to provide my services to you;
  2. to improve my customer service and to make my services more valuable to you (including tailoring treatments to enrich your personal experience);
  3. to enable me to develop and market other products and services and where you have consented to being contacted for such purposes;
  4. to answer your questions and enquiries;
  5. to maintain records and to comply with legal, regulatory and corporate governance obligations;
  6. to maintain my business relationship, where you are a client;
  7. to fulfil contractual obligations with my clients;
  8. to maintain, expand and develop my business;
  9. to process data where I am legally obliged to process such data or where the processing is necessary for the purposes of carrying out my obligations or exercising my rights in the field of employment and social security and social protection law;
  10. In certain circumstances, I will release personal information to third parties if I believe in good faith that I am required by law to disclose it in connection with the detection of crime, in order to comply with any applicable law or order of a court of competent jurisdiction, or in connection with legal proceedings; the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
  11. to respond to and defend against legal claims;
  12. to notify you about changes to my service;

Legal basis for processing personal data:
My legal basis for the processing of personal data is as follows:
  1. for the purposes of my legitimate interests or those of a third party. I have set out my legitimate interests above under the section titled “Purposes for which Personal data is collected, processed, used and disclosed by me”;
  2. for compliance with a legal obligation to which I am subject. This includes for the purposes of detecting crime, the collection of taxes or duties, and in order to comply with any applicable law;
  3. where you give your consent to the processing of your personal data for one or more specific purposes, for example, some marketing activities I undertake. Should I want or need to rely on consent to lawfully process your data I will request your consent orally, by email or by an online process for the specific activity I require consent for and record your response on my system. Where consent is the lawful basis for my processing you have the right to withdraw your consent to this particular processing at any time;
  4. for the performance of a task carried out in the public interest or in the exercise of official authority vested in me.

Where your information is held
All the personal data I process is processed by myself (Karen Scott Reflexology). However, as part of the services offered to you, the information you provide to me is not held electronically. In addition, except as set out in this privacy policy, I will not disclose any personally identifiable information without your permission unless I am legally entitled or required to do so (for example, if required to do so by legal process or for the purposes of prevention of fraud or other crime) or if I believe that such action is necessary to protect and/or defend my rights, property or personal safety and those of my customers etc.

How long I will keep your data
  1. claims occurring insurance: for which I am required to keep my records for 7 years after the last treatment.
  2. law regarding children’s records: for which I am required to keep my records until the child is 25, or if 17 when treated then until they are 26.
  3. registration with The AoR (for my work as a Reflexologist): for which I am required to retain information for 8 years.

I will only hold your personal data for as long as is necessary to fulfil the purposes I collected it for, including for the purposes of complying with applicable legal or reporting requirements (for example, my obligations to the medical authorities and nationality laws), my contractual obligations or my legitimate interests as a controller. Some categories of personal data I hold will need to be retained for longer than others. To determine the appropriate retention period for personal data, I consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purpose for which they are processed, the applicable legal requirements and my contractual obligations. Other personal data will be held for no longer than is necessary to protect my legitimate interest as a controller.

Privacy Notice
Individuals need to know that their data is collected, why it is processed and who it is shared with. This information is included in my privacy notice which is signed and presented at my first consultation with my client.

I have written a privacy notice for my clients, and have ensured that the privacy notice includes all of the information included in the ICO privacy notice checklist at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed#table

Security
I take the security of your data seriously. I have internal policies and controls to protect your personal information from unauthorised access, improper use or disclosure, unauthorised modification or unlawful destruction or accidental loss. I will update these measures as new technology becomes available, as appropriate.

Data Breach Policy
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. I understand that I only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, I will notify those concerned directly and without undue delay. In all cases I will maintain records of personal data breaches, whether or not they were notifiable to the ICO.

Marketing
I may periodically contact you by telephone, email or other digital means for marketing purposes relating to my services, my website, and/or to research opinion on proposed business developments. You have the right to withdraw your consent if you do not want to be contacted for such purposes (see Opt-Out below). Opt-Out – you are entitled to opt out from receipt of marketing communication at any time and free of charge by sending an email to karen@karenscottreflexology.com.

Website Cookies – You are surfing a dynamically generated website that includes third-party advertising. Placement of tracking technologies such as, but not limited to, cookies and/or web beacons is permitted to third-party advertising companies. These third-party advertising companies may use such technologies to gather anonymous website statistics about your visits to this and other websites. These statistics are used by these third-party advertising companies to provide ads of relevance to you.

My advertisers and I may have occasion to collect information regarding your computer for my services. The information is gained in a statistical manner for my use or for that of advertisers on my site. Data gathered will not identify you personally. It is strictly aggregate statistical data about my visitors and how they used my resources on the site. No identifying personal information will be shared at any time via cookies. You may elect to decline all cookies via your computer. Every computer has the ability to decline file downloads like cookies. Your browser has an option to enable the declining of cookies. Any of my advertisers may also have a use for cookies. I am not responsible for, nor do I have control of, the cookies downloaded from advertisements. They are downloaded only if you click on the advertisement.

Links that belong to third parties may be found on my site. These websites have their own privacy policies, which you agree to when you link to the site. You should read the third-party policy. I do not accept claims of liability or responsibility in any way for these policies or links, as I have no way to control the third-party sites.

Data Protection Policy
This document forms my data protection policy and shows how I comply with GDPR. This is a live document and will be amended as and when any changes to my data processing take place; at the very least it will be reviewed annually. As the only member of staff, I believe that I have done an appropriate amount of research around the implications of the new GDPR, including taking heed of the advice and guidance provided by my professional membership organisations (AoR for my work as a Reflexologist and FHT for my work as a Complementary Therapist).

Your rights
  1. You may request access to the information I hold about you. All individuals will need to submit a written request to access their personal data, either by email or by letter. I may ask you to verify your identity and for more information about your request. I will provide that information without delay and at the latest within one calendar month of receipt. I can extend this period by a further two months for complex or numerous requests (in which case the individual will be informed and given an explanation). I will identify the client using reasonable means, which, because of the special category under which I process data, will be numeric ID. I will keep a record of any requests to access personal data.
  2. I will use reasonable endeavours to ensure that your personal data is maintained and up to date. However, you are under a duty to inform me of any and all changes to your personal data to ensure that it is up to date and I will update or delete your personal data accordingly.
  3. You may, in certain circumstances (for example, where I have processed your data unlawfully) have the right to request that I erase your personal data. I will respond to your request within the timescale required by applicable data protection laws and will only disagree with you if certain limited conditions apply. If I agree to your request, I will delete your data but will generally assume that you would prefer me to keep a note of your name on my register of individuals who would prefer not to be contacted. That way, I will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer me not to do this, you are free to say so.
  4. Where I process your data on the basis of consent you have provided to me, you have the right to withdraw your consent at any time and have such data deleted. Where I am legally permitted to do so, I may refuse your request and will give you reasons for doing so.
  5. If you wish to exercise any of these rights or raise a complaint on how I have handled your personal data, you can contact me on karen@karenscottreflexology.com.
  6. If you are not satisfied with my response or any of my data processing activities, you can complain to the Information Commissioner's Office at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow SK9 5AF

ALL CLIENT INFORMATION IS CONFIDENTIAL BETWEEN THE CLIENT AND KAREN SCOTT REFLEXOLOGY AND NOT SHARED WITH ANYONE ELSE