Last Updated: February 2026
1. INTRODUCTION
Welcome to Spume & Soul. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services or visit our website.
We are committed to protecting your privacy and to handling your data with care and transparency, in full compliance with UK data protection laws, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Who We Are
Practice Name: Spume & Soul
Data Controller: Huda Abdelrahman
Email: [email protected]
Website: www.spumeandsoul.com
As the data controller, we are responsible for deciding how we hold and use your personal information. If you have any questions about this Privacy Policy or how we handle your data, please contact us using the details above.
2. WHAT INFORMATION WE COLLECT
We collect different types of information depending on how you interact with our practice:
Personal Identification Information:
• Full name
• Email address
• Phone number
• Postal address
• Date of birth
• Gender
Health & Wellness Information:
• Current health concerns and symptoms
• Medical history
• Lifestyle information (diet, exercise, sleep patterns)
• Mental and emotional wellbeing
• Health goals and objectives
• Information about medications, supplements, or treatments
• Menstrual cycle and hormonal health information
• Family medical history (where relevant)
• Previous test results or medical reports you share with us
Financial Information:
• Payment card details (processed securely through our payment provider)
• Billing address
• Payment history and transaction records
Communication Information:
• Emails, messages, or other correspondence with us
• Responses to forms and questionnaires
• Notes from telephone conversations or video consultations
Technical Information (Website):
• IP address
• Browser type and version
• Device information
• Pages visited on our website
• Date and time of visits
3. HOW WE COLLECT YOUR INFORMATION
We collect information in the following ways:
Directly From You:
• When you complete our discovery call application form
• When you book an appointment or service
• When you fill out intake forms or health questionnaires
• During consultations (in-person or virtual)
• When you communicate with us via email, phone, or contact forms
• When you sign up for our newsletter or email updates
Automatically:
• Through cookies and similar technologies when you visit our website (see Section 11)
• From our booking and scheduling platform
From Third Parties:
We do not purchase or receive your data from third-party sources.
4. LEGAL BASIS FOR PROCESSING YOUR DATA
Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal grounds:
Contract (Article 6(1)(b)):
Processing is necessary to provide you with our health and wellness services. This includes scheduling appointments, preparing for consultations, providing personalized recommendations, and communicating about your care.
Consent (Article 6(1)(a) and Article 9(2)(a)):
For special category data (health information), we obtain your explicit consent. You have the right to withdraw this consent at any time, though this may affect our ability to provide services. For marketing communications, we rely on your consent, which you can withdraw at any time.
Legal Obligation (Article 6(1)(c)):
We are required to keep clinical records for a specified period to comply with professional standards and regulations for healthcare practitioners.
Legitimate Interests (Article 6(1)(f)):
We process some data based on legitimate business interests, such as:
• Improving our services and website
• Preventing fraud
• Managing our business operations
• Ensuring network and information security
We always balance our legitimate interests against your rights and freedoms.
5. HOW WE USE YOUR INFORMATION
We use your information for the following purposes:
To Provide Our Services:
• Assess your suitability for our programs through discovery calls
• Prepare for and conduct health consultations
• Create personalized nutrition and wellness plans
• Monitor your progress and adjust recommendations
• Maintain accurate clinical records
• Provide ongoing support and follow-up care
To Manage Our Business Relationship:
• Schedule and confirm appointments
• Send appointment reminders
• Process payments
• Respond to your questions and requests
• Manage cancellations and rescheduling
To Communicate With You:
• Send relevant health and wellness information
• Share educational resources and blog content
• Provide updates about our services (with your consent)
• Send newsletters and wellness tips (with your consent)
To Improve Our Services:
• Understand how our website is used
• Improve our booking and consultation processes
• Develop new programs and resources
For Legal and Regulatory Compliance:
• Maintain records as required by professional bodies
• Respond to legal requests or prevent fraud
• Protect our legal rights
6. HOW WE STORE AND PROTECT YOUR INFORMATION
We take data security seriously and have implemented appropriate technical and organizational measures to protect your information.
Platform Security:
Go High Level (GHL):
We use Go High Level as our client management, booking, and scheduling platform. GHL collects and stores:
• Personal contact information (name, email, phone, address)
• Discovery call and intake form responses
• Appointment and booking information
• Basic health information provided through forms
GHL is a secure, cloud-based platform that employs industry-standard security measures including encryption, secure data centers, and regular security audits.
Cliniko:
We use Cliniko as our primary clinical records management system. Cliniko houses:
• Detailed health and medical information
• Consultation notes and treatment records
• Clinical assessments and progress notes
• Sensitive health data and treatment plans
Cliniko is designed specifically for healthcare practitioners and complies with healthcare data protection standards. It provides:
• End-to-end encryption
• Secure cloud storage
• Access controls and audit trails
• Regular security updates and compliance monitoring
Security Measures We Implement:
• Strong password protection and two-factor authentication
• Limited access to your data (only authorized personnel)
• Regular security updates and software patches
• Secure backup procedures
• Encrypted data transmission (SSL/TLS)
• Regular review of our security practices
No Absolute Security:
While we implement robust security measures, please understand that no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security but will notify you promptly if we become aware of any data breach affecting your information.
Where Your Data Is Stored:
Your data is stored on secure servers located in data centers that may be outside the UK/EEA. Both GHL and Cliniko use reputable cloud service providers with appropriate security certifications and safeguards in place.
7. DATA RETENTION - HOW LONG WE KEEP YOUR INFORMATION
We retain your information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy and to comply with legal and professional obligations.
Clinical Records:
We retain clinical health records for 8 years from the date of your last consultation. This aligns with professional guidance for healthcare practitioners and protects both your interests and ours in case of any future queries or legal matters.
Financial Records:
Payment and transaction records are kept for 6 years to comply with UK tax law.
Marketing Communications:
We keep your contact information for marketing purposes until you unsubscribe or withdraw consent. If you unsubscribe, we'll keep a suppression record to ensure we don't contact you again.
Inactive Accounts:
If you haven't engaged with our services for 8 years, we will securely delete your information unless we have a legal obligation to retain it.
After the retention period expires, we will securely delete or anonymize your information so it can no longer identify you.
8. WHO WE SHARE YOUR INFORMATION WITH
We respect your privacy and do not sell, rent, or trade your personal information to third parties.
We may share your information only in the following limited circumstances:
Service Providers:
We work with trusted third-party service providers who help us run our business:
• Go High Level - client management, booking, and scheduling platform
• Cliniko - clinical records management system
• Payment processors - to process secure payments (we do not store full payment card details)
• Email service providers - for sending newsletters and communications (with your consent)
• Make.com - for automated data synchronization between platforms
These providers are carefully selected and are required to:
• Process your data only on our instructions
• Implement appropriate security measures
• Comply with GDPR and data protection laws
Professional Requirements:
In limited circumstances, we may share information:
• With professional supervisors or mentors (anonymized where possible) for clinical supervision
• With professional indemnity insurers if required
• With regulatory or professional bodies if legally required
Legal Obligations:
We may disclose your information if required by law, court order, or regulatory authority, or to:
• Protect our legal rights
• Prevent fraud or criminal activity
• Protect the safety of you or others
With Your Consent:
If you ask us to share your information with another healthcare provider or practitioner, we will do so with your explicit consent.
We Do NOT:
• Sell your data to third parties
• Share your data for third-party marketing purposes
• Use your health information for any purpose other than providing care and meeting our professional obligations
9. INTERNATIONAL DATA TRANSFERS
Some of our service providers (such as Go High Level) may store or process data outside the United Kingdom and European Economic Area (EEA), including in the United States.
When we transfer your data internationally, we ensure appropriate safeguards are in place:
• Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO)
• Adequacy decisions where the destination country is deemed to provide adequate data protection
• Service providers that comply with recognized international security frameworks
Your data receives the same level of protection regardless of where it is processed.
10. YOUR RIGHTS UNDER GDPR
You have important rights regarding your personal information:
Right to Access (Subject Access Request):
You can request a copy of the personal data we hold about you. We will provide this free of charge within one month of your request.
Right to Rectification:
If any information we hold about you is inaccurate or incomplete, you can ask us to correct it.
Right to Erasure ("Right to Be Forgotten"):
You can request that we delete your personal data. However, this right is not absolute - we may need to retain certain information to:
• Comply with legal obligations (e.g., keeping clinical records for 8 years)
• Establish, exercise, or defend legal claims
• Fulfill our professional responsibilities as a healthcare practitioner
Right to Restrict Processing:
You can ask us to limit how we use your data in certain circumstances, such as while we verify the accuracy of information you've disputed.
Right to Data Portability:
You can request to receive your personal data in a structured, commonly used, and machine-readable format, and have it transferred to another service provider where technically feasible.
Right to Object:
You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
Right to Withdraw Consent:
Where we rely on consent to process your data (such as for marketing), you can withdraw consent at any time. This won't affect the lawfulness of processing before withdrawal.
Rights Related to Automated Decision-Making:
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
How to Exercise Your Rights:
To exercise any of these rights, please contact us at [email protected]
We will respond within one month. If your request is complex, we may extend this by two months and will let you know.
11. COOKIES AND WEBSITE TRACKING
Our website uses cookies and similar technologies to improve your experience and understand how visitors use our site.
What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help the website remember your preferences and provide useful functionality.
Types of Cookies We Use:
Essential Cookies:
These are necessary for the website to function properly (e.g., booking system, secure areas). You cannot opt out of these.
Analytics Cookies:
We use these to understand how visitors interact with our website, which pages are most popular, and how to improve user experience. These may include Google Analytics or similar services.
Marketing Cookies:
If you've consented, we may use cookies to show you relevant content or track the effectiveness of our communications.
Managing Cookies:
You can control cookies through your browser settings. However, blocking certain cookies may affect website functionality.
For detailed information about cookies, visit www.aboutcookies.org or www.allaboutcookies.org
12. CHILDREN'S PRIVACY
Our services are designed for adults aged 18 and over. We do not knowingly collect personal information from anyone under 18 without parental consent.
If you are under 18 and wish to use our services, please have a parent or guardian contact us to discuss appropriate arrangements.
If we become aware that we've collected information from a child under 18 without proper consent, we will take steps to delete it promptly.
13. THIRD-PARTY LINKS
Our website or communications may contain links to third-party websites, resources, or services.
Please note:
• We are not responsible for the privacy practices of other websites
• This Privacy Policy applies only to Spume & Soul
• We encourage you to read the privacy policies of any third-party sites you visit
Clicking on third-party links is at your own risk.
14. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in:
• Our practices
• Legal or regulatory requirements
• The services we offer
• Technology we use
When We Make Changes:
• We will update the "Last Updated" date at the top of this policy
• For significant changes, we will notify you by email or through a prominent notice on our website
• Continued use of our services after changes indicates acceptance of the updated policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
15. HOW TO CONTACT US
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
Email: [email protected]
Website: www.spumeandsoul.com
We will respond to your inquiry as promptly as possible, typically within 5 working days.
16. YOUR RIGHT TO COMPLAIN
We are committed to resolving any concerns you have about our data practices. However, you have the right to lodge a complaint with the UK data protection authority:
Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
You can also use the ICO's online reporting tool at: https://ico.org.uk/make-a-complaint/
CONSENT AND ACKNOWLEDGMENT
By using our services, visiting our website, or providing us with your personal information, you acknowledge that you have read and understood this Privacy Policy.
For health information specifically, we will obtain your explicit consent through our intake forms and consultation agreements.
© 2026 Spume & Soul. All rights reserved.