Privacy Policy

Marie Smith, Alma.

www.mariesmithalma.co.uk

Contact: mariesmithalma@gmail.com

 

Your privacy is important to Alma, and I take my responsibility regarding the security of your personal information very seriously.  I am committed to protecting your personal information and to being transparent about the information I collect from you and what I do with it.

This policy outlines Marie Smith's procedures for collecting, storing and processing personal data ('personal data' means data which relates to a living individual who can be identified from the data or from other information from that data) in order to comply with the Data Protection Act ('DPA') 2018.

This policy covers all the principles under the DPA. These are known as the 'data protection principles' and ensure that information is:

used fairly and lawfully
used for limited, specifically stated purposes
used in a way that is adequate, relevant and not excessive
kept for no longer than is necessary
kept safe and secure
not transferred outside the European Economic Area (EEA) without adequate protection


Contact details of the person responsible for taking the lead on compliance:

 

Marie Smith (mariesmithalma@gmail.com) is also responsible for personal data, information on procedures dealing with both internal and external access requests, and how the information collected is used.

What is meant by privacy:

 

Physical privacy - the ability of a person to maintain their own physical space or solitude.  Intrusion can come in the form of unwelcome searches of a person's home or personal possessions, bodily searches or other interference, acts of surveillance and the taking of biometric information.

 

CCTV is used outside the premises.

 

Informational privacy - the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information, disclosure of personal information without consent and misuse of such information.  It can include the collection of information through the surveillance or monitoring of how people act in public or private spaces and through the monitoring of communications whether by post, phone or online and extends to monitoring the records of senders and recipients as well as the content of messages.

 

Why I need the information I hold about an individual:

 

I need to request and store your details in order to administer and deliver the service you have requested, and to comply with any legal or professional body responsibilities that ensue in the delivering of that service.

 

What data is held about you:

 

Your name, address, phone numbers, email address, date of birth
An emergency contact's name and phone number
Your GP name and contact details
Relevant medical information, past and present
Session notes
Payment information
Emails, recorded messages and social media contact


What I am going to use your Data for:

 

I will use your data in order to:

 

Make contact with you, to record the relevant personal contact details you give consent for me to hold, to record emergency contact information, where applicable to make clinical assessments and record clinical notes.
Process payment transactions to enable you to purchase products or services.
Send you customer communications about products or services you have bought.
Enable me to perform a contract with you and respond to enquiries relating to my services or products.
Reply to any enquiries you make about my services or products.
Keep records of services received and products purchased.
Keep records of communications.
Bring legal claims against you if you fail to make payment.
Comply with any legal obligations I am subject to or as required by a government authority.
Obtain or maintain insurance policies.
Manage my business.
Obtain professional advice.
NHS Track & Trace


Lawful Ground of Processing:

 

Under the General Data Protection Regulations, I am only legally able to process your personal data if I have a lawful ground for doing so.

Lawful grounds of processing are:

 

In relation to Customer Data that I have obtained in relation to you receiving a treatment or product with me that I hold for the purpose of fulfilling that contract, informing you about updates to the product or service and keeping records of the contract, the processing is necessary for the performance of a contract to which you are subject and for legitimate interests in informing you about updates to the product or service, record keeping and to establish, pursue or defend legal claim as responsible business operations.

 

In relation to Prospect Data that I have obtained when you enquired about my services or products (whether that be through my website or otherwise) and that I process in order to reply to your enquiry and keep records of this, the processing is necessary in order to take steps at your request prior to entering into a contract and for legitimate interests in record keeping and to establish, pursue or defend legal claim.

In relation to your data that I process in order to comply with legal requirements or as required by a government authority, the processing is necessary for compliance with a legal obligation to which I am subject.

 

In relation to keeping records, this processing is either necessary for compliance with a legal obligation that I am subject to or for legitimate interests in responsible business operations or defending, pursuing or establishing a legal claim.

 

In relation to obtaining professional advice and insurance, this processing is necessary for legitimate interests in order to protect and grow my business.

 

Sensitive data - Client notes showing date, and a brief outline of session content are recorded in a hand-written paper file format which has an anonymised code system (no name/contact etc). The anonymised client notes are used for my own clinical supervision, to comply with my professional body and good ethical practice. I share details about the client case, but not the client's personal details unless a legal or safeguarding requirement requires me to do so.

 

Information is stored securely:

 

I store clients' names, contact details, emergency number, medical history, payment details, treatments given and session notes on paper consultation record cards, filed in a locked cabinet. Online consent forms are stored securely on Amazon servers based in the EU using Faces Consent. Your contact details may also be stored on a mobile phone, iPad, laptop and iMac. All devices are password protected.

 

Website emails I receive are deleted from my email system once I have made contact with you. These may be printed before deleting.  Please do not include any sensitive information.

Wix Ascend is used for contacting purposes and promotions. 

 

Phone recorded messages are deleted once I have made contact with you.

 

Client notes showing date, and a brief outline of session content for some treatments are recorded in a hand-written paper file format which has an anonymised code system (no name/contact etc) and stored in a separate folder to the one with your personal details on it.

 

Photos taken in session (with your permission) and phone, email and social media communication are also stored/noted/printed and saved in the anonymised client notes.

 

The anonymised client notes are used for my own clinical supervision, to comply with my professional body and good ethical practice.  I share details about the client case, but not the client's personal details unless a legal or safeguarding requirement requires me to do so.

 

Christian or full names are used to identify income source in my accounts for HMRC tax return purposes and on Free Agent, which can be viewed by my accountant.

 

Payments made by bank transfer will contain your name in the reference and shown on my bank statements.

 

If you have chosen or been invited to 'like' or 'follow' me on my business social media sites including Facebook, Twitter, Instagram and LinkedIn, I do not hold data about that outside of that social media setting. See Social Media Usage.

 

Messages posted either on the news feed or sent as private through Messenger will be deleted after I have made contact with you.  Please do not include any sensitive data.

 

About the security of my website:

 

I may use technology to track the patterns of behaviour of visitors to my site. This can include using a 'cookie', which would be stored on your browser. You can usually modify your browser to prevent this happening. The information collected in this way can be used to identify you unless you modify your browser settings.

 

Social Media usage:

 

I have official profiles on social media platforms. Users are advised to verify the authenticity of such profiles before engaging with, or sharing information with, such profiles. Users are advised to conduct themselves appropriately when engaging with me on social media. There may be instances where my website features social sharing buttons, which help share web content directly from web pages to the respective social media platforms. You use social sharing buttons at your own discretion and accept that doing so may publish content to your social media profile feed or page.

 

How up to date the information is that I hold about you:

 

The personal information stored is as given to me on initial contact, and updated as and when you inform me of any changes.

 

Notes will be up to date usually on the day and no more than within fourteen days of delivery of such service.

 

When and how I delete the information I hold about you:

 

I will only hold on to your personal data for as long as necessary to fulfil the purpose I collected it for, including for the purpose of satisfying any legal, accounting, or reporting requirements.

 

My professional guideline for holding your data is seven years after our last contact. I delete by electronic means and destroy paper records by shredding. For clients under the age of eighteen, notes are kept until your 26th birthday or seven years after last contact, whichever is the later.

 

For Tax purposes the law requires me to keep basic information about clients for six years after they stop being clients.

 

For Hypnotherapy treatments I anonymise your personal data and use a code system.

 

Disclosure of your personal data:

 

I may have to share your personal data with the parties set out below.

 

Service providers who provide IT and system administration services.

 

Professional advisers including lawyers, bankers, accountants and insurers.

 

Government bodies that require me to report processing activities or otherwise disclose your personal data.

 

NHS Track & Trace.

 

If during my contact time with you I become aware that there is a safeguarding risk to either you or another person I will contact the emergency contact given and/or school, college, professional body, emergency services where appropriate.

 

My supervisor will be handed all of my Hypnotherapy related paperwork should I become indisposed, and will contact you and then destroy notes accordingly.  Your name will never be tied to any personal information about you.

 

Chris Smith and/or Shirley Walton will be handed all my Beauty and Holistic Therapy and Skincare related paperwork should I become indisposed and will contact you and then destroy notes accordingly.

 

Where you request me to do so

 

Personal information is limited only to those with a strict need to know.

 

How you can obtain a copy of information I hold about you or have it removed:

 

Under data protection laws you have rights in relation to your personal data that include the right to request access, correction, restriction, transfer, to object to processing, to portability of data and to withdraw consent where the lawful ground of processing is consent.  You can request to be removed from my records, however I need to keep some of your data in order to comply with my legal, insurance and tax obligations.

 

You can see more about these rights at:

 

https://ico.org.uk/for-the-public/personal-information/
