
Data Protection and Privacy Policy

Introduction

 

Living In Full Bloom is committed to protecting and respecting your privacy and maintaining the trust of all those we work with. This policy explains how we collect, use, protect, and manage your personal information in accordance with the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and NICE Guidelines for therapeutic practice.

 

Scope

 

This policy applies to all personal information collected and processed by Living In Full Bloom through:

  • Our website and online services

  • Direct interactions with clients and service users

  • Therapeutic relationships and sessions

  • Employment and recruitment processes

  • Marketing and communications activities

 

Definitions

 

  • Personal data: Any information relating to an identifiable person who can be directly or indirectly identified from that information

  • Special categories of personal data: Data concerning health, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic/biometric data

  • Data processing: Any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, or erasure

  • Therapeutic records: Documentation of therapeutic sessions, assessments, and client progress

 

Data Protection Principles

 

We process all personal data according to these core principles:

 

  1. Lawful, fair, and transparent processing

  2. Purpose limitation - collected for specified, explicit, and legitimate purposes

  3. Data minimisation - adequate, relevant, and limited to what's necessary

  4. Accuracy - kept accurate and up to date

  5. Storage limitation - kept no longer than necessary

  6. Integrity and confidentiality - processed securely

  7. Accountability - taking responsibility for complying with GDPR

 

Types of Information We Collect

 

We collect different types of information depending on how you interact with us. This includes information you provide directly, information we receive from third parties (such as payment processors and booking platforms), and information we collect automatically through our website.

 

Client Data

  • Personal details (name, contact information, date of birth)

  • Medical and health information

  • Session notes and therapeutic records

  • Payment information

  • Emergency contact details

 

Employee Data

  • Personal details and contact information

  • Employment history and qualifications

  • References and background check results

  • Performance records

  • Training and development records

 

Website Users

  • IP addresses and browser information

  • Usage data and cookies

  • Contact form submissions

  • Newsletter subscriptions

 

Financial Data and Payment Processing

  • Payment card information

  • Bank account details

  • Transaction history

  • Membership status and history

  • Course registrations and purchases

 

We use trusted third-party payment processors:

  • Wix Payments for online transactions (memberships, courses, online bookings)

  • SumUp for in-person payments

 

These processors handle your financial data according to PCI DSS (Payment Card Industry Data Security Standard). Living In Full Bloom does not store or have direct access to your complete payment card details. We only retain necessary transaction records for accounting and tax purposes.

 

Third-Party Services

 

We work with trusted third-party service providers who assist us in delivering our services:

  1. Payment Processing

    • Wix Payments: Handles online payments through our website

    • SumUp: Processes in-person card payments

    • These providers are PCI DSS compliant and have their own privacy policies

  2. Website and Booking Platform

    • Wix: Hosts our website and provides booking functionality

    • Processes membership data and course registrations

 

We ensure all third-party providers:

  • Have appropriate data protection measures in place

  • Process data only for specified purposes

  • Comply with UK GDPR requirements

  • Maintain appropriate security standards

 

Lawful Bases for Processing

 

We process personal data under the following lawful bases:

  1. Consent - freely given, specific, informed, and unambiguous

  2. Contract - necessary for fulfilling our contractual obligations

  3. Legal obligation - required by law

  4. Vital interests - protecting someone's life

  5. Legitimate interests - where necessary for our legitimate business purposes

 

Therapeutic Records and Confidentiality

 

In accordance with NICE Guidelines:

 

  • Detailed session notes are maintained securely for each client

  • Records are factual, objective, and distinguish between fact and opinion

  • Information is recorded in a way that clients could read their notes without confusion or distress

  • Records are maintained for 7 years after the last contact with adult clients, or until age 25 for children

  • Access to therapeutic records is strictly controlled

 

Data Security

 

We implement appropriate technical and organisational measures including:

 

  • Password protection and encryption of electronic data

  • Secure physical storage for paper records

  • Access controls and user authentication

  • Regular security updates and backups

  • Staff training on data protection

  • Incident response procedures

 

Security Procedures

  1. All hard copy personal information must be kept in locked storage

  2. Electronic data must be password-protected and encrypted

  3. No personal data to be stored on unencrypted portable devices

  4. Regular security audits and updates

  5. Clear desk policy enforcement

 

Data Subject Rights

 

You have the right to:

  1. Be informed about how your data is used

  2. Access your personal data

  3. Rectification of inaccurate data

  4. Erasure (the 'right to be forgotten')

  5. Restrict processing

  6. Data portability

  7. Object to processing

  8. Rights related to automated decision making

 

International Data Transfers

 

If we transfer data outside the UK/EEA, we ensure:

  • Adequate safeguards are in place

  • Privacy rights are protected

  • Compliant data processing agreements exist

  • Transfer mechanisms meet GDPR requirements

 

Data Breaches

 

We maintain a Data Breach Register and will:

  • Report significant breaches to the ICO within 72 hours

  • Notify affected individuals when legally required

  • Document all breaches and remedial actions

  • Review and update security measures as needed

 

Children's Privacy

 

We take special care when processing children's data:

  • Parental consent required for children under 16

  • Age-appropriate privacy notices provided

  • Extra safeguards for sensitive data

  • Regular review of children's data processing

 

Training and Awareness

 

All staff receive:

  • Initial data protection training

  • Regular updates and refresher sessions

  • Specific training for handling sensitive data

  • Guidance on security measures

 

Review and Updates

 

This policy is reviewed annually or when significant changes occur. Updates will be:

  • Posted on our website

  • Communicated to staff and stakeholders

  • Recorded in our policy register

 

Contact Information

 

For questions about this policy or to exercise your rights, contact:

Data Protection Officer - Julie Edwards

Living In Full Bloom

Email: living-in-full-bloom@outlook.com

 

Complaints

 

If you have concerns about our data practices:

1. Contact our Data Protection Officer

2. If not satisfied, contact the Information Commissioner's Office (ICO)

3. Visit https://ico.org.uk for guidance

 

Last Updated: January 2025

Version: 2.0
