Privacy Policy

This Privacy Policy explains how I collect, use, and protect your personal information in line with the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025. I am committed to handling your data responsibly, transparently, and securely.

For any privacy-related queries, my contact details can be found here.

 

Information I Collect & Why

To give professional reflexology treatments, I will need to ask for and keep information about your health. I will only use this to inform reflexology treatments and any advice I give about your treatment.

I may collect and store:

  • Contact details: name, email, phone number, emergency contact

  • Health information: medical history, lifestyle details, treatment notes

  • Booking and payment information: appointment records, invoices (no card details stored)

  • Website or social media enquiries: messages, forms, or feedback

Your information is used to:

  • Provide safe and effective reflexology and Indian head massage treatments

  • Manage bookings, communication, and payments

  • Meet legal, insurance, and professional obligations

  • Send optional updates or newsletters (only with your consent)

Lawful Basis for Processing

I process your personal data under:

  • a) Consent (e.g., receiving newsletters) - you can remove your consent at any time by contacting me directly in writing by email (see Contact / Venue info)

  • b) Contractual obligation (providing treatments and managing bookings)

  • c) Legal obligation (insurance, HMRC requirements)

1.1 'Claims occurring' insurance - records kept for 7 years after the last treatment

1.2 Law regarding children's records - kept until they are aged 25

1.3 CNHC requires I keep records for 8 years

  • d) Special category data (health information processed under Article 9(2)(h): healthcare provision) - to fulfill my role as a healthcare practitioner bound under AOR confidentiality and AOR code of conduct.

  • e) Recognised Legitimate Interests (DUAA 2025) only for:

1.1 To provide the best possible treatment options and advice

1.2 Safeguarding vulnerable individuals

1.3 Responding to emergencies that pose a risk to life or health

I will only share information in these situations when necessary and appropriate.

Protecting Your Data

 

  • Paper records are stored securely and accessible only to me

  • Digital records are encrypted and password‑protected

  • Data is never shared with third parties unless legally required or with your explicit consent

  • Records are retained for 7 years in line with insurance and HMRC rules

  • After the retention period, records are permanently deleted, including all medical records & documents from my secure cloud-based server and all emails from my email provider.

 

Your Rights

You have the right to:

  • Access your personal data

  • Request corrections or deletion

  • Withdraw consent for communications

  • Make a Subject Access Request (SAR). SARs will be handled using a reasonable and proportionate search, and I may pause the response deadline if I need more information from you.

GDPR Complaints Process (DUAA Requirement)

If you have concerns about how your personal information has been handled, you can raise a data protection complaint by contacting me at: 

Contact / Venue info

I will:

  • Acknowledge your complaint within 30 days

  • Investigate without undue delay

  • Explain the outcome clearly

  • Record the complaint in my GDPR complaints log

If you remain dissatisfied, you may escalate your concern to the Information Commissioner’s Office (ICO): www.ico.org.uk

Cookies (website)

If my website uses analytics cookies, these may operate without explicit consent under DUAA, but you will always have the option to opt out. Your browser settings can also control cookies.

GDPR Complaints Procedure

At Simple Step Reflexology, I take data protection seriously. If you have concerns about how your personal information has been handled, you have the right to raise a complaint.

This procedure explains how to do that and what you can expect.

You can raise a data protection concern by contacting me directly:

Email: simplestepreflexology@gmail.com

Owner: Alex Cronk, Sole Trader

Location: Roundhill, Brighton, UK

Please include:

  • Your name

  • What your concern relates to

  • Any relevant dates or details

What Happens Next

I will:

  • Acknowledge your complaint within 30 days

  • Review and investigate the issue without undue delay

  • Contact you with a clear explanation of the outcome

  • Record the complaint in my GDPR Complaints Log (required under DUAA 2025)

If You Are Not Satisfied

If you are unhappy with the outcome, you may escalate your concern to the Information Commissioner’s Office (ICO):

Website: www.ico.org.uk

Phone: 0303 123 1113

Under the DUAA 2025, clients must raise concerns with the organisation first before contacting the ICO.