PRIVACY POLICY


For Soul Harbor Therapies (www.soulharbortherapies.com)
Last Updated: 25.11.2025
Effective Date: 25.11.2025

 


1. INTRODUCTION & DATA CONTROLLER DETAILS

Soul Harbor Therapies is the data controller of your personal information.

This privacy policy explains how we collect, use, and protect your data in compliance with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Privacy and Electronic Communications Regulations (PECR) 2003

Data Controller:
Soul Harbor Therapies Clinic
[Full Business Address]
Email: soulharbortherapies@proton.me
ICO Registration Number: [ZXXXXXXX] 


2. WHAT INFORMATION DO WE COLLECT?

We collect and process the following categories of data:

| Data Category | Examples Collected | Legal Basis (UK GDPR) |
|---|---|---|
| Identity Data | Name, date of birth | Consent (Article 6(1)(a)) |
| Contact Data | Address, email, phone | Consent, Contract (Article 6(1)(b)) |
| Health Data (Special Category) | Medical history, therapy notes, stoma details | Explicit Consent (Article 9(2)(a)) |
| Technical Data | IP address, browser type | Legitimate Interest (Article 6(1)(f)) |
| Payment Data | Bank details (processed securely) | Contract (Article 6(1)(b)) |

Important: We DO process special category health data (contrary to previous statement) as required for our therapy services.


3. LAWFUL BASIS FOR PROCESSING

We rely on these lawful bases under UK GDPR:

  1. Consent: Where you explicitly agree (e.g., marketing emails)

  2. Contract: To deliver services you've requested

  3. Legal Obligation: For record-keeping and tax purposes

  4. Legitimate Interest: For website security and service improvement

  5. Vital Interests: In emergency situations (rare)

For special category health data, we require explicit consent under Article 9(2)(a) of UK GDPR.


4. HOW WE USE YOUR INFORMATION

| Purpose | Legal Basis | Retention Period |
|---|---|---|
| Provide therapy services | Contract | 7 years (clinical records) |
| Appointment management | Contract | 2 years |
| Payment processing | Contract | 6 years (HMRC requirement) |
| Website analytics | Legitimate Interest | 26 months (anonymised) |
| Marketing communications | Consent | Until withdrawn |
| Legal compliance | Legal Obligation | As required by law |


5. DATA SHARING & DISCLOSURE

We only share your data in these limited circumstances:

  1. Service Providers:

    • Payment processors (PCI DSS compliant)

    • Booking systems (with UK GDPR-compliant contracts)

  2. Legal Requirements:

    • Healthcare regulators (e.g., CNHC, GHR)

    • Court orders or safeguarding obligations

  3. Business Transfers:

    • With your consent or as required by law

  4. Emergency Services:

    • If we believe there's a serious threat to life

We never sell your personal data.


6. INTERNATIONAL DATA TRANSFERS

All data processing occurs within the UK/EEA. If we use third-party services based outside the UK:

  • We ensure they have UK adequacy decisions or Standard Contractual Clauses (SCCs)

  • We require equivalent data protection standards


7. DATA SECURITY

We implement appropriate technical measures:

  • Encryption for sensitive data (SSL/TLS)

  • Secure servers with access controls

  • Regular security assessments

  • Staff training on data protection


8. YOUR DATA PROTECTION RIGHTS

Under UK GDPR, you have the right to:

  1. Access your personal data (Subject Access Request)

  2. Rectify inaccurate information

  3. Erase your data ("right to be forgotten")

  4. Restrict processing

  5. Data portability (receive data in machine-readable format)

  6. Object to processing

  7. Withdraw consent at any time

To exercise these rights:
Email: soulharbortherapies@proton.me
Subject: "Data Rights Request"
We'll respond within 30 days as required by law.


9. DATA RETENTION

We retain data only as long as necessary:

  • Clinical records: 7 years (or 10 years for minors)

  • Financial records: 6 years (HMRC requirement)

  • Marketing data: Until consent withdrawn

  • Website analytics: 26 months (then anonymised)


10. CHILDREN'S PRIVACY

We do not:

  • Intentionally collect data from under-18s

  • Market to children

  • Provide therapy to minors without parental consent

If we discover we've collected a child's data, we'll delete it immediately.


11. COOKIES & TRACKING

Our Cookie Policy (linked below) explains:

  • What cookies we use

  • Their purpose

  • How to control them

  • Compliance with PECR


12. COMPLAINTS

If you're unhappy with our data handling:

  1. Contact us first: soulharbortherapies@proton.me

  2. If unresolved, contact the ICO:
    Information Commissioner's Office
    Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
    Helpline: 0303 123 1113
    Website: ico.org.uk


13. CHANGES TO THIS POLICY

We review this policy annually and update it when:

  • Laws change

  • Our practices evolve

  • New technologies emerge

The "Last Updated" date shows the most recent revision.


14. CONTACT INFORMATION

Data Protection Officer (DPO):
Andrea Robertson-Begg

General Enquiries:
Soul Harbor Therapies

Email: soulharbortherapies@proton.me