GDPR Privacy Notice

I, Lucy Chapman, am the data controller for Pica Massage. Your privacy matters to me in both the physical and digital sense; therefore, I take your data privacy very seriously. More and more companies, websites etc. are asking for identifying data under the guise of safety, so I want to outline how and why I use your data in a transparent way so that you can make an informed decision. This privacy notice tells you what to expect us to do with your personal information.

This notice applies to the website (www.picamassage.co.uk), its linked booking system (AcuityScheduling) and the New Client Intake form.

Contact details

Telephone - 07511700993

Email - pica.massage@proton.me

What information we collect, use, and why

I collect or use the following information to provide services (i.e. massage treatments):

·   Name and contact details

·   Pronoun preferences

·   Health information (including medical conditions, allergies, medical requirements and medical history)

·   Information about care needs (including disabilities, medication and general care provisions)

·   Payment details (including card or bank information for transfers and direct debits)

·   Records of meetings and decisions relevant to treatments.

I also collect the following special category information. This information is subject to additional protection due to its sensitive nature:

·   Health information (as mentioned above).

Lawful bases and data protection rights

Under UK data protection law, I must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis I rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

·   Your right of access - You have the right to ask me for copies of your personal information. You can request other information such as details about where I get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for. Read more about the right of access.

·   Your right to rectification - You have the right to ask me to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.

·   Your right to erasure - You have the right to ask me to delete your personal information. Read more about the right to erasure.

·   Your right to restriction of processing - You have the right to ask me to limit how I can use your personal information. Read more about the right to restriction of processing.

·   Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.

·   Your right to data portability - You have the right to ask that I transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.

·   Your right to withdraw consent – When I use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, I must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact me using the contact details at the top of this privacy notice.

How I use your data

Below I will outline how I use each piece of your data.

Name and contact details - In order to contact you about your appointment (rescheduling, cancellation, queries included). I will not share this information with anyone and it will be stored within the AcuityScheduling software which is password protected (both the account and my laptop).

Pronoun preferences - to be able to refer to you correctly in my notes.

Health information (including medical conditions, allergies, medical requirements and medical history) - So that I am aware of any medical conditions that might prohibit me from massaging you (total contraindications like fever, pregnancy, recent surgery/injury etc.) or that may impact the scope of the massage (localised contraindications e.g. tattoos, localised skin conditions etc.). To prevent exacerbation of acute or chronic conditions (e.g. varicose veins). I will not share this information with anyone and these notes will be kept on a memory stick that will not leave my flat and is password protected.

Information about care needs (including disabilities, medication and general care provisions) - To prevent exacerbation of acute or chronic conditions e.g. fibromyalgia, spinal cord injuries, arthritis etc. Some medications can cause low/high blood pressure, therefore moving off the couch after treatment can cause dizziness. Understanding what provisions will make your treatment more enjoyable, such as using a massage chair vs a couch, staying clothed or wearing noise-cancelling earbuds, is very important to me. I will not share this information with anyone and these notes will be kept on a memory stick that will not leave my flat and is password protected.

Payment details (including card or bank information for transfers and direct debits) - In order to secure your appointment, card details must be taken for payment via bank transfers or payments via the AcuityScheduling system. I will not use these details for any purpose other than payment or refunds. This information will be stored within the AcuityScheduling software which is password protected (both the account and my laptop).

Records of meetings and decisions relevant to treatments - Via the New Client Intake form (online or in-person), in-person consultations and ongoing discussions about your treatments, I will make notes of relevant information e.g. new, ongoing or resolved medical conditions, medications, preferences that will help me tailor the treatment to your preference. I will not share this information with anyone and these notes will be kept on a memory stick that will not leave my flat and is password protected.

My lawful bases for the collection and use of your data

My lawful bases for collecting or using personal information to provide services are:

·   Consent - I have permission from you after I gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time - consent is an ongoing agreement, not a one-time decision.

·   Legitimate interests - I’m collecting or using your information because it benefits you, the client, and me, the therapist, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

o  Health and disability information is collected to ensure I do not aggravate or worsen pre-existing conditions, that I do not unknowingly spread any infections between clients and to allow me to provide the proper access provisions to the client. Email addresses and phone numbers are collected to allow communication between me, the massage therapist, and the client. This includes rescheduling or cancellation of appointments and answering any queries. Card details are collected by Acuity Scheduling which allows me to take deposits before any appointments. This acts to secure the time and date of the client's appointment, as well as reducing the likelihood of no-shows. Additionally, it allows me to refund the client should the need arise.

For more information on my use of legitimate interests as a lawful basis you can contact me using the contact details set out above.

Where we get personal information from

·   Directly from you via the New Client Intake form, via verbal consultation/ongoing communication, emails or other communications. Signing the New Client Intake form, confirming you have read through the form and giving your consent, is deemed as consent for the collection, use and storage of your data.

How long we keep information

As per my insurance policy, I will keep your data for seven (7) years after our final treatment together. GDPR requires me to retain data for no longer than reasonably necessary, therefore your data will be disposed of after this time period has elapsed, unless you invoke your right to erasure before the end of the seven (7) years.

Duty of confidentiality

I am subject to a common law duty of confidentiality. However, there are circumstances where I will share relevant health and care information. These are where:

·   you’ve provided us with your consent to do so (I have taken it as implied to provide you with care, or you have given it explicitly for other uses).

How to complain

If you have any concerns about my use of your personal data, you can make a complaint to me using the contact details at the top of this privacy notice.

If you remain unhappy with how I’ve used your data after raising a complaint with me, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint