Privacy and cookies policy 

  1. Last updated 25 July 2024. 

  1. We respect your privacy and are committed to protecting your personal data. This policy explains how which we collect, process and protect your personal data. We will collect and use personal data when you: 

  • Sign up to any of our courses; 

  • Engage us to provide our services, including without limitation our therapy and mentoring services; 

  • Make a purchase from us; 

  • Visit our website; 

  • Contact us by email, post, phone or via social media. 

  1.  

  1. We have explained in this policy what your privacy rights are and how the law protects you. We have also explained how we handle your sensitive personal data related to health, to make sure we comply with data protection laws. 

  1. By providing us with your personal data, you’re indicating that you’ve read and accepted the information in this policy. If you have any questions about anything in this policy, please contact us at innerglowtherapy@hotmail.com

  1.  

Who are we? 

  1. This is the privacy and cookies policy of Lauren Baird trading as Inner Glow Therapy of 82 Drumsmittal Road, North Kessock, Inverness, Inverness-Shire, Scotland, IV1 3JU and Therapy Business Hub Ltd, a company registered in Scotland under company number SC812581 with its registered office at 82 Drumsmittal Road, North Kessock, Inverness, Inverness-Shire, Scotland, IV1 3JU (“we”, “us” or “our”). We are the controller responsible for your personal data, so it means we choose what personal data we collect from you. 

  1. There are laws in the UK that we need to follow for data protection reasons. These are the EU law retained version of the General Data Protection Regulation ((EU) (2016/679) (“UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directives) Regulations 2023. If any of these laws are replaced, we will also comply with those. 

  1. We take your privacy seriously and are registered with the Information Commissioner’s Office (ICO), the UK organisation that makes sure your data is protected (ico.org.uk). Inner Glow Therapy’s registration number is ZB555310 and Therapy Business Hub Ltd’s registration number is ZB722252. If you have any questions or worries about your data, please talk to us first. We are here to help and can be reached at innerglowtherapy@hotmail.com

 

What is personal data and what information do we collect? 

  1. Personal data/information means any information about an individual from which that person can be identified. It doesn’t include anonymous data. The types of data that can be collected, used, stored and transferred are grouped together in the following categories: 

  • Identity Data includes full name, title, gender, date of birth, professional affiliations, school and educational institution, your username. 

  • Contact Data includes email address, phone number, billing address, delivery address. 

  • Financial Data includes bank account and payment card details. 

  • Transaction Data includes details about payments to and from you and what you have bought from us. 

  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.  

  • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses.  

  • Usage Data includes information about how you use our website and services.  

  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences. 

  • Aggregated Data: We also collect, use, and share Aggregated Data, like statistical or demographic data which is not personal data because it doesn’t directly identify you. For example, we might look at how many people use a certain feature on our website to help us improve it. 

We don’t automatically collect information about criminal convictions and offences as part of our services, but it is possible that you may share such details during the course of receiving our services. While this isn’t considered ‘special category data,’ it is handled with the utmost care in line with our legal and professional obligations. 

 

Do we collect special categories of personal data? 

Under UK GDPR, there are certain types of personal data is likely to be more sensitive and so these are given additional protections. These are referred to as ‘special category data’ and include the following: 

  • personal data revealing racial or ethnic origin

  • personal data revealing political opinions

  • personal data revealing religious or philosophical beliefs

  • personal data revealing trade union membership

  • genetic data

  • biometric data (where used for identification purposes); 

  • data concerning health

  • data concerning a person’s sex life; and 

  • data concerning a person’s sexual orientation

 

Although we don’t automatically collect these types of personal data about you, it is possible that you may share these kinds of information with us during the course of receiving our services, including without limitation during therapy services. This data is processed with the utmost care and in compliance with data protection law requirements and our regulator, the British Association for Behavioural and Cognitive Psychotherapies (BABCP). We also owe you a duty of confidentiality, which is explained in our client contracts. Accordingly, we adhere strictly to our professional and legal obligations to maintain confidentiality, except where disclosure is required by law or where there is a risk of harm to you or others. 

By discussing the sensitive data with us, you are giving us your express consent to process that sensitive data. We therefore rely on consent and the performance of a contract as our legal bases for processing this personal data. You have certain rights over this data, but there are circumstances under which our professional obligations override our obligation to delete personal data. This is explained under ‘What are your legal rights to your personal data?’ 

We will only use the personal data for the reason it was first collected which, in the case of receiving our services, is to provide you with therapy, for instance. 

 

How do we collect personal data? 

  1. There are different ways we can collect data from and about you including through: 

  • From you. You may give us your Identity Data and Contact Data when you make a purchase from us, you contact us via email, post, phone or social media. In the case of receiving therapy services, you may also give us Special Category Data. 

  • Automatically by using our website. As you use our website and services, we automatically collect Technical Data about your devices, browsing actions, and patterns. We collect this personal data using cookies, server logs, and other similar technologies. We might also receive Technical Data about you if you visit other websites that use our cookies. 

  • From others or from public sources. We may receive your personal data from various third parties and public sources, such as Google, Companies House, or the electoral register. 

 

If we receive your personal information from third parties, we’ll protect it in the same way as we do the personal information we might collect directly, as explained in this policy. 

 

How do we use your personal data? 

  1. When we use your personal data, we must make sure we have a legal reason to do so. The most common ones that we rely on are: 

  • Because it’s needed for a contract: We rely on this where we need it to perform the contract with you, such as enabling you to receive our services or to make a purchase from us. 

  • Because we have a legitimate interests: We will rely on this when it is important for our business (or for a third party) and when your interests and basic rights do not outweigh those business needs. This means we have a ‘legitimate interest.’ 

  • Because it’s our legal obligation: We will rely on this when we need to comply with a legal obligation. 

  • Because you have given us your consent: We will rely on consent only where we have obtained your active agreement to use your personal data for a particular reason, as explained above about collecting Special Category Data. 

 

When will we use your personal data? 

  1. In the table below, we have set out the times when we will use your personal data and the legal bases we rely on: 

  1.  

Purpose/Activity 

Type of data 

Lawful basis for processing including basis of legitimate interest 

So you can contact us with an enquiry in any way, including email, post, phone, or social media  

Identity  

Contact 

Contract 

Legitimate Interests (to enable us to respond to your enquiry) 

So you can receive our services  

Identity  

Contact  

Special Category Data 

Financial 

Profile 

Marketing and Communications 

Contract 

Legitimate Interests (so we can receive our services) 

Consent (in relation to Special Category Data) 

 

So we can manage our relationship with you which will include: 

(a) Dealing with payments 

(b) Notifying you about changes to our terms and conditions or this privacy and cookies policy 

(c) Asking you to leave a review or take a survey 

Identity  

Contact  

Financial 

Profile  

Marketing and Communications 

Contract 

Legal Obligation 

Legitimate Interests (to keep our records updated and to study how customers use our services) 

So you can register for our mailing list/email marketing 

Identity 

Contact 

Marketing and Communications 

Contract 

Legitimate Interests (to enable us to provide you with the newsletter/email marketing and present you with information, or services we consider you will be interested in) 

So we can administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)   

Identity 

Contact 

Technical 

Legitimate Interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) 

Legal Obligation 

So we can deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you 

Identity  

Contact  

Profile  

Usage  

Marketing and Communications  

Technical  

Legitimate Interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy) 

So we can use data analytics to improve our website, services, marketing, customer relationships and experiences 

Technical  

Usage  

Legitimate Interests (to define types of customers for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) 

So we can make suggestions and recommendations to you about goods or services that may be of interest to you 

Identity  

Contact  

Technical  

Usage  

Profile  

Marketing and Communications 

Legitimate Interests (to develop our products/services and grow our business) 

 

Do we send out marketing?  

  1. If you've asked us for information or become a customer of our services, we might send you marketing communications. Don't worry, though - we'll always ask for your permission before sharing your personal data with any third parties for marketing purposes. If you ever want to stop receiving marketing messages, you can use the opt-out links provided in any marketing message. Just so you know, if you opt out of these messages, it won't affect any personal data we've collected from you in relation to a purchase or other transaction. 

  1.  

Does our website use cookies? 

  1. Our website does (as does every website). We use cookies on our website to make sure you have the best experience possible while browsing. Cookies are small files that contain letters and numbers and are stored on your computer if you give us permission. This helps us recognise you from other website visitors and lets us improve our website for you. We want to make sure you have a great experience on our website, and cookies help us do just that. The cookies we use are: 

  • Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services. 

  • Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. 

  • Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region). 

Please note that some other companies might also use cookies, which we can't control. These other companies could be advertising networks or providers of services like web traffic analysis. Their cookies might be used to help us understand how people use our website or to show you adverts. 

We will always ask for your permission to use cookies that are not essential for the website to work. If you decide not to allow these cookies, some parts of the website might not work as well, and you might miss out on some features like video ads. You can also turn off our cookies any time you want by changing the settings on your browser or by using the pop-up that appears on the website. 

  1.  

  1. How can you control cookies? 

You can stop cookies from being used by changing the settings on your web browser. This lets you refuse the use of all or some cookies. However, if you block all cookies, including the essential ones, you might not be able to use all parts of our website. You can find more information at these links depending on the browser you’re using: Google Chrome / Microsoft Edge  / Internet Explorer / Firefox / Safari / Safari Mobile / Opera

 

When might we share your personal data? 

  1. There may circumstances under which we can share your personal data with others: 

  • If we decide to sell our business or company, we can share your information with the potential buyer. 

  • We can share it with other businesses in our group, as defined by the UK Companies Act 2006. 

  • We can share it if we have a professional or legal duty to do so, or to protect other people’s property, safety, or rights. An example is where you receive our therapy services and we need to disclose information you’ve share with us because there is a risk of harm to you or others. 

  • We can share information with others to protect against fraud or risks related to credit. 

  • We can share your Special Category Data with our regulator, the BABCP, and with any supervisors whose role it is to oversee/monitor the provision of our services. In this case, any personal data we share will be anonymous, so that you can’t be identified from the information we share. 

  1.  

  1. We use different third-party services to help with our business activities, so we might share your personal data with these third parties. Here are some types of third parties we might use: 

  • Companies or individuals that assist us in providing our services, including without limitation employees, contractors, workers. 

  • Companies that help us understand how people use our website (analytics service providers). 

  • Companies that help us manage events or campaigns. 

  • Companies that help us manage our website. 

  • Companies that provide information technology and related infrastructure. 

  • Companies that help us send emails. 

  • Our auditors and legal advisors. 

  1. It’s important to know that all these third parties are required to protect your personal data. If we hire any third parties to help us with our services, we will make sure they sign a contract that includes strong data protection obligations to keep your data secure. 

 

How do we secure your personal data? 

  1. Keeping your data safe is very important to us. We have put in place proper physical, electronic, and managerial steps to safeguard and protect the data we collect. We also limit access to your personal data to those employees, agents, contractors, and other third parties who need to know. They will only use your personal data according to our instructions and are required to keep it confidential. We have procedures to handle any suspected data breaches and will let you and any relevant regulator know if we are legally required to do so. 

  1. If we find out that there has been a data breach, we will let you know as soon as possible. We will then take all necessary steps, including informing the Information Commissioner's Office (ICO), to limit the extent of the breach and prevent it from happening again. 

 

Do we transfer your personal data internationally? 

  1. Sometimes, we may need to send your personal data outside of the UK or the European Economic Area (EEA) to get help from other companies, like for services or payments. Whenever we send your personal data out of the UK or EEA, we make sure it stays protected by either only sending your data to countries that are considered safe for personal data, or using special contracts that make sure your data gets the same protection as it would in the UK. If you want more details on how we protect your data when we send it outside the UK or EEA, please contact us. 

 

How long do we hold on to your personal data for? 

  1. We will only keep your personal data for as long as necessary to do what we collected it for, including any legal, regulatory, tax, accounting, or reporting needs, and within the bounds of our professional obligations.  

  1. Where you receive our therapy services, we generally adhere to the guidelines provided by the BABCP, and accordingly we retain our therapy records (which will include your personal data and Special Category Data) for a minimum of seven years after the last contact with you. For children and young people, we may keep records until the individual reaches the age of 25. 

  1. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation concerning our relationship with you. 

  1. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements. 

  1.  

 

What are your legal rights to your personal data? 

Your personal data is protected by legal rights, including your rights to: 

  • Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we’re lawfully processing it. 

  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. 

  • Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.  

  1. There are exceptions to the right to erasure, which are set out here. As such, we may not always be able to comply with your request for erasure for specific legal or professional reasons which we will notify you of, if applicable, at the time of your request. This is because our professional obligations may override the right to erasure. For instance, where you have received our therapy services, we will retain your records for at least seven years after our contact with you ends, or until a child reaches the age of 25.  

  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object. 

  • You also have the absolute right to object any time to the processing of your personal data for direct marketing purposes

  • Request the transfer of your personal data to you or to a third party. We’ll provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. 

  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios: 

  • If you want us to establish the data's accuracy. 

  • Where our use of the data is unlawful but you don’t want us to erase it. 

  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims. 

  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. 

 

Your rights will depend on the lawful basis we rely on when we process your personal data. 

 

For more information or to exercise your data protection rights, please email innerglowtherapy@hotmail.com. You won’t have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances. 

 

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data isn’t disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. 

 

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we’ll notify you and keep you updated. 

 

What about links on our website? 

This policy only covers our website, our services and our business. Sometimes, we might have links on our website that take you to other websites. These other websites will have their own rules and privacy policies. You should read their privacy policies before sharing your personal data with them. 

 

Do we change this policy? 

  1. We might need to update this policy from time to time if the laws change or if we make changes to our website or services. If we make important changes to this policy and need your consent, we will contact you by email to let you know.