Hidden Gem Massage Therapy — Privacy Policy
Version 1.1 — Last updated May 2026
This policy is written in accordance with UK GDPR and the Data Protection Act 2018.
Hidden Gem Massage Therapy is committed to protecting your privacy. This policy explains how your personal information is collected, used, stored, and protected.
Hidden Gem Massage Therapy is the Data Controller for your personal information.
Acuity Scheduling (Squarespace) acts as a secure Data Processor for appointment and intake information.
1. Information We Collect
We collect only the information necessary to provide safe and effective treatment and to meet legal and professional obligations.
Contact details
Name
Date of birth
Address
Contact number(s)
Email address
Emergency contact
Health information
Medical history
Medications
Details of your condition
Lifestyle and activity information
Physical examination findings
2. Lawful Basis for Processing
Under UK GDPR, our lawful bases include:
Explicit consent (for special category health data)
Legitimate interest (to provide safe and effective treatment)
Legal obligation (record‑keeping requirements for healthcare professionals)
3. How We Use Your Information
Your information is used to:
Provide safe and appropriate treatment
Maintain a legal record of care
Ensure continuity of care
Communicate with you about appointments, treatment, or relevant services
Conduct internal audits using anonymised data
We never share your information for commercial purposes.
4. How We Store Your Information
Records are stored securely in paper and/or electronic formats.
Electronic data may be stored on secure, password‑protected systems such as Acuity Scheduling, Squarespace, or encrypted email services.
We also securely store some electronic records using encrypted cloud‑based services such as Google Drive and/or Microsoft OneDrive. These services act as Data Processors and comply with UK GDPR requirements.
5. Sharing Information
We may share information with your GP, consultant, or insurance provider only with your explicit consent.
If we provide a letter for you to pass on, you are responsible for keeping it secure.
6. Retention of Records
Adult records: kept for 8 years after your last treatment
Children/young people: kept until age 25, or 8 years after death
Electronic records may be retained indefinitely to maintain treatment history
7. Your Rights
You have the right to:
Request a copy of the information we hold
Request corrections to inaccurate information
Withdraw consent at any time (except where records must be retained by law)
To exercise your rights, please contact us in writing.
If you have concerns about how your data is handled, you may contact the Information Commissioner’s Office (ICO) at ico.org.uk.
8. Additional Notes
Website Links
Our website may contain links to external sites. These sites have their own privacy policies, and we are not responsible for their content or how they handle your data.
Cookies
Our website uses cookies to collect standard internet log information and track visitor behaviour. You may disable cookies in your browser settings, although some features may not function correctly.
Security of Electronic Communications
We use secure, encrypted online forms (such as Acuity Scheduling) for collecting personal and health information, and these are the preferred method for submitting sensitive details.
General electronic communications (such as standard email, SMS, or messaging apps) cannot be guaranteed 100% secure. Please avoid sending sensitive medical information through these channels unless necessary.
Policy Updates
This policy may be updated periodically to reflect changes in legislation or practice. The most recent version will always be available on our website.