Hidden Gem Massage Therapy — Privacy Policy

Version 1.1 — Last updated May 2026

This policy is written in accordance with UK GDPR and the Data Protection Act 2018.

Hidden Gem Massage Therapy is committed to protecting your privacy. This policy explains how your personal information is collected, used, stored, and protected.

  • Hidden Gem Massage Therapy is the Data Controller for your personal information.

  • Acuity Scheduling (Squarespace) acts as a secure Data Processor for appointment and intake information.

1. Information We Collect

We collect only the information necessary to provide safe and effective treatment and to meet legal and professional obligations.

Contact details

  • Name

  • Date of birth

  • Address

  • Contact number(s)

  • Email address

  • Emergency contact

Health information

  • Medical history

  • Medications

  • Details of your condition

  • Lifestyle and activity information

  • Physical examination findings

2. Lawful Basis for Processing

Under UK GDPR, our lawful bases include:

  • Explicit consent (for special category health data)

  • Legitimate interest (to provide safe and effective treatment)

  • Legal obligation (record‑keeping requirements for healthcare professionals)

3. How We Use Your Information

Your information is used to:

  • Provide safe and appropriate treatment

  • Maintain a legal record of care

  • Ensure continuity of care

  • Communicate with you about appointments, treatment, or relevant services

  • Conduct internal audits using anonymised data

We never share your information for commercial purposes.

4. How We Store Your Information

Records are stored securely in paper and/or electronic formats.

Electronic data may be stored on secure, password‑protected systems such as Acuity Scheduling, Squarespace, or encrypted email services.

We also securely store some electronic records using encrypted cloud‑based services such as Google Drive and/or Microsoft OneDrive. These services act as Data Processors and comply with UK GDPR requirements.

5. Sharing Information

We may share information with your GP, consultant, or insurance provider only with your explicit consent.

If we provide a letter for you to pass on, you are responsible for keeping it secure.

6. Retention of Records

  • Adult records: kept for 8 years after your last treatment

  • Children/young people: kept until age 25, or 8 years after death

  • Electronic records may be retained indefinitely to maintain treatment history

7. Your Rights

You have the right to:

  • Request a copy of the information we hold

  • Request corrections to inaccurate information

  • Withdraw consent at any time (except where records must be retained by law)

To exercise your rights, please contact us in writing.

If you have concerns about how your data is handled, you may contact the Information Commissioner’s Office (ICO) at ico.org.uk.

8. Additional Notes

Website Links

Our website may contain links to external sites. These sites have their own privacy policies, and we are not responsible for their content or how they handle your data.

Cookies

Our website uses cookies to collect standard internet log information and track visitor behaviour. You may disable cookies in your browser settings, although some features may not function correctly.

Security of Electronic Communications

We use secure, encrypted online forms (such as Acuity Scheduling) for collecting personal and health information, and these are the preferred method for submitting sensitive details.

General electronic communications (such as standard email, SMS, or messaging apps) cannot be guaranteed 100% secure. Please avoid sending sensitive medical information through these channels unless necessary.

Policy Updates

This policy may be updated periodically to reflect changes in legislation or practice. The most recent version will always be available on our website.