PRIVACY NOTICE 

MH Massage Therapy Ltd, trading as Massage Therapy MH


Last updated: 1 January 2025


This Privacy Notice for MH Massage Therapy Ltd, trading as Massage Therapy MH ('we', 'us', or 'our'), describes how and why we collect, store, use, and/or share ('process') your personal information when you use our services, including when you: 


  • Visit our website https://massagetherapymh.co.uk
  • Use our client portal via Zanda Health
  • Use any online platform or mobile application to book an appointment, or any other website that links to this Privacy Notice
  • Buy an e-Gift Card 
  • Engage with us in other related ways, including any sales, marketing, or events 


This Privacy Notice might not be applicable in full if we provide our services as part of an event, as part of charitable fundraising including but not limited to services being offered as a prize in a raffle, corporate wellbeing programs, if our services are not directly booked online on our webpage or by using the client portal, and/or if we collaborate with a third party to offer our services.


SUMMARY OF KEY POINTS 


This summary provides key points from our Privacy Notice. A more detailed description of the personal data we collect, process, use and store, and of our data processors, follows after the summary of these key points.


What personal information do we process? 

The personal information you provide and how it is processed depend on your interaction with us and/or your use of the services we provide. Please see ‘Privacy Notice in Full’ for a full list of the personal data we process and the data processors we use.


Do we process any sensitive personal information? 

We collect and process sensitive personal information to ensure that there are no contraindications which prevent or restrict massage therapy. This information will be provided by yourself by completing the intake/consultation form, which includes your medical history, medical conditions, prescribed medication and allergies. This means that the personal information we collect and process includes special categories of personal data as defined in the UK GDPR. 


Do we collect any information from third parties? 

Any information coming from third parties will be provided to us on your behalf and/or based on your request. An example could be a written note from your medical practitioner confirming that your medical condition is not a contraindication for massage therapy. 


In what situations and with which parties do we share personal information? 

We collaborate with third-party vendors (data processors) to process and store the personal data we collect. We will only share your personal data with a healthcare professional if a referral is required and only after you give explicit consent for us to do so. There might be circumstances where personal data is shared with our insurance company and/or legal advisors.


How do we keep your information safe? 

We have a range of security measures in place to protect your personal information from unauthorised access, use, or loss. Two-step verification, where available, is in place to increase data security and minimise the risk of unauthorised use of, or access to, the personal data we hold.


Reasonable steps have been taken to assess third party vendors, who are categorised as data processors in the UK GDPR, to ensure they are compliant and have appropriate data protection safeguards in place to protect your personal data. 


We will review the security measures we have in place on a regular basis and adjust them and/or implement additional security measures if they become available.


How can I get my personal data? 

Under the UK General Data Protection Regulation you have rights when it comes to your personal data. The right to access the personal data we hold is one of them. Your right of access to the personal data we hold can be exercised by submitting a Data Subject Access Request on our webpage: DSAR | Massage Therapy MH


Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about the information we collect and store, to enable us to deliver our services. 


FURTHER DETAILS


Table of contents 

  1. Collecting personal information 
  2. Legal bases we rely on
  3. Data processors and processing of personal data
  4. Other third parties we share information with 
  5. Cookies and other tracking technologies
  6. Data retention 
  7. Your Privacy rights under the UK GDPR
  8. Updates to our privacy notice
  9. Contact details in relation to our privacy notice and your rights
  10. How to raise an official complaint with the UK Regulator


1. Collecting personal information 

We collect personal information provided by you for a variety of reasons. Which information is collected, and how it is collected, processed, used and/or retained, depends on the interaction, the nature of the interaction and/or the service we are providing.


We ask you to provide us with personal information if we believe there is a valid reason to do so, and we have taken the following into account when determining the required information:

  • Is it lawful, fair and transparent
  • Relevant and limited: we don’t ask for more information than its purpose requires
  • Legal restrictions on using personal information shared for a different purpose


2. Legal bases we rely on

The UK GDPR requires us to explain the valid legal bases we rely on in order to process your personal information. The valid legal bases we rely on are contractual obligations, to be able to provide you with our services, or consent given by you.


Special rules apply for sensitive personal data like medical information, which falls under the so-called special category of personal data in the UK GDPR. Processing and use of this data will be based on your explicit consent. 


3. Data processors and processing of personal data

We use third party vendors and service providers for hosting our webpage, online appointment bookings, client management, payment gateway, cookie consent management, email delivery, newsletter and marketing email delivery and accounting. In the UK GDPR they are defined as our data processors. 


Website

One.com is the hosting service for our webpage and our email delivery service, excluding marketing emails and automated emails in relation to a booked appointment. The online booking system powered by Acuity is embedded, and one.com is therefore not the hosting service of this tool.


We use Termly for our cookie management system. Please see the cookies we use for more detailed information.


Online booking system

Acuity Scheduling from Squarespace is our online booking system, which is embedded in our webpage. The personal data collected, such as name, telephone number and address, will enable us to contact you and to deliver mobile massage therapy. The details will be entered manually in our practice management software from Zanda Health. Square is the payment gateway we use for all appointments booked via Acuity Scheduling and for payments made when ordering massage packages and/or massage certificates.


More information is available in Squarespace's Terms of Service (Terms of Service – Squarespace) and Data Processing Addendum (Data Processing Addendum – Squarespace).


Client Portal / Online intake / consultation form

The Client Portal is part of Zanda Health, and clients can log in to their account to make an appointment and to view future appointments and invoices. Stripe processes payments made through the client portal.


Information about your medical history, medical conditions, recent surgery, ongoing treatments and/or allergies is collected when you complete the online consultation form. We collect and process sensitive personal information to ensure that there are no contraindications preventing or restricting massage therapy.


All personal information that you provide to us must be true, complete and accurate. You must notify us of any changes to such personal information, including any changes to your health and medication. 


We might further store information and documentation in relation to the massage therapy, such as: the result of any postural assessment, reason for visit, findings, treatment plans, recommendations, and other non-physical conditions shared which could impact your current physical condition.


Concession types might be used where a discounted price has been offered to volunteers of a local charity. 


More information is available in Zanda Health’s Terms of Use (Terms of Use | Practice Management Software | Zanda) and Privacy Policy (Privacy Policy - Zanda Health). An EU Standard Contractual Clause UK Addendum is in place.


Payment Gateway/ payment processors

The data necessary to process your payments for our services will be handled and stored by Stripe and Square. We don’t have access to your card details when you book an appointment on our webpage, use the client portal or use tap to pay in person.


The privacy policy of Stripe is available on https://stripe.com/gb/privacy 


Square’s privacy policy can be found here: https://squareup.com/gb/en/legal/general/privacy-no-account?country_redirection=true


Newsletter/ Marketing related emails

Receiving the newsletter or any marketing related emails will require you to subscribe to them separately. Your data is processed and stored with Mailchimp and is not linked to your client profile in our practice management system. An unsubscribe link can be found in the footer of those emails.


The Mailchimp Data Processing Addendum is available at: Mailchimp Data Processing Addendum Preview | Mailchimp


4. Other third parties we share information with

We might need to share personal information with our insurance company and/or legal advisors if a claim has been made. We will only share your personal data with a healthcare professional if a referral is required and only after you give explicit consent for us to do so. 


5. Cookies and other tracking technologies

We use Termly for our cookie consent management, including the consent banner. Termly uses two different cookies:

  • TERMLY_API_CACHE is used to store visitors’ consent results in order to improve the performance of the consent banner.
  • One which assigns a random ID number to each visitor so that their policy consent and cookie consent preferences can be saved.
  • Csrf_token protects against hacking and malicious actors.

We might in the future make use of other cookies and/or tracking technologies, to track the efficiency of marketing campaigns. 


6. Data retention

All personal data we collect, store and use, and which is directly related to massage treatments provided, will be retained for 10 years. Submitted contact forms and emails will be saved for a maximum of 3 months if not related to a massage treatment provided.


7. Your Privacy rights under the UK GDPR

  • Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
  • Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
  • Your right to erasure - You have the right to ask us to delete your personal information.
  • Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information.
  • Your right to object to processing - You have the right to object to the processing of your personal data.
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
  • Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.


Right to be informed

  • You have the right to be informed about the collection and use of your personal data, which this privacy notice provides.


Right of access to personal data we hold

  • You have the right to request the personal data we hold by submitting a Data Subject Access Request. We will not charge you for the administrative costs unless it is manifestly unfounded or excessive in which case we are allowed to charge a reasonable fee and will inform you beforehand about the costs.


Right to rectification of inaccurate or incomplete personal data

  • You have the right of rectification of any inaccurate or incomplete personal data we hold. All personal information that you provide to us must be true, complete and accurate as mentioned before. You must notify us of any changes to such personal information, including any changes to your health and medication. Sensitive personal information should however not be shared via email unless password protected/ encrypted. 


Right to object

  • You have the right to object to processing of your personal data and an absolute right to object to the processing of your personal data if it is for direct marketing purposes, including profiling. 


We collect and process your personal data to provide your mobile massage services or any other services. The personal information collected will not be used for marketing purposes, including profiling, unless you have subscribed to our newsletter and marketing by completing the form on our webpage: Newsletter | Massage Therapy


The newsletter and/or direct marketing emails do include a link to unsubscribe, if you no longer would like to receive the newsletter or any other marketing related emails from us. 


More information about your rights can be found on the ICO webpage.


UK Regulator

The Information Commissioner’s Office is the regulator of data protection and other information rights legislation in the UK. A copy of our ‘Data Protection Registration Certificate’ is available on their website.


More information about the UK GDPR and other regulation in relation to Data protection is available on the Information Commissioner’s Office (ICO) website, https://ico.org.uk


If you still have any questions or concerns, please contact us by sending us an email with your questions or concerns. Our email address is GDPR at massagetherapymh.co.uk. 


Exercising your rights

Your right of access to the personal data we hold can be exercised by submitting a Data Subject Access Request on our webpage: DSAR | Massage Therapy MH


For any other requests in relation to your rights, you can contact us by telephone, email or post. We will consider and act upon any request in accordance with your rights under the UK GDPR. A more detailed description of each of your rights can be found in the ‘Privacy Notice in Full’.


8. Updates to our privacy notice

We will update our privacy notice when required due to changes in, but not limited to, the nature of our services, the way we process your information, the data processors we use and/or applicable regulations in the UK. Changes will be incorporated in our Privacy Notice and included in the overview of amendments to the original Privacy Notice at the end of this document.


9. Contact details in relation to our privacy notice and your rights


MH Massage Therapy Ltd / trading as Massage Therapy MH

Registered Address: 71-75 Shelton Street Covent Garden, WC2H 9JQ London

Telephone number: 07783998298

Email: GDPR at massagetherapymh.co.uk


Additionally you can use the contact form available on our webpage, Contact-Form, where you have the option to select your preference when you would like to be called back. 


10. How to complain

    If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice. If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

    The ICO’s address:           

    Information Commissioner’s Office
    Wycliffe House, Water Lane, Wilmslow
    Cheshire, SK9 5AF

    Helpline number: 0303 123 1113

    Website: https://www.ico.org.uk/make-a-complaint


    Updates

    Any updates and/or amendments will be listed here and incorporated in our privacy notice. 
