Privacy Policy

1. Who This Policy Applies To

This policy applies to:

• prospective clients who contact us or make an enquiry;
• clients who book and attend Sessions; and
• visitors to our website at coastly.co.uk.

All clients of Coastly Women’s Health are aged 18 or over. We do not knowingly collect personal data from children.

2. What Personal Information We Collect

2.1 Information You Give Us Directly

When you contact us, make a Booking, or attend a Session, we collect:

• Identity data: full name
• Contact data: email address, telephone number
• Location data: postcode (and, where relevant, address details you provide)
• Booking data: Session dates/times, attendance records, cancellations, reschedules
• Financial data: payment records (amounts paid, method of payment, dates). We do not store full card details.
• Communications: emails and other correspondence with us
• Health and session record data (Special Category data): health history, symptoms, relevant medical history, pregnancy or postnatal status, surgical history, medications, pelvic floor or musculoskeletal concerns, movement observations, session notes, and exercise programmes

2.2 Information We Collect Automatically (Website Use)

When you visit our website, we may collect limited technical information, such as:

• IP address
• browser type and version
• device type
• pages viewed and approximate time spent on the site
• referring website

This information may be collected through strictly necessary cookies and similar technologies used for security and site functionality. See section 11 (Cookies).

2.3 Health Intake Form

Before or at your first Session, you will be asked to complete a health intake form. The information you provide forms part of your client record and is treated as Special Category health data. Providing this information is a condition of us being able to provide the Services safely.

2.4 Photographs and Recordings

We will not photograph, film, or record you without your explicit written consent. Any marketing use of images or recordings is handled separately and you may withdraw that consent at any time.

2.5 Emergency Contact Details (If You Provide Them)

If you choose to provide emergency contact details, we will process that information for safety purposes only. You confirm you have permission to provide that person’s details.

2.6 Doorbell Camera (Home Practice)

We use an external doorbell camera for home security at the entrance to the premises. It may record video and/or audio of visitors approaching the entrance. Recordings are used for security and incident management, are accessed only when necessary, and are retained for 1 year unless required for an incident or legal claim.

3. Why We Collect Your Information and Our Lawful Bases

UK GDPR requires us to have:

• a lawful basis under Article 6 for processing personal data; and
• an additional condition under Article 9 for processing Special Category health data.

3.1 Standard Personal Data — Article 6 Lawful Bases

3.2 Special Category Health Data — Article 9 Conditions

We process health data only where an Article 9 condition applies. The conditions we rely on are:

(a) Explicit consent — Article 9(2)(a)
We rely on your explicit consent to collect and use your health information to provide the Services safely (including tailoring movement support and maintaining your client record). You provide explicit consent when you complete the intake process and provide the required consent confirmation.

(b) Vital interests — Article 9(2)(c)
In a medical emergency where you are unable to give consent, we may share relevant information with emergency services if necessary to protect your vital interests.

(c) Legal claims — Article 9(2)(f)
Where necessary, we may retain and use limited health information to establish, exercise, or defend legal claims (for example, in relation to complaints, disputes, or insurance matters).

Withdrawing consent and impact on Services:
You can withdraw explicit consent at any time (see section 9). If you withdraw consent for us to process health data that is essential to provide the Services safely, we will be unable to continue providing future Sessions. Withdrawal of consent does not affect processing already carried out. We may still retain limited records where necessary for legal claims, tax/accounting, or other lawful purposes described in this policy.

4. Special Category Health Data — Additional Safeguards

Because health data is particularly sensitive, we apply additional protections including:

• access limited to the practitioner (and, where strictly necessary, trusted professional support under confidentiality obligations, such as insured professional advisers)
• password-protected devices and accounts
• secure storage, and where applicable encryption and secure backups
• physical security for any paper records (locked storage)
• no sale of personal data and no commercial sharing of health data
• minimisation: we collect only what is necessary to deliver the Services safely
• staff access control: as a sole practitioner practice, we do not have general staff access to client records

We also maintain an internal written policy covering how we handle Special Category data (security, access, retention, and disposal).

5. Booking System, Website Forms, and Data Storage

Our website uses a booking system that stores booking and form information within our local administrative environment.

We do not store full card numbers or payment credentials. Card payments are processed using a card reader/payment provider.

6. How Long We Keep Your Information (Retention)

We keep personal information only for as long as necessary for the purposes in this policy, after which it is securely deleted or destroyed.

Why we keep health records for 7 years: This period helps protect both you and us in case of a later complaint, dispute, insurance matter, or legal claim. Where you request deletion, we will consider the request and, where we must retain records, we will restrict access and retain only what is necessary.

7. Who We Share Your Information With

We do not sell your personal data and we do not share health information for commercial purposes.

We may share personal information in limited circumstances, including:

7.1 Service providers (processors)

We use third-party service providers to operate and secure the website and run the practice. These providers process personal data on our behalf under written contracts and only under our instructions. Categories include:

• email and communications (email hosting/delivery)
• payment providers (card reader/payment processing)
• professional advisers (accountant, insurer, legal adviser) where necessary
• IT/security support where strictly necessary for troubleshooting or incident response

We do not allow processors to use your personal data for their own purposes.

7.2 Legal and regulatory disclosures

We may disclose information where required by law, court order, or to comply with legal obligations.

7.3 Safeguarding and emergencies

Where we have a reasonable concern for safety, or in an emergency, we may share relevant information with appropriate services (including emergency services), where permitted or required by law.

7.4 Referrals

Where you ask us to refer you to another professional, we will do so only with your explicit consent and will share only the relevant information necessary for the referral.

8. International Transfers

Some service providers we use may process data outside the UK, or may allow access from outside the UK (for example, where a provider operates global infrastructure).

Where personal data is transferred outside the UK, we will ensure appropriate safeguards are in place, such as:

• the UK International Data Transfer Agreement (IDTA); and/or
• the UK Addendum to the EU Standard Contractual Clauses; and/or
• other safeguards permitted under UK GDPR.

If you want more information about specific safeguards used with a particular provider, you can contact us at legal@coastly.co.uk.

9. Your Rights

Under UK GDPR, you have rights in relation to your personal data. You can exercise these rights by contacting us at legal@coastly.co.uk.

You have the right to:

• access (request a copy of your data)
• rectification (correct inaccurate or incomplete data)
• erasure (request deletion in certain circumstances)
• restriction (limit how we process data in certain circumstances)
• data portability (receive certain data in a structured, commonly used format)
• object (to processing based on legitimate interests; absolute right to object to direct marketing)
• withdraw consent (where processing is based on consent)

We respond to rights requests within one calendar month. In complex cases, this may be extended by up to two further months; if so, we will tell you within the first month.

There is no charge for exercising your rights unless a request is manifestly unfounded or excessive, in which case a reasonable fee may apply.

10. Data Security

We take security seriously given the sensitive nature of health information. Measures include:

• access controls and strong passwords
• secure devices and accounts
• secure backups and updates for our website platform
• minimised access (sole practitioner access by default)
• prompt investigation of suspected incidents

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it. Where required, we will also notify you without undue delay.

11. Cookies and Similar Technologies

Our website may use cookies and similar technologies.

Strictly necessary cookies: used to make the website and booking system function and to help protect the site from security threats. These do not require consent.

Optional cookies: We do not use advertising/remarketing pixels (such as Meta Pixel) or Google Ads conversion tracking on this website.

Analytics: We use analytics cookies only with your consent to understand how visitors use the website and to improve it. Full details are in our Cookies Policy at coastly.co.uk/cookie-policy/.

You can manage cookie preferences using the cookie banner and/or your browser settings. Full details are set out in our Cookies Policy.

12. Marketing

We will only send marketing communications (such as service updates or offers) if you have explicitly opted in.

You can withdraw marketing consent at any time by:

• emailing legal@coastly.co.uk; or
• using the unsubscribe link in any marketing email.

Withdrawing marketing consent does not affect how we process personal data for other purposes.

13. Do You Have to Provide Your Information?

You are not legally required to provide personal data to us. However:

• to make a Booking, we require your name and contact details; and
• to provide the Services safely, we require the intake and relevant health information.

If you choose not to provide required information, we may be unable to accept your Booking or provide the Services.

14. Automated Decision-Making

We do not use automated decision-making (including profiling) that produces legal or similarly significant effects about you.

15. Complaints

If you have a concern about how we handle your personal data, contact us first at legal@coastly.co.uk.

You also have the right to complain to the ICO:

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

16. Changes to This Policy

We may update this policy from time to time to reflect changes in law, services, or our data practices. The “Last updated” date shows when it was last revised. Where changes are significant, we will notify active clients by email.

This Privacy Policy should be read alongside our Terms & Conditions and Cookies Policy.