PRIVACY POLICY
ZEST Acupuncture & Holistic Medicine
Last Updated: December 2025
1. INTRODUCTION
ZEST Acupuncture & Holistic Medicine (“we,” “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website zestavupuncture.co.uk (the “Site”), book a consultation, download resources, or engage with our services.
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Site or services.
2. INFORMATION WE COLLECT
2.1 Information You Provide Directly
When you book a session:
- Name
- Email address
- Phone number
When you download resources:
- Email address
- Name
- Optional: Health interests or concerns
When you sign up for our newsletter:
- Email address
- First name
- Optional: Health interests
When you contact us:
- Name
- Email address
- Message content
- Any attachments you provide
During consultation:
- Health assessment
- Treatment notes and progress
- Photographs of the tongue, ears and hands (if you consent to before/after documentation)
- Any personal or sensitive health data you share
2.2 Information Collected Automatically
Through our website:
- IP address
- Browser type and version
- Operating system
- Pages visited and time spent
- Links clicked
- Referrer information
- Device type and identifiers
- Cookies and similar tracking technologies
Through the booking system (Neetocal):
- Booking history
- Appointment reminders
- Communication records
3. HOW WE USE YOUR INFORMATION
3.1 Primary Purposes
We use your information to:
Provide Healthcare Services:
- Create and maintain your patient record
- Diagnose and treat your health conditions
- Track your treatment progress
- Provide acupuncture, bodywork, herbal medicine, and related services
- Follow up on your treatment outcomes
- Provide emergency care if needed
Communication:
- Send appointment reminders and confirmations
- Communicate about your treatment plan
- Answer your questions and inquiries
- Send newsletters (only if you’ve opted in or come for a session)
- Provide educational resources relevant to your care
Administrative & Legal:
- Process payments and invoices
- Maintain accurate patient records (required by law)
- Comply with UK health regulations
- Fulfil legal obligations
- Prevent fraud and protect our practice
Continuous Improvement:
- Understand how you use our website
- Improve our services and website functionality
- Analyse trends and usage patterns
- Gather feedback to enhance client experience
3.2 Legal Basis for Processing
We process your information based on:
- Contract Performance (GDPR Article 6(1)(b)): To provide agreed healthcare services
- Consent (GDPR Article 6(1)(a)): For newsletter, non-essential communications, and photography
- Legal Obligation (GDPR Article 6(1)(c)): To maintain patient records, comply with health regulations
- Legitimate Interests (GDPR Article 6(1)(f)): To improve our services, prevent fraud, analyse website usage
- Vital Interests (GDPR Article 6(1)(d)): To protect your health or life in emergencies
4. WHO WE SHARE YOUR INFORMATION WITH
4.1 Third Parties We May Share With
Healthcare Providers (with your consent ONLY):
- Your GP or specialist doctor (if you authorise)
- Other practitioners you’re seeing
Service Providers:
- Neetocal (booking/scheduling system) – processes booking data
- Email provider (for newsletters and communications)
- Payment processor – processes payments securely
- Website hosting provider – stores website data
- Analytics provider (if applicable) – tracks website usage
Legal Requirements:
- Law enforcement (if legally required)
- Regulatory bodies (health authorities, ATCM)
- Courts (if legally ordered)
4.2 What We DO NOT Do
We do not:
- Sell your personal data to third parties
- Share your health information for marketing purposes
- Share data outside the UK/EU without appropriate safeguards
- Use your data for profiling or automated decision-making
- Disclose your data without your consent (except where legally required)
4.3 International Data Transfers
Any data transfers outside the UK/EU are protected by:
- Standard contractual clauses approved by the ICO
- Your explicit consent
- Adequacy decisions where applicable
5. YOUR RIGHTS UNDER GDPR
You have the following rights regarding your personal data:
5.1 Right of Access (Article 15)
You can request a copy of your personal data we hold. We will respond within 30 days of your request.
How to request: Email ela@zestacupuncture.co.uk with “Data Access Request” in the subject line.
5.2 Right to Rectification (Article 16)
You can correct inaccurate or incomplete data. We will update your information promptly.
5.3 Right to Erasure (Article 17)
You can request deletion of your data, except where:
- We have a legal obligation to keep it
- It’s necessary for healthcare purposes
- It’s needed for legal claims
5.4 Right to Restrict Processing (Article 18)
You can limit how we use your data while we investigate disputes or verify information accuracy.
5.5 Right to Object (Article 21)
You can object to processing for:
- Marketing communications (you can unsubscribe at any time)
- Analytics and tracking
- Legitimate interest processing
5.6 Right to Withdraw Consent (Article 7)
If we’re processing based on your consent, you can withdraw it at any time. This doesn’t affect data already processed.
5.8 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to automated decision-making. Our practice does not use automated profiling.
To exercise any of these rights, contact:
Ela Pękalska
ZEST Acupuncture & Holistic Medicine
ela@zestacupuncture.co.uk
+44 777 580 6677
We will respond within 30 days as required by law.
6. DATA RETENTION
We retain your personal information for:
6.1 Health Records
Retention period: Minimum 7 years after your last appointment, as required by UK health regulations.
Reasons:
- Legal obligation under health data protection laws
- Potential future healthcare needs
- Legal claims or complaints
- Professional indemnity insurance requirements
6.2 Newsletter Subscribers
Retention period: Until you unsubscribe or request deletion.
You can unsubscribe at any time using the link in every newsletter email.
6.3 Website Analytics & Cookies
Retention period: Typically 2 years for aggregate analytics data.
6.4 Communication Records
Retention period: 2 years unless legally required to retain longer.
6.5 Deleted Data
Once the retention period expires, we delete data securely using:
- Secure file shredding
- Encrypted database deletion
7. SECURITY OF YOUR INFORMATION
We implement comprehensive security measures:
7.1 Technical Security
- SSL/TLS encryption for website data transmission
- Encrypted databases for patient records
- Secure password protection for client portals
- Regular security updates and patches
- Firewall protection against unauthorised access
- Backup systems to prevent data loss
7.2 Administrative Security
- Access controls: Only authorised staff can access personal data
- Staff training: All team members trained on data protection and GDPR
- Confidentiality agreements: Staff sign data protection agreements
- Secure storage: Physical records stored in locked cabinets
- Visitor protocols: Restricted access to areas containing personal data
7.3 Data Processor Agreements
All third-party service providers (Neetocal, email, payment processors) have signed Data Processing Agreements ensuring they meet GDPR requirements.
7.4 What We Cannot Guarantee
No system is 100% secure. While we implement strong protections, we cannot guarantee absolute security against:
- Advanced cyber attacks
- Insider threats (though we minimise this risk)
- Natural disasters
8. COOKIES & TRACKING
8.1 What Are Cookies?
Cookies are small text files stored on your device that help us recognise you and improve your experience.
8.2 Types of Cookies We Use
Essential Cookies (Required):
- Session cookies (temporary, deleted when you close your browser)
- Security cookies (protect against fraud)
- Functionality cookies (remember your preferences)
Performance Cookies (Optional):
- Analytics cookies (track how you use our site)
- You can opt out of these without affecting site functionality
Marketing Cookies:
- We do not use marketing/advertising cookies
8.3 Cookie Consent
When you first visit our site, you see a cookie consent banner. You can:
- Accept all cookies
- Reject non-essential cookies
- Customise cookie preferences
8.4 Managing Cookies
You can control cookies through your browser settings:
- Chrome, Safari, Firefox, Edge all allow cookie management
- You can delete cookies at any time
- Disabling cookies may affect some site functionality
Learn more: www.aboutcookies.org
9. THIRD-PARTY LINKS
Our website may contain links to third-party sites (social media, external resources). We are not responsible for their privacy practices.
When you click external links, you leave our site and are subject to their privacy policies. We recommend reviewing their privacy policies before providing information.
10. CHILDREN’S PRIVACY
Our services and website are not intended for children under 18 years old. We do not knowingly collect personal information from children.
If you are a parent/guardian:
- If we discover we’ve collected data from a child, we will delete it immediately
- Please contact us if you’re concerned about your child’s data
11. PRIVACY POLICY UPDATES
We may update this Privacy Policy to reflect:
- Changes in our practices
- New legal requirements
- Technological developments
- Your feedback
How we notify you:
- We’ll update the “Last Updated” date at the top
- For material changes, we may email you or display a prominent notice
- Your continued use of our services implies acceptance of changes
Current version: December 2024
12. CONTACT US
12.1 Data Protection Inquiries
For questions about this Privacy Policy or how we handle your data:
Ela Pękalska
ZEST Acupuncture & Holistic Medicine
Email: ela@zestacupuncture.co.uk
Phone: +44 7775806677
We aim to respond to all inquiries within 10 business days.
12.2 Complaints to Regulatory Authority
If you’re not satisfied with how we handle your data, you can lodge a complaint with the UK Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Phone: 0303 123 1113
Website: www.ico.org.uk
Email: casework@ico.org.uk
You have the right to complain at any time. We encourage you to contact us first so we can try to resolve your concerns.
13. DATA PROTECTION IMPACT ASSESSMENT
We conduct regular Data Protection Impact Assessments to identify and mitigate risks to your data.
Key findings:
- Health data is our highest security priority
- Access to health records is strictly controlled
- We minimise data collection to what’s necessary
- Retention periods are legally compliant
- Client consent is obtained for non-essential processing
14. LEGITIMATE INTERESTS ASSESSMENT
For processing based on “legitimate interests,” we’ve conducted assessments confirming:
- Website analytics: Improves user experience without compromising privacy
- Marketing communications (opt-in only): Helps us share valuable health information
- Fraud prevention: Protects our practice and clients
- Service improvements: Enhances quality of care
15. YOUR SUMMARY OF RIGHTS
Quick reference—you can:
- ✓ Ask for a copy of your data
- ✓ Correct inaccurate information
- ✓ Request deletion (where legally possible)
- ✓ Restrict how we use your data
- ✓ Receive data in portable format
- ✓ Withdraw consent anytime
- ✓ Object to specific processing
- ✓ Complain to the ICO
We commit to:
- ✓ Keeping your data secure
- ✓ Using data only for stated purposes
- ✓ Respecting your privacy choices
- ✓ Responding to requests within 30 days
- ✓ Notifying you of any data breaches
- ✓ Complying with UK GDPR
16. FINAL NOTES
This Privacy Policy is compliant with:
- UK GDPR (UK General Data Protection Regulation)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003 (as amended)
- ICO Guidance on health data
Your privacy is our priority. If you have any questions or concerns, please don’t hesitate to contact us.
ZEST Acupuncture & Holistic Medicine
ela@zestacupuncture.co.uk
+44 777 580 6677
This Privacy Policy is effective as of December 2025.