
DANIELLE CROFT
Acupuncture
Privacy Policy
Privacy Notice (GDPR)
Danielle Croft trading as Danielle Croft Acupuncture
This Privacy Notice explains how I collect, use, store, and protect your personal data in accordance with the UK General Data Protection Regulation (GDPR). I (Danielle Croft) am the Data Controller for all information collected within my practice.
Who this Notice applies to
– Current clients
– Prospective clients
– Past clients
– Newsletter subscribers
What Personal Data I Collect & Why
1. Contact & Identification Details
Name, date of birth, address, phone number, email address
Used for:
– Identifying you correctly
– Contacting you regarding appointments
– Sending confirmations and reminders (if you consent)
– Meeting the requirements of the British Acupuncture Council (BAcC)
Stored in:
– Acuity Scheduling (password protected)
– My email contacts (hello@daniellecroft.com)
– My work mobile phone
– Your paper patient file
All devices are password protected and my Google Workspace email uses two-factor authentication (2FA).
2. Appointment Information
Appointment dates and times are stored in:
– Acuity Scheduling
– A paper diary backup
– Your patient file
Used for:
– Treatment planning
– Insurance and legal requirements
– Continuity of care
3. Health & Treatment Information
This may include:
– Medical history
– Details about your health condition(s)
– Medication and supplement use
– Lifestyle and wellbeing information
– Diagnostic notes, clinical observations, treatment plans, and consent
– Traditional acupuncture diagnostic notes
Stored in:
a) Paper patient file
Filing cabinet.
b) Secure digital notes
Working notes or diagnostic documents may be stored on:
– My computer’s hard drive (password protected)
– My Google Drive Business account (2FA enabled)
c) Email correspondence folder
Any emails that contain health information are moved into an individual, labelled client folder within my Google Workspace Gmail account (2FA enabled).
These are retained only for clinical, legal, or continuity-of-care purposes.
Retention
All health records, whether paper or digital, are kept for 7 years after your last appointment (or until age 25 if you were under 18) and then deleted.
4. Messages & Communication Channels
WhatsApp or Text Messages
If you choose to contact me via SMS or WhatsApp:
– Messages are used only for communication
– They are kept only as long as needed
– They are deleted regularly
WhatsApp uses encrypted messaging; SMS does not.
Email Messages
Emails are kept in your dedicated client folder until they are no longer required and then deleted at the 7-year retention point.
Facebook Messenger
If used, messages are temporary and deleted when no longer required.
Please note: Messenger is not encrypted end-to-end unless using the “Secret Conversation” feature.
5. Emergency Contact & GP Details
Kept in your patient file and used only:
– In an emergency
– If there is significant risk of harm
– If required for safeguarding
– If advised by BAcC or legal authorities
6. Newsletter Subscription (Mailchimp)
If you sign up to my newsletter:
– Your name and email are stored in Mailchimp
– Mailchimp has two-factor authentication (2FA)
– I can see open and click-through data
You can unsubscribe at any time.
Mailchimp Privacy Policy: https://mailchimp.com/legal/privacy/
7. Incident & Complaint Records
I keep legally required records of:
– Accidents
– Injuries
– Notifiable diseases (RIDDOR)
– Adverse incidents
– Complaints
These may be shared with BAcC, insurers, or legal authorities if required.
Lawful Basis for Processing Your Data
Under GDPR I rely on the following:
– Contract: to provide treatment
– Legitimate interests: appointment reminders, continuity of care
– Legal obligation: maintaining clinical records, safeguarding
– Consent: for newsletters and non-essential communications
You may withdraw consent at any time for newsletters.
How Long I Keep Your Data
– Clinical notes: 7 years after last appointment
– Under-18s: until age 26
– Email health correspondence: 7 years
– Newsletter subscribers: until you unsubscribe
– General enquiries/messages: deleted when no longer needed
Paper files are destroyed via confidential shredding.
Digital files are securely deleted and removed from all backups as far as practicable.
How Your Data Is Shared
Your information is strictly confidential and will never be sold or used for marketing by third parties.
Your data may be shared only if:
– You give explicit consent (e.g., referral to another practitioner)
– Required by law (police, court order, safeguarding)
– Required for serious risk of harm to yourself or others
– Required by BAcC or my insurer in the event of a complaint or claim
– Required by my solicitor for legal defence
Your GDPR Rights
You have the right to:
– Request a copy of your personal data
– Request correction of inaccurate data
– Request erasure (when legally appropriate)
– Withdraw consent for newsletters
– Be informed of any data breach affecting your data
– Lodge a complaint with the ICO: www.ico.org.uk
Contact
If you have questions about your data or this Privacy Notice:
Danielle Croft
Email: hello@daniellecroft.com
Phone: 07984 166762