Privacy Policy – BAmazingU

  • INTRODUCTION

This privacy notice provides you with details of how we collect and process your personal data through your use of our sites bamazingu.com, andreabird.me, monkeymind.me, BAmazingU, BAmazingU & BAmazingU group on Facebook, Instagram and Twitter including any information you may provide through our site when you purchase a product or service, attend a workshop or training event or sign up to our newsletter. It also covers information you may provide in a 1:1 consultation. By providing us with your data, you warrant to us that you are over 13 years of age.

This Business is called BAmazingU. The owner is Andrea and I am responsible for your personal data (referred to as “I”, “we”, “us” or “our” in this privacy notice).

If you have any questions about this privacy notice, please contact Andrea Bird using the details set out below.

Contact Details:

Chester Clinic, 68 Heath Road, Chester CH2 1HX Email: [email protected]

If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk) or our insurer: Balens Ltd, Bridge House, Portland Road, Malvern WR14 2TA. Tel: 01684 893006.

We would be grateful if you would contact us first if you do have a complaint, so that we can try to resolve it for you.

It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us at [email protected]

  • WHAT DATA DO WE COLLECT ABOUT YOU – WEBSITE AND WORKSHOPS

Personal data means any information capable of identifying an individual. It does not include anonymised data. We may process certain types of personal data about you as follows from website host WordPress, Paypal, Meetup, Eventbrite, Skype, Zoom and Mailchimp.

  • Identity Data may include your first name, maiden name, last name, username, marital status, title, date of birth and gender.
  • Contact Data may include your billing address, delivery address, email address and telephone numbers.
  • Financial Data may include part of your bank account and payment card details.
  • Transaction Data may include details about payments between us and other details of purchases made by you.
  • Technical Data may include your login data, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices you use to access this site.
  • Profile Data may include your username and password, purchases or orders, feedback and survey responses.
  • Usage Data may include information about how you use our website, products and services.
  • Marketing and Communications Data may include your preferences in receiving marketing communications from us and your communication preferences.

We may also process Aggregated Data from your personal data but this data does not reveal your identity and as such in itself is not personal data. An example of this is where we review your Usage Data to work out the percentage of website users using a specific feature of our site. If we link the Aggregated Data with your personal data so that you can be identified from it, then it is treated as personal data.

  • WHAT DATA DO WE COLLECT ABOUT YOU – 1:1

Dependent on the work, you may wish (or need) to provide personal details of a sensitive nature.

As part of the Client Information Form and Client Consent Form, these are retained in printed, handwritten format or saved to a secure hard drive and include your contact details and where appropriate, signature. The sensitive nature of such documents will generally be in relation to health or medical history.

As session notes, these are scant memos handwritten for the purpose of fulfilling our contract and keeping tabs on the work during the session and from one week to the next, filed separately with only initials and date as identifiers so that no other person may connect these details alone to your personal identity.

In both cases, we are required by law and our insurer to retain these records for seven years after the completion of our contract – or in the case of a minor, from seven years beyond the date of their 18th birthday.

  • HOW WE COLLECT YOUR PERSONAL DATA 

We collect data about you through a variety of different methods including:

  • Direct interactions: You may provide data by filling in forms on our site, or by communicating with us by post, phone, email or otherwise, including when you:
    • Make an online purchase as a single purchase, a membership or subscription. This is a contract for our services. Your contact details are dealt with as above (consent, contract, legitimate reasons) – also these, your purchase history and the payment details (sent to me by Paypal, Eventbrite or my bank) are retained for six years beyond the end of the contract for legal reasons (accounting law).
    • Subscribe to our newsletter
    • Request resources or marketing be sent to you
    • Give us feedback about a product, event or service
    • Attend a workshop or training event. This is a contract for our services, so all of the above applies.

We also keep a record of your attendance, your certificates earned etc. on the legal bases of both contract and legitimate interest – so that we can confirm your certificate status / reissue certification if required, and so that we can send you updates or offers which may be of specific interest to you as an attendee/graduate.

We will only send newsletters or other offers to you if you have expressly consented to this.

Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below:

  • Incoming data received from our website host WordPress, Paypal, Eventbrite, Meetup, Skype, Zoom.
  • Analytics providers such as Google and Mailchimp based outside the EU.
  • Contact, Financial and Transaction Data from providers of technical, payment and delivery services [such as Eventbrite/Paypal/my bank].
  • Where you have given us your name and email address either on a handwritten list at a workshop event, or have handed us your business card and requested to be contacted by me.
  • Other data sources:
    • We may receive information from another practitioner or therapist as part of a referral. In such a case, you may be unaware that the consented data transfer has taken place; we will therefore inform you of receipt within 28 days.

  • HOW WE USE YOUR PERSONAL DATA

We will use your personal data:

  • By consent
  • Where we need to perform the contract between us
  • Where it is necessary for our legitimate business interests and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation

You have the right to withdraw consent to marketing at any time by emailing [email protected]

When you work 1:1

Dependent on the work, you may wish (or need) to provide personal details of a sensitive nature.

Client Information Form, Client Consent Form and session notes are filed separately with only initials and date as identifiers so that no other person may connect these details alone to your personal identity.

In both cases we are required by law to retain these records for six years after the completion of our contract – or in the case of a minor, from six years beyond the date of their eighteenth birthday.

Purposes for processing your personal data

Set out below is a description of the ways we intend to use your personal data and the legal grounds on which we will process such data. We have also explained what our legitimate interests are where relevant.

We may process your personal data for more than one lawful ground, depending on the specific purpose for which we are using your data. Please email us at [email protected] if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

| Purpose/Activity | Type of data | Lawful basis for processing |
| --- | --- | --- |
| To register you as a new customer | (a) Identity; (b) Contact | Performance of a contract with you |
| To work together 1:1 | (a) Identity; (b) Contact; (c) Personal health information; (d) Client Notes | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy; (b) Asking you to leave a review or take a survey | (a) Identity; (b) Contact; (c) Profile; (d) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests to keep our records updated and to study how customers use our products/services |
| To process and deliver your order including: (a) Manage payments, fees and charges; (b) Collect and recover money owed to us | (a) Identity; (b) Contact; (c) Financial; (d) Transaction; (e) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary for our legitimate interests to recover money owed to us |
| To administer and protect our business and our site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity; (b) Contact; (c) Technical | (a) Necessary for our legitimate interests for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business re-organisation or group restructuring exercise; (b) Necessary to comply with a legal obligation |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Profile | Necessary for our legitimate interests to develop our products/services and grow our business |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical; (b) Usage | Necessary for our legitimate interests to define types of customers for our products and services, to keep our site updated and relevant, to develop our business and to inform our marketing strategy |

Marketing communications 

You will receive marketing communications from us if you have asked to subscribe to a newsletter or to be kept informed of workshop/training events.

We will obtain your express opt-in consent before we share your personal data with any third party for marketing purposes.

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by emailing us at [email protected]

Where you opt out of receiving our marketing communications, this will not apply to personal data provided to us, as a result of a product/service purchase, workshop or training event or other transactions.

Change of purpose

We will only use your personal data for the purposes for which we collected it. If we need to use your personal data for a purpose unrelated to the purpose for which we collected the data, we will notify you and we will explain the legal ground of processing. We may process your personal data without your knowledge or consent where this is required or permitted by law.

  • SHARING YOUR PERSONAL DATA

Your privacy is important and we do not sell your data nor share it except by your consent or under the law. We may have to share your personal data with the parties set out below for the purposes set out in the table above:

  • Other companies who provide IT and system administration services and undertake leadership reporting.
  • Service providers who provide IT and system administration services.
  • HM Revenue & Customs, regulators and other authorities based in the United Kingdom and other relevant jurisdictions who require reporting of processing activities in certain circumstances.
  • In continuation of current UK law on confidentiality I also retain the right and in some cases the legal requirement to breach confidentiality to inform an authority such as the police or your GP of impending harm or illegality.
  • When working together, I may give out elements of your personal information to another practitioner or therapist as part of a referral. This will always only be with your personal consent.

We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law.

We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.

  • INTERNATIONAL TRANSFERS

We share your personal data – email address, first name, surname – with companies, which involves transferring your data outside the European Economic Area (EEA).

For example, Mailchimp, who generate our newsletters, are based in the United States.

Where we use providers based in the United States, we may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

Please find below the privacy policy of Mailchimp.

https://mailchimp.com/legal/privacy/#contacts

You can unsubscribe from our newsletters at any time, using the unsubscribe button at the bottom of our newsletters or by emailing [email protected]

  • DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

  • DATA RETENTION

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.

In the case of 1:1 personal information this is 7 years or in the case of a minor, 7 years after they turn 18.

In some circumstances, you can ask us to delete your data: see below for further information.

In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for 1:1 notekeeping, for research or statistical purposes in which case we may use this information indefinitely without further notice to you. 

  • SHARING YOUR DATA – YOUR LEGAL RIGHTS

The GDPR sets out clearly what your rights are. It also lays out deadlines for a reply and other rules which are reproduced for your information at the bottom of this section.

  • We must provide you with privacy information at the time we collect your personal data from you, in other words, it has to be made available to you before you fill in a form or hand over your data such as your email address.
  • If we obtain your personal data from other sources, e.g. by referral or from the payment service provider you selected, we must provide you with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when we do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it.
  • The information we provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. Therefore, if there is anything you do not understand, please get in touch.

Right to be informed

You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the GDPR.

We must provide you with information including: my purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with. This ‘privacy information’ is provided above.

Right of access

You have the right to access your personal data and supplementary information. This allows you to be aware of and verify the lawfulness of the processing.

You are entitled to confirmation that your data is being processed, access to your personal data, and other supplementary information as provided in this privacy notice.

Right to rectification

You have the right to have your personal data corrected if it is incorrect, or completed if it is incomplete.

Right to erasure

You may request, verbally or in writing, to have your data erased. This is also commonly known as ‘the right to be forgotten’. This right only takes effect when:

  • Your personal data is no longer necessary for the purpose for which it was originally collected or processed,
  • you withdraw your consent when the sole legal basis to hold this information is your consent,
  • There is a legitimate interest in processing this data, which does not override your request
  • processing/analysing of the personal data was for direct marketing purposes and this is the use you object to
  • your personal data was processed unlawfully without a proper legal basis
  • There is a legal obligation to comply with your request; or
  • If the personal data was processed to offer information society services to a child.

Right to restrict processing

You have the right to request the restriction or suppression of your personal data. In other words you want to stop the data being used but keep it on file.

In this case, your personal data cannot be used and can only be stored unless:

  • you give your consent;
  • it is for the establishment, exercise or defence of legal claims;
  • it is for the protection of the rights of another person (natural or legal); or
  • it is for reasons of important public interest.

Right to data portability

This allows you to obtain and reuse your personal data for your own purposes across different services.  It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.  Doing this is meant to enable you to take advantage of applications and services that can use this data to find you a better deal or help you understand your spending habits. In general this rule exists for data held by big service providers, such as your call history or insurance or gas bill history. The right also only applies to information you have provided.

If, as a private client you wish to carry a copy of your case notes or other sensitive data to another practitioner or other mental, physical or spiritual health service, these may be provided to you or to the nominated service provider, on request, as an encrypted and password protected document.

Right to object

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

Your objection must be made on grounds relating to your particular situation.

Once you object, your data can no longer be processed, unless there are demonstrably compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims.

You may complain directly to me using the contact details above. If you find the outcome unsatisfactory you are then able to object or complain to:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Tel: 0303 123 1113 (local rate) or 01625 545 745

Or my insurer:

Balens Ltd, Bridge House, Portland Road, Malvern WR14 2TA

Tel: 01684 893006

You may of course also exercise your right to legal action.

Timelines:

You can claim a right verbally or in writing.

A response should come without delay and at least within one month of receipt. The time limit is calculated from the day after you make the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.

I aim to respond within 28 days.

Exceptions:

You will not have to pay a fee to access your personal data (or to exercise any of the other rights).

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within 28 days. Occasionally it may take us longer than a month if your request is particularly complex. In this case, we will notify you and keep you updated.

You can see more about these rights at:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at [email protected]

  • THIRD-PARTY LINKS

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit. 

  • COOKIES

As our website is being re-designed, we will shortly be setting cookies; we will post further information when this becomes available.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please read the cookie policy on our website.