Privacy policy

As a professional herbalist, the trust and confidence of my customers and of visitors to my website are of paramount importance. The following privacy policy is designed to make clear how and why your personal data is collected, handled and stored, in order to meet current data protection standards and comply with the law.

Your peace of mind

Rest assured that I am not in the business of selling, renting or trading any personal information (including your email address) with any other person or business for marketing purposes. Should you decide to sign up for my newsletter, you can have complete peace of mind that this will never happen. However, as is the case with all businesses, it is important for me to be able to communicate with my customers. The following policy aims to provide a brief outline of how, when and why I may collect and store personal information, what it is used for, and the limited conditions under which I may disclose this information to other parties.

Overview

Alchemilla apothecary needs to gather and use certain information about individuals. These can include clients, suppliers, business contacts, employees and any other people that Alchemilla apothecary has a relationship with, or may need to contact. My data protection policy is designed to:

  • Comply with current data protection law and follow good practice
  • Be completely open about how I store and process an individual’s data
  • Put in place measures to protect against the risk of a data breach
  • Protect the rights of any staff, clients, or partners

Current data protection law

This Privacy Policy adheres to the EU/UK General Data Protection Regulation (GDPR). Alchemilla apothecary is registered with the Information Commissioner’s Office (ICO). More information can be found on the ICO website. The regulations apply to all personal information, whether stored electronically or on paper. The rights and principles of the GDPR are outlined below.

Individuals’ rights

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making, including profiling

The organisation’s principles

Personal data is:

  • Collected, used, and stored in a fair and transparent manner
  • Collected for specified reasons, and used only for those reasons
  • Adequate, relevant, and limited to what is necessary
  • Accurate, and kept up to date
  • Kept in an identifiable form for no longer than necessary
  • Held securely to prevent inappropriate access, loss, or disclosure

Policy scope

This policy applies to Alchemilla apothecary, clients, contractors, suppliers, and other people Alchemilla apothecary has a relationship with. It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the GDPR. This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Any other information relating to individuals

Responsibilities

Sarah Murphy of Alchemilla apothecary is ultimately responsible for ensuring that Alchemilla apothecary meets its legal obligations.

Sarah is responsible for:

  • Reviewing all data protection procedures and related policies, in line with the GDPR.
  • Handling data protection questions from clients and anyone else covered by this policy.
  • Dealing with requests from individuals to see the data that Alchemilla apothecary holds about them.
  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  • Performing regular checks or scans to ensure security hardware and software are functioning properly.
  • Evaluating any third-party services the company uses or plans to use to store data.

What data do I collect?

Website cookies

Like most websites, Alchemilla apothecary uses cookies to collect information. Cookies are small data files which are placed on your computer or other device (such as a smartphone or tablet) as you browse this website. They are used to ‘remember’ when your computer or device accesses Alchemilla apothecary’s website. They are also used to tailor the products and services offered and advertised to you, both on my website and elsewhere.

Some cookies collect information about browsing and purchasing behaviour when you access this website via the same computer or device. This includes information about pages viewed, products purchased and your journey around the site. I do not use cookies to collect or record your name, address or other contact details. I may collect information about your computer, including, where available, your IP address, operating system and browser type; this is used for system administration and to report aggregate information to my advertisers. This is statistical data about the browsing actions and patterns of Alchemilla apothecary’s users, and does not identify any individual. Cookies help me to improve my site and to deliver a better, more personalised service.

They enable me to:

  • Estimate my audience size and usage pattern.
  • Store information about your preferences, thereby allowing me to customise my site according to your individual interests.
  • Speed up your searches.
  • Recognise you when you return to my site.

You can refuse to accept cookies by activating the appropriate setting in your browser. However, doing so may mean that you are unable to access certain parts of my site. Unless you have adjusted your browser settings to refuse cookies, my system will issue cookies when you visit Alchemilla apothecary’s website.

Google Analytics

When someone visits Alchemilla apothecary’s website, a third-party service, Google Analytics (GA), collects standard internet log information and details of visitor behaviour patterns. I do this to find out things such as the number of visitors to the various parts of my site. Although GA records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to me. Google Analytics also records your computer’s IP address which could be used to personally identify you, but Google does not share this information with me.

You can read more about Google Analytics’ privacy policy and processes here:

Mailing lists

As part of the registration process for my digital newsletter, I do collect some personal information. This may include your first name, surname, email address and the country in which you reside. I use this information for a couple of reasons:

Using your name allows me to deliver a more personal experience and helps me to identify my customers.

Your email address allows me to communicate with you about the things you have signed up to receive. I may also contact you if I need to obtain or provide additional information, to check that my records are up to date and correct, and, every now and again, to make sure you are happy and satisfied with my services.

I use a third-party provider, MailChimp, to deliver my newsletter. This provider allows me to gather statistics on email opens and clicks using industry-standard technologies, to help me monitor and improve my newsletter (and thereby my communication with you).

You can read all about MailChimp’s privacy policy here:

You can unsubscribe from my mailing list at any time by clicking the unsubscribe link at the bottom of any of my emails or by emailing me directly at sarah@alchemilla.co

Please note that if you are under 16 years of age you MUST obtain parental consent before joining my email newsletter.

Quoting, billing and invoicing

If you are a past or current customer of Alchemilla apothecary and have been invoiced for any work undertaken by me, then you will have a client profile in my accounting software. This includes your business name, contact name (the person to correspond with) and email address. In some cases this may also include your physical address and telephone number. None of this information is shared with anyone, ever.

I use a third-party provider (Xero) as my accounting software. It is used to monitor payments (in and out), and to send quotes and invoices.

You can read all about Xero’s privacy policy here:

My shop

From time to time kind customers leave product feedback in the form of a testimonial or review in my herb shop. Leaving a review on this page will save the following information to my website database:

  • The name and email address you enter with your comment
  • Your computer’s IP address, and the time and date that you submitted the comment

This information is used only to identify you as a genuine contributor, so that other visitors to the site and potential customers can see that you are real. In this instance only your name will be visible on the public-facing website (although, if the supplied email address is linked to a Gravatar account, your Gravatar photo will also be displayed).

The aforementioned information is never passed on to anyone. Your comments and associated personal data will remain on my website until I see fit to either:

  • Remove the comment.
  • Remove the item for sale from the shop.

Should you wish to have your comments and associated personal data deleted, please email me directly at sarah@alchemilla.co

Please note that if you are under 16 years of age you MUST obtain parental consent before posting any comments on my website. It is also prudent to avoid entering any personally identifiable information in the comment field itself.

Contact forms and emails

Alchemilla apothecary uses contact forms on the website. This feature asks for your name and email address so that I can respond to your message. The information you provide on the contact form goes directly to my email account and is not stored on my website. None of this information is shared with anyone, ever.

I use a third-party service, G Suite, for my email.

For more information regarding G Suite’s privacy policy, click here:

This website’s server

This website is hosted by Siteground within a UK data centre. Some of the data centre’s more notable security features are as follows: all facilities are protected by 24/7 human security, biometrics, access-control man traps, bulletproof lobbies, and video surveillance. All traffic between this website and your browser is encrypted in transit and delivered over HTTPS.

You can read Siteground’s Privacy Policy here.

Patient medical records

Clients who book an appointment (either virtual or in person) for the purposes of a health assessment and herbal or nutritional therapy will be asked to complete a short medical intake form, for the purposes of communication and of ensuring safety with regard to any herbal prescriptions or nutritional advice which may be given. Updates on progress will be recorded on subsequent visits. This form and the subsequent records will contain details such as medical prescriptions and personal information about your health (both physical and mental), which falls into the “special category data” section of current GDPR law.

Special category data is any data that includes information about race, ethnic origin, politics, religion, genetics, biometrics, health, sex life or sexual orientation. These records are private and seen only by myself and the patient for the purposes of treatment. In some circumstances (such as in the case of persons who have notifiable communicable diseases, or a condition that must be recorded or shared under public health law) these records must be shared with a third party, who in most instances will be the client’s GP or specialist health care practitioner. If that is the case, the client will be expressly informed. I am duty bound by law to keep such records, which must remain on file for a minimum period of 8 years.

More information about legislation relating to the keeping of medical records can be found here:

At the time of making an initial appointment you will be asked to provide your consent for my keeping these records. Unfortunately, for insurance purposes and in order to fulfil my duty as a registered practitioner, I am unable to provide herbal treatment or nutritional advice to anyone who does not wish to give their consent to the keeping of such records.

Electronic storage of patient medical records

All patient medical records are stored electronically on an encrypted medical database known as Healthkit. This platform is compliant with current EU GDPR requirements, and is widely used by health professionals for the purpose of managing patient records. This practice management software is protected by bank-grade security and encryption, which means all records, notes and other information are protected to the same level used in banks. All information is stored in securely protected data centres with multiple backups in place. It has strict user access levels, which means that records are password protected and can be accessed only by myself or the client (should they make a request to view them). HealthKit employees do not have access to any patient-identifying data, but are able to see certain anonymised administrative data, such as fees and amounts outstanding on invoices, in order to assist practitioners with their queries.

Medical records are stored in the cloud and hosted by Amazon Web Services, which is also compliant with GDPR requirements around data protection.

You can read about Healthkit’s privacy and security policies here:

Although you have the right to both view and amend your medical records (both electronic and paper), you do not have the automatic right to erasure, as is the case with other forms of stored data. By law, health care practitioners have a duty of care to keep accurate records of treatment, both for the purpose of the patient’s personal safety and to protect the practitioner. In compliance with my professional liability insurance, I am required to hold these records on file for a minimum of 8 years.

Medical records can be viewed by the client at any time and are stored both as a hard copy (paper file), which is kept under lock and key, and electronically. Formal requests to have medical records kept as a paper version only can be made by sending an email to sarah@alchemilla.co or by stating this requirement at the time of your initial appointment. If you are a current client who wishes to view or amend your medical file, you may also do so by sending a formal request to sarah@alchemilla.co. I shall endeavour to provide you with access to your files within 21 days. Please note that a set administration fee of £15 will be required for this service.

Accessing, amending or deleting your personal information

You are entitled to view, amend, or delete any personal information that Alchemilla apothecary holds about you (except in the case of your medical records, as outlined above). To request this, please send an email to sarah@alchemilla.co

Provision of such information will be subject to the payment of a fee (currently fixed at £15.00) and the supply of appropriate evidence of your identity.

I may withhold such personal information to the extent permitted by law. You may instruct me not to process your personal information for marketing purposes by sending an email to me. In practice, you will usually either expressly agree in advance to my use of your personal information for marketing purposes, or I will provide you with an opportunity to opt out of these marketing communications.

My principles

Security of your personal information

Alchemilla apothecary will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. I will store all the personal information you provide on secure (password- and firewall-protected) servers. All electronic transactions you make to, or receive from, me will be encrypted using SSL/TLS.

Any data stored about you is currently stored in an identifiable form; this is a limitation of the content management system that this website is built on (WordPress). In the near future, I aim to change the storage of this data to a pseudonymous form, meaning that the data would require additional processing using a separately stored ‘key’ before it could be used to identify an individual.

Pseudonymisation is a safeguard encouraged by the GDPR which many web application developers are currently working to implement fully. I am committed to keeping it as a high priority and will implement it on this website as soon as I am able to.

Of course, data transmission over the internet is inherently insecure, and I cannot guarantee the security of data sent over the internet. If you are a client who wishes to access their electronic medical records, you will be responsible for keeping your own password and user details confidential.

Disclosure

I may disclose information about you to any employee, officer, agent, supplier, subcontractor or relevant medical health care professional insofar as is reasonably necessary for the purposes set out in this privacy policy.

In addition, I may disclose your personal information:

  • To the extent that I am required to do so by law
  • In connection with any legal proceedings or prospective legal proceedings
  • In order to establish, exercise or defend my legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk)
  • To the purchaser (or prospective purchaser) of any business or asset that I am contemplating (or may in the future contemplate) selling
  • To any person who I reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in my reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information

Except as provided in this privacy policy, I will not provide your information to any other third parties.

Data breaches

I will report any personal data breach affecting this website’s database, or the database(s) of any of my third-party data processors, to all relevant persons and authorities within 72 hours of becoming aware of it, where it is apparent that personal data stored in an identifiable form has been stolen.

Third party websites

My website contains links to other websites. I am not responsible for the privacy policies or practices of third party websites.

International data transfers

Information that I collect may be stored and processed in, and transferred between, any of the countries in which I operate in order to enable me to use the information in accordance with this privacy policy. Information which you provide may be transferred to countries which do not have data protection laws equivalent to those in force in the European Economic Area.

In addition, personal information that you submit for publication on the website will be published on the internet and may be available, via the internet, around the world. I cannot prevent the use or misuse of such information by others. You expressly agree to such transfers of personal information.

My promise to you

Alchemilla apothecary stands by the principles outlined in the GDPR, and as such, ensures that any information held by the organisation is collected, used, and stored securely, and for specific reasons. No information I hold about you is shared, sold, or rented, and is accessible by you upon request. If you would like access to your information, please contact me via email at sarah@alchemilla.co

For current clients: in order to keep your information accurate and up to date, I may send you an email requesting that you check that any information I hold is correct, and update it if necessary.

Policy documentation updates

This document was updated on the 10th July 2019. I’ve done my very best to explain clearly and in plain English what I do, what information I collect and why, so that you can feel completely comfortable that any information held or stored is being used exactly in the way you would expect in order to maintain your privacy. If there’s anything here that isn’t clear, or you discover any errors in this document, please reach out to me and I’ll fix it immediately.

This policy will next be reviewed on 10th July 2020, unless circumstances (or the law) change in the interim. Please note that you will not be explicitly informed of any changes, but they will be made freely available on my website. Please check this page from time to time so you can be confident you’re completely happy and satisfied with my processes.

I sincerely hope this update helps you better understand this document, what you’re consenting to, and how I operate.
