Introduction and who we are
This Privacy Policy is to provide information to individuals, including clients, prospective clients, their parents, carers or guardians (together “parents”), as well as employees, service providers and others concerned with data use who reside in the UK and EU (“you” / “your”) about our privacy policies in relation to them.
NatureDoc Ltd. is a company registered in England and Wales with number: 09247737 and registered address: 4 Windover House, St. Ann Street, Salisbury, Wiltshire SP1 2DR. Trading address: NatureDoc Ltd. Maddington Street, Shrewton, Wiltshire SP3 4JE. NatureDoc Ltd. is a data controller registered with the Information Commissioner’s Office, with registration number ZA084030. (“the company” / “we” / “us” / “our”)
As well as our physical address, we also operate web sites under the domains naturedoc.com, naturedoc.clinic, naturedoc.shop and naturedoc.co.uk.
We take your privacy very seriously and have always done so. This privacy policy explains our policies and practices regarding our processing of your personal data, and explains your privacy rights under applicable privacy and security laws.
This Privacy Policy complements other policies and agreements, which may be used in more specific terms, for example, when collecting data on an online form, or contractual arrangements.
We have a policy of not bombarding people with emails they are unlikely to want. We believe communications should be appropriate to needs and wants, in the light of context. So at the time of writing, when our mailbox is full of other people sending updated privacy policies to us… none of which we will read, we are certain that no one wants ours either, and it is better to leave it for when people access our sites because they want something.
This document is subject to updates, so please check back regularly.
What personal data we collect, why we collect it and how we use it
Personal data definition: Personal data means any information relating to an identified or identifiable living person, based on factors such as the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Special Category data: As part of some activities, we need to process special category personal data (concerning health, ethnicity, religion, genetics or sexual life/preferences) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on us by law, including as regards safeguarding and employment, where explicit consent is given, or in relation to provision of health care pursuant to a contract with a health professional.
Activity 1 – Your general use of our web sites
What personal data we may use
- Name, title, gender.
- Contact details (email address, business address).
- Other personal data that you provide to us in your contact with us through our website, such as your home and business addresses, phone numbers, description of yourself, and your requirements or comments.
- Information about your use of our web sites, such as IP address, technology used and location.
- Information from cookies.
- Information about any consents for us to process personal data.
- Health, genetic or otherwise special category data that you give to us.
Lawful basis for processing
- General personal data processing is necessary for our legitimate interests, to get to know you, manage and respond to communications with you, present location-appropriate information to you, and maintain our websites. We consider there is no other way of achieving the same objects, and that our use of such data is proportionate to your interests, rights and freedoms.
- Special category data processing in general use of our web sites will only occur if you volunteer the information, and as such, we consider that constitutes explicit consent to process it.
For the avoidance of doubt
- If you use our web sites to make special category information public, such as by making comments or reviews to pages, blogs or recipes, then you may lose some rights not to have that information processed by other parties.
- At our discretion, we may moderate or edit your comments or reviews, even if you make factual statements about your health or experience with our products or services, for reasons including reducing the impact of such disclosures, or if we think they could be construed to be medical claims. However we believe in the presumption we should leave what you write intact without good reason to change it. In practice, if you use your real name and state you have bunions, or use a pseudonym and state you have an STD, we will probably not consider that to be serious. But if you use your real name and state that you have an STD, we might edit that for your protection.
Activity 2 – Your wish to receive marketing information
Personal data we may use, in addition to general web data
- Your communication preferences (what types of communication you want to receive, when you want to stop receiving communications, feedback, and requests relating to our communications).
- Any other personal data that you disclose to us, such as dietary requirements, physical disability, comments, or requests
Lawful basis for processing
- We have legitimate interests in getting to know clients, potential clients, and other people concerned with health provision better. We consider there is no other way of achieving the same objects, and that our use of such data is proportionate to your interests, rights and freedoms.
- We also have a legitimate interest in the way we use marketing, which is mostly to provide useful health and nutrition information to people, which can improve their health. We consider there is no other way of achieving the same objects, and that our use of such data is proportionate to your interests, rights and freedoms.
- In some circumstances, we provide marketing information on the basis of consent, where you have specifically agreed to receive communications.
For the avoidance of doubt
- We will not put you on a group mailing list unless you have specifically consented.
- If you make a general enquiry or contact form submission without consenting to marketing or newsletters, we will not put you on a group mailing list.
- If you give us your business card or otherwise personally give us your contact details, we will not put you on a group mailing list, unless, given the context (such as you are a journalist or researcher) it seems appropriate that our legitimate interest balances your interests.
Activity 3 – Customer relationship with our shop
Personal data we may use, in addition to general web data
- Your viewing and purchasing activity
- Location data for calculating delivery and taxes
- Who referred you to our shop
- Delivery preferences
- Payment information
Lawful basis for processing
- We process this data on the basis of legitimate interests prior to a sale. We consider there is no other way of achieving the same objects, and that our use of such data is proportionate to your interests, rights and freedoms.
- After a sale, we process your data on the basis of contract in order to make the transaction with you, and account for it.
- We also may process the data on the basis of legitimate interests after the sale. This may be to analyse it and help ensure we are offering a good service that people want. We may also contact you about your purchases, to make sure you are happy with them. We may tell you about stock availability or offers if we consider that on balance you are likely to be interested, either because you have bought a particular product in the past, or because you have asked to be notified.
Activity 4 – Customer relationship with our clinic
Personal data we may use, in addition to general web data
- Prior to agreeing to a consultation, you may give us general or specific information about your health.
- Once you have agreed to a consultation, we have an extensive health history form, relating to most categories of special category data, including health, ethnicity, sexual life and genetics.
- We may receive information about educational achievements.
- We may receive results of health and genetic testing from third party laboratories.
- We may receive health information and opinions from other health or social care professionals about you.
Lawful basis for processing
- We process this data on the basis of explicit consent to discuss your health prior to your agreeing to a consultation.
- After you have agreed to a consultation, we process the data on the basis of a contract with a health professional.
Activity 5 – Employee, practitioner, contractor or internship relationship
Types of personal data that we may process
- Name, title, gender, date of birth
- Results of background checks including references, qualifications, and to the extent permitted by law, criminal background checks (unspent convictions)
- Passport, work permit, visa, or other immigration documentation
- Contact details (personal, business or educational institution email address, telephone numbers, address)
- Curriculum vitae, including relevant skills and experience
- Reasons for applying
- Any other personal data that you may provide to us through the application process, such as views and interests that you disclose to us in interviews, your responses to questions, and demonstrations of your skills.
Lawful basis for processing
- We have legitimate interests in getting to know employees or potential employees / workers / consultants, and ensuring such people are appropriately qualified for positions or relationships with us.
- Special category data and/or criminal record or background checks that we process are on the basis of explicit consent when you provide it. If you volunteer wider information that we ask for, we consider that constitutes explicit consent to process it.
- We may have a legal obligation to ensure you have a right to work lawfully in the UK.
Activity 6 – Other activities
Personal data we may use, in addition to general web data
- As part of general management of our business, we may come across personal data for various other reasons, such as business management, financial, legal, regulatory and compliance.
Lawful basis for processing
- We process this data on the basis of legitimate interests to manage our business. We consider whether there is any other way of achieving the same objects, and whether our use of such data is proportionate to your interests, rights and freedoms.
- Where appropriate, our basis is by contract.
How we protect, collect, process, transmit and store your personal data
We collect your information online both through your submission of information and by automated information collection. It may be directly from you, or from your parents. In clinic consultations, telephone or email support, we may collect and record personal information.
We store and transmit data using strong encryption where we can and where appropriate. Some of our service providers are located outside the UK or EU, so if you are a UK or EU citizen/resident in the UK or EU, please note that we will transfer your personal data to outside the UK and EU in accordance with UK and EU data protection law requirements by using standard contractual clauses that have been approved by the UK Government and European Commission. Such a transfer may also be necessary in order to perform a contract with you/fulfil your request and/or through obtaining your explicit consent.
Some data is physically stored with third parties but encrypted in such a way that they do not have access to it. We do not consider this to be “sharing”, and we consider that once it is properly encrypted, it is no longer personal information that can be attributed to a living person.
We centralise data as far as possible, so that it is located in as few places as reasonably practicable. The servers we manage are kept with good physical security and disk encryption where practicable. We maintain remote desktop PCs so that anyone working on data we have responsibility for does not have to download it to work on it.
We don’t just rely on luck to avoid data breaches, because we are very careful with your data, but if one were to happen, we would follow appropriate legal and regulatory guidelines, and keep you properly informed.
What third parties we share personal data with
- Direct marketing – Mailchimp in the US
- Web site hosting – Upcloud in the UK, Gridpane in the US
- Clinic database – Cliniko in Australia
- Accounting system – Xero in New Zealand and the US
- Email providers – Microsoft in the US and Amazon SES in the EU
- Other NatureDoc practitioners
- Other healthcare professionals
- Payment service providers – iZettle, Global Payments, Braintree, Paypal, Apple, HSBC
- Shipping services – Royal Mail, Parcelforce, Parcel2Go, DPD Local, DHL, Shiptheory.
- Social Login management (arguably we don’t share with them, you do) – Facebook, Google, Apple.
- Our professional advisers
- Other third parties as required
- We may need to share data with governmental, legal, judicial or regulatory parties for reasons outside our control.
How long we keep your data
We assess all types of data and associated locations, and determine appropriate retention times. For example, special category health data which is submitted on our secure web form is deleted from the live web server within about a second of submission, once it has been transferred to an even more secure server. And when it forms part of a client’s health record, it will be retained according to our policy for that type of data and that type of client.
We will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Our Health Records Retention Policy sets out the arrangements for health record retention.
Other personal data will be kept for as long as it is needed for our relationship, and to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
In some cases, even after removal, a limited and reasonable amount of information will be kept, for example for archiving purposes; and even where you have requested we no longer keep in touch with you, we will need to keep a record of the fact in order to fulfil your wishes (called a “suppression record”).
What are your rights?
- You have the right to withdraw consent you have given us to process your data. In some cases, where you originally gave us consent, and another lawful basis for processing the data occurred, such as a contract, the effect of withdrawing consent may be limited.
- You have the right to access, rectify, or in some situations, delete your personal data.
- You can restrict the processing of your data if you contest its accuracy, or the basis for processing.
- In certain circumstances, you have the right to have your personal data transferred to another company.
- You can complain to the ICO if you feel your data has been unlawfully processed.
- You can ask us not to use your personal data for direct marketing. To do so, please use the unsubscribe link in marketing emails.
Additional information about rights
- The right of access is only to your own personal data, and some data is exempt from that right of access. This can include information about children, and includes information which could identify others, or information which is subject to legal privilege (for example legal advice given to or sought by us, or documents prepared in connection with a legal action).
- Clients under the age of 18 may make subject access requests to their own personal data, and we will use our reasonable judgement whether they have sufficient maturity to understand the request they are making, but any child may ask a parent to make the request on their behalf. Children aged 13 and over are generally assumed to have the appropriate maturity to make such a request, but this may depend on the child and the type of data.
- Parents may also have additional legitimate interests to information about their children over and above subject access requests, and without the consent of the child. Where parents are separated, we may have to take individual circumstances into account.
- Notwithstanding who is responsible for or caring for an individual, when asking for and getting personal information, the data belongs to the individual to whom it relates. However we will rely on parental authority in most situations and cases, where the child is under 18.
- Similarly, we will assume that the child’s consent is not required for disclosure of their data to and from parents, unless there are specific reasons for confidentiality, one of which would be where a child requests it.
Our cookie policy
We use cookies on our web sites to improve your experience online. Please refer to our cookie policy.
How you can access your data
For any queries about your data, please use our contact form, or send a letter to NatureDoc Ltd. Maddington Street, Shrewton, Wiltshire SP3 4JE.
Last updated 24 August 2021