Privacy Policy for Ed Nicholls Acupuncture
Last Updated: 5/05/2026
Effective Date: 5/05/2026
1. Introduction
Ed Nicholls Acupuncture ("I," "me," or "my") operates the website ednicholls.com and the booking platform at book.ednicholls.com (the "Service"). This page informs you of my policies regarding the collection, use, and disclosure of personal data when you use my Service and the choices you have associated with that data.
I am a sole trader operating under the name Ed Nicholls Acupuncture, based in the United Kingdom. I am registered with the Information Commissioner's Office (ICO) as a data controller, registration number ZC139617.
By using the Service, you agree to the collection and use of information in accordance with this policy.
2. Information I Collect
I collect the following types of personal data to provide and improve my acupuncture services:
Personal Identification Data:
Email address
First and last name
Phone number
Postal address (where relevant)
Health Data (Special Category Data):
Reasons for seeking acupuncture treatment
Current medications
Current health conditions
Treatment history and clinical notes recorded during sessions
Any other health information you provide via intake forms
Booking and Payment Data:
Appointment history, dates, and session types
Package purchases and remaining session balances
Payment confirmation records (I do not store full card details — these are handled directly by Stripe)
Usage Data:
IP address, browser type and version
Pages visited on the Service, time and date of visits
Device identifiers and diagnostic data
3. Lawful Basis for Processing
Under UK GDPR, I rely on the following lawful bases for processing your data:
For your personal identification, booking, and payment data:
Performance of a Contract (Article 6(1)(b)): Processing is necessary to schedule, deliver, and administer the acupuncture services you have requested.
Legitimate Interests (Article 6(1)(f)): For service improvements, fraud prevention, and operational communications about your appointments.
Consent (Article 6(1)(a)): For optional marketing communications, where applicable.
For your health data (special category data):
Provision of Health Care (Article 9(2)(h) of UK GDPR), in conjunction with Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018 (health or social care purposes).
I will only process your health data to the extent necessary to provide your acupuncture treatment safely and effectively.
4. How I Use Your Data
Your data is used for the following purposes:
To schedule, manage, and confirm your appointments
To provide your acupuncture treatment safely and effectively
To maintain accurate clinical records as required by professional and legal obligations
To send appointment confirmations, reminders, and changes
To process your payments and manage package balances
To respond to your enquiries and provide customer support
To improve my Service
To detect and prevent technical issues
To send health tips, newsletters, or other information where you have consented
5. Data Storage, Transfer, and Security
Your data is stored on secure systems with the following technical and organisational safeguards:
Database: Supabase, hosted within the European Union (Stockholm, Sweden). All data is encrypted at rest using AES-256 and encrypted in transit using TLS.
Application-layer encryption: Sensitive clinical notes and intake responses are additionally encrypted at the application layer before being written to the database.
Access controls: Patient data is protected by row-level security — patients can only access their own records. Administrative access is restricted to me and protected by authentication.
Audit logging: Access to and modifications of clinical records are logged for accountability.
Backups: The database is backed up automatically.
Paper records: Where any paper records exist, they are kept in locked physical storage.
All my data processors are based in the European Union, the United Kingdom, or other jurisdictions with adequate data protection standards as recognised by the UK government.
While I take all reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure, and I cannot guarantee absolute security.
6. Data Retention
I retain your personal data only as long as necessary for the purposes set out in this policy:
Clinical records (health data and treatment notes): Retained for 8 years from the date of your last appointment, in line with British Acupuncture Council guidance and Limitation Act 1980 requirements.
Booking and payment records: Retained for 6 years to comply with HMRC tax record-keeping requirements.
Marketing data (where you have consented): Retained until you withdraw consent or are inactive for 2 years, whichever is sooner.
Usage data: Retained for 12 months for analytics purposes.
After these periods, your data is securely deleted from active systems and from backups within the backup retention window.
7. Disclosure of Data
I may disclose your personal data only in the following circumstances:
To service providers who help me operate the Service, listed in Section 8.
To comply with a legal obligation (e.g., court orders, lawful regulatory requests).
To protect the rights, property, or safety of Ed Nicholls Acupuncture, my patients, or the public.
In the event of a personal data breach, I will notify the Information Commissioner's Office within 72 hours where required by law, and will inform affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
I do not sell your personal data. I do not use your data for automated decision-making or profiling.
8. Service Providers (Data Processors)
The following third parties process data on my behalf under data processing agreements:
Provider | Purpose | Location
Supabase | Database hosting, authentication | EU (Sweden)
Stripe | Payment processing | EU / UK / US (UK adequacy decision)
Resend | Transactional email (booking confirmations, reminders) | EU
Vercel | Booking website hosting | EU
Squarespace | Marketing website hosting | US (with EU Standard Contractual Clauses)
Each of these providers is bound by contract to process your data only as instructed by me and in accordance with applicable data protection law.
9. Your Data Protection Rights
Under UK GDPR, you have the following rights:
Right of access: Request a copy of the personal data I hold about you.
Right of rectification: Have inaccurate data corrected.
Right to erasure ("right to be forgotten"): Request deletion of your data, subject to legal retention requirements for clinical records.
Right to restrict processing: Limit how I use your data.
Right to object: Object to certain types of processing (e.g., marketing).
Right to data portability: Receive your data in a structured, machine-readable format.
Right to withdraw consent: Where I rely on consent, you can withdraw it at any time.
Right to lodge a complaint: With the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, contact me using the details in Section 13. I may ask you to verify your identity before responding. I will respond within one month.
10. Cookies and Tracking
The booking platform uses essential cookies only — required for the booking flow to function (e.g., remembering your session). The marketing website (ednicholls.com) may use additional cookies via Squarespace; please review the cookie banner on that site.
You can instruct your browser to refuse cookies or to alert you when cookies are being sent.
11. Links to Other Sites
My Service may contain links to other sites that I do not operate. I am not responsible for the privacy practices of third-party sites.
12. Children's Privacy
My Service is not directed to anyone under the age of 18. I do not knowingly collect personal data from children. If you believe a child has provided me with personal data, please contact me and I will take steps to remove it.
13. Contact Me
For any questions about this Privacy Policy, your data, or to exercise your rights:
By email: acu@ednicholls.com
By post: 1 Hurley Crescent, London SE16 6AL
Practice address: Tuscany Wharf, 4a Orsman Rd, London N1 5QJ
If you are not satisfied with my response, you have the right to complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113.
14. Changes to This Privacy Policy
I may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. Material changes will be communicated to active patients by email.
This privacy policy describes my actual data practices and is intended to comply with UK GDPR and the Data Protection Act 2018. While I have made every effort to ensure compliance, this is not legal advice; for absolute certainty, consult a data protection lawyer.