1. Introduction

This Privacy Notice sets out information in relation to the processing of data and how privacy of data is protected. The privacy and security of your personal information is extremely important to Sarah Tommany. I want to make sure you are informed and can be confident about giving me your information.

I, Sarah Tommany, am the ‘controller’ of the information which I collect about you (‘personal data’). Being the controller of your personal data, I am responsible for how your data is processed. The word ‘process’ covers most things that can be done with personal data, including collection, storage, use and destruction of that data.

This notice explains why and how I process your data, and explains the rights you have around your data, including the right to access it, and to object to the way it is processed. Please see the section on ‘Your rights as a data subject’ for more information.

Contact Details


Sarah Tommany


[email protected]

The Data Protection Lead is Sarah Tommany, who you can contact at the above address.

2. Scope

This policy applies if you are a client, a visitor to this website, or if you email, call or write to me. In certain circumstances I may also provide an extra privacy notice, which I will always inform you about.

3. Young People

If you are under the age of 16, and would like to use any of the services I offer, I will need to use your personal data for the purpose carrying out the service. An example of personal data would be your name, or email address. Please see section 6 of this policy for more information.

If you are worried, or don’t understand any part of this policy, please talk to me and we will explain how I will use your information and what rights you have.

4. Responsibility for implementation

I, Sarah Tommany, have overall responsibility for the implementation of this policy.

5. Dissemination

As this Privacy Notice applies to anyone contacting me with an enquiry it is available on this website.

6. What is meant by personal data?

‘Personal data’ is any information that can be used to identify a living person. This data can include your name, contact details, and other information we gather as part of our relationship with you.

It can also include ‘special categories’ of data, which is information about a person’s race or ethnic origin, religious, political or other beliefs, physical or mental health, trade union membership, genetic or biometric data, sex life or sexual orientation. The collection and use of these types of data is subject to strict controls. Similarly, information about criminal convictions and offences is also limited in the way it can be processed. Special data is rarely needed for carrying out the services I provide. In situations where special category data is needed or shared during the service, it is stored in accordance with Article 9, section d of the General Data Protection Regulations, which details the legal requirements of holding this type of information.

I am are committed to protecting your personal data, whether it is ‘special categories’ or not, and I only process data if it is needed for a specific purpose, as explained below.

7. How your personal data is collected

a. Information provided by you

Personal data is mostly collected through my contact with you, and the data is usually provided by you when you: enquire about a service; book a Bach Remedy consultation; book a Reiki treatment or you contact me for another reason.

b. Information provided by other people

In some instances, I may receive data about you from other people, e.g. a parent or carer, if you are unable to provide it yourself or you are under the age of 16.

c. Personal data created by your involvement with a service

Making an enquiry or booking a service will result in personal data being created. This could include details of the enquiry, sessions you’ve attended, and details of the service provided.

8. How your information is used

Any information I hold about you will be stored securely and treated in accordance with the relevant legislation (currently the General Data Protection Regulations (GDPR) and the Data Protection Act 2018)).

In general terms, I process your data in order to manage my relationship with you. I will use the information that you give to me:

  • To send you information that you have asked for
  • To understand your situation so I can offer you individually tailored services to meet your needs
  • To contact you about support services which may help you
  • To keep a record of your relationship with me
  • To keep a record of the services you have accessed
  • To ensure I know how you prefer to be contacted

At times, I may further process data which I have already collected. I will only do this if the new purpose for processing it further is compatible with the original purpose that the data was collected for. I will tell you about any further processing before carrying it out. More detailed information on how I use your personal information, including how long I keep it for can be found below.


Information I collect in order to deliver the services I provide. This includes but is not limited to: Details about you including where you live, how to contact you, which of our services you have purchased, etc. This may include special category data relating to the health of yourself and the person you care for or your child.

Why I hold it:

I keep this information to understand your situation so that I can offer you individually tailored services to meet your needs.

How long it will be kept for:

The majority of your data will be kept in our secure database for as long as you are accessing services. Either 6 months after the service you purchased comes to an end, or if I lose contact with you, your record will be archived and kept for a further 7 years before it is deleted. This means that if you contact me within that 7 year period, I can find the information easily if you needed to access a service again.

Lawful basis:

Performance of a contract with regards to personal data. In order to provide a personalised service to you, I will need to collect information surrounding your health and/or emotional state. In this instance, my lawful basis is because processing is necessary for the provision of the services. If you do not wish to provide this information, we will not be able to offer this personalised service to you. For all other categories of special category data, we will ask for your consent.


This is information used to send you my newsletter and other updates. It includes but is not limited to: Your postal address, email, phone number and contact preferences. I will not process special category data for marketing purposes.

Why I hold it:

I keep this information so I can send you general information on about any services, events and activities, such as our newsletter. This counts as marketing under GDPR. I will ask what type of information you want to get from me and aim to provide it in the best format for you.

How long it will be kept for:

I only send newsletters and updates if you have opted in for them. I generate these mailing lists from our secure database (see above for retention period) and if you no longer wish to receive marketing from me, please let me know and I will remove you from the mailing lists within two weeks of receiving your request to unsubscribe.

Lawful basis:



If you purchase a service, I will keep financial records of any payments received. This information includes but is not limited to: Dates and amounts of payments, the account the payment was made from e.g. your PayPal email address or bank transfer details etc.

Why I hold it:

I use this information to meet my legal requirement to keep accurate financial records.

How long it will be kept for:

I am legally obliged to keep this information for a minimum of 7 years.

Lawful basis:

Performance of a contract or legal obligation to keep financial records.


Archived records, i.e. those of people who no longer accessing a service or who I have lost touch with. This may include special categories of data as specified above.

Why I hold it:

I hold this information because I know people often undertake services at irregular intervals, and it is helpful for me to have information on the services you’ve had in the past if you request them again in the future.

How long it will be kept for:

Archive records are kept on my secure database for seven years. If we have not heard from you within 7 years they are securely deleted.

Lawful basis:

Legitimate business interest in retaining information for you, so that I can support you in the best way possible, if you need to come back to me in the seven year period to access further services.

9. Who I share your data with

I will not pass your personal contact details to other people or organisations, or discuss details of the services you receive from me, without first obtaining your consent.

However, where there appears to be a clear risk to your or someone else’s safety I have a legal duty to contact relevant authorities to address this. Where appropriate, I will inform you before I do so.

For some processing purposes I use third party software and systems, which means I need to pass on some of your data to external recipients. The type information we may share, and for what purpose, includes but is not limited to:

  • Contact information: I use third parties to help deliver my services, this includes but is not limited to: a supplier of Bach Remedies when you request a bespoke tincture delivered to your address; postal service or courier when you ask for remedies delivered to your address. This data is limited to your delivery address, phone number for delivery and the remedies you have selected.

10. How I store your data

Your personal data is held only in electronic formats.

Electronic data, including emails, is stored securely on my Google Workspace for Business account.

11. Cookies

Cookies on this website are covered by a separate policy which can be found online by clicking here.

12. Your rights as a data subject

As a data subject, you have the following rights in relation to your personal data processed by me:

  • To be informed about how your data is handled;
  • To gain access to your personal data;
  • To have errors or inaccuracies in your data changed;
  • To have your personal data erased, in limited circumstances;
  • To object to the processing of your personal data for marketing purposes or when the processing is based on the public interest or other legitimate interests;
  • To restrict the processing of your personal data, in limited circumstances;
  • To obtain a copy of some of your data in a commonly used electronic form (sometimes known as data portability), in limited circumstances;
  • Rights around how you are affected by any profiling or automated decisions.

a. Withdrawing consent

If I am relying on your consent to process your data, you have the right to withdraw your consent at any time.

b. Exercising your rights, queries and complaints

For more information on your rights, if you wish to exercise any right or for any queries you may have or if you wish to make a complaint, please contact the Data Protection Lead: Sarah Tommany at [email protected].

c. Complaints to the Information Commissioner

You have a right to complain to the Information Commissioner’s Office (ICO) about the way in which I process your personal data. You can make a complaint on the ICO’s website https://ico.org.uk/.