Privacy Policy

1. Purpose of This Notice

This Privacy Notice explains how Rosemary Tarrant collects, uses, and stores your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025. It applies to all clients, prospective clients, students, and visitors to rosemarytarrant.com.

2. Who I Am

Rosemary Tarrant is a Kinesiologist, Massage Therapist, Homeobotanical Practitioner, Nutritional Advisor and Health Coach operating under the following brands:

• Down To Earth Health – clinical and therapeutic practice

• Health School – Kinesiology Foundation and Diploma training

• Inner Health Hub – online membership community

I am registered with the Association of Naturopathic Practitioners (ANP) and the Kinesiology Association. I am the data controller for all personal information collected and processed across these brands.

3. Information I Collect

To provide safe and effective care, teaching, and membership services, I may collect the following types of information:

• Personal details: name, address, contact details, date of birth, and GP contact

• Health and medical history, symptoms, and relevant test results

• Information about diet, lifestyle, medication, supplements, and wellness goals

• Consultation notes and correspondence

• Student enrolment and course progress information (Health School)

• Membership account details and activity (Inner Health Hub)

• Payment details where applicable

4. Lawful Basis for Processing

I process your personal data under the following lawful bases:

• Contract: to provide agreed services, courses, or membership.

• Legitimate interests: to maintain records and manage my practice safely and professionally.

• Consent: for processing sensitive (special category) health information. You may withdraw consent at any time.

• Legal obligation: to comply with legal or insurance record-keeping requirements.

Special category health data is processed under:

• Article 6(1)(b) UK GDPR – Contract: to provide professional services requested by you

• Article 9(2)(h) UK GDPR – Provision of healthcare: processing necessary for health and treatment purposes

5. How I Use Your Information

Your information is used to:

• Provide safe and effective care, therapies, and health coaching

• Assess suitability of personalised health advice and treatment

• Communicate with you about your care, course, or membership

• Keep accurate clinical and administrative records

• Process payments and manage bookings

• Deliver Health School training and track student progress

• Operate the Inner Health Hub membership community

• Meet professional, insurance, and legal obligations

I will take all reasonable security measures to protect your personal data. Your data will never be sold or used for marketing without your explicit consent.

I may use your personal data where there is an overriding public interest, for example to safeguard an individual or prevent a serious crime.

6. How Your Information Is Stored

All personal information is stored securely using:

• Encrypted cloud storage with password-protected access

• Password-protected devices with automatic screen locking enabled

• Secure Wi-Fi networks; public Wi-Fi is not used for accessing client records

7. Online Consultations and Electronic Communication

Online consultations are conducted using reputable platforms with appropriate security settings enabled. Although all reasonable steps are taken to protect your information, no internet-based communication system can be guaranteed to be completely secure. If you choose to communicate by email, please be aware that standard email is not fully encrypted.

8. How Long Records Are Kept

In line with professional standards and insurance requirements, clinical records are retained for:

• 7 years from the date of last consultation

• For children: until age 25 (or 26 if aged 17 at the end of treatment)

After this period, records are securely deleted or destroyed. In certain cases, such as where records may be relevant to an insurance claim or legal proceeding, they may be retained for longer.

9. Data Regulations for Minors

Where the client or student is under the age of 18, consent from a parent or legal guardian is required before treatment or enrolment can begin. The child remains the data subject under data protection law. Both parents may have the right to access the child’s records unless there is a legal restriction or court order in place that limits this.

10. Sharing Your Information

I will not share your information with third parties unless:

• You have given explicit consent (for example, to share with your GP or another healthcare provider);

• Disclosure is required by law (for example, in cases of serious risk of harm);

• It is necessary for obtaining functional tests (such as blood or urine) where you have consented;

• It is required for courier or logistics providers shipping products to you;

• It is necessary for accounting or administrative purposes with GDPR-compliant providers (e.g. professional indemnity insurer or accountant).

11. Your Rights

Under UK GDPR, you have the right to:

• Access the personal data I hold about you

• Request correction of inaccurate information

• Request deletion of your data (where legally permissible)

• Restrict or object to certain forms of processing

• Request to move, copy, or transfer your data to a third party

• Withdraw consent at any time

• Make a data protection complaint directly to me (see Section 14 below) – a new right introduced in June 2026

• Lodge a complaint with the Information Commissioner’s Office (ICO): www.ico.org.uk

Please note that clinical records cannot be deleted where retention is required by law, insurance, or professional standards.

12. Communication and Updates

I may occasionally update this Privacy Notice to reflect legal or procedural changes. The latest version will always be available on request and at rosemarytarrant.com.

13. Reporting Breaches

Any breach of this policy or of data protection laws will be reported as soon as practically possible. I have a legal obligation to report any data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach.

14. Data Protection Complaints

Under the Data (Use and Access) Act 2025, you have a statutory right to raise a data protection complaint directly with me if you believe I have infringed UK GDPR in relation to your personal data. This right is in addition to your existing right to complain to the ICO.

To submit a complaint, please contact me:

• Email: health@rosemarytarrant.com

• Post: ℅ 2 Heatherlie Park, Selkirk, Scottish Borders TD7 5AL

Complaints may be received in any form — by email, phone, letter, or in person — and do not need to use the words “data protection complaint” to be treated as one. I will:

• Acknowledge your complaint within 30 days of receipt

• Investigate it appropriately and keep you informed of progress

• Provide a full response without undue delay

If you are not satisfied with my response, you may escalate your complaint to the ICO at www.ico.org.uk.

15. Subject Access Requests

You have the right to request access to the personal data I hold about you. If you make a valid Subject Access Request:

• A copy of the requested information will be provided free of charge

• The information will be supplied within one month of receiving the request

• Where the request is complex or multiple requests are received, this period may be extended by up to two further months; you will be informed within the initial one-month period if an extension is required

• Identity verification will be required before releasing records

Please note: once a Subject Access Request has been received, the relevant records must not be altered, amended, or deleted. Knowingly changing data following a request may constitute a criminal offence.

16. Cookies (Website Use Only)

When you visit rosemarytarrant.com, cookies may be used to improve your browsing experience.

What are cookies? Cookies are small text files placed on your device when you visit a website. They help the website function properly and may collect limited information about how visitors use the site.

Types of cookies used:

• Strictly necessary cookies – required for the website to function (e.g. security, booking systems). These do not require consent.

• Analytics cookies – used to understand how visitors use the site (e.g. Google Analytics). These require your consent.

• Third-party cookies – some external services such as booking systems or embedded content may place their own cookies.

You can manage your cookie preferences via the cookie banner on this website or through your browser settings. More information: www.allaboutcookies.org

17. International Transfers of Personal Data

Personal data will not be transferred outside the UK without appropriate safeguards in place. If data is stored or processed outside the UK (for example, through certain cloud service providers), this will only occur where the country provides an adequate level of data protection, or appropriate safeguards such as standard contractual clauses are in place.