Privacy Policy

Walnut Tree Farm, Church Road, Carleton Rode, Norfolk. NR16 1RR

07766 88 5631 01953 788722


Meadowsweet Holistic Health is the business name of sole trader, Paula Stone.  I am the Data Controller and Processor for Meadowsweet Holistic Health. When working with individuals via sub contracts (i.e Beacon East) or if I’m employed (rather than self- employed), I will abide by the organisations own GDPR privacy and disclosure requirements and their ethics and code of conduct and other policies.


It is my policy to collect, process and share the personal data (‘data’) provided to me by you in order to carry out the services requested by you and any contact in relation to those services only.

Your data will not be used for any purposes other than those explicitly stated in this Privacy Policy or requested by you in your dealings with us.

This Privacy Policy describes how I collect, use, protect, process and share your data when you book appointments with me, either online or directly, and when you communicate with me throughout the process of treatment and at any other time. This Privacy Policy does not provide exhaustive detail.

However, I am happy to provide any additional information or explanation needed. Any requests for this should be sent to me or email I may update this Privacy Policy at any time to enable me to carry out the services I provide in the most effective and efficient way possible. I will notify you of any changes by revising the date on my published document on my website and in clinic, or for more substantial changes by contacting you via email or text to seek consent.

This Privacy Policy was last reviewed in Aug 2020.

  1. The identity of the data controller

You are hereby informed that the data that you provide is collected, used, protected, processed and shared by Paula Stone of Meadowsweet Holistic Health.

  1. Collection of data

I may collect data about my clients, prospects and visitors. Your data may be collected when you browse my website, contact me via email, phone or in person or through my website.

Data I collect fall into the following categories:

  • Identification information
  • Contact information
  • Medical information
  • Browsing information
  • Individual consultation information

These data are gathered directly from you via online booking and from direct communication with me, eg. client medical form/Life planning questionnaire/Rickter scale profile. Browsing history is  collected via automated methods.

2.1. Information you provide to me

I process data you provide directly to me, in particular when you complete any forms or book to see me. I do not have an online record system. For example, I collect data when you create an appointment to use the services, participate in a therapy or medical herbal consultation session or apply for a course or otherwise communicate with me.

The data may include the following data as well as any other type of information that I specifically request you to provide to me, such as:

  • Basic contact data such as names, address, phone no, date of birth, email
  • Doctor’s details
  • Next of kin/relationship data
  • Medical history
  • Treatment and consultation notes (Information that you give me as part of the work we do

together). Records of what interventions that I use (or potentially do not use) in our sessions

  • Information sent from any third party, eg GP
  • Browsing data. Emails and texts that are sent between us

2.2. Information I collect automatically through cookies and other tracking technology

If you use my website or contact me via email or electronically, cookies, web beacon and other similar technologies may be activated, but I do not knowingly offer any specific online Services to collect information to provide you with the services or products that you have requested.

A “cookie” is a small text file that is placed onto an Internet user’s web browser or device and which is used to record information related to the navigation or the use of a device or a website.

A “web beacon” is a small object or image that is embedded into a web page, application, or email and is used to track activity. They are also sometimes referred to as pixels and tags (also known as “tracking pixels”). It may be used in my services or emails and help deliver cookies, count visits, understand usage and campaign effectiveness and determine whether an email has been opened and acted upon. You can disable them.

Cookies and other similar technologies may be present online to collect information for the purposes described in this Privacy Policy. Some of the cookies are used for the exclusive purpose of enabling or facilitating communication or are only strictly necessary for the provision of online services. These are cookies for authenticating and connecting to online services, as well as memorizing navigation items during a session. They are apparently there to improve our online services and to remember you, for your convenience, when you use our online services.

When you access or use any online services, one or more third-party cookies are likely to be placed on your equipment. I do not sell any items in relation to this.

I inform you that I have no access to, and cannot exercise any control over, third-party cookies. However, I shall ensure that the partner companies agree to process the information collected on our online services in compliance with the GDPR and undertake to implement appropriate measures to secure and protect data confidentiality.

You have the ability to decline cookies by changing the settings on your browser but this might prevent you from benefiting from some elements of online services. You can also consult or destroy cookies if you wish, since they are stored on your hard disk.

I inform you, in particular, that Google Analytics may collect information about use of online services. I do not combine the information collected through the use of Google Analytics with personally identifiable information. I inform you that Google Analytics plants a permanent cookie on your web browser to identify you as a unique user the next time you visit my site, the cookie cannot be used by anyone but Google.

Google’s ability to use and share information collected by Google Analytics about your visits to this site is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can prevent Google Analytics from recognizing you on return visits to this site by disabling cookies on your browser. For more information on Google Analytics, please visit Google Analytics.

  1. How I use the data
  • According to the GDPR, the lawful basis for which I keep and process client data is “Legitimate interests”: the processing is necessary for the individual`s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect their personal data which overrides those legitimate interests. So the data is necessary for me to fulfil the contract that we have together (ie to provide therapy, or coaching, or herbal advice or run a course etc) and that it is data that you would reasonably expect me to hold and use I may use information about you for the following purposes:
  • Provide, maintain and improve my services
  • Provide and deliver the service you request, process transactions and send you related

information, including confirmations and invoices

  • Send you technical notices, updates, security alerts and support and administrative messages
  • Respond to your comments, questions and requests, and provide customer service
  • Monitor and analyse trends, usage and activities in connection with my services
  • To personalise and improve the services I provide, I need to process your personal data to comply with my obligations under this contract. For anyone who has not yet contracted, but have asked me to do something as a first step (eg provide information about how/whether I can help), then I will need to process your personal data to do what you ask.
  • The purposes of the processing of data is to fulfil my contract with you and if required for scientific research purposes; and statistical purposes
  • Some of the information that you give me may fall under the definition of special category of data as defined by the General Data Protection Regulation. These special categories of data that I may have to make notes about such as your health, but awaiting a Bill to identify how the specific consent regarding criminal offence data (including allegations, proceedings and convictions) may be changed.

The condition for processing this special data is at present as- “processing is necessary for medical diagnosis, the provision of health care or treatment pursuant to contract with a health professional” (précised from ICO (b) 2018) (NB: I am registered with The Complementary and Natural Healthcare Council (CNHC) as a “health professional”).I am also a member of the Association of Master Herbalists (AMH) and The National Society of Hypnosis, Psychotherapy & Mindfulness and the General Naturopathic Council(GNC).

  1. How I share your data/Confidentiality

Data is not shared with anyone, except for any reasons covered by the Requirements for Disclosure section as mentioned below. The data is primarily used to enable me to provide therapy for you.

  • The data is confidential. I am bound by the Codes of Ethics and Practice of the above Professional Associations. See links on MHH website. Confidentiality will be maintained within the codes of ethics and legal requirements
  • As part of my code(s) of practice I am required to carry out continuing professional development, and to engage in regular on-going clinical supervision. This is to ensure an ethical and professional service to clients. I may discuss your case in supervision but would not use any identifying details.
  • Confidentiality does not apply where it would mean that I, as your therapist, might break the law or where withholding information means I would breach the codes of ethics. Confidentiality may be breached if I consider there is a risk you may harm yourself or others. In such exceptional circumstances, where there is concern for your wellbeing or that of others, it may be necessary to seek help outside the therapeutic relationship. In such an event where I am considering breaching confidentiality, you will normally be consulted first.
  • In the case of a disclosure concerning acts of terrorism, vulnerable adult or child protection issues or drug trafficking, confidentiality will be breached and such disclosures will be passed onto the relevant authority without delay. Due consideration should be exercised before disclosing anything of a previously unreported criminal nature, as I am obligated to contact relevant authorities.
  • I share your data online if making financial transactions and booking confirmations. My accountant will see bank, credit card records which will contain any information that you submit when making payment. If you would like me to redact your identifiable data before sending to the accountants then please let me know.
  • I will seek your express consent before sharing your information with your GP or other healthcare providers. However, if I believe that your life is in danger then I may pass your information onto an appropriate authority (such as the police, social services in the case of a child or vulnerable adult, or GP in case of self-harm) using the legal basis of vital interests
  • I may share your case history in an anonymised form with my peers for the purpose of professional development. This may be at clinical supervision, conferences, online forums, and through publishing in medical journals. I will seek your explicit consent before processing your data in this way
  • In response to a request for information if I am required by – or believe that disclosure is required by – any applicable law, regulation or legal process, including in connection with lawful requests by law enforcement, national security, or other public authorities or due to safeguarding procedures where either you or others are at risk.
  • It may also be used scientific research purposes and statistical purposes
  • If you were to make a complaint about me to my professional body, I would be entitled to share your notes with any investigation procedures.
  • Please note, that if you bring your mobile phone to a session, others may be able to locate you.
  1. The period of data retention and where data is held and security

Following completion of your healthcare, I retain your personal data for the period of 7 years as stipulated by my insurer Balens, but see your rights as below. After this time any paper records are shredded and computer records permanently deleted. This enables me to process any complaint you may make. In this case, the legal basis of my holding your personal data is for contract administration.

  • Any emails sent between us are held either on my computer’s hard drive or if archived, or in Dropbox which is secure cloud based storage which is itself GDPR compliant. I also have a backup disc, which I keep under lock and key. Any data transmitted is sent encrypted, where possible.
  • Any texts/What`s app messages/Messenger messages sent between us (See Social Media and Electronic Information) are held on my phone which is code protected.
  • Your notes are handwritten and are kept in a locked filing cabinet.

▪ If you use online banking then clearly these systems will hold your data. I will download from these systems for accounting purposes and the resulting Excel spreadsheets are held on my hard drive. When sent to my accountants, they will be password protected.

However I am not in control of data (including emails and texts) which you send me and as mentioned above regarding cookies and Google etal, Apps such as Facebook routinely access any information held and this is beyond my control.

I am committed to taking appropriate measures designed to keep your data secure. My technical, administrative and physical procedures are designed to protect data from loss, theft, misuse and accidental, unlawful or unauthorized access, disclosure, alteration, use and destruction. I follow generally accepted standards to protect the personal information submitted to me, both during transmission and once it is received.

I am the Data Protection Officer! I am registered and pay an annual subscription to ICO and you have the right to complain to them if you have any concerns about the way in which I am processing or storing your data. I have done online training on Data Protection

  1. Data access

Upon receiving a written request from you seeking access to your data, I will provide either a hard or electronic copy of the data that I hold on you, to be sent by registered post or email, respectively. This will include exports of the information held about you on my website. I will provide your data to you within a period of 28 days from the date that I receive your request.

  1. Data amendments

Upon receiving a request from you to update, correct or amend your personal data held by me, I will make the amendments within a period of 7 days from the date that I receive your request. Please note that any of my past clients data, will now also be under these conditions.

  1. Your rights

Under the General Data Protection Regulations 2018 (GDPR), individuals have significantly strengthened rights to:

▪ The right of access. Obtain details about how their data are processed by an organisation or business and obtain copies of personal data that an organisation holds on them. I will provide you with all data I hold on you as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). ▪ The right to rectification. Have incorrect or incomplete data corrected. If any data I hold is incorrect, just let me know and I will correct it as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).

▪ The right to erasure. Have their data erased by an organisation where, for example, the organisation has no legitimate reason for retaining the data. An exclusion applies: scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, but this would never include case notes or data such as address/ email/phone. If you wish me to erase your data just let me know and I will delete any computer records and shred any paper records as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). The right to restrict processing. This would usually be before correction of any errors or before erasure

▪ The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure

▪ The right to data portability. Obtain their data from an organisation and to have that data transmitted to another organisation but in my case this differs little from the right to access as I am unlikely to be using compatible systems and requirements. This might apply if you want your notes sent to another therapist for example, but it is likely that the easiest solution would come under the right to access, ie I would send the data to you ▪ The right to object to:

▪ processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);MHH does not engage in these things

▪ not to be subject to (with some exceptions) automated decision making, including profiling and direct marketing. I do not currently use data for any f these purposes and if this ever changes for marketing, you can opt out ▪ processing for purposes of scientific/historical research and statistics. For this, you must provide grounds for your objection.

▪ processing of their data by an organisation in certain circumstances In exceptional circumstances, I may be required to provide legal or regulatory authorities with your personal data in order to comply with legal requirements or regulations. Whilst I will be required to comply with any such request, I will use reasonable endeavours (if allowed by law) to ensure that you are first informed about this. Personal data that I hold about you will not be distributed or processed outside of England and Wales.

  1. In the event of a data breach

Every precaution will be taken to avoid a breach of your data. However, if such a breach should occur, it will be documented, assessed as to its severity and appropriate action taken. The Information Commissioner’s Office (ICO) will be informed and you will be contacted to assist you in taking steps to mitigate the risks to yourself if the breach is deemed sufficiently severe to put you or your identity at risk.

If there is any breach of data security, I will give full details to the Information Commissioners Office and any person affected within 72 hours of the breach and do all possible to minimise any potential impact.

Walnut Tree Farm, Church Road, Carleton Rode, Norfolk. NR16 1RR

07766 88 5631 01953 788722


  • Our therapeutic relationship will remain a professional one at all times, the boundaries of which (such as contact outside of our sessions) can be agreed between us during our sessions.

This includes work indoors in the `Therapy` room and `On-line` and remotely and if appropriate, our sessions outdoors. Health & Safety & confidentiality are of paramount importance.

  • Notes may be taken during and after each session, which will be kept in accordance with the Data Protection Act (1998) and the GDPR legislation as above. These notes will be securely stored. I will discuss the disposal, retention or otherwise of any such notes at the end of our engagement. They are disclosed to no one other than the clinical supervisor, unless required under a court of law subpoena. You have the right to inspect your records should you so wish, and this request will be fulfilled during a therapy session.
  • I will be always be mindful to manage risks associated with handling, processing and storage of Data, as already mentioned. Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. Confidentiality may be breached if I consider there is a risk you may harm yourself or others. See above. Please note, that if you bring your mobile phone to a session, others may be able to locate you.
  • If you have any doubts or concerns over the way that I hold or process your personal data you have the right to complain to the ICO, I would however hope that you would contact me first with any complaint, and I will use my best endeavours to address this promptly. Please email any concerns to Paula Stone at
  • Endings. Therapy can at times be demanding, frustrating, and emotional. You may at times find this process very difficult, and feel the need to end therapy. Your feedback on the process will be asked for at the end of each session and if you feel unhappy with any aspects of the treatment being offered please do try and communicate this verbally. This gives us both the chance to address and resolve engagement issues. In the normal course of events you will probably know when you are ready to finish therapy/treatments, and we will agree together on the work we need to do, to summarise progress made and any consider strategies to help move forward.
  • I am a member of and adhere to the code of ethics of the Complementary and Natural Healthcare Council (CNHC) and the National College of Hypnotherapy and Psychotherapy (NCHP) and the Association of Master Herbalists (AMH) and the member of the General Naturopathic Council (GNC).
  • If you cannot attend a booked appointment, 48 hours’ notice is required, or the full fee will be payable.

This disclosure statement and any non-contractual obligations arising out of or in connection with this disclosure statement will be governed by the law of England and Wales. You and I both consent to submit to the exclusive jurisdiction of the courts of England and Wales.

Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis.

  • I want you to have an easy and positive opt-in process, with no ambiguous pre-ticked boxes or presumptions. This can be done by both of us signing the privacy policy. I want it easy for you to withdraw consent and please tell me by an email.
  • Consent may be sought again, if there are significant changes in the treatment regime or therapy, as it might be anticipated that the information processing requirements of you as the client has changed.
  • Anyone under 18 I will need to see with a consenting adult, who would have the right to access their data as above