
Privacy Policy
Effective Date: 4 September 2025
This Privacy Policy explains how Sarah Eglin Nutrition Limited t/a Healthy, Happy and Strong (referred to as "we," "us," or "our") collects, uses, and protects your personal data. We are committed to protecting your privacy and handling your information in a transparent manner, in accordance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
1. Who We Are
· Data Controller: Sarah Eglin Nutrition Limited (UK Company number: 13902223)
· Contact Person: Sarah Eglin
· Registered Address: 28 Clarence Road, Hale, Cheshire, WA15 8SF
· Email: sarah@healthyhappyandstrong.co.uk
If you have any questions or concerns about this policy or our data practices, please contact us.
2. The Data We Collect and How We Collect It
We collect and process various types of personal data to provide our nutritional therapy and lifestyle medicine services. This includes:
Personal Identification Data: Your name, address, email address, phone number, and date of birth. We collect this when you fill out our contact forms, book an appointment, or sign up for our newsletter.
Special Category Data (Health Data): This is a sensitive category of data that includes information about your physical and mental health. We collect this data during our consultations and through health questionnaires, food diaries, and other forms. This may include your medical history, dietary habits, lifestyle, test results, and our session notes.
Technical Data: Information about your use of our website, such as your IP address, browser type, and a record of the pages you visit. We collect this data using cookies. Please see our separate Cookie Policy for more information.
Financial Data: Your payment details when you purchase our services. This is processed securely by our third-party payment provider and is not stored by us directly.
3. Our Lawful Bases for Processing Your Data
Under the UK GDPR, we must have a legal basis to process your personal data. We rely on the following:
For General Personal Data: We process your name, contact details, and appointment information under the Performance of a Contract. This data is necessary to provide you with the services you have requested.
For Special Category Data (Health Data): The processing of your health information requires a separate, explicit legal basis. We process this data based on your Explicit Consent. When you become a client, you will be asked to sign an agreement that explicitly consents to our collection and use of your health data for the purpose of providing you with nutritional therapy services. This consent can be withdrawn at any time.
4. The Purposes for Which We Use Your Data
We use your data for the following purposes:
To provide you with safe and effective nutritional therapy and lifestyle medicine services.
To create and maintain your client record and protocol.
To communicate with you regarding your appointments and nutrition and lifestyle medicine protocol.
To process payments for our services.
To maintain accurate business and financial records.
To comply with our professional and legal obligations, including those related to our insurance and professional body.
To respond to your inquiries and feedback.
To analyse our website's performance and improve our services (with your consent via cookies; see our Cookie Policy for more information).
5. Who We Share Your Data With
We will not sell or rent your personal data to any third party. We only share your data in the following circumstances:
With your explicit consent: We will only share your health information with other healthcare professionals, such as your GP or a specialist, if you have given us explicit, written consent to do so.
Third-Party Processors: We use several secure, third-party services that act as our Data Processors to help us run our business and provide you with services. We have signed Data Processing Agreements (DPAs) with each of these companies to ensure your data is handled securely and in a GDPR-compliant manner. For more information regarding these data processors see Appendix A below. These third-party processors include:
Practice Better: We use this professional practice management platform to securely store your client records, health information, and session notes, as well as to manage our appointments and communications with you.
Google Analytics (GA4): This service helps us analyse website traffic and user behaviour on our website. We use this information to improve our website's performance and the user experience. GA4 automatically anonymises your IP address and we only collect data with your consent via our cookie banner. More information on cookies can be found in our separate Cookie Policy.
Google Drive: We use Google Drive, a cloud storage service, to securely store and manage our internal business files and documents, which may include some client-related information.
Microsoft OneDrive: We use OneDrive to securely store certain internal files, which may contain business and client information. OneDrive is a cloud storage service that provides robust security measures, including encryption and access controls.
Stripe: We use this service to securely process all financial transactions and payments for our services. We do not store your credit card or payment details on our own systems.
For Legal Reasons: We may disclose your data if required to do so by law or in the belief that such action is necessary to comply with a legal obligation or to protect our rights or property.
For Clinical Supervision: We may discuss your case in an anonymised form with our clinical supervisor to ensure we are providing the highest standard of care. This will not include any information that could identify you.
6. How We Store and Protect Your Data
We take the security of your data seriously. We have implemented technical and organisational measures to protect your personal information from unauthorised access, accidental loss, disclosure, or destruction.
All electronic data is stored on secure, encrypted servers provided by our data processors.
No paper records are maintained.
We use strong passwords and a secure network for all our business activities.
7. How Long We Keep Your Data
We will retain your personal data for as long as is necessary to provide you with services and to comply with our legal and professional obligations. This includes a retention period of eight years from the last consultation date, as advised by our professional association (BANT). After this period, your data will be securely deleted or destroyed.
For children, we will retain your personal data until the child's 25th birthday, or until their 26th birthday if they were 17 at the conclusion of the consultation.
These guidelines are in line with CNHC guidance and UK GDPR and are recognised as the professional standard.
8. Your Rights as a Data Subject
Under the UK GDPR, you have the following rights regarding your personal data:
The Right to Be Informed: You have the right to be informed about how we collect and use your personal data.
The Right to Access: You have the right to request a copy of the personal data we hold about you.
The Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or incomplete.
The Right to Erasure: You have the right to request that we erase your personal data, under certain conditions.
The Right to Restrict Processing: You have the right to request that we restrict the processing of your data, under certain conditions.
The Right to Object to Processing: You have the right to object to our processing of your personal data, under certain conditions.
The Right to Data Portability: You have the right to request that we transfer the data we have collected to another organisation, or directly to you, under certain conditions.
To exercise any of these rights, please contact us using the details provided above. We will respond to your request within one month.
9. Complaints
If you have a complaint about our handling of your data, you can contact us directly. You also have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO).
Information Commissioner's Office (ICO): Website
ICO Contact Number: 0303 123 1113
10. Updates to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on our website and updating the "Effective Date" at the top. We encourage you to review this policy periodically.
Appendix A: Third Party Processors
Appendix A1: Our Use of Practice Better
We use a professional practice management platform called Practice Better to manage our client relationships, schedule appointments, and securely store client information. Practice Better is a GDPR-compliant service that acts as our Data Processor.
How we use this service:
We use Practice Better to securely process and store the following types of personal data on your behalf:
Client records: This includes your name, contact information, and appointment history.
Health and wellness data: This may include health forms, intake questionnaires, session notes, food and lifestyle journals, and other sensitive health-related information you share with us.
Communications: This includes our secure messages with you through the platform.
Billing information: We process payment details through Practice Better's integrated payment systems.
Our Legal Basis for Processing:
The processing of your data through Practice Better is essential for our professional relationship. We rely on the following lawful bases:
Performance of a Contract: We process your data to fulfill the services outlined in our agreement with you.
Legitimate Interests: We have a legitimate interest in using a secure and efficient platform to manage our professional practice.
Explicit Consent: For special category data, such as your health information, we will obtain your explicit consent to collect and process this data as part of our client agreement.
Security and Data Protection:
Practice Better has a robust security framework designed to protect your data. They encrypt all data in transit and at rest, use secure servers, and are committed to complying with GDPR and other data protection regulations. We have a signed Data Processing Agreement (DPA) with Practice Better that legally binds them to protect your data to the high standards required by the UK GDPR.
Data Transfers:
Practice Better is based in Canada. As a result, your data may be transferred to and processed in Canada, a country that has been recognized by the UK as providing an adequate level of data protection. This means that the transfer is safeguarded and your rights remain protected in accordance with the UK GDPR.
Sub-Processors:
Practice Better may use other companies, known as sub-processors, to help them provide their services (e.g., for cloud storage or email communication). They maintain a list of these sub-processors and ensure they also meet strict data protection standards.
Appendix A2: Our Use of Google Analytics GA4
Data Collection and Processing through Google Analytics GA4
To understand how visitors use our website and to improve our services, we use a third-party service called Google Analytics. This service helps us analyse website traffic and user behavior.
How it works:
When you visit our website, Google Analytics places cookies on your device (with your consent, if required by our cookie banner). These cookies collect data on your use of the website, including:
Your IP address (anonymised).
Pages you visit on our website.
The time you spend on each page.
The type of device and browser you are using.
Your general location (country/city).
Our Legal Basis:
We process this data based on your explicit consent, which is requested through our cookie banner. This consent can be withdrawn at any time via our cookie preferences tool.
Your Data Rights:
You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
Data Transfers:
Please note that the data collected by Google Analytics may be transferred to and stored on Google's servers in the United States and other countries. Google has implemented Standard Contractual Clauses and other safeguards to ensure the data remains protected in line with the UK GDPR.
Appendix A3: Our Use of Google Drive
We use Google Drive, a cloud storage service provided by Google, to securely store and manage our company's files. These files may contain personal data, such as customer contact details, supplier information, or internal employee data.
How we use it:
Google Drive acts as our data processor, storing the files and information we upload. The data is encrypted both in transit and at rest on Google's servers. Our company maintains strict internal access controls to ensure that only authorized personnel can access this data.
Our Legal Basis:
The processing of personal data on Google Drive is necessary for the performance of our business operations, including contract management, record-keeping, and general administration. Our lawful basis for this processing is our Legitimate Interests in running our business efficiently and securely.
Data Transfers:
As a global service, data stored on Google Drive may be transferred to Google's data centers outside of the UK. We have a Data Processing Agreement (DPA) with Google that incorporates the required Standard Contractual Clauses to ensure that your data is protected to a standard equivalent to the UK GDPR.
Appendix A4: Our Use of OneDrive
We use Microsoft OneDrive as a secure, cloud-based platform for storing and managing our business files. This includes data that may contain your personal information.
What we store:
We may store various types of personal data on OneDrive, including but not limited to customer records (names, contact details, and addresses), project files, and internal communications.
Why we use it:
We use OneDrive to securely store our business data, facilitate internal collaboration, and provide our services to you efficiently.
The legal basis:
The legal basis for this processing is our legitimate interests in running our business, ensuring data security, and maintaining business records. In cases where we store data to fulfill a contract with you, our legal basis is the performance of a contract.
Data transfers:
As a global company, Microsoft may process data in various locations outside the UK. We rely on their robust security measures and commitments to the UK GDPR. These include appropriate safeguards for international transfers, such as the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs).