We aim to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected. This policy describes the information that we collect when you use our services or buy products from us. This information includes personal information as defined in the UK Data Protection Bill.
The policy describes how we manage your information when you use our services, if you contact us or when we contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use our website (such as cookies) or with other online presence (such as Facebook or Twitter). In respect of cookies the policy includes information about the type of cookies that we use and how you may disable those cookies. We use the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, Laura Walton is the data controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information. If your questions are not fully answered by this policy, please contact us at email@example.com . If you are not satisfied with the answers from us, you can contact the Information Commissioner’s Office (ICO) https://ico.org.uk.
What type of information we have
For us to provide you with goods and services, we need to collect the following information:
- Your name
- For in person and in-water activities your contact details including a postal address, telephone number(s) and electronic contact such as email address. For in-water activities contact details in case of emergency. We may also communicate via social media in which case we will need to know your social media username
- Your payment card details (via payment services such as Stripe and Paypal).
- Details about how you access our website such as the IP address, the browser you use, and which pages you access
How we collect this information
We collect this information directly from you.
We may also collect information about you from third parties; for example, to check your scuba diving certification.
Why do we need to collect your personal data?
We need to collect information about you so that we can:
- Know who you are so that we can communicate with you in a personal way. The legal basis for this is a legitimate interest.
- Deliver services and products to you. The legal basis for this is the contract with you.
- Process your payment for the services and products. The legal basis for this is the contract with you.
- Verify your identity do that we can be sure we are dealing with right person. The legal basis for this is a legitimate interest.
- Keep accounts of our financial transactions. The legal basis for this is legal requirement.
- Contact you in case there is a problem with your product when we have been informed by the manufacturer. The legal basis for this is a legitimate interest.
- Optimise your experience on our website. The legal basis for this is a legitimate interest.
- Send you information about our services and products. The legal basis for this is legitimate interest
- Provide you with a useful and relevant website. The legal basis for this is legitimate interest.
How do we use the information that we collect?
We use the data we collect from you in the following ways:
- To communicate with you so that we can inform you about your appointments with us we use your name, your contact details such as your telephone number, email address or postal address
- To deliver the correct service to you we use your name, your contact details and the details about your purchases
- To create your invoice using our accounting software we use your name and email address
- To process your payment, we use your name and your payment card details
- To register your certification with a training agency (PADI/DDI/DAN) we use your name, date of birth, telephone number, email and postal address
- To optimise our website so that users can find the information they need
- For the purposes of regulatory or legal proceedings.
- Where I believe there is a risk of harm, for the purposes of safeguarding against such harm.
Where do we keep the information?
We keep your information in the stores described below. Please note that we do not store your payment card details in any of our systems; these are processed by the payment service (e.g Stripe, Paypal).
On cloud storage and computers
We use secure cloud storage and business computers to store your data. These are password protected. Passwords are changed every 90 days and it is company policy that passwords are not shared.
Your customer record for in person courses:
We use online forms to collect data directly from you. This is a program that stores the information in secure storage. The customer record includes the most recent date you purchased something from us and a list of all the services you have purchased.
In our online learning platform
Our online learning platform is hosted by Thinkific. Thinkific is a secure site and has stated that it is GDPR compliant. Its servers are based in Canada.
Your customer record for courses and programs is gathered and held via the online learning platform.
When you sign up for an account in the online learning platform you will need to create an account. You will enter your name and email address. The provider stores that record within their data systems. We are able to access this record for the purpose of delivering the requested service.
In our accounts package
We use an online accounts package that stores the information in a data centre in the US. The company that provides the accounts software has stated that they are compliant with GDPR.
On our mailing list
Those who create an account in the online learning platform are automatically added to the mailing list (Mailchimp). In addition, details are held from those who sign up to the mailing list directly. This is a password protected account, with two-factor authentication and is not passed to third parties.
In our local records
Notes and reports
We take hand-written notes during consultancy and therapy sessions, then write electronic notes in a file on business computer, backed up to the cloud storage. The paper notes are destroyed within a week.
If you purchase a service that includes a written report, we create a report that contains all the information that we gather and our findings and conclusions. Reports that include personal data will be stored on our computers during writing and will be sent to you securely.
How long do we keep the information?
We keep records of payment for seven years as this is the required length to comply with the HMRC requirements. After seven years we delete the payment records using the Xero, Stripe or Paypal delete function.
With your permission we will retain anonymised notes indefinitely. These do not contain any personal data.
Personal and sensitive data from individual consultation and therapy will be deleted 1 year after the last appointment.
For courses and programmes your name and email will be retained for the duration of your contract with us. Your name and email will be held for email updates for that duration. We reserve the right to remove you from our database if there is a legitimate reason (e.g. breach of contract). If you decide to delete your account, you will not have access to the course or programme and your date (name, email) will be removed.
Personal data stored on the mailing list (name & email) will be stored until you unsubscribe, or until we remove this data for legitimate reasons.
Who do we send the information to?
If you complete a PADI course with us, we will send your name, date of birth, address, email and phone number to PADI via their online processing centre.
We may send reports or letters to you electronically. If these contain personal or sensitive data a secure method will be used, (e.g. secure Dropbox, or encrypted email).
When creating an invoice, we may add your name and email address to our online accounts package, Xero.
Our accountant may access invoices and payment information via the online accounts package.
How can I see all the information you have about me?
You can make a subject access request (SAR) by contacting us directly. We may require additional verification that you are who you say you are to process this request. We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests
What if my information is incorrect or I wish to be removed from your system?
Please contact us. We may require additional verification that you are who you say you are to process this request. If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information in the same format at the subject access request in section
How can I have my information removed?
If you want to have your data removed we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records. If we decide that we should delete the data, we will do so without undue delay.
Will we send emails and text messages to you?
As part of providing our service to you we will communicate with you via email. Clinical reports or letters will be sent securely. Also, as part of this service, we need to send details of your appointments to you.
We will send emails to you about our services and additional services via the mailing list.
How do I opt out of receiving emails from you?
If you are receiving emails from the mailing list, you may unsubscribe at any time by following the instructions included within the email. When you unsubscribe (i.e. opt out) from email communications, we will suppress your details on our systems to ensure we have a record of your decision to not be contacted in that particular manner. We will not use the email address for such messages again unless you opt back in. When unsubscribing from either email, you should always follow the specific instructions given in the particular email or text that you wish to discontinue receiving.
Your data protection rights
Under data protection law, you have rights including:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing – You have the the right to object to the processing of your personal data in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at firstname.lastname@example.org if you wish to make a request.
How to complain
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Last revised 18 October 2019