Carlisle Therapies, 34 Lowther Street, CA3 8DH

Purpose of privacy notice

The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the GDPR) which gives more rights to you as an individual and more obligations to organisations holding your personal data.

One of the rights is a right to be informed, which means we have to give you even more information than we do now about the way in which we use, share and store your personal information.  This means that we have published a new privacy notice so you can access this information, along with information about the increased rights you have in relation to the information we hold on you and the legal basis on which we are using it.

This new privacy notice comes into effect on 25 May 2018. 

Who are we?

Ruth Irving is the data controller for Carlisle Therapies. We endeavour to conform to the new GDPR requirements and only hold data appropriate to the alternative or complementary therapy that you request so that we have sufficient background to provide you with the best possible care.

We do not employ any practitioners or therapists. The practitioners who work from our premises are self-employed with their own professional indemnity insurance cover.  They must comply with GDPR 2018 and you may request from them their Privacy and Data Protection Policies.

Your data is never shared with another person without your consent. The most likely recipient of any initial information is with a practitioner who works from our premises and we will confirm your agreement to pass it on to them.

Whose information does this privacy notice apply to?

This privacy notice applies to information we collect from:

  • people we rent rooms to
  • clients
  • prospective clients
  • former clients
  • people who subscribe to our newsletters
  • visitors to our website

What is personal data?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. Examples of personal data we may hold about you include your contact and appointment details.

Special category data is a sub-category of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Examples of special category data we may hold about you include your patient notes.

How do we process your personal data?

We comply with our obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. We use your personal data for the purposes set out below.

Sections 1 - 7 apply to our clients, prospective clients, former clients and visitors to our clinic

  1. We use your name, address, telephone number and email address to answer any queries or pass referrals to practitioners who work from our premises so that they may answer queries or make appointments with you.
  2. We use your name and email address only if we have your explicit consent to send you our newsletter which may include general health information and events running from the centre. You may withdraw this consent at any time.
  3. Some clients and prospective clients tell us about their medical conditions and medication by email or online enquiry forms. We only retain this data long enough to answer any questions or pass referrals to practitioners who work from our premises with your consent. Any e-mails you send are held by Webmail which is password protected. As are all devices upon which the e-mails are accessed. These are only accessed by Ruth Irving our data controller.
  4. People who attend yoga classes run by self-employed instructors from Carlisle Therapies will be asked to provide details of name, address, telephone number, health declaration and name and address of next-of-kin. This information is collected to ensure that you are safe to participate in your class, for insurance and legal purposes. This information may be shared with a locum yoga teacher covering illness/holiday. Your permission will be requested prior to data share. This data is collected on paper and stored in a locked filing cabinet.
  5. Information sent to us via our business Facebook page Carlisle Therapies is accessible only by Ruth Irving our data controller.  This page is password protected as are all the devices upon which Facebook is accessed. Facebook assures that it is GDPR compliant.
  6. Any text messages you send to Carlisle Therapies are received by Ruth Irving our data controller on a secure, password protected device.
  7. We keep accident records for any patients, visitors or staff who are involved in accidents at our clinic in accordance with UK Health and Safety legislation including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) to comply with the law and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.

Sections 8 & 9 apply to subscribers to our newsletters
(Reference is made in this section to ‘records’ these are paper & electronic records stored securely according to GDPR rules)

  1. We maintain and use records of subscribers to our newsletters, only with their consent, for educational purposes and occasional marketing.
  1. We use a third party provider, MailChimp, to deliver our e-newsletters. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. For information, please see MailChimp’s privacy notice here.

Sections 10 - 12 apply to our website users

  1. When someone visits our websitewe use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
  2. We do not use cookies on our website.
  3. Our website is hosted and managed by Keswick Web Design.  For more information about how they process data, please see their privacy notice here.

Section 13 & 14 apply to people we rent rooms to
(Reference is made in this section to ‘records’ these are paper and/or electronic stored securely according to GDPR rules)

  1. We are the data controller for the information for people who rent our rooms
  • All of the information you provide will only be used for the purpose of fulfilling legal or regulatory requirements if necessary.
  • We will not share any of the information you provide with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us whether the information is in electronic or physical format.
  • We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

The information we ask for is used to check your suitability to practice and assure us of your integrity. You will therefore be required to provide: 

  • Proof of your identity – you will be asked to attend our centre with original documents, we will take copies.
  • Proof of your qualifications – you will be asked to attend our centre with original documents, we will take copies.
  1. If we agree to rent our rooms to you the information you provide during the application process will be retained by us for the duration of your rental period plus 5 years after you leave.

Sharing your personal data

Your personal data will be treated as strictly confidential, and will be shared:

  • with named third parties with your explicit consent;
  • with the relevant authority such as the police or a court, if necessary for compliance with a legal obligation to which we are subject e.g. a court order;
  • with your doctor or the police if necessary to protect yours or another person’s life;
  • with the police or a local authority for the purpose of safeguarding a children or vulnerable adults; or
  • with my insurance company in the event of a complaint or insurance claim being brought against me; or
  • my solicitor in the event of any investigation or legal proceedings being brought against me.

For further details about the situations when information about you might be shared please see the Information Commissioner’s website at

How long do we keep your personal data?

We keep your personal data for no longer than reasonably necessary.
We keep records for people who rent our rooms for a period of 5 years in case of legal claims/complaints.

We keep health declarations for yoga classes for up to 1 year after you stop attending our classes.
After the retention period is over we destroy personal data in accordance with GDPR rules.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have certain rights with respect to your personal data as set out below.

  • The right to request a copy of your personal data which we hold about you.
  • The right to request that we correct any personal data if it is found to be inaccurate or out of date.
  • The right to request your personal data is erased where it is no longer necessary for us to retain such data.
  • The right to withdraw your consent to the processing at any time. This right does not apply where we are processing information using a lawful purpose other than consent.
  • The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [This right only applies where the processing is based on consent or is necessary for the performance of a contract with you and in either case the we are processing the data by automated means].
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
  • The right to object to the processing of personal data, (where applicable) [This right only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics].
  • The right to be informed if your data is lost. We shall also inform the Information Commissioner’s Office in accordance with the time limits in the GDPR.
  • The right to lodge a complaint with the Information Commissioner’s Office.

For further details about these rights please see the Information Commissioner’s website at

Further processing

If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.

Contact Details

To exercise all relevant rights, queries of complaints please in the first instance contact us at 077 88 616 488, This email address is being protected from spambots. You need JavaScript enabled to view it.

You can contact the Information Commissioners Office on 0303 123 1113 or via email or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.