Privacy Policy

The processing of personal data is governed by the General Data Protection Regulation 2016/679 (GDPR).

This legislation gives you rights as an individual and obligations to organisations holding your personal data. One of these rights is that you are informed, which means you must be advised of the way in which your personal information is used, shared and stored. This Privacy Policy will explain the rights you have in relation to the information held about you and the legal basis on which it is used.

Who am I?

Zoe Flowers (for Acupuncture – Zoe Flowers) is the data controller. As such, I decide how personal data is processed and for what purposes. If you have any questions about this privacy policy or how your personal data is used, please email;

Whose information does this privacy notice apply to?

This privacy policy applies to information collected from;

  • Current, prospective and former patients.

  • Visitors to the website.


What is personal data?

Personal data is any information relating to an individual who can be directly or indirectly identified by that information (for example name, address, D.O.B, appointment details etc). Special category data is a sub-category of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Examples of special category data about you may be held in your patient notes.


How is your information processed?

GDPR requires that;

  • Personal data is kept up to date.

  • Personal data is stored and destroyed securely.

  • Excessive amounts of data are not collected or retained.

  • Personal data is protected from loss, misuse, unauthorised access and disclosure.

  • Appropriate technical measures are in place to protect personal data.


Your information is stored both electronically and on paper. Please note that I am not able to send or receive encrypted emails, so any emails sent or received may not be protected in transit.

Any emails sent to (including file attachments) will be monitored for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

Contact and booking information

  • Your name, address, telephone number and email address to make and rearrange bookings.

  • All appointments for patients attending for treatment are recorded for tax purposes and to secure potential evidence in the event of a criminal prosecution, civil litigation, insurance claim or complaint to any of the regulatory bodies.


Your health and treatment information

Former and prospective patients can communicate their medical conditions and medication by email or online enquiry forms.

The following information is used for the purposes of making a full traditional diagnosis, formulating treatment strategy and treatment planning;

  • Your presenting complaint and symptoms reported by you.

  • Any relevant medical and family history.

  • Clinical findings about your health and wellbeing.


A record of treatment, advice and information is kept and may be referred to in order to enable;

  • Review of the full traditional diagnosis, treatment strategy and planning.

  • To secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.


Any decisions made in conjunction with you are recorded to help you to receive the most appropriate treatment and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.

Where relevant, records are kept of the patient’s consent to treatment, or the consent of their next-of-kin, to be able to prove that the patient (and/or parent/guardian/next of kin) has given informed consent to treatment, to secure evidence in the event of a civil claim, criminal prosecution, insurance claim or complaint.

When your information may be shared with others

Your GP’s name and address may be used if we need to contact your GP including in an emergency.

In the event of an adverse incident occurring, the matter is reported to one or more of the regulatory bodies and to the insurance company to enable the insurance company to deal with any potential claims and to help our regulators to develop safe practice guidelines, as well as providing research data and information for our regulators’ insurers and other interested parties.

Your date of birth may be used to help identify patients with the same name to avoid mistakes being made as to safe and appropriate treatment, for identification purposes if referring a patient to another health practitioner, and for identification purposes if writing to another healthcare practitioner so that they correctly identify the patient.

Information about accidents

Accident records are kept for patients or visitors who are involved in accidents during treatment in accordance with UK Health and Safety legislation including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) to comply with the law and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.

Information about complaints

If a complaint is received, a file will be made containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. The personal information collected is usually only used to process the complaint and to check on the level of service provided. The complainant’s identity must be disclosed to whoever the complaint is about. It may not be possible to handle a complaint on an anonymous basis as personal information collected and processed in relation to complaints usually has to be passed to the regulators or the insurance company. Personal information contained in complaint files will be kept in accordance with retention guidelines. This means information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle. Similarly, where enquiries are submitted, the information in the file will only be used to deal with the enquiry and any subsequent issues and to check on the level of service provided. Click here to view the British Acupuncture Council's website/Complaints page for information on how to make a complaint.

Information for marketing purposes

Your information will be used for the following marketing purposes if you have given explicit consent to do so;

  • Your name, address, telephone number and email address to send you marketing materials


Information about visitors to the website

When someone visits the website, a third-party service may be used (Google Analytics) to collect standard internet log information and details of visitor behaviour patterns. This is only done to analyse the number of visitors to various parts of the site at different times of the day. This information is only processed in a way which does not identify anyone. If personally identifiable information is to be collected through the website, this will be made clear in advance.

Website cookies may be used to improve user experience by enabling the website to 'remember' users, either for the duration of their visit or for repeat visits. A third-party service (Wix) is used to maintain the security and performance of the website. To deliver this service it processes the IP addresses of visitors to the website. A third-party service (Wix) is used to host the website, including publishing any blog posts. The site is hosted at Wix, which is run by Wix. The standard Wix service is used to collect anonymous information about users' activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help improve it.

Sharing your personal data

Your personal data will be treated as strictly confidential, and may be shared;

  • With named third parties with your explicit consent.

  • With any authority such as the police or a court, if necessary for compliance with a legal obligation, for example a court order.

  • With your doctor or the police if necessary to protect your or another person’s life.

  • With the police or a local authority for safeguarding children or vulnerable adults.

  • With the regulators or insurance company in the event of a complaint or insurance claim.

  • With a solicitor in the event of any investigation or legal proceedings.


Click here for further details about situations when information about you might be shared (links to The Information Commissioner’s website).

How long is your personal data kept?

Your personal data is held for no longer than reasonably necessary. Patient records are kept for 7 years in accordance with the British Acupuncture Code of Professional Conduct.

All other records are kept for a period of 2 years.


Any information held will be updated as quickly as is reasonably possible when you inform us of any changes (for example, a change of address). At any time, you may request that changes are made to your contact details.


Paper records are destroyed by shredding or incineration.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have certain rights with respect to your personal data as set out below;

  • The right to request a copy of your personal data being held.

  • The right to request any personal details are corrected if they are found to be inaccurate or out of date.

  • The right to request your personal data is erased where it is no longer necessary for us to retain such data.

  • The right to withdraw your consent to the processing at any time. This right does not apply where information is processed using a lawful purpose other than consent.

  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.

  • The right to object to the processing of personal data.

  • The right to be informed if your data is lost. The Information Commissioner’s Office will also be informed.

  • The right to lodge a complaint with the Information Commissioner’s Office. For further details about these rights, please see the Information Commissioner’s website at


Further processing

If your personal data is to be used for a new purpose not covered by this Privacy Notice, a new notice will be provided explaining this new use prior to commencing the processing. Where and whenever necessary, your prior consent to the new processing will be sought.

Contact Details

To exercise all relevant rights, queries or complaints, please contact me in the first instance;

07914 101216

You can contact the Information Commissioner’s Office on 0303 123 1113 or via email;

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.

Changes to the privacy policy

This privacy policy is kept under regular review and any updates will be advised through the website.


This privacy policy was last updated on 21 March 2019.
