Data Processing, Retention and Management Record

Last Updated: 14 August 2025

 

As a collective of sole trader Feldenkrais practitioners, we process personal data as outlined in this document. This record serves as our documentation for GDPR compliance purposes.

1. Data Controller Details

 

Practitioner/Data Controller: Practitioners of the London Feldenkrais Collective
Practice Address: 60A Weston Street, London SE1 3QJ
Email: info@londonfeldenkraiscollective.com
Phone: +44 20 8058 0205
ICO Registration Number: ZB957448

 

2. Categories of Data and Processing Activities

 
2.1 Client Personal and Health Data

What we collect:

  • Client names, contact details, and dates of birth

  • Health information relevant to Feldenkrais sessions

  • Session notes and progress records

 

How we process this data:

  • Collected directly from clients via forms and consultations

  • Stored electronically in our booking system (Acuity Scheduling at the time of creation of this record)

  • Used to provide appropriate Feldenkrais services

  • Protected by password and individual logins to the software

  • Not shared with third parties except with explicit client consent or as required by law

  • For more information on how Acuity handles your data, please see this Squarespace help article.

 

Retention period:

  • Health and treatment records: 8 years after last contact

  • Contact and identification information: 8 years after last contact

2.2 Financial Data

What we collect:

  • Payment information from clients

  • Financial records, invoices, and receipts

  • Business expense records

 

How we process this data:

  • Recorded for each client session and business expense

  • Stored electronically in the booking system, payment processors or bank accounts (at time of creation of this record: Acuity Scheduling, Square, Monzo)

  • Used for payment processing and tax reporting

  • Protected by password and individual logins

 

Retention period:

  • Financial transactions related to treatments: 6 years (HMRC requirement)

  • Business financial records: 6 years as required by HMRC

2.3 Business Administration Data

What we collect:

  • Email communications with clients

  • Appointment schedules

  • Marketing consent records

  • Enquiries from potential clients

 

How we process this data:

  • Managed through our email system and scheduling software

  • Used to organise the practice and communicate with clients

  • Protected by password and individual logins

 

Retention period:

  • Email communications with clients: 8 years if health-related, or 1 year for general enquiries

  • Appointment schedules: Current year plus 1 year

  • Marketing consent records: Until consent is withdrawn plus 1 year as evidence

  • Unsuccessful enquiries from potential clients: 1 year

3. Third-Party Data Processors

 

We use the following third-party services that may process personal data:

  • Apple iCloud (Email provider)

    • Purpose: Client communications

    • Data processed: Contact information, message content

    • Retention period: Unknown

  • Acuity Scheduling (Booking system)

    • Purpose: Appointment scheduling

    • Data processed: Names, contact details, appointment times

    • Retention period: Unknown

  • Square (Payment processor)

    • Purpose: Payment processing

    • Data processed: Payment information

    • Retention period: Unknown

  • Apple iCloud Drive (Cloud storage)

    • Purpose: Storing client records

    • Data processed: All client data

    • Retention period: Unknown

 

We ensure that we have appropriate agreements with these providers and that they offer adequate data protection.

 

4. Data Security Measures

 

To protect personal data, we implement:

  • Password protection on all devices

  • Encryption of sensitive files

  • Regular software updates

  • Secure backup procedures

 

5. Data Subject Rights Management

 

As part of our GDPR compliance, we maintain procedures to respond to data subjects exercising their rights. We keep a simple log of any rights requests received and how we responded.

 

Our Privacy Policy informs clients about their data protection rights and how to exercise them.

 

6. Subject Access Requests

 

If a client requests access to their personal data:

  1. We will verify their identity before providing any information

  2. We will respond within one calendar month by:

    1. Providing a copy of their personal data

    2. Explaining how and why we process their data

  3. We will inform them of their additional rights

  4. We will not charge a fee unless the request is excessive or repetitive

  5. We will keep a basic log of any requests received and how we responded

 

7. Data Breach Response

 

If a breach of personal data occurs (e.g., lost device, hacked account, lost paperwork):

  1. We will immediately:

    1. Identify what happened and what data was affected

    2. Take steps to contain the breach (e.g., change passwords, recover documents)

    3. Document the incident

  2. We will assess whether the breach needs to be reported:

    1. To the ICO: If there's a risk to individuals' rights and freedoms, we'll report within 72 hours via ico.org.uk or 0303 123 1113

    2. To affected clients: If there's a high risk to their rights and freedoms

  3. We will take steps to prevent similar breaches in the future

 

8. Data Deletion/Destruction

 

When retention periods expire, we ensure secure deletion/destruction:

  • Electronic records: Secure deletion from devices and backup systems

  • Third-party services: Request confirmation of deletion when applicable

 

We maintain basic records of when data destruction takes place.

 

 

Document approved by: Alice Laidler, Neil Wetherell, Lars Fischer
Date: 14 August 2025

 

 

 

Version history

Last updated: 14 August 2025

Created: Aug 2025
