Privacy Policy
Privacy Policy for Soul Spa Alchemy
Last Updated: 12 January 2026
1. Who we are
Soul Spa Alchemy (“we”, “us”) provides body based nervous system work, somatic bodywork, structured oil protocols, sound based regulation, and plant-informed ritual in East London, alongside occasional online offerings.
Data controller:
Soul Spa Alchemy
City - London, UK
Email: [email protected]
We are responsible for deciding how your personal information is used and stored.
2. Information we collect
We collect and process information in the following categories:
2.1 Identity and contact information
Name
Email address
Phone number
How you found Soul Spa Alchemy
2.2 Health and wellbeing information (special category data)
To keep the work safe and appropriate, we may collect:
Relevant physical and mental health history
Current symptoms, medications, allergies, and sensitivities
Pregnancy / fertility information where relevant
Nervous system responses, trauma history, and emotional themes you choose to share
Intake and screening form information (e.g. for Somatic Ceremony Immersion)
This is considered special category data under UK GDPR and is treated with extra care.
2.3 Session-related information
Session bookings and attendance
Brief notes about themes, responses, and focus areas from sessions
ZYTO Balance scan results used to prioritise oils and protocols (not a diagnostic tool)
Aftercare recommendations and integration notes
2.4 Payment and transaction information
Payment confirmation from payment providers (e.g. Stripe)
Amount paid, date, and service type
We do not store your full card details on our systems.
2.5 Technical and website usage data
IP address, browser type, device type
Pages visited, time spent on pages, and general usage patterns
Cookies and similar technologies used for basic site functioning and analytics
3. How we use your information and legal bases
We process your information for the following purposes and under these legal bases:
3.1 To provide you with services
Booking and managing appointments
Preparing for sessions and tailoring the work to your needs
Keeping basic session notes and aftercare information
Legal basis: contract (Article 6(1)(b) UK GDPR) – this is necessary to provide the service you request.
3.2 To keep sessions safe and appropriate (special category data)
Assessing suitability for somatic bodywork and plant-informed sessions
Screening for Somatic Ceremony Immersions
Making safe decisions around touch, breath, sound, and plant allies
Legal basis:
explicit consent (Article 9(2)(a)); and
provision of health-related services / complementary care (Article 9(2)(h)).
You can withdraw consent for non-essential elements (e.g. plant allies) at any time.
3.3 To take payment and manage accounts
Processing payments via third-party providers (e.g. Stripe)
Managing refunds where appropriate
Keeping financial records for tax and accounting purposes
Legal basis:
contract (to process your payment);
legal obligation (to maintain tax and accounting records).
3.4 To communicate with you
Sending booking confirmations, reminders, and rescheduling notices
Replying to enquiries and aftercare questions
Sharing important changes to services or terms
Legal basis: contract and legitimate interests (clear communication about your booking and safety).
3.5 For website security and improvement
Monitoring site performance, preventing abuse, and improving user experience
Legal basis: legitimate interests (running a functional, secure website).
3.6 For marketing (if you opt-in)
If you join a newsletter or mailing list, we may use your contact details to send updates about services, events, or resources.
Legal basis: consent.
You can withdraw consent at any time by unsubscribing.
4. How long we keep your information
We keep your information only as long as reasonably necessary for the purposes described above and to meet legal and insurance requirements.
As a guide:
Session notes and health information: typically up to 7 years after your last session (to comply with professional and insurance guidelines).
Financial records and invoices: 6 years from the end of the financial year in which the transaction took place (for tax and accounting).
Enquiries with no booking: usually up to 1–2 years, then reviewed and deleted if no longer needed.
Mailing list details: until you unsubscribe or we close the list.
When we no longer need your information, we will delete or anonymise it securely.
5. How we protect your information
We use a combination of technical and organisational measures to keep your data safe, including:
Password-protected devices and accounts
Encrypted connections where appropriate
Limited access to health and session information
Secure third-party tools for scheduling and payments
No system is 100% secure, but we take reasonable steps to protect your data from loss, misuse, or unauthorised access.
6. When we share your information
We do not sell or rent your information.
We may share limited information with:
6.1 Service providers (data processors)
To run the practice we use trusted third parties, for example:
Website host and builder (e.g. Durable)
Online scheduling system (e.g. Acuity Scheduling)
Payment processor (e.g. Stripe)
Email and document storage providers
These providers only process your data on our instructions and are bound by confidentiality and data protection obligations.
6.2 Professional advisers and legal / regulatory bodies
Accountants, insurers, or legal advisers, where necessary
HMRC or other authorities, where required by law
6.3 Safeguarding
If there is a serious and immediate risk of harm to you or someone else, we may need to share information with relevant services (e.g. emergency services, GP) even without your consent. Wherever possible, this is discussed with you first.
7. International transfers
Some of our third-party providers (for example, scheduling, payment, or hosting services) may store data on servers outside the UK, including in the EU or United States.
Where this happens, we use providers who rely on appropriate safeguards under UK GDPR, such as:
International Data Transfer Agreements (IDTAs) or
Standard Contractual Clauses (SCCs) approved for international transfers.
8. Cookies and website tracking
Our website may use cookies and similar technologies to:
Enable basic site functions
Remember preferences
Gather anonymous statistics on how the site is used
You can control cookies through your browser settings and, where available, through a cookie banner or preferences tool on the site. Disabling some cookies may affect how the site functions.
9. Your rights
Under UK data protection law, you have rights over your personal data, including:
Right of access – to ask for a copy of the personal data we hold about you.
Right to rectification – to have inaccurate or incomplete data corrected.
Right to erasure – to request deletion of your data in certain circumstances.
Right to restriction – to ask us to restrict how we use your data in certain situations.
Right to data portability – to request your data in a structured, commonly used format in some cases.
Right to object – to object to certain types of processing, including direct marketing.
Right to withdraw consent – where we rely on consent (for example, plant allies, mailing list), you can withdraw it at any time.
To exercise any of these rights, or to ask a question about how your data is used, contact:
Alina/ Soul Spa Alchemy
Email: [email protected]
You may be asked to verify your identity before we respond.
You also have the right to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we handle your data:
Website: https://ico.org.uk
10. Children
Soul Spa Alchemy’s services and website are primarily intended for adults (18+). If we ever work with anyone under 18, this will only happen with appropriate consent and safeguards in place.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example if our services or legal obligations change.