Privacy Policy

Thank you for your interest in my Privacy Policy. This Privacy Policy applies to my website, www.lorisutherland.co.uk, operated by me, Lori Sutherland, GF1, Hollyrood Business Park, 146 Duddingston Road West, Edinburgh, EH16 4AP, UK, acting as the data controller, and the third parties I'm using to provide the website (“we”, “us”, “our”). If you have any questions, please contact me using my email: lorisutherlandtherapy@gmail.com

 

BACKGROUND

 

This Privacy Policy describes our privacy practices in plain language, keeping legal and technical jargon to a minimum, to make sure you understand the information provided. However, to achieve this objective I would like to explain to you the following three concepts.

 

What is Personal Data?

Personal Data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute Personal Data.

 

What is Special Category Data?

Special category data is Personal Data that needs more protection because it is sensitive. This includes Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data. As well as, data concerning health, a person’s sex life; and a person’s sexual orientation. In order to lawfully process Special Category Data, it is necessary to consent to the processing

 

What is Processing?

"Processing" means and covers virtually any handling of data.

 

What law applies?

I act as the data controller in accordance with the UK’s Data Protection Act (“DPA”) and the EU's General Data Protection Regulation (“GDPR”).

 

GENERAL PRINCIPLES

 

Purpose and legal basis of processing

In accordance with the DPA and GDPR we need to have both a purpose and a legal basis to process Personal Data. The purposes are:

 

●      providing the website and its functions and contents,

●      responding to contact requests and communicating with my clients, followers and website users,

●      providing my services, and

●      security measures.

 

 

Of course, we can only do that if we have at least one of the following legal bases or in other words lawful reasons to do so. Unless specifically described below, we typically link the above purposes to one of the following:

 

●      consent,

●      to fulfill our services and carry out contractual obligations,

●      to fulfill our legal obligations, and

●      to protect our legitimate interests.

 

Security

My website uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content or contact requests that you send to us. We have also implemented numerous security measures (“technical and organisational measures”) for example, encryption, or need-to-know access, to ensure the most complete protection of Personal Data processed through my website.

 

Nevertheless, internet-based data transmissions can always have security gaps, so absolute protection cannot be guaranteed. In this sense, databases or data sets that include Personal Data may be breached inadvertently or through wrongful intrusion.

 

Upon becoming aware of a data breach, I will notify all affected individuals whose Personal Data may have been compromised as expeditiously as possible after which the breach was discovered.

 

Retention and Storage

I retain your Personal Data as necessary in connection with the purposes described in this Privacy Policy and, in particular, for the duration of our business relationship and statutory retention periods in accordance with the UK’s commercial laws and fiscal codes, among others. The retention and documentation periods specified vary between two and ten years.

 

Minors

I do not request Personal Data from minors and children and do not knowingly collect such data or pass it on to third parties.

 

Automated decision-making

Automated decision-making, including profiling, does not take place.

 

Do Not Sell

I do not sell your Personal Data.

 

Special Category Data

Unless specifically required for a particular service and consent is obtained, I do not process special category data.

 

International Transfer

In the course of my website operation, we process data. We usually do not transfer Personal Data to countries outside the UK and the EEA. However, if we do, I will make sure that processing of your Personal Data is governed by Data Processing Agreements that include Standard Contractual Clauses for a high level of data protection.

 

Sharing and Disclosure

We will not disclose or otherwise distribute your Personal Data to third parties unless this is a) necessary for the performance of my services, b) you have consented to the disclosure, c) or if we are legally obliged to do so, e.g., by court order, or if this is necessary to support criminal or legal investigations or other legal investigations or other legal proceedings at home or abroad or to fulfil our legitimate interests.

 

Marketing

If you have given us your separate consent to process your data for marketing and advertising purposes, we are entitled to contact you for these purposes via the communication channels you have given your consent to.

 

Direct marketing generally takes the form of email but may also include other less traditional or emerging channels. These forms of contact will be managed by us or by our contracted service providers. Every directly addressed marketing message sent or made by us or on our behalf will include a means by which you may unsubscribe or opt out. The legal basis for processing is the initiation of a contract, our legitimate interest, and your consent.

 

DATA COLLECTION AND PROCESSING

 

Data that is collected automatically

i) Log files

Each time you visit my website, our system automatically records the following data from the visiting device and stores it in a so-called log file: i) Name of the retrieved file, ii) date and time of the visit, iii) amount of data transferred, iv) message about successful retrieval, type of browser and version used, v) IP address (identification of the user's device), vi) operating system of the visiting device, vii) Internet service provider of the visiting device, viii) website from which you access my website, and ix) which of my website pages you are accessing. The legal basis for processing is our legitimate interest.

 

ii) Hosting

The hosting services used by us for the purpose of operating my website is Squarespace. In doing so, Squarespace processes inventory data, contact data, content data, usage data, metadata, and communication data of customers, interested parties, and visitors of my website and services, on the basis of our legitimate interests.

 

iii) Content Management System

 

 

We also use the Content Management System (CMS) of Squarespace to publish and maintain the created and edited content and texts on my website. This means that all content and texts submitted to us are transferred to our Weebly server. In addition to texts, this also includes, for example, your data in our forms. The legal basis for this processing is our legitimate interest.

 

iv) Cookies

We use so-called necessary cookies on my website. Cookies are small text files that are stored on your respective device (PC, smartphone, tablet, etc.) and saved by your browser. For further information please refer to my Cookie Policy. The legal basis for the use of necessary cookies is our legitimate interest.

 

v) Links to other websites

Please note that if you use a link from my website to a third-party website, that third party may also set new cookies that are not covered by this policy. In such cases, we recommend that you read the cookie policy on the third-party website itself.

 

vi) Analytics

Lastly, for business reasons, we analyse the data we have on web and server traffic patterns, website interactions, browsing behaviour, etc. The analyses serve us alone and are not disclosed externally and processed using anonymous analyses with summarised and/or anonymised values (“Aggregated Data”). Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Policy. For this purpose we use Snowplow Analytics from Snowplow Analytics Limited. The legal basis is our legitimate interest and your consent. For further information, please refer to my Cookie Policy.

 

Data from third-party sources

We may obtain data about you from third-party sources, such as from social networks and other third parties. We may use this data to better analyse your user behaviour to improve our ability to provide you with relevant marketing information and services and to prevent and combat fraud.

 

Data that is collected directly

i) Contacting me

You can contact me in various ways, and data is always collected in the process. You provide me with most of the data that we process when you contact me, such as your name and email address. This data is collected and processed exclusively for the purpose of contacting you and processing your request and then deleted again, provided that there is no legal obligation to retain it.

 

Please note:

As a rule, I do not require any Special Category Data, in order to contact you. I would like to ask you not to provide me with such information from the outset. If such information is relevant for making contact, I will process it together with your other data.

 

ii) When using my services

The protection of your data is particularly important to me in the performance of my services. We therefore only want to process as much Personal Data (for example, your name, address, e-mail address, telephone number, etc.) as is absolutely necessary. Nevertheless, we rely on the processing of certain personal data in order to fulfil our contractual obligations to you or to carry out pre-contractual measures. This processing of personal data will always be carried out in accordance with DPA and the GDPR.

 

iii) Administration, financial accounting, and contact management

We process data in the context of administrative tasks and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process in the course of providing our contractual services. The processing bases are our legal obligations and our legitimate interest.

 

YOUR RIGHTS AND PRIVILEGES

 

Privacy Rights

You can exercise the following rights:

●      Right to information

●      Right to rectification

●      Right to object to processing

●      Right to deletion

●      Right to data portability

●      Right of objection

●      Right to withdraw consent

●      Right to complain to a supervisory authority

●      Right not to be subject to a decision based solely on automated processing

 

Update your information and withdraw your consent

If you believe that the information I hold about you is inaccurate or request its rectification, deletion, or withdrawal of consent, or object to its processing, please do so by contacting me.

 

Access Request

In the event you want to make a Data Subject Access Request, please contact us. I will respond to requests regarding access and correction as soon as reasonably possible. Should I not be able to respond to your request within thirty (30) days, I will tell you why and when I will be able to respond to your request. If I'm unable to provide you with any Personal Data or to make a correction requested by you, I will tell you why.

 

Complaint to a supervisory authority

You have the right to complain about our processing of Personal Data to a supervisory authority responsible for data protection. The supervisory authority in Scotland is: The Information Commissioner’s Office – Scotland, Queen Elizabeth House, Sibbald Walk, Edinburgh, EH8 8FT, Telephone: 0303 123 1115 www.ico.org.uk However, we would appreciate the opportunity to address your concerns before you contact the ICO.

 

DOES THIS POLICY CHANGE?

 

We may update this policy from time to time. This might be for a number of reasons, such as to reflect a change in the law or to accommodate a change in my business practices and the way we use Personal Data. I recommend that you check here periodically for any changes to this policy. This policy was last updated on Friday, 10th of January, 2025.

 

WHO SHOULD I CONTACT FOR MORE INFORMATION?

 

If you feel that the above is not sufficient or if you have any queries as regards the collection, processing, or use of your Personal Data, we are looking forward to hearing from you. We will make every effort to reply as soon as possible and take into consideration any suggestions from your end.