HEALHQ STUDIO – PRIVACY POLICY
Thank you for checking out our privacy policy. We take our clients’ privacy seriously and are
committed to protecting your privacy and handling your information in a responsible way while
you use our website and services. We want you to understand that this is a safe place for you to
discuss your feelings and concerns, and we operate in a highly confidential environment. This
policy sets out how data is collected and processed through the use of our website and when you
use our services.
We encourage you to read this policy alongside any other privacy notices we might provide, so
you’re fully in the loop about how and why we use your information.
Who’s in charge of your data?
The controller of your data is HEALHQ Studio (trading name of Jonathan Gunton), and we can be
contacted on:
Business Address: 17 Bushy Park, Totterdown, Bristol, BS4 2EG
Email address: info@healhqstudio.com
ICO Registration Number: ZC093286
Not happy with something?
We’re committed to treating your personal data with respect, transparency, and care. If you ever
have questions or concerns about how your data is used, we want to hear from you, and we’ll do
our best to resolve things quickly and fairly. Under the Data (Use and Access) Act 2025, you have
the right to raise a complaint about how your personal data is handled. Here’s how:
Step 1: Email us at info@healhqstudio.com with a brief description of your concern. You don’t
need to use legal language – just tell us what’s worrying you.
Step 2: We’ll acknowledge your message and respond without undue delay, usually within 10
working days.
Step 3: If you’re not satisfied with our response, you can escalate your concern to the Information
Commissioner’s Office (ICO) at www.ico.org.uk.
What type of data do we collect about you?
‘Personal data’ is information that identifies you. If we’ve removed your identity (by making the
data anonymous), it won’t be classed as personal data. We might collect, use, store, and share
various types of personal data about you as follows:
• Identity details such as first and last name.
• Contact details such as your address, email address and telephone number.
• Technical information such as your internet protocol (IP) address, your login data,
browser type, version, time zone setting and location, operating system and platform, and
other technology on the devices you use to access our website (if/when our website
becomes live).
• Financial information such as your bank account and payment card details.
• Transaction information including details about payments to and from you via Stripe,
PayPal or bank transfer, and other details of services you have purchased from us.
• Usage information about how you use our website and services.
• Marketing information such as your preferences on receiving marketing from us, along
with your communication preferences.
Special Category Data
This includes information about your health, including information about your existing and
previous medical health conditions, medication details, psychiatric history, and any other
relevant health information to enable us to carry out our hypnotherapy and transformational
services to you.
We do not collect any other Special Category Data about you (this includes details about your
race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions,
trade union membership and genetic and biometric data). Nor do we collect any information
about criminal convictions and offences.
Consents for Health Data
We require your specific consent to process Special Category Data so, when you submit your
details or sign our Terms and Conditions, we will ask you to confirm your consent to this
processing.
How do we collect your personal data?
We use different methods to collect data from and about you. The majority of the time, our
information is collected directly when you contact us in the following ways:
• When you enquire about and/or apply for our services
• When you fill in any new client onboarding forms or your initial consultation assessment
• When you complete any forms before or during an appointment or session
• Verbally during discussions and hypnotherapy/transformational sessions
• Correspondence with us via post, phone, email or otherwise
• When you subscribe to our service, digital audio products, or newsletter
• When you request marketing communications to be sent to you
• When you give us feedback or contact us
Automated Technologies
Another method we may use to collect data includes the use of automated technologies or
interactions, like website cookies or other similar technologies (if we implement these in future).
This includes information about your equipment, browsing actions and patterns.
This data collection helps us to improve user experience, and to gather information about how
you use our website.
Third-Party Data
We may also receive data from third parties such as:
• Technical information from analytics providers (such as Google)
• Payment processing information from Stripe and PayPal (our payment processors)
What happens if you don’t provide us with the required data?
Where we need to collect personal data by law, or under the terms of a contract we have with you,
and you fail to provide that data when requested, we may not be able to perform the contract we
have or are trying to enter into with you (for example, to provide you with hypnotherapy services
or transformational programmes). In this case, we may have to cancel a service or product you
have with us, but we will notify you if this is the case at the time.
What are the purposes for which we use your personal data?
The purposes for which we will be using your data include:
• To register you as a new client
• To conduct suitability assessments and ensure our services are appropriate for your
needs
• To provide our hypnotherapy and transformational services, including 1:1 sessions, the
90-Day Reset Transformation Programme, and digital audio products
• To process and deliver any orders, including:
  ◦ Managing payments, fees and charges via Stripe, PayPal or bank transfer
  ◦ Collecting and recovering money owed to us
• To manage our relationship with you, including:
  ◦ Notifying you about changes to our Terms and Conditions or this privacy policy
  ◦ Asking you to leave a review and/or take a survey
• To send you relevant marketing information about our services (if you have consented or
where we have a legitimate interest)
• To enable you to complete a survey
• To administer and protect our practice and website (including troubleshooting, data
analysis, testing, system maintenance, support, reporting and hosting of data)
• To deliver relevant website content to you
• To use data analytics to improve our website, services, marketing, client relationships and
experiences
• To make suggestions and recommendations to you about services that may be of interest
to you
• To share necessary information with our accountant for tax and accounting purposes
• To share financial transaction data with Xero (our accounting software) which monitors
bank accounts for accounting purposes
What is our legal basis for processing your data?
We rely on one or more of the following lawful conditions to process your data as outlined above:
• To fulfil our contract with you (e.g., providing services you’ve booked)
• For our legitimate interests (e.g., running our practice, improving services, preventing
fraud)
• To comply with legal obligations (e.g., tax and accounting requirements)
• Your explicit consent (especially for collecting and processing sensitive health data)
We may process your personal data for more than one lawful reason at a time, depending on the
specific purpose for which we are using your data. If you’d like more information on the specific
legal ground we are relying on, please feel free to contact us.
Our Lawful Basis: Recognised Legitimate Interests
We sometimes process your personal data under what’s called a “recognised legitimate interest”.
This is a lawful basis introduced by the Data (Use and Access) Act 2025. This means we use your
data in ways that support important public or organisational aims, while respecting your rights
and freedoms.
Examples include:
• Helping prevent fraud or misuse of our services
• Supporting safeguarding and professional standards
• Responding to emergencies or protecting wellbeing
• Improving accessibility and inclusion in our resources
• Running and growing our hypnotherapy practice effectively
We always carry out a balancing test to make sure our interests don’t override yours. You have the
right to object to this type of processing at any time, and we’ll explain your options clearly.
If you’d like to know more or raise a concern, just email us at info@healhqstudio.com. We’re
committed to transparency and respectful data use.
Do we use Cookies?
Our website is currently not live. When our website goes live in future, we may use cookies to help
make our website work better for you, remembering your preferences and improving your
experience. You will be able to control cookie settings in your browser.
If we do implement cookies, we will update this privacy policy and provide a separate Cookie
Policy with full details.
Do we use AI or Automated Decision-Making?
We do not currently use AI tools or automated decision-making systems in our practice. All
decisions regarding client suitability, treatment approaches, and service provision are made by
Jonathan Gunton personally.
If we introduce AI tools or automated systems in future, we will update this privacy policy and
obtain any necessary additional consents.
Do we use your data for marketing purposes?
We may send you marketing communications about our services, programmes, digital audio
products, and other offerings that may be of interest to you. Our lawful ground for processing your
personal data to send you marketing communications is either your consent or our legitimate
interests (namely to grow our practice).
If we send you marketing communications and you no longer wish to receive them, you can
opt out anytime by:
• Contacting us at info@healhqstudio.com
• Clicking on the ‘unsubscribe’ button in our marketing communications
Do we use third-party links?
Our website (when live) might link to third-party websites, tools and apps. Clicking on these links
may allow third parties to collect or share your data. We do not control said websites and are not
responsible for said websites’ privacy policies. When you leave our website, we encourage you to
read the privacy policy of every website you visit.
Do we ever share your personal data?
We take your data’s security seriously. HEALHQ Studio is a sole practitioner practice with no staff,
so your data is not shared with employees or team members.
However, we may share your personal data with the following parties for specific purposes:
• Our accountant – for tax, accounting and financial compliance purposes
• Xero (accounting software provider) – which monitors our bank accounts for accounting
purposes. Xero processes data as a processor in accordance with data protection
requirements
• Stripe and PayPal (payment processors) – for processing card payments securely.
Stripe acts as a data processor and has its own privacy policy
• Professional advisers – including lawyers, bankers, auditors and insurers who provide
consultancy, banking, legal, insurance and accounting services
• Professional supervisors – As a registered member of the General Hypnotherapy
Register (GHR), we consult with another hypnotherapy professional for supervision
purposes. This is to ensure we reflect and improve on our practice. When discussing
clients in supervision we only refer to clients by their first name and identifiable
information is minimised
• Healthcare professionals – Sometimes we may need to share details with your GP or
other healthcare professional. We will always get your consent prior to doing this.
However, when the information concerns risk of harm to you or another person, we may
need to disclose information about you without your consent for your own safety or for
the safety of someone else (as set out in our Terms and Conditions, Section 10)
• HM Revenue & Customs, regulators and other authorities – who require reporting of
processing activities in certain circumstances
• Courts, legal representatives, or other relevant authorities – where we are required to
do so by law, or where it is necessary to protect vital interests
• Google – we store client data using Google services with two-factor authentication (2FA)
security enabled
All of the above third parties have a requirement to respect the security of your personal data. We
do not permit them to use your personal data for their own purposes – they are only permitted to
process your data for specified purposes in line with our instructions or their legal obligations.
Do we ever transfer your data internationally?
Some of the third-party services we use (such as Google and Stripe) may store or process data
on servers located outside the United Kingdom and European Economic Area (EEA).
Whenever we transfer your personal data out of the United Kingdom, we make sure it is protected
by implementing one or more of the following safeguards:
• We only transfer your personal data to countries that have been deemed to provide an
adequate level of protection for personal data
• Where we use certain service providers, we rely on specific contracts approved by the UK
Information Commissioner’s Office which give personal data the same protection it has
in the UK
• We use service providers (such as Google and Stripe) that have robust data protection
frameworks and security measures in place
Please contact us if you want further information on the specific safeguards used when
transferring your personal data out of the United Kingdom.
How secure is your data with us?
We have strong security measures in place to keep your personal information safe:
• All client data is stored securely using Google services with two-factor authentication
(2FA) enabled
• Only Jonathan Gunton has access to your personal data
• Data is processed in accordance with strict confidentiality requirements as a registered
member of the General Hypnotherapy Register (GHR)
• Payment data is processed securely through Stripe, which is PCI DSS compliant
• We maintain appropriate technical and organisational measures to protect against
unauthorised or unlawful processing and against accidental loss, destruction or damage
In the rare circumstances that there is a personal data breach, we have procedures in place and
will notify you, along with the Information Commissioner’s Office (ICO), when we’re legally
required to.
Children’s Data & Age-Appropriate Design
Our services are only available to clients aged 18 years and over. We do not knowingly collect or
process personal data from children or minors under the age of 18.
If we become aware that we have inadvertently collected personal data from someone under 18,
we will delete that information promptly.
What is our process for retaining your data?
We only keep your data as long as necessary for the reasons we collected it.
• Medical/clinical records (including session notes, health information, and treatment
records): We retain these for 7 years after treatment has finished, in line with
professional standards and regulatory requirements
• Basic client information (including contact, identity, financial and transaction data): We
retain this for six years after you cease being a client, for tax and accounting purposes
• Initial enquiries: If you contact us with an initial enquiry and share personal details but
do not then become a client, we will delete your personal information after four weeks.
If you confirm you do not want to pursue a service within those four weeks, we will destroy
the information immediately
• Accounting and financial records: Retained in accordance with legal requirements
(typically 6-7 years)
For information that does not fall under the above categories, to determine the appropriate
retention time, we consider what kind of data it is, how sensitive it is, the risks if it’s misused, why
we need it, and applicable legal, regulatory, tax, and accounting requirements.
What are your legal rights in relation to your data?
You have the following rights regarding your personal data:
1. Access (Subject Access Request): You have the right to ask us what personal data we hold
about you and to receive a copy of that data. We’ll respond within one calendar month, but if we
need to verify your identity first, we may pause the clock while we do so. This helps protect your
data and ensures we’re sharing it with the right person. To make a request, just email us at
info@healhqstudio.com with the subject line “Subject Access Request” or “DSAR Request”. You
don’t need to use legal language – just let us know what you’d like to see or understand.
2. Correction: If the personal data we have about you is incomplete or incorrect, you can ask us
to correct it.
3. Erasure: You can ask us to delete your personal data. However, there might be legal reasons
that prevent us from fulfilling this request (for example, statutory retention requirements for
clinical and tax records). If such reasons exist, we will inform you when you make your request.
4. Objection: In certain situations, you have the right to object to the processing of your personal
data, particularly where we are processing it based on legitimate interests.
5. Restriction of Processing: You can request that we restrict the processing of your personal
data under specific circumstances.
6. Data Portability: You have the right to request the transfer of your personal data directly to you
or to a third party of your choice in a structured, commonly used, machine-readable format.
7. Withdrawal of Consent: At any point where we rely on your consent to process your personal
data (such as for processing health data or marketing), you have the right to withdraw this
consent. Withdrawal of consent will not affect the legality of the processing done before the
consent was withdrawn. Should you withdraw your consent, we might be unable to provide you
with certain services. We will inform you if that is the case when you withdraw your consent.
How to exercise your rights
If you wish to exercise any of the rights set out above, please contact us at
info@healhqstudio.com.
We won’t charge any fees for you to request access to your personal data. However, a reasonable
fee may be charged if your request is clearly unjustified, repetitive or excessive.
We try to respond to all legitimate requests within one month. Occasionally it could take us
longer than a month if your request is particularly complex. In this case, we will notify you and
keep you updated.
If you’re unhappy with how we handle your request, you can raise a concern with the Information
Commissioner’s Office (ICO) at www.ico.org.uk.
Changes to this Privacy Policy
We regularly review our privacy policy to ensure it remains current and compliant with data
protection laws. Any changes we make will be posted on this page (and on our website when it
goes live).
Please keep us updated if your personal data changes (such as your address, phone number, or
email).
Contact Us
If you have any questions about this privacy policy, how we handle your data, or wish to exercise
any of your rights, please don’t hesitate to contact us:
HEALHQ Studio
Trading name of Jonathan Gunton
17 Bushy Park, Totterdown, Bristol, BS4 2EG
Email: info@healhqstudio.com
ICO Registration Number: ZC093286
Thank you for reading our privacy policy. We’re committed to protecting your privacy and
treating your personal data with the respect and care it deserves.