This Privacy Notice describes how we collect, use, and disclose Personal Data when you interact with us, whether through our website, services or other interactions. Please refer to our key terminology section located at the bottom of this Privacy Notice for explanations of any capitalised words.
1. Who are we?
We run our business out of Constellation Wellbeing Ltd which is incorporated in England & Wales and has the registration number of 12994401 and the registered address of Gate Cottage St Mary Bourne Hampshire SP11 6AU.
We have registered with the Information Commissioner’s Office (“ICO”) which is the data protection supervisory authority in England & Wales. Our registration reference with the ICO is ZB686549.
2. What is our status under Data Protection Laws?
Data Protection Laws have created the concepts of a Data Controller and a Data Processor. Our status is that of a Data Controller. As a Data Controller, we ensure to safeguard your privacy and rights and are also accountable in ensuring compliance with Data Protection Laws.
3. What is our approach to data protection compliance?
We comply with Data Protection Laws not only because of our legal obligations but importantly because we believe that it is essential for us to develop and maintain the trust of the categories of Data Subjects that we interact with in the course of our business.
As we believe that protecting the confidentiality and integrity of Personal Data is a critical responsibility that we must always take seriously, we have built a data protection compliance program. Our data protection compliance program includes a data register / record of processing of activities, notices, policies, procedures and technical security controls.
In the launch and development of our business, we have integrated privacy considerations into the design and development of our services and systems from the outset. We implement privacy-enhanced technologies, conduct data protection impact assessments, apply privacy-preserving measures and embed privacy into our organisation’s culture and practices.
4. What principles under Data Protection Law do we follow?
We adhere to all principles under Data Protection Laws including those outlined below.
We only Process Personal Data lawfully, fairly and in a transparent manner.
We only collect Personal Data which is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
We ensure that Personal Data that we collect and maintain is accurate and kept up to date.
We ensure that Personal Data is not kept in a form which permits identification of individuals for longer than is necessary.
We ensure that Personal Data is processed in a manner that ensures its security, using appropriate technical and organisational measures, to protect it against unauthorised Processing and against accidental loss, destruction or damage.
5. Have we appointed a data protection officer?
We have conducted an assessment of our organisation under Data Protection Laws and have determined that we are not required, at this stage, to appoint a data protection officer. This is because we do not conduct regular and systemic monitoring of Data Subjects on a large scale and neither do we conduct large-scale Processing of Special Category Data. We will review our determination on a regular basis and will appoint a data protection officer if necessary.
Please note that while we do not have a data protection officer, we do have a legal & compliance team, along with our management team, that is committed to protecting the privacy and security of your Personal Data.
6. What types of Personal Data do we collect?
We collect, use, store and transfer different kinds of Personal Data depending on our relationship with you.
Examples of the Personal Data which we collect on Data Subjects (based on our relationship with you and the necessity of collecting such Personal Data) include:
Identity Data (e.g., first name, maiden name, last name, title, date of birth).
Contact Data (e.g., phone number, email address, home address, business address and billing address).
Profile Data (e.g., information about your professional background/organisation, agreements you’ve made with us).
Special Category Data (e.g., details concerning your racial or ethnic origin, sexual orientation, and mental and physical health including the details of your doctor/general practitioner).
Criminal Convictions Data (e.g., information on whether you have a criminal conviction or a caution).
Transaction Data (e.g., invoices and payment details).
Financial Data (e.g., bank account details and value-added tax numbers).
Technical & Usage Data (e.g., internet protocol addresses, browser type and version, time zone settings, location and information about your interactions with our website).
Communications & Marketing Data (e.g., your preferences regarding cookies and marketing).
We are committed to protecting the privacy and security of your Personal Data (and especially that which is classified as Special Category Data and Criminal Convictions Data due to its sensitivity).
Where we process Special Category or Criminal Convictions Data, we rely on your explicit Consent, or on specific legal bases such as safeguarding, the provision of health or social care, or compliance with legal obligations, in accordance with Article 9 UK GDPR.
7. Do we aggregate any of your Personal Data?
We do aggregate data such as statistical or demographic data for other purposes including research and analysis. Aggregated data could be derived from your Personal Data but is not considered Personal Data under Data Protection Laws as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Technical & Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your Personal Data so that it can directly or indirectly identify you, then we treat the combined data as Personal Data which will be used in accordance with this Privacy Notice.
8. What are the categories of Data Subjects that we interact with?
We interact with the following categories of Data Subjects in the course of our business:
Prospective and existing website users.
Prospective employees.
Prospective and existing coaches and other suppliers.
Prospective and existing clients.
Please note that we have an internal privacy notice for existing employees.
9. Are you a prospective or existing website user that is interested to find out more about us?
What do we gather? We gather Technical & Usage Data (for tracking purposes), along with Identity Data, Contact Data, and Communications & Marketing Data (if you choose to contact us).
How do we gather this? When you interact with our website, this data about you is automatically collected through cookies and similar technologies (see Cookies Notice). Additionally, we obtain this data through direct interactions, such as when you reach out to us via our website.
What legal grounds do we have for Processing? One or more of the following:
Consent (i.e., you willingly provide us with your details for contact purposes).
Legitimate Interests (i.e., it’s necessary for our legitimate interests in managing and enhancing our business, including our marketing strategy).
Legal obligation (i.e., it’s necessary for us to comply with a legal obligation, such as honouring your request to cease direct marketing communications).
Please note that where we rely on Consent as the legal grounds for Processing your Personal Data, we do not rely on any other legal grounds in that situation.
10. Are you a prospective employee that wants to join us?
What information do we gather? We collect Technical & Usage Data, Identity Data, Contact Data, and Profile Data (when you submit an application to join us). Additionally, we may collect Special Category Data such as health information if required to implement reasonable adjustments for your interview. We may also collect Criminal Convictions Data, primarily through a Disclosure & Barring Service background screening check. We only collect this type of Personal Data when legally permitted to do so (i.e., with your Consent).
How do we gather this information? Through your interaction with our website (cookies and similar technologies), direct interactions, and third-party sources (e.g., background check providers including uCheck).
What legal grounds do we have for Processing?
Consent (i.e., you choose to provide us with your details so we can contact you regarding a vacancy).
Contract (i.e., this information is necessary for potentially entering into a contract with you).
Please note that where we rely on Consent as the legal grounds for Processing your Personal Data, we do not rely on any other legal grounds in that situation.
11. Are you a prospective or existing coach or other third party that wants to join or work with us?
What information do we gather? We collect Technical & Usage Data, Identity Data, Contact Data, and Profile Data (when engaging your services). Where you are a coach, we may collect Special Category Data (e.g., health information for adjustments) and Criminal Convictions Data (via DBS check).
How do we gather this information? Through cookies and similar technologies, direct interactions with you, and holding data on your staff who have engaged with us.
What legal grounds do we have for Processing?
Consent (e.g., you provide details to join as a coach).
Contract (necessary to enter or fulfil a contract with you).
Legitimate Interests (e.g., maintaining records for business development).
Legal obligation (e.g., compliance with financial, tax, and legal requirements).
12. Are you a prospective or existing client?
What information do we gather? We collect Technical & Usage Data, Identity Data, Contact Data, Financial Data, Transaction Data, Profile Data, Special Category Data, and Communications & Marketing Data.
How do we gather this information? Through cookies and similar technologies, direct interactions with you, and third parties (including clinical providers authorised by you to share your data).
What legal grounds do we have for Processing?
Consent (e.g., you agree for us to share your details with clinical providers to assess suitability for coaching).
Contract (necessary to fulfil a contract with you).
Legal obligation (compliance with financial, tax, and legal requirements).
13. How do we ensure that your Personal Data is protected?
We’ve implemented suitable technical and organisational security measures, including encryption, to safeguard your Personal Data against accidental loss, falsification, unauthorised access, alteration, or disclosure. We restrict access to your Personal Data to authorised personnel, including employees, contractors, and relevant third parties, who require access for business purposes.
We have policies, plans, and procedures to address any suspected or actual breaches of personal data, although we aim to avoid such situations altogether.
14. Who do we share your Personal Data with?
We will only share your Personal Data when necessary with:
Technology companies providing software and support (e.g., Semble, Figma).
Coaches delivering behavioural coaching services.
Mental Health professionals and providers (such as psychotherapists, psychologists, behavioural analysts and psychiatrists) in order for us to provide our clients with services.
Professional advisers (e.g., law firms, banks, accountancy firms).
Regulators and governmental authorities (e.g., Companies House, HMRC, Home Office).
Third parties in the context of mergers, acquisitions or sales.
We only share the minimum amount of Personal Data necessary for each specific purpose, and never more than is required to deliver services or meet our legal obligations.
In rare cases, we may be required to share Personal Data without consent, where necessary to comply with the law, to protect vital interests, or to address safeguarding concerns and serious risks of harm.
15. Do we use artificial intelligence?
We leverage artificial intelligence (such as Fireflies.AI) to enhance efficiency and quality in delivering services. Our processing involves both automated and manual methods. AI supports repetitive tasks (such as note-taking), with human oversight.
We do not use AI or automated decision-making in a way that produces legal or similarly significant effects for individuals. All AI-supported outputs are reviewed by qualified professionals before being relied upon in our services.
16. What do we require of our third parties?
We require all third parties to respect the security of your Personal Data and to treat it in accordance with Data Protection Laws. We enter into contractual agreements with all of our third parties (except regulators and authorities), including data protection clauses. We ensure that third parties put in place appropriate security measures to protect shared data from unauthorised access or misuse.
17. How do we protect Personal Data when it is being transferred across borders?
We ensure that Personal Data is transferred safely and securely at all times.
Whenever your Personal Data travels outside of the UK and/or the EEA, it is protected by one of the following safeguards:
Contracts with organisations outside the UK/EEA requiring equivalent protection.
Transfers only to countries deemed to have adequate protection by the ICO or European Commission.
18. How long do we keep your Personal Data for?
We will retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including meeting any legal, regulatory, tax, accounting, or reporting obligations.
For example, we generally retain client records for 7 years after the last contact, or until a child client reaches the age of 25 (26 if aged 17 at last contact), unless a longer retention period is required by law. Audio recordings (where applicable) will normally be retained for no longer than 3 months, after which they will be securely deleted once written records are complete.
In some cases, we may anonymise your Personal Data for research or statistical purposes, making it impossible to associate with you, and may use this information without further notice.
19. What rights do you have in respect of your Personal Data?
You have the following rights under Data Protection Law:
Right to access your Personal Data.
Right to rectify inaccuracies.
Right to request deletion (subject to limitations).
Right to restrict Processing under certain conditions.
Right to object to Processing, including direct marketing.
Right to data portability where processing is based on Consent or contract and automated.
You may also lodge a complaint with the ICO (www.ico.org.uk) if you believe your rights are not respected.
20. How can you exercise your rights under Data Protection Law?
To exercise your rights, contact us at info@synapsehealth.co.uk.
We do not charge a fee unless a request is unfounded, excessive, or repetitive. We may request verification of identity and additional details to expedite responses. We aim to respond within one month, or longer if complex, with updates provided.
21. What other links and features are on our website?
Our website may contain links to third-party websites and applications. We are not responsible for their privacy notices. We recommend reviewing their policies before providing data.
Our website uses cookies and similar technologies in line with the Privacy and Electronic Communications Regulations (PECR). Where required, we obtain explicit consent via a cookie banner, and you may withdraw consent at any time through browser settings or our Cookies Notice.
22. How do we use your Personal Data in our marketing practices?
We may use your Identity Data, Contact Data, Technical & Usage Data and Profile Data to form a view on services that may interest you.
You will receive marketing communications if you requested information from us or purchased services, and have not opted out. We will obtain your explicit opt-in Consent before sharing data with third parties for marketing. You can withdraw consent or opt out of marketing at any time. Contractual or service-related communications will still be sent where necessary.
23. How did we make our Privacy Notice easier to understand?
We included a glossary of key terms to explain important concepts such as Consent, Data Controller, Legitimate Interests, Personal Data, Processing, and Special Category Data.
Consent refers to when an individual gives agreement which is freely given, specific, informed and is an unambiguous indication of their wishes. It is done by a statement or by a clear positive action in respect of the Processing of any Personal Data relating to them.
Criminal Convictions Data refers to Personal Data relating to criminal convictions and offences and includes Personal Data relating to criminal allegations and proceedings.
Data Controller refers to an organisation that determines when, why and how to Process Personal Data. It is responsible for establishing policies and procedures in line with Data Protection Laws.
Data Processor refers to an organisation that Processes Personal Data on behalf of a Data Controller. It is responsible for establishing policies and procedures in line with Data Protection Laws and also its contractual obligations with Data Controllers.
Data Protection Laws refers to the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other applicable European Union legislation (such as the General Data Protection Regulation 2016/679) relating to personal data. The “UK GDPR” is the retained version of the General Data Protection Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). It sits alongside the Data Protection Act 2018.
Data Subjects refers to a living, identified or identifiable individuals about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
European Economic Area (“EEA”) refers to the 27 countries in the European Union, Iceland, Liechtenstein and Norway.
Legitimate Interest refers to when an organisation’s interests are legitimate (as they need to do something to operate) and these interests do not override an individual’s interests or fundamental rights and freedoms.
Personal Data refers to any information identifying an individual or information relating to an individual that an organisation can identify (directly or indirectly) from that data alone or in combination with other identifiers that it Processes. Personal Data includes Special Category Data, Criminal Convictions Data and pseudonymised Personal Data. Further examples of Personal Data are included in section 5 of this Privacy Notice. Personal Data excludes anonymous data or data that has had the identity of an individual permanently removed.
Process or Processing refers to any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Special Category Data refers to information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data of an individual.
24. Want to get in touch with us?
If you wish to learn more about our approach to data privacy, please contact our legal & compliance team at info@synapsehealth.co.uk.
