Confidentiality Policy

Last Updated: 28/05/2026

  1. Purpose

Mystic Wellness Ltd is committed to maintaining the highest standards of confidentiality, privacy, professionalism, and trust across all therapies, treatments, training courses, workshops, mentoring services, and practitioner activities.

This Confidentiality Policy explains how personal, sensitive, and confidential information is collected, handled, stored, shared, and protected by Mystic Wellness Ltd. n accordance with applicable UK data protection and confidentiality laws.

This policy applies to all clients, students, trainees, tutors, practitioners, staff, contractors, volunteers, and any individual attending or participating in services delivered by Mystic Wellness Ltd, whether in person, online, or through blended delivery.

By attending any therapy session, training course, workshop, or service, individuals

acknowledge and agree to the terms of this policy.

Nothing within this policy limits or excludes any statutory rights available under applicable UK law, including rights under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Human Rights Act 1998, and applicable safeguarding legislation.

This policy applies alongside all other company policies, terms and conditions, safeguarding procedures, privacy notices, data protection policies, and applicable legal obligations.

  1. Commitment to Confidentiality

Mystic Wellness Ltd recognises that trust and confidentiality are essential in both therapeutic and educational environments.

Confidentiality obligations apply to verbal, written, digital, electronic, visual, recorded, and observational information obtained during services or business operations

All personal information, disclosures, discussions, health information, learning records, and shared experiences will be treated respectfully, professionally, and confidentially.

This applies to all services including but not limited to:

  • Sound Bath and Sound Healing
  • Gong Bath Healing
  • Reiki
  • Meditation
  • Mentoring
  • Drumming
  • Practitioner Training Courses
  • Workshops and Group Sessions

All practitioners, tutors, staff, contractors, volunteers, and representatives of Mystic Wellness Ltd are required to uphold strict confidentiality standards and only access information necessary for legitimate business, safeguarding, legal, educational, therapeutic, or administrative purposes.

Confidential information will only be used for lawful, fair, and transparent purposes connected with the delivery, administration, safety, improvement, and legal compliance of services

  1. Client and Student Information

Information that may be collected and held includes:

  • names and contact details;
  • booking and attendance records;
  • health and medical disclosures;
  • therapy session notes;
  • training records and assessment outcomes;
  • certificates issued;
  • payment records;
  • email or written correspondence;
  • emergency contact details where relevant.

Individuals should avoid sharing confidential information belonging to third parties unless they have lawful authority or consent to do so.

Where services are booked on behalf of another person, the individual making the booking confirms they have authority to provide the relevant personal information.

Information collected will be limited to what is reasonably necessary for service delivery, safeguarding, health and safety, administration, legal compliance, insurance requirements, quality assurance, training management, and business operations.

Where special category personal data is collected, including health-related information, such information will only be processed where a lawful basis and additional condition for processing under UK GDPR and the Data Protection Act 2018 applies.

Some services provided by Mystic Wellness Ltd may involve voluntary disclosure of emotional wellbeing, spiritual experiences, therapeutic reflections, or personal development information. Individuals are responsible for choosing what information they wish to disclose during sessions, workshops, mentoring, or training activities.

Where health or wellbeing information is voluntarily provided, such information will only be used for safety, suitability, safeguarding, insurance, service delivery, or legal compliance purposes.

Mystic Wellness Ltd does not provide medical diagnosis, psychiatric services, or regulated healthcare unless expressly stated.

  1. Confidentiality – Children (Under 18) and Vulnerable Adults

Mystic Wellness Ltd recognises that services provided to individuals under the age of 18 and vulnerable adults require enhanced safeguarding measures and a higher duty of care. We

recognises the importance of protecting the privacy, dignity, wellbeing, and confidentiality of children, young people, and vulnerable adults receiving services.

Where services are provided to a child or young person under 18, confidentiality is not absolute and is subject at all times to safeguarding obligations, legal requirements, and the best interests of the child.

Where services are provided to individuals under the age of 18 or to vulnerable adults, personal information, session records, safeguarding information, and communications will be handled sensitively, securely, and in accordance with:

  • UK GDPR;
  • Data Protection Act 2018;
  • applicable safeguarding legislation and guidance; and
  • professional, ethical, and insurance obligations.

For children under 18, parents or legal guardians may have access to certain information where reasonably necessary for safeguarding, consent, welfare, legal compliance, or participation in services, subject to applicable confidentiality and data protection requirements.

Where a vulnerable adult may require support with decision-making or safeguarding, information may be shared with authorised carers, guardians, advocates, healthcare professionals, safeguarding authorities, or other appropriate persons where lawful, necessary, or in the individual’s vital interests.

Confidentiality may be limited where:

  • there are safeguarding concerns involving a child or vulnerable adult;
  • there is risk of harm to the individual or others;
  • disclosure is required by law, court order, regulator, insurer, or safeguarding authority; or
  • disclosure is necessary for crime prevention, legal proceedings, or protection of vital interests.

Any disclosure will be limited to what is reasonably necessary and proportionate in the circumstances.

Photographs, videos, recordings, testimonials, or marketing materials involving children, young people, or vulnerable adults will not be used without appropriate prior consent from the individual and/or parent, legal guardian, or authorised representative where required

  1. Group Training and Group Session Confidentiality

Many training courses and therapies delivered by Mystic Wellness Ltd involve group participation, shared learning, reflective discussion, and personal experiences.

All participants are expected to respect the confidentiality of others.

Participants must not:

  • share personal stories disclosed by others;
  • disclose names or personal details of other attendees;
  • repeat private group discussions outside the session;
  • share screenshots, recordings, or private messages without consent.
  • publish confidential group discussions on social media, messaging applications, forums, or online platforms.

Confidentiality within group environments is essential to creating a safe, respectful, supportive, and professional learning and healing space.

While Mystic Wellness Ltd requires all participants to respect confidentiality, confidentiality within group environments cannot be absolutely guaranteed due to the involvement of third-party participants

Participants are expected to behave respectfully and professionally during all group activities and must not engage in harassment, discrimination, intimidation, abusive conduct, or behaviour that compromises the safety or wellbeing of others.

Mystic Wellness Ltd reserves the right to take appropriate action where this Policy is breached.

Any breach of confidentiality, including group confidentiality within training, workshops, memberships, practitioner programmes, retreats, events, or services, may result in suspension, removal from participation, withdrawal of access, withheld certification, termination of services, or other appropriate action without refund where permitted by law.

Mystic Wellness Ltd reserves the right to take reasonable action where confidentiality breaches may place individuals, practitioners, students, clients, or the business at risk.

  1. Use and Storage of Information

All personal and sensitive data is processed and stored securely in accordance with:

  • UK GDPR
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR) where applicable

Mystic Wellness Ltd will take reasonable technical and organisational measures to protect information from:

  • unauthorised access;
  • accidental loss;
  • misuse;
  • disclosure;
  • alteration
  • destruction;
  • cyber security threats or unauthorised processing.

Records may be stored securely in electronic and/or paper format.

Only authorised personnel will have access to confidential information where necessary for legitimate business purposes. Access to confidential information is restricted on a role-based and need-to-know basis.

Reasonable measures are taken to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services used to process personal information

Electronic records may be protected through password protection, restricted access controls, encryption technologies, secure cloud storage providers, anti-malware protections, and secure backup systems where appropriate

Paper records containing confidential information will be stored securely and disposed of using confidential destruction methods when no longer required.

Personal data will only be retained for as long as reasonably necessary for business, legal, safeguarding, insurance, tax, training, dispute resolution, or regulatory purposes.

Retention periods may vary depending on the nature of the records, legal obligations, safeguarding responsibilities, insurance requirements, and limitation periods under UK law.

Secure disposal procedures will be applied when confidential records are no longer required.

We do NOT store full payment card or banking details. Payments are securely processed by regulated third-party payment providers such as Stripe or PayPal.

 

  1. Safeguarding and Emergency Disclosures

While Mystic Wellness Ltd is committed to maintaining confidentiality and protecting personal data, there are circumstances where confidentiality may need to be limited or information disclosed in accordance with legal, safeguarding, ethical, or professional obligations.

Confidential information may be disclosed where reasonably necessary to:
• protect the vital interests, health, safety, or wellbeing of any individual;
• comply with safeguarding obligations under the Mystic Wellness Ltd Safeguarding Policy;
• prevent or reduce a serious risk of harm to a client, student, practitioner, staff member, or another person;
• report safeguarding concerns involving a child or vulnerable adult;
• comply with legal, regulatory, insurance, or professional obligations;
• cooperate with lawful investigations, court orders, regulatory authorities, insurers, safeguarding authorities, or law enforcement agencies;
• prevent, detect, or report suspected abuse, neglect, exploitation, terrorism, fraud, money laundering, or other criminal activity;
• establish, exercise, or defend legal claims or legal rights.

Where lawful, appropriate, and reasonably practicable, the individual concerned may be informed before information is disclosed.

Any disclosure will be limited to information reasonably necessary and proportionate for the relevant lawful purpose and handled in accordance with:

  • UK GDPR;
  • Data Protection Act 2018;
  • Children Act 1989;
  • Care Act 2014;
  • Safeguarding Vulnerable Groups Act 2006;
  • Counter-Terrorism and Security Act 2015;
  • and any other applicable UK legal or safeguarding obligations.

Where appropriate, Mystic Wellness Ltd may seek safeguarding, legal, regulatory, insurance, or professional advice before making disclosure decisions.

All disclosure decisions will be made on a case-by-case basis, taking into account legal obligations, safeguarding duties, necessity, proportionality, confidentiality, and the rights and safety of all parties involved.

Mystic Wellness Ltd reserves the right to refuse, pause, adapt, or discontinue services where participation may present a health, safety, safeguarding, ethical, legal, or wellbeing concern.

  1. Recording and Confidentiality (Training sessions)

Where online sessions are delivered through third-party platforms such as Zoom, Microsoft Teams, Google Meet, or similar technologies, participants acknowledge that electronic communications may involve inherent security risks outside the reasonable control of Mystic Wellness Ltd.

Clients and students may not record therapy sessions, training sessions, workshops, or group discussions without prior written permission.

Any authorised recordings made by Mystic Wellness Ltd will be managed in accordance with the company’s Recording Policy and relevant data protection legislation.

Unauthorised recording, photography, screen recording, livestreaming, copying, sharing, or distribution of confidential, private, training, session, or participant content is strictly prohibited and may result in immediate suspension or removal from services, training, events, memberships, or programmes, together with legal, disciplinary, or regulatory action where appropriate..

Any intellectual property rights relating to authorised training materials, recordings, course content, manuals, presentations, worksheets, or educational resources remain the property of Mystic Wellness Ltd unless otherwise agreed in writing.

  1. Use of Children’s and Vulnerable Adults’ Images, Photos, and Video Recordings

We do not use photographs, video recordings, audio recordings, testimonials, or any other visual or media content of children, young people, or vulnerable adults for marketing, promotional, advertising, training, social media, or publicity purposes without appropriate prior consent.

For individuals under the age of 18, consent must be obtained from a parent or legal guardian with parental responsibility.

For vulnerable adults, consent must be obtained from the individual themselves where they have capacity to provide informed consent, or from an authorised representative, guardian, attorney, advocate, or other appropriate person where lawful and appropriate.

Where consent is provided, it must be:

  • explicit and informed;
  • specific to the intended use, including where, how, and for how long the content may be used or published; and
  • obtained in accordance with applicable safeguarding, privacy, and data protection requirements.

Images, recordings, or related content involving children or vulnerable adults will never be used without appropriate safeguarding consideration and compliance with:

  • UK GDPR;
  • Data Protection Act 2018; and
  • applicable safeguarding obligations, professional standards, and best practice guidance.

We will take reasonable steps to ensure that any such content is used respectfully, appropriately, securely, and in a manner that does not compromise the individual’s dignity, privacy, safety, wellbeing, or safeguarding.

Consent may be withdrawn at any time by the individual, parent, legal guardian, or authorised representative, subject to any lawful use already undertaken prior to withdrawal.

  1. Use of Images, Photos, and Video Recordings (Adults)

We may use photographs, video recordings, testimonials, or other visual media of individuals aged 18 and over for marketing, promotional, and business purposes only where lawful basis and appropriate consent have been obtained.

Where consent is required, it will be:

  • freely given, specific, informed, and unambiguous;
  • obtained prior to use of any image or recording; and
  • clearly explained in relation to how and where the content may be used (including website, social media, or promotional materials).

Individuals may withdraw their consent at any time. Where consent is withdrawn, we will cease further use of the relevant image or recording for future marketing materials where reasonably practicable. Withdrawal of consent will not affect any lawful use carried out prior to withdrawal.

We will ensure that all images and recordings are used in a professional, respectful manner and do not misrepresent the individual or their experience.

We do not sell personal images or recordings to third parties.

  1. Staff and Practitioner Responsibilities

All practitioners, staff, contractors, and volunteers working with Mystic Wellness Ltd must:

  • maintain professional confidentiality at all times;
  • only access information necessary for their role;
  • securely handle all personal and confidential records;
  • avoid discussing confidential matters in public or inappropriate settings;
  • comply with this policy and applicable legal obligations.
  • report suspected confidentiality breaches, data breaches, or safeguarding concerns promptly;
  • complete any confidentiality, safeguarding, cyber security, or data protection training required by the business.
  • follow safeguarding procedures and act in the best interests of children, young people, and vulnerable adults at all times;
  • ensure appropriate consent, supervision, and safeguarding requirements are met before providing services to children or vulnerable adults;
  • maintain appropriate professional boundaries, confidentiality, and respectful conduct when working with children or vulnerable adults; and
  • report, escalate, and record any safeguarding concern, disclosure, risk of harm, or welfare concern in accordance with safeguarding procedures and applicable law.

All individuals handling confidential information are expected to exercise professional judgement and maintain appropriate professional boundaries at all times.

Staff and representatives must immediately report any suspected data breach, confidentiality breach, cyber security incident, safeguarding concern, or unauthorised disclosure of information.

Failure to maintain confidentiality or comply with this Policy may result in disciplinary action, suspension, removal from training or services, termination of engagement, withheld certification, legal action, or referral to relevant safeguarding, regulatory, professional, or law enforcement authorities where appropriate.

Mystic Wellness Ltd reserves the right to take any reasonable and proportionate action necessary to protect confidentiality, safety, legal compliance, professional standards, and the wellbeing of clients, learners, staff, and participants.

All staff and representatives are expected to comply with associated company policies including Data Protection, Cyber Security, Safeguarding, Equality and Diversity, Anti-Harassment, and Record Retention policies where applicable.

Staff, practitioners, tutors, contractors, and volunteers may be required to sign separate confidentiality agreements, practitioner agreements, or data protection agreements where appropriate.

Confidentiality obligations continue after employment, engagement, volunteering, training, or contractual relationships with Mystic Wellness Ltd have ended.

  1. Clients and Student Rights

Individuals have the right to:

  • know how their information is used;
  • request access to their personal data;
  • request correction of inaccurate data;
  • request deletion where legally permitted;
  • request restriction of processing where applicable;
  • object to certain forms of processing where permitted by law
  • withdraw consent where applicable;
  • request transfer of their data where legally applicable;
  • make complaints regarding data handling or confidentiality concerns

Requests relating to personal data may require identity verification before information is disclosed, amended, or deleted.

Requests relating to confidentiality or personal data should be submitted in writing to Mystic Wellness Ltd using the contact details provided within the company’s Privacy Notice or Data Protection documentation.

Certain legal exemptions may apply to requests where disclosure could adversely affect the rights and freedoms of others, safeguarding obligations, legal claims, confidential references, or ongoing investigations.

Individuals also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if they believe their data protection rights have been breached.

  1. Third-Party Services and External Platforms

Mystic Wellness Ltd may use third-party systems, software providers, payment processors, booking systems, learning platforms, cloud storage providers, communication services, or social media platforms to support business operations and service delivery.

Where third-party providers process personal data on behalf of Mystic Wellness Ltd, reasonable steps will be taken to ensure such providers implement appropriate security and confidentiality measures in accordance with applicable UK data protection laws.

Mystic Wellness Ltd is not responsible for the independent privacy or confidentiality practices of third-party platforms outside its reasonable control

  1. Changes to This Policy

Mystic Wellness Ltd may update this policy from time to time to reflect legal, regulatory, or operational safeguarding, technological, or business changes. Any updates will be published with an updated “Last Updated” date.

Continued use of services following publication of updated policies constitutes acceptance of the revised policy where permitted by law.

  1. Acknowledgement

By participating in services, individuals acknowledge that complementary and holistic wellbeing services may affect individuals differently and that outcomes, experiences, or perceived benefits cannot be guaranteed.

By attending therapy, training, workshops, mentoring, practitioner programmes, events, or services with Mystic Wellness Ltd, individuals confirm that they understand, acknowledge, and accept this Confidentiality Policy.

All practitioners, staff, contractors, volunteers, tutors, and relevant students working with or representing Mystic Wellness Ltd must read, understand, and comply with this policy.

All staff, contractors, and representatives of Mystic Wellness Ltd are required to follow this Policy and maintain confidentiality obligations both during and after their relationship with the business ends.

Mystic Wellness Ltd reserves the right to initiate appropriate action where this Policy is breached.

Failure to comply with this Policy by staff, practitioners, contractors, volunteers, students, or representatives may result in disciplinary action, suspension, restriction of duties, termination of engagement, removal from training or services, withdrawal of certification eligibility, legal action, or referral to relevant regulatory, safeguarding, professional, or law enforcement authorities where appropriate.