Privacy Policy

Last Updated: 27/05/2026 

  1. Introduction

Mystic Wellness Ltd (“we”, “us”, “our”) is committed to protecting and respecting your privacy, confidentiality, and personal data rights in accordance with applicable UK data protection law.

This Privacy Policy explains in full detail how we collect, use, store, process, retain, share, and protect your personal data when you access or use our website https://mysticwellness.co.uk, make bookings, purchase services, attend training programmes, receive therapies, communicate with us, submit complaints, or otherwise engage with our services in any form.

We operate in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and where applicable consumer protection legislation including the Consumer Rights Act 2015 and Consumer Contracts Regulations 2013.

This Privacy Policy must be read alongside our Terms and Conditions of Website Use (including Section 36 Dispute Resolution), Complaints Procedure, Cookie Policy, and Terms and Conditions of Sale. These documents form part of a unified legal framework governing your relationship with Mystic Wellness Ltd.

All Mystic Wellness Ltd policies form part of a single contractual framework. In case of conflict, the Training Terms and Conditions Policy shall prevail unless expressly stated otherwise.

  2. Data Protection Principles

We process personal data in accordance with the following principles under Article 5 UK GDPR:

  • lawfulness
  • fairness
  • transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality

We only collect and retain personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

  3. Data Controller Information

For the purposes of applicable data protection law, Mystic Wellness Ltd is the Data Controller responsible for determining the purposes and means of processing your personal data.

We have not appointed a Data Protection Officer (DPO).

Mystic Wellness Ltd has appointed a designated Data Protection Lead (Rutviie Mmie Virk) responsible for overseeing data protection compliance and handling privacy-related queries.

Contact Details:

Mystic Wellness Ltd
98 Semley Road, Norbury, London SW16 4PJ United Kingdom

Email: info@mysticwellness.co.uk
Telephone: 07871 176758

We are responsible for ensuring that your personal data is processed lawfully, fairly, transparently, and securely at all times, and in accordance with UK GDPR principles.

  4. Lawful Basis for Processing

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We only process personal data where a lawful basis applies, including (where appropriate):

  • performance of a contract;
  • compliance with legal obligations;
  • our legitimate interests (such as fraud prevention, service improvement, and business operations); and
  • consent, where required by law.

  5. Your Legal Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  • the right of access to your personal data;
  • the right to rectification of inaccurate or incomplete data;
  • the right to erasure of your personal data (commonly known as “the right to be forgotten”), where applicable;
  • the right to restrict processing of your personal data;
  • the right to data portability;
  • the right to object to processing of your personal data; and
  • the right to withdraw consent at any time, where processing is based on consent.

These rights are not absolute and may not apply in all circumstances. In certain cases, we may refuse or limit requests where exemptions apply under UK GDPR or the Data Protection Act 2018.

This may include situations involving:

  • legal obligations or compliance requirements;
  • safeguarding duties;
  • fraud prevention or security measures;
  • legal professional privilege;
  • regulatory requirements; or
  • ongoing or anticipated legal proceedings.

To exercise any of your rights, please contact us at: info@mysticwellness.co.uk

For security purposes, we may require you to verify your identity before we can respond to your request.

We will respond to valid requests without undue delay and in any event within one calendar month of receipt.

This period may be extended by up to two additional months where requests are complex or numerous, in accordance with UK GDPR requirements.

Where an extension is necessary, we will inform you within one month of receiving your request.

  6. What Personal Data We Collect

We only collect data that is strictly necessary, and we do not use it for purposes incompatible with those for which it was collected.

We may collect, store, and process different categories of personal data depending on how you interact with our services.

Identity Data

This includes your full name, title, and where relevant identification details required for booking verification, eligibility checks, safeguarding, or legal compliance purposes.

Contact Data

This includes your email address, telephone number, postal address, and any other communication identifiers you provide to us.

Transaction Data

This includes records of payments, booking history, service purchases, invoices, billing addresses, transaction IDs, and payment method types such as PayPal, Stripe, or bank transfer. We do not store full credit or debit card details under any circumstances, as all payment processing is handled securely by authorised third-party payment processors.

Technical Data

This includes IP address, browser type and version, device identifiers, operating system, time zone settings, website interaction data, pages visited, and usage analytics collected through cookies or similar technologies.

Profile Data

This includes service preferences, booking behaviour, training progress, communication preferences, feedback provided, and service history relevant to your engagement with Mystic Wellness Ltd.

Communications Data

This includes emails, messages, live chat conversations, telephone call notes (where recorded), complaint submissions, review submissions, support requests, and any other communications sent to us directly or indirectly.

Special Category (Sensitive) Data

Where necessary, and only where lawful under Article 9 UK GDPR, we may process sensitive personal data including health-related information voluntarily disclosed during therapy sessions, consultations, or wellbeing assessments.

Such data is processed only where strictly necessary and is subject to enhanced confidentiality, restricted access controls, and additional safeguards.

We do not knowingly process the personal data of children under 18 without parental consent or another appropriate lawful basis, depending on the type of service.

Safeguarding and Welfare Information

Where necessary and appropriate, Mystic Wellness Ltd may process safeguarding, welfare, wellbeing, accessibility, emergency contact, or risk-related information in connection with training, therapies, retreats, mentoring, workshops, vulnerable persons, or safeguarding obligations.

Such information will only be processed where lawful, proportionate, necessary, and in accordance with safeguarding responsibilities, UK GDPR, the Data Protection Act 2018, and applicable safeguarding legislation.

  7. Children’s Data Processing, Parental Consent & Safeguarding

Mystic Wellness Ltd may process personal data relating to individuals under the age of 18 only where necessary for the provision of complementary therapy, holistic wellness services, or related supportive services, and only in accordance with strict safeguarding requirements.

Where we process personal data relating to individuals under 18, we apply enhanced safeguards and rely on parental or legal guardian consent as the primary lawful basis where required. Access to children’s data is restricted and processed strictly for service delivery and safeguarding purposes only.

We do not knowingly collect or process personal data from individuals under 18 without appropriate safeguards and verified parental or legal guardian involvement.

Where children’s data is processed, we rely on one or more of the following lawful bases under UK GDPR:

  • Article 6(1)(a) – Consent, where verifiable consent is provided by a parent or legal guardian on behalf of the child;
  • Article 6(1)(b) – Contractual necessity, where processing is required to deliver the requested service;
  • Article 6(1)(c) – Legal obligation, where processing is required to comply with safeguarding, regulatory, or legal duties; and
  • Article 6(1)(f) – Legitimate interests, where necessary for safeguarding, service safety, fraud prevention, or responsible service delivery, provided such interests do not override the rights and freedoms of the child.

Where special category data is processed (for example, health-related information), we will additionally rely on an appropriate Article 9 UK GDPR condition, such as explicit consent or safeguarding-related necessity, where applicable.

All services involving individuals under 18 require prior verifiable consent from a parent or legal guardian before any personal data is collected or processed. We may request written consent and/or identity verification to confirm parental responsibility and ensure lawful processing.

Where services are provided to minors:

  • parental or legal guardian consent must be obtained in advance;
  • parental or legal guardian involvement or presence may be required throughout the session depending on the nature of the service; and
  • the parent or guardian remains responsible for safeguarding, supervision, and ongoing welfare of the child during participation.

We reserve the right to refuse, suspend, or terminate services where appropriate consent cannot be verified, where safeguarding concerns arise, or where continued participation is not considered appropriate or safe.

Children’s personal data is processed strictly for the purpose of delivering services safely and appropriately, and is not used for marketing or unrelated purposes.

We implement appropriate technical and organisational measures to protect children’s data against unauthorised access, loss, misuse, or disclosure.

Data is only shared where necessary for service delivery, safeguarding, legal compliance, insurance requirements, or professional obligations.

We retain children’s personal data only for as long as necessary to deliver services, comply with legal or regulatory obligations, fulfil safeguarding requirements, or resolve disputes. Data is securely deleted or anonymised when no longer required.

Parents or legal guardians may exercise data protection rights on behalf of a child, including access, rectification, erasure (where applicable), restriction, and objection to processing.

Requests may be submitted to: info@mysticwellness.co.uk.

Verification of identity and parental responsibility may be required before processing any request.

  8. How We Use Your Personal Data

We only process your personal data where a lawful basis exists under UK GDPR. These include contract necessity, legal obligation, legitimate interests, and consent.

We process personal data based on the information you provide to us.

A Data Protection Impact Assessment (DPIA) is carried out where processing is likely to result in a high risk to individuals.

We ensure that all personal data processing is carried out fairly, transparently, and in a manner that is not unjustified, unexpected, or detrimental to individuals.

Contractual Necessity

We use your personal data to:

  • process bookings, orders, and payments
  • deliver training programmes, workshops, therapies, and consultations
  • issue certificates, confirmations, and service records
  • manage customer accounts and service delivery
  • communicate essential service information

Legal Obligations

We may process personal data to comply with:

  • tax and accounting laws
  • regulatory requirements
  • fraud prevention and anti-money laundering obligations
  • consumer protection law requirements
  • legal claims or court orders

Legitimate Interests

We may process data to:

  • improve service quality and customer experience
  • manage complaints and dispute resolution processes
  • maintain website security and prevent fraud
  • monitor system performance and service integrity
  • ensure operational efficiency and business continuity

We will conduct a formal Legitimate Interests Assessment (LIA) where required, and records of these assessments are kept internally.

We may also process personal data for safeguarding, health and safety, fraud prevention, risk management, internal governance, insurance administration, professional standards monitoring, staff management, training quality assurance, accreditation compliance, and business protection purposes where we have a legitimate interest in doing so.

Where we rely on legitimate interests, we carry out a balancing test to confirm that the processing is necessary and that your fundamental rights and freedoms are not overridden.

Consent Based Processing

Where required, we process data based on your consent for:

  • marketing communications
  • optional analytics and cookies
  • publication of testimonials or reviews
  • promotional content featuring user submissions

You may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn.

  9. Legal Compliance (Lawful Basis Mapping for Processing Activities)

We may process personal data where necessary to comply with legal obligations, regulatory requirements, or safeguarding responsibilities.

This may include responding to lawful requests from regulatory bodies, law enforcement agencies, or courts where required.

We process your personal data under different lawful bases depending on the specific purpose for which it is used, in accordance with Article 6 UK GDPR. These lawful bases include:

  • Contract – where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.
  • Legal Obligation – where processing is necessary for compliance with a legal or regulatory obligation.
  • Legitimate Interests – where processing is necessary for our legitimate business interests, provided these are not overridden by your rights and freedoms. Examples include improving our services, ensuring website security, preventing fraud, and managing customer enquiries and complaints.
  • Consent – where you have given clear, informed, and explicit consent for us to process your personal data for a specific purpose, such as marketing communications or optional cookies.

For transparency, we apply these lawful bases to our processing activities as follows:

  • Contract: used for booking management, service delivery, payments, account creation, issuing certificates, and customer support necessary to fulfil our services.
  • Legal Obligation: used for compliance with tax, accounting, safeguarding, fraud prevention, regulatory requirements, and lawful requests from authorities.
  • Legitimate Interests: used for service improvement, business administration, website analytics, security monitoring, complaint handling, and operational efficiency, where these do not override your rights.
  • Consent: used for marketing communications, optional analytics and cookies, testimonials, and promotional content where you have explicitly opted in.

Where multiple lawful bases apply to a single activity, we will determine the most appropriate basis depending on the specific context and purpose of processing.

  10. Data Accuracy and User Responsibility

We rely on the accuracy of the personal data you provide to us. You are responsible for ensuring that any information you submit to us is accurate, complete, and kept up to date.

We may request that you update or correct your personal data where necessary to ensure that it remains accurate for the purposes for which it is processed.

  11. Security of Personal Data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, disclosure, or misuse.

However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security of data transmitted to our systems.

  12. Security and Fraud Prevention

We may process personal data for the purposes of security, fraud prevention, and safeguarding our Website, systems, users, and services.

This may include monitoring transactions, booking activity, and account usage patterns to identify and prevent unauthorised, fraudulent, or suspicious activity.

Where necessary, we may verify identity or request additional information to ensure the security and integrity of our services.

  13. Complaints, Disputes and Legal Escalation (Data Processing)

We process personal data when handling complaints, disputes, and related reviews in accordance with our Complaints Procedure and Section 36 (Dispute Resolution) of our Terms and Conditions of Website Use.

This includes processing personal data for the following purposes:

  • receiving, logging, and managing complaints
  • investigating service delivery issues or concerns
  • reviewing supporting evidence, correspondence, and communications
  • issuing formal responses, findings, and outcomes
  • managing internal review or appeal processes
  • maintaining audit records of complaint handling
  • preparing documentation for Alternative Dispute Resolution (ADR), insurance matters, legal proceedings, or regulatory responses
  • responding to enquiries from regulators, courts, tribunals, the Information Commissioner’s Office (ICO), or law enforcement where applicable

Lawful Basis for Processing

We process complaint-related personal data under one or more of the following lawful bases under UK GDPR:

  • legal obligation (where required to comply with law or regulatory duties);
  • contractual necessity (to manage service delivery and resolve disputes); and
  • legitimate interests (including dispute resolution, business protection, safeguarding, fraud prevention, and defending legal claims).

Where special category data is processed (for example, safeguarding-related information), additional conditions under Article 9 UK GDPR may apply.

Storage, Security and Retention

Complaint-related personal data is stored securely and access is restricted to authorised personnel only.

We apply appropriate technical and organisational security measures to protect personal data against loss, misuse, unauthorised access, or disclosure.

Complaint records may include (where relevant):

  • complaint submissions and logs
  • correspondence and communications
  • investigation notes and internal assessments
  • evidence provided by users or third parties
  • review outcomes and decision records
  • supporting documentation or witness statements

We retain complaint-related data only for as long as necessary for:

  • resolution of the complaint or dispute
  • internal review and audit purposes
  • legal defence or dispute resolution
  • regulatory, safeguarding, or insurance requirements
  • compliance with statutory limitation periods

Retention periods are reviewed regularly in accordance with applicable data protection law.

Internal Complaints Handling Process

If you are dissatisfied, you should contact us first so we can attempt to resolve the matter internally.

We will:

  • acknowledge your complaint within five working days
  • investigate the matter fairly and proportionately
  • provide a written response within 28 working days where reasonably possible

Where additional time is required due to complexity, we will inform you and provide an updated timeframe.

Complaint handling decisions are made based on documented procedures and are carried out independently, fairly, and without improper influence.

Alternative Dispute Resolution (ADR) and External Escalation

Where a complaint or dispute cannot be resolved internally, it may be referred to or handled through an independent Alternative Dispute Resolution (ADR) provider.

ADR providers operate under the Consumer ADR Regulations 2015 and are independent bodies designed to resolve disputes without court proceedings. Participation may be voluntary or required depending on the nature of the dispute and applicable legal obligations.

We may engage in ADR where appropriate, where both parties agree, or where required by law or contract.

Data Sharing for Dispute Resolution

Where necessary, we may share relevant personal data for the purposes of resolving complaints or disputes with:

  • independent ADR providers
  • legal advisers and solicitors
  • courts, tribunals, or judicial authorities
  • regulators, including the Information Commissioner’s Office (ICO)
  • law enforcement or other statutory bodies where legally required

Any sharing is limited to what is necessary and proportionate for dispute resolution, compliance, or legal defence.

Where required, we may also cooperate with regulatory authorities in other jurisdictions where complaints or legal obligations extend beyond the United Kingdom.

External Escalation Rights

You have the right to escalate complaints externally at any time, including without completing our internal complaints process.

External escalation routes include the Information Commissioner’s Office (ICO) for data protection matters and the Competition and Markets Authority (CMA) for consumer matters; their details are listed in the Alternative Dispute Resolution section below.

You may contact these authorities directly at any stage.

Legal Rights and Safeguarding

Nothing in this section limits your statutory rights under UK data protection law (including the UK GDPR and the Data Protection Act 2018), consumer protection law, or any other applicable legislation.

We may also disclose personal data where required or permitted by law for safeguarding purposes, fraud prevention, insurance claims, regulatory investigations, or legal proceedings.

  14. Alternative Dispute Resolution (ADR) and External Escalation

Where a dispute cannot be resolved internally, personal data may be shared with an independent Alternative Dispute Resolution (ADR) provider operating under the Consumer ADR Regulations 2015.

ADR providers are independent bodies designed to resolve disputes fairly, without court proceedings, where both parties agree or where required.

We are willing to engage in ADR where appropriate and where both parties consent to participation.

Personal data may also be shared with:

  • legal representatives
  • courts or tribunals
  • regulatory bodies including the ICO where applicable

You also retain the right to escalate complaints externally to:

  • Information Commissioner’s Office (ICO): https://ico.org.uk
  • Competition and Markets Authority (CMA): https://www.gov.uk/government/organisations/competition-and-markets-authority

  15. Data Sharing, Third Parties Processing and Service Providers

We may use trusted third-party service providers, platforms, and contractors to support the operation of our Website, business activities, and services.

These third parties may include (but are not limited to):

  • payment processors;
  • booking and scheduling systems;
  • website hosting providers;
  • cloud storage providers;
  • IT and cybersecurity providers;
  • analytics and performance tools;
  • email and communication platforms;
  • video conferencing providers;
  • accountants, solicitors, insurers, and professional advisers; and
  • regulatory, legal, or compliance service providers.

Where third-party providers process personal data on our behalf, they act as data processors and process personal data only in accordance with:

  • our documented instructions;
  • applicable UK data protection law; and
  • contractual obligations under Article 28 UK GDPR.

All third-party processors are required to implement appropriate technical and organisational security measures to protect personal data and maintain confidentiality.

We take reasonable steps to assess the security, privacy, and compliance standards of third-party providers before engaging their services.

Some third parties may act as independent data controllers where they determine their own purposes and means of processing personal data. This may include:

  • banks and financial institutions;
  • payment providers such as Stripe or PayPal;
  • regulatory authorities;
  • law enforcement bodies; or
  • external professional advisers.

Where third parties act as independent data controllers, their processing of personal data is governed by their own privacy policies, terms, and legal obligations, and not solely by this Privacy Policy.

Our Website may also contain links to third-party websites, services, platforms, or embedded content that are not owned, operated, or controlled by Mystic Wellness Ltd.

This may include:

  • external booking systems;
  • payment gateways;
  • embedded videos;
  • maps;
  • social media integrations;
  • external widgets; or
  • third-party applications or integrations.

We do not control, endorse, monitor, or assume responsibility for:

  • the content, accuracy, or reliability of third-party websites or services;
  • their privacy practices or data processing activities;
  • their security, systems, or technical performance;
  • any interruption, suspension, or unavailability of third-party services; or
  • any loss, damage, delay, payment failure, technical issue, or security incident arising from your use of third-party systems or platforms.

Accessing third-party websites or services is entirely at your own risk.

Third-party services may operate independently from Mystic Wellness Ltd and may apply separate:

  • terms and conditions;
  • cookie policies;
  • privacy notices; and
  • data processing practices.

We encourage users to review the applicable policies of third-party providers before submitting personal data or completing transactions.

We do not guarantee that third-party services, integrations, or embedded content will remain continuously available, compatible, secure, or error-free and such services may be modified, suspended, or discontinued at any time without notice.

Where personal data is transferred outside the United Kingdom, we take reasonable steps to ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

Third-Party Roles and Legal Basis

Some third-party providers may act as:

  • Data Processors (processing data strictly on our instructions), or
  • Independent Data Controllers (where they determine their own purposes, such as banks or payment providers)

Where they act as independent controllers, their processing is governed by their own privacy policies and legal obligations, and not solely by ours.

Once personal data is lawfully transferred to an independent data controller, that organisation becomes independently responsible for its own processing activities and compliance obligations.

We are not responsible for their independent data processing activities once data has been transferred to them.

  16. Payment Processors

We use trusted third-party payment processors to securely handle financial transactions made through our Website and services. These may include, but are not limited to:

  • Stripe
  • PayPal
  • Banking institutions used for direct bank transfers

All payment transactions are processed securely through these providers in accordance with their own security standards, including PCI-DSS (Payment Card Industry Data Security Standard) compliance where applicable.

We do not store full payment card details on our systems. Any payment information you provide is transmitted directly to and processed by the relevant third-party payment provider under their own privacy policies and security protocols.

These payment providers may act as independent data controllers or data processors depending on the nature of the transaction and their contractual role.

We recommend that you review the privacy policies of these providers before making any payment.

We are not responsible for the security, processing practices, or systems of third-party payment providers once your data has been transmitted to them.

  17. Service Infrastructure and Data Processing Providers

We use carefully selected third-party service providers to operate our Website and deliver our services efficiently. These may include:

  • Website hosting providers
  • Cloud storage providers
  • Email delivery and communication systems
  • Booking and scheduling platforms
  • Analytics providers (e.g., Google Analytics or similar tools)
  • IT support and system maintenance providers

These providers process personal data only where necessary to deliver their services to us and act as data processors under Article 28 UK GDPR, unless otherwise stated.

All such processors are contractually bound to:

  • process personal data only on our documented instructions
  • maintain confidentiality and security of personal data
  • implement appropriate technical and organisational security measures
  • comply with UK GDPR and Data Protection Act 2018 requirements

We remain responsible for ensuring that any third-party processors we use meet appropriate data protection and security standards.

  18. Professional, Legal and Business Advisors

We may share personal data with professional advisers where necessary for legitimate business, legal, or compliance purposes, including:

  • Accountants
  • Solicitors and legal advisers
  • Compliance consultants
  • Insurance providers (where required)
  • Business auditors or financial advisers

These parties will process personal data as independent data controllers or processors depending on the context and their legal obligations.

  19. Legal, Regulatory and Public Authorities

We may disclose personal data where required by law or where we reasonably believe it is necessary to comply with legal obligations, including:

  • HM Revenue & Customs (HMRC)
  • Courts, tribunals, and legal proceedings
  • Law enforcement agencies
  • The Information Commissioner’s Office (ICO)
  • Regulatory bodies and safeguarding authorities

Such disclosures will only occur where legally required or permitted.

  20. Children and Safeguarding Risk

Where we have reasonable grounds to believe that an individual under the age of 18 is at risk of harm, abuse, neglect, or exploitation, we may process and disclose personal data without prior consent where necessary to:

  • protect the child’s vital interests;
  • safeguard their physical or mental wellbeing;
  • comply with safeguarding obligations under UK law; and/or
  • report concerns to appropriate authorities, including social services, law enforcement, or safeguarding professionals.

Where services are provided to minors, we may also share relevant information with a parent or legal guardian unless doing so would increase risk to the child.

All disclosures will be limited to what is necessary and proportionate to address the safeguarding concern.

  21. Safeguarding and Emergency Disclosures

While Mystic Wellness Ltd is committed to maintaining confidentiality and protecting personal data, there are circumstances where confidentiality may need to be limited or information disclosed in accordance with legal, safeguarding, ethical, or professional obligations.

Confidential information may be disclosed where reasonably necessary to:

  • protect the vital interests, health, safety, or wellbeing of any individual;
  • comply with safeguarding obligations under the Mystic Wellness Ltd Safeguarding Policy;
  • prevent or reduce a serious risk of harm to a client, student, practitioner, staff member, or another person;
  • report safeguarding concerns involving a child or vulnerable adult;
  • comply with legal, regulatory, insurance, or professional obligations;
  • cooperate with lawful investigations, court orders, regulatory authorities, insurers, safeguarding authorities, or law enforcement agencies;
  • prevent, detect, or report suspected abuse, neglect, exploitation, terrorism, fraud, money laundering, or other criminal activity; and
  • establish, exercise, or defend legal claims or legal rights.

Where lawful, appropriate, and reasonably practicable, the individual concerned may be informed before information is disclosed.

Any disclosure will be limited to information reasonably necessary and proportionate for the relevant lawful purpose and handled in accordance with:

  • UK GDPR;
  • Data Protection Act 2018;
  • Children Act 1989;
  • Care Act 2014;
  • Safeguarding Vulnerable Groups Act 2006;
  • Counter-Terrorism and Security Act 2015;
  • any other applicable UK legal or safeguarding obligations.

Where appropriate, Mystic Wellness Ltd may seek safeguarding, legal, regulatory, insurance, or professional advice before making disclosure decisions.

All disclosure decisions will be made on a case-by-case basis, taking into account legal obligations, safeguarding duties, necessity, proportionality, confidentiality, and the rights and safety of all parties involved.

Mystic Wellness Ltd reserves the right to refuse, pause, adapt, or discontinue services where participation may present a health, safety, safeguarding, ethical, legal, or wellbeing concern.

  1. International Data Transfers

Where personal data is transferred outside the United Kingdom, we implement appropriate safeguards in accordance with UK GDPR requirements. These may include:

  • UK adequacy regulations
  • International Data Transfer Agreements (IDTAs)
  • Standard Contractual Clauses (SCCs)
  • Supplementary UK GDPR transfer safeguards
  • Other legally approved transfer mechanisms

These measures are designed to ensure your personal data remains protected to UK GDPR standards regardless of where it is stored or processed.

Some third-party providers used by Mystic Wellness Ltd may store or process data outside the United Kingdom. Where this occurs, we take reasonable steps to ensure appropriate safeguards, contractual protections, and lawful transfer mechanisms remain in place.

  1. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected.

Retention periods depend on:

  • legal obligations
  • tax and accounting requirements
  • service delivery requirements
  • complaint and dispute resolution needs
  • regulatory compliance obligations

Complaint and dispute related records may be retained for up to six years where necessary to defend legal claims or comply with statutory limitation periods.

After retention periods expire, data is securely deleted or anonymised.

Retention periods may be extended where reasonably necessary for:

  • safeguarding investigations;
  • ongoing disputes or complaints;
  • insurance requirements;
  • legal proceedings;
  • fraud prevention;
  • regulatory investigations;
  • enforcement of contractual rights.


  1. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, and disclosure. These measures include:

  • secure encrypted systems where applicable
  • restricted access controls
  • password protection and authentication procedures
  • staff confidentiality agreements
  • monitoring and security auditing
  • secure third-party processors

While we take all reasonable steps to protect your data, no system is completely secure, and we cannot guarantee the absolute security of data transmitted over the internet. Any transmission is at your own risk, although we apply industry-standard safeguards to reduce that risk.

Mystic Wellness Ltd maintains internal procedures for managing suspected personal data breaches, cyber incidents, unauthorised access, and information security risks. Breach response includes:

  • internal investigation
  • notification to the Information Commissioner’s Office (ICO) within 72 hours, where required
  • notification to affected individuals where the breach is likely to result in a high risk to their rights and freedoms

Where legally required, relevant breaches will be reported to the ICO and to affected individuals in accordance with UK GDPR breach notification obligations. Where a breach is likely to result in a high risk to individuals’ rights and freedoms, we will notify affected individuals without undue delay.

We regularly review our technical and organisational security measures to ensure they remain appropriate and effective in protecting personal data. This includes periodic internal security reviews and updates to systems and processes where required.

We also provide staff with appropriate data protection and information security training, including refresher training, to ensure ongoing awareness of their responsibilities under UK GDPR and to maintain good security and confidentiality practices.

Security incidents or data protection concerns should be reported to info@mysticwellness.co.uk, which is monitored by our Data Protection Lead.

  1. Automated Decision Making and Profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of Article 22 of the UK GDPR.

All decisions relating to the provision of our services, including bookings, access to training, customer support, and service delivery, are made by appropriately trained members of our team and are subject to human review.

We may use basic analytics tools to understand website usage, improve user experience, and support business operations. However, this does not involve automated decision-making about individuals, nor does it result in any automated decisions that affect your legal rights or access to our services.

If this position changes in the future and we introduce any form of automated decision-making or profiling that has significant effects, we will update this Privacy Policy to clearly explain:

  • the logic involved in the processing;
  • the significance and expected consequences for individuals; and
  • the legal basis relied upon under UK GDPR.

  1. Cookies and Tracking Technologies

We use cookies and similar technologies in accordance with our Cookie Policy to:

  • enable website functionality
  • improve performance and user experience
  • analyse traffic and usage patterns
  • support marketing (where consent is given)

You can manage or disable cookies via your browser settings at any time.

Non-essential cookies, analytics tools, advertising technologies, and tracking technologies will only be used where legally required consent has been obtained in accordance with PECR requirements.

  1. Marketing Communications

We may send marketing communications where:

  • you have explicitly consented, or
  • we have a legitimate interest and you have not opted out

Marketing may include updates, promotions, or service-related information.

You can opt out at any time using unsubscribe links or by contacting us directly.

We do not sell, rent, or trade personal data to third parties for marketing purposes.

  1. Relationship with Other Policies

This Privacy Policy operates alongside:

  • Terms and Conditions of Website Use (Section 36 – Dispute Resolution)
  • Complaints Procedure
  • Cookie Policy
  • Terms and Conditions of Supply (Training and Therapies)
  • Acceptable Use Policy (Website and Digital)

In the event of conflict regarding dispute handling or escalation, Section 36 of the Terms and Conditions shall take legal priority.

  1. Contact Us

Mystic Wellness Ltd
98 Semley Road, Norbury, London SW16 4PJ United Kingdom

📞 07871 176758
📧 info@mysticwellness.co.uk

  1. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, regulatory guidance, operational practices, technology, safeguarding requirements, or business operations.

Updated versions will be published on this page together with a revised “Last Updated” date.

Where legally required or appropriate, significant changes may also be communicated directly by email, website notification, booking systems, training communications, or other reasonable methods.

Continued use of our website, services, training, workshops, therapies, or products following updates constitutes acceptance of the revised Privacy Policy.

  1. Acknowledgement

All practitioners, staff, contractors, volunteers, assessors, tutors, students, and relevant representatives working with or representing Mystic Wellness Ltd must read, understand, and comply with this Privacy Policy and all applicable data protection obligations.

By accessing our website, purchasing products, booking services, attending training, participating in workshops, submitting personal information, or otherwise engaging with Mystic Wellness Ltd, users acknowledge that they have read, understood, and accepted this Privacy Policy.

Users further acknowledge that certain personal data processing activities are necessary for contractual performance, safeguarding, legal compliance, operational administration, complaints handling, dispute resolution, fraud prevention, security management, and legitimate business purposes.