📍 20 Ainsdale Close, Worthing BN13 2QX
📞 07947502512
jan@zendenworthing.com
Your data, handled with care

Privacy Notice

How I collect, use and protect your personal information — in plain English.

1. Who I am and how to contact me

This privacy notice explains how I collect, use and protect your personal information when you book a treatment, complete a consultation form, or otherwise interact with Zen Den Worthing.

I, Jan Bugar, trading as Zen Den Worthing, am the data controller for any personal information you provide. I take this responsibility seriously and have written this notice in plain English so you understand exactly what happens to your data and what rights you have under UK GDPR and the UK Data Protection Act 2018.

Contact details for any data-related questions:

Jan Bugar · Zen Den Worthing
20 Ainsdale Close, Worthing, BN13 2QX
Email: jan@zendenworthing.com
Phone: 07947 502512

If you’d like to exercise any of your data rights, raise a concern, or just ask a question about your information, please get in touch using any of the methods above.

2. What information I collect about you

2.1 Basic personal information

  • Your title and full name
  • Date of birth
  • Home address
  • Email address
  • Phone number(s)
  • Gender (optional, only if you wish to share it)
  • Emergency contact details (optional)
  • How you found me (referral source)

2.2 Health and treatment information (“special category data”)

Because massage therapy involves your body, I also collect information that UK GDPR classifies as special category data — meaning data about your health. This includes:

  • Medical history and current health conditions
  • Current medications
  • Past injuries or surgeries
  • Allergies
  • GP or consultant details (where relevant)
  • Treatment notes and session records
  • Other lifestyle information relevant to your treatment (e.g. work, posture, exercise habits)

I only ever collect the minimum information needed to keep your treatments safe and effective.

2.3 Booking and payment information

When you book or pay for a treatment, I (or my payment processors on my behalf) collect:

  • Appointment date, time and service booked
  • Payment confirmation details (I do not store full card numbers — see section 6)
  • Voucher or membership records (if applicable)

3. How I collect your information

I collect your information in the following ways:

  • Your consultation form — completed digitally via Jotform before your first treatment.
  • The online booking system — Cliniko, when you book an appointment.
  • Direct communication — when you contact me by phone, SMS, WhatsApp, or email.
  • Social media messages — when you reach out via Facebook, Instagram, or LinkedIn.
  • In person, during your appointment — including verbal updates to your health information at the start of each session.
  • From your GP or consultant — only if you have asked them to share information with me, and only with your explicit consent.

4. Why I collect your information

I use your information solely for legitimate purposes related to your treatment and the running of my practice:

  • To deliver safe, effective and properly tailored massage treatments;
  • To schedule, confirm, and remind you of your appointments;
  • To identify you and access your treatment history at each session;
  • To process payments and issue receipts or invoices;
  • To meet my legal obligations (such as tax records and treatment-note retention required by FHT professional regulation);
  • To communicate with you about your bookings and treatments;
  • To send you occasional marketing emails — only if you have explicitly opted in (see section 11);
  • Where you have asked me to, to communicate with your GP or other healthcare providers about your care.

I will never sell your data, share it for someone else’s commercial purposes, or use it in any way you haven’t consented to.

5. Legal basis for processing

UK GDPR requires me to tell you the legal basis on which I process your data. Different activities rely on different bases, listed clearly below.

5.1 Contract (Article 6(1)(b))

I process your basic personal information (name, contact details, appointment details, payment information) because it is necessary to deliver the treatments you have booked and to manage your bookings.

5.2 Explicit consent (Articles 6(1)(a) and 9(2)(a))

I process your health information (special category data) on the basis of your explicit consent. You provide this consent by completing and signing the consultation form before your first treatment. You can withdraw your consent at any time — though if you do, I won’t be able to continue treating you safely.

5.3 Legal obligation (Article 6(1)(c))

I retain treatment records for the period required by professional regulation (FHT) and UK tax law (HMRC). This is a legal obligation I cannot opt out of, and it overrides requests to delete records during the retention window.

5.4 Consent for marketing (Article 6(1)(a))

If you have ticked the box on your consultation form to receive marketing communications, I process your contact details on the basis of your consent. You can withdraw this consent at any time and I’ll stop immediately (see section 11).

5.5 Legitimate interests (Article 6(1)(f))

I may rely on legitimate interests for limited purposes such as keeping basic business records, responding to enquiries, and protecting myself and clients during sessions (see section 8 on the Ring doorbell). Where I rely on legitimate interests, I make sure your interests and rights are not overridden.

6. Third parties who process your data

To run my practice, I use a small number of trusted third-party services. Under UK GDPR these are “data processors” — they only handle your data on my instructions and in line with this notice. I have a written data-processing relationship with each.

  • Cliniko

    My clinical practice management system. Stores your contact details, treatment notes (special category data), and appointment history on encrypted servers. Cliniko is the long-term home for your records. Cliniko privacy policy.

  • Jotform

    The form-builder used to collect your initial consultation form. Jotform stores form submissions briefly (typically up to 30 days) before they are deleted; I export your completed form into Cliniko shortly after you submit it. Jotform is US-based — see section 7 on international transfers. Jotform privacy policy.

  • Stripe (primary payment processor)

    Handles most card payments at the clinic and online. Stripe processes your card details directly — I never see or store your full card number. Stripe is PCI-DSS compliant and handles encryption and security to bank-industry standards. Stripe privacy policy.

  • SumUp (occasional payment processor)

    I occasionally use SumUp as a backup card terminal. Like Stripe, SumUp processes card details directly — I never see or store your full card number. SumUp is also PCI-DSS compliant. SumUp privacy policy.

  • Google (Gmail)

    I use Gmail for all email communication, including marketing emails to clients who have opted in. Google processes the email content and recipient list on its servers under its own data-protection commitments. Google privacy policy.

  • Meta (Facebook and Instagram messaging)

    If you message me through Facebook Messenger or Instagram, Meta processes that message on its platforms. I receive and reply to it from my account. I do not transfer those conversations into Cliniko unless they contain information directly relevant to your treatment, which I record in your notes. Meta privacy policy.

  • WhatsApp (also Meta)

    Messages sent over WhatsApp are end-to-end encrypted between us. WhatsApp itself does not access message content but does process metadata (sender, timestamp, etc.). WhatsApp privacy policy.

  • Webflow

    The platform that hosts this website. Webflow handles website infrastructure but does not directly access your personal data unless you submit it through a website form. Webflow privacy policy.

I do not share your data with any other third party for any other purpose. I will never sell your information.

7. International data transfers

Some of the services I use (Jotform, Google, Stripe, SumUp, Meta, Webflow) have servers outside the UK — mostly in the United States and the European Union. UK GDPR allows such transfers only when there are adequate protections in place.

The third parties I use rely on one or more of the following safeguards:

  • The UK’s adequacy decision for the EU — for data stored on EU servers.
  • The UK-US Data Bridge / UK extension to the EU-US Data Privacy Framework — for data transferred to certified US-based processors.
  • Standard Contractual Clauses (SCCs) — legally binding contract terms approved by the UK Information Commissioner.

If you’d like more detail about how any specific processor handles your data internationally, their privacy policies (linked in section 6) explain the safeguards they use.

8. Ring doorbell at the entrance

The front entrance to my home, where the clinic is located, has a Ring video doorbell. It may capture brief video footage of visitors as they approach the door.

  • The doorbell is for the security of my home and to let me know when clients arrive.
  • Footage is stored on Ring’s servers (operated by Amazon) and is automatically deleted after a short period unless I save a specific clip.
  • The camera covers only the immediate area around my front entrance — not the public footpath or any other public space.
  • I rely on legitimate interests as the legal basis for this processing (Article 6(1)(f)) — protecting my home and managing arrivals safely.
  • If you’d like to know more about Ring’s data handling, their privacy notice covers how footage is stored and processed.

9. How long I keep your data

  • Treatment notes and consultation forms — retained for at least 7 years from the date of your last treatment, as required by FHT professional regulation and UK tax law.
  • Records for clients who were under 18 at the time of treatment — retained until 7 years after their 18th birthday.
  • Marketing-related contact details — retained for as long as you have opted in. If you opt out, I delete you from the marketing list immediately.
  • Payment and tax records — retained for 7 years as required by HMRC.
  • Ring doorbell footage — held on Ring’s servers per their default settings; deleted unless I specifically save a clip for a reason (e.g. an incident).

After the relevant retention period, your information is securely deleted.

10. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — you can ask me what data I hold about you and request a copy.
  • Right to rectification — you can ask me to correct any inaccurate or incomplete information.
  • Right to erasure (“right to be forgotten”) — you can ask me to delete your data. Please note that I’m legally required to keep treatment records for 7 years (see section 9), so I cannot delete clinical records during that period.
  • Right to restrict processing — you can ask me to stop using your data for certain purposes while a query is being resolved.
  • Right to object — you can object to any processing based on legitimate interests, and to marketing communications at any time.
  • Right to data portability — you can ask me to provide your data in a machine-readable format so you can transfer it to another service.
  • Right to withdraw consent — where I rely on your consent (e.g. for marketing or health-data processing), you can withdraw it at any time.
  • Right not to be subject to automated decision-making — I do not make any decisions about you using automated processing or profiling.

To exercise any of these rights, contact me at jan@zendenworthing.com. I’ll respond within 30 calendar days, as required by UK GDPR. I may need to verify your identity first to keep your data secure.

11. Marketing communications

From time to time I send occasional marketing emails — usually a seasonal offer, a relevant therapy update, or news about Zen Den Worthing.

  • I only send these to clients who have explicitly opted in, typically by ticking a box on the consultation form.
  • Every marketing email I send includes a clear unsubscribe link at the bottom. Clicking it removes you from my marketing list immediately.
  • You can also opt out at any time by replying to any marketing email, emailing me at jan@zendenworthing.com, or telling me directly.
  • Opting out is processed immediately. You will not receive further marketing communications from me.
  • Opting out of marketing does not affect appointment-related communications (booking confirmations, reminders, etc.) — these are necessary for the service you have booked.

Marketing emails are sent from my Gmail account, so the data processor for these communications is Google (see section 6).

12. Cookies and website analytics

12.1 What cookies are

Cookies are small text files stored on your device by websites you visit. They help websites remember things like preferences and gather information about how visitors use the site.

12.2 What I use cookies for

My website uses cookies for two purposes:

  • Essential cookies — required for the website to function (e.g. remembering your cookie preferences). These do not need your consent under UK law.
  • Analytics cookies — provided by Google Analytics, which helps me understand how visitors use my website (such as which pages are most read and where visitors come from). These require your consent.

12.3 Google Analytics

Google Analytics collects anonymised information about how you use my site — for example, what country you visit from, what device you use, and which pages you view. It does not identify you personally and I do not link analytics data to your treatment records.

Analytics cookies are only set if you accept them through the cookie banner shown when you first visit. You can change your preferences at any time using the “Cookie Settings” link in my website footer.

If you would prefer to opt out of Google Analytics entirely, Google offers a browser opt-out add-on.

12.4 No advertising or social media tracking

I do not use advertising cookies, social media tracking pixels, or any third-party trackers beyond Google Analytics. I do not run paid advertising campaigns that profile visitors.

13. How I protect your information

I take reasonable, practical steps to keep your information secure:

  • Clinical records are stored in Cliniko on encrypted servers with industry-standard protection. Only I have access to my Cliniko account.
  • My work laptop is locked with a 6-digit PIN known only to me, has up-to-date anti-malware protection, and is encrypted at rest.
  • Card payment details are never stored on my devices — Stripe and SumUp handle all card processing directly with PCI-DSS compliance.
  • Messages and emails are kept in their respective apps (Gmail, WhatsApp, etc.), each with their own security measures, and are deleted when no longer needed.
  • Paper records — if I ever have any physical notes during a session, they are scanned into Cliniko and the paper is securely destroyed.

No system is ever 100% secure, but I take privacy seriously and review my practices regularly to keep your data as safe as I reasonably can.

14. Complaints procedure

14.1 If you have a concern about your data

If you’re unhappy with how I’ve handled your information, I’d much rather hear from you first so I can try to put it right. Please contact me in writing:

Jan Bugar · Zen Den Worthing
20 Ainsdale Close, Worthing, BN13 2QX
Email: jan@zendenworthing.com
Phone: 07947 502512

I’ll acknowledge your concern within 5 working days and provide a substantive response within 14 working days.

14.2 Your right to complain to the ICO

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at any time, especially if you feel your concern hasn’t been resolved.

Information Commissioner’s Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You don’t have to contact me first — but if you do, I’ll always try to resolve things directly and respectfully before any external escalation.

15. Updates to this notice

I may update this privacy notice from time to time — for example, if I change a service provider, add a new tool, or if UK data protection law evolves. The most current version is always available on this page, and the “last updated” date below tells you when I last made meaningful changes.

Material changes will be communicated to active clients where reasonable. Minor changes (such as wording clarifications) will simply be reflected in the published version.

By booking an appointment, you accept the version of this Privacy Notice current at the time of your booking.


Privacy Notice last updated: June 2026
