Privacy Policy

Your privacy matters. Here's a clear explanation of what personal data we collect, why we collect it, and how we look after it.

Who we are

Herbelle Remedies is the herbal medicine practice and apothecary of Ellie Marks, a registered member of the National Institute of Medical Herbalists (NIMH). Ellie is the data controller for this website and for all personal data collected in connection with the practice and online shop.

Practitioner: Ellie Marks
Practice name: Herbelle Remedies
Location: Caerphilly, South Wales
Email: info@herbelleremedies.co.uk
Website: www.herbelleremedies.co.uk

This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have any questions about how we handle your data, please don't hesitate to get in touch.

What personal data we collect

We only collect information that is necessary for the purpose it is collected for. Here is a breakdown of what we collect and how:

Online shop orders (via Shopify)

When you place an order in our apothecary, we collect your name, email address, delivery address, billing address, phone number, and payment details. Payment information is processed securely by Shopify and its payment providers | we do not store your card details directly. We also collect your order history and any communications you send us about your order.

Consultation enquiries (by email)

When you contact us by email, we receive your name, email address, and any details you choose to share about your health or the reason for your enquiry. This may include health information, which is classed as special category data under UK GDPR.

Appointment bookings (via Cal.com)

When you book a consultation through our website, you will be directed to our booking system, Cal.com. The information you provide during booking | typically your name, email address, and appointment details | is processed by Cal.com on our behalf. Please also refer to Cal.com's privacy policy for details of how they handle your data.

Consultation records

As part of providing a herbal medicine consultation, we collect detailed health information | including your medical history, current medications, symptoms, and lifestyle factors. This is special category data, and it is essential for providing safe and effective herbal medicine care.

Website analytics (via Google Analytics)

We use Google Analytics (GA4) to understand how visitors use this website. The data collected is anonymised and aggregated | it tells us things like which pages are most visited and how people find the site. It does not identify you personally.

Newsletter sign-ups

If you subscribe to our newsletter, we collect your email address for the sole purpose of sending you updates. You can unsubscribe at any time using the link in any email we send.

Why we collect your data (lawful basis)

Under UK GDPR, we must have a lawful basis for processing your personal data. Here is the basis we rely on for each type of processing:

Processing shop orders | Processing your order details is necessary for the performance of a contract (Article 6(1)(b)) | i.e., fulfilling and delivering your purchase.
Providing herbal medicine consultations | We process your health information on the basis of explicit consent (Article 9(2)(a) UK GDPR), given that health data is special category data. We will always ask for your consent before collecting detailed health information. You may withdraw that consent at any time.
Responding to enquiries | We process contact details submitted by email on the basis of legitimate interests (Article 6(1)(f)), as it is reasonable for you to expect a response when you contact us.
Appointment bookings | Processing your booking details is necessary for the performance of a contract (Article 6(1)(b)) | i.e., arranging your consultation.
Website analytics | We process anonymised usage data on the basis of legitimate interests (Article 6(1)(f)), to understand how the website performs and improve it. You can opt out at any time | see our Cookie Policy for details.
Marketing communications | If you sign up to receive updates from us, we process your contact details on the basis of your consent (Article 6(1)(a)). You can withdraw consent at any time by emailing us or using the unsubscribe link in any communication.

Special category data: your health information

Health information is given extra protection under UK GDPR because of its sensitive nature. We collect and process health data only:

With your explicit consent, given at the start of the consultation process;
For the sole purpose of providing herbal medicine consultation services to you;
In a way that is consistent with professional obligations as a NIMH-registered medical herbalist.

Your health information is held securely and is never shared with third parties except where you have consented or where we are legally required to do so.

How long we keep your data

Order records | Retained for 7 years from the date of purchase, in line with HMRC requirements for financial records.
Consultation records | Kept for 7 years from the date of your last consultation, in line with standard medical records retention guidance.
Email enquiries | Correspondence is kept for up to 2 years, after which it is securely deleted.
Booking records | Appointment records are retained in line with Cal.com's data retention settings and for up to 2 years for our internal records.
Analytics data | Google Analytics data is retained for 14 months by default, in line with GA4's standard retention settings.
Newsletter subscribers | Retained until you unsubscribe.

After the applicable retention period, your data is securely deleted or anonymised.

Who we share your data with

We do not sell your personal data. We only share it with trusted third parties who help us run this website and deliver our services, and only to the extent necessary:

Shopify Inc. | Our online shop is powered by Shopify, which processes your order data (name, address, payment, transaction history) on our behalf as a data processor, and in some cases as an independent data controller. Shopify may transfer data outside the UK; they use standard contractual clauses as a safeguard. See Shopify's Privacy Policy and the Shopify Privacy Portal.
Royal Mail / delivery partners | Your name and delivery address are shared with our delivery provider solely for the purpose of fulfilling your order.
Google LLC (Google Analytics) | Anonymised website usage data is processed by Google. Data may be transferred to the United States under standard contractual clauses. See Google's Privacy Policy.
Cal.com | Booking information is processed by Cal.com, who act as a data processor on our behalf. See Cal.com's Privacy Policy.
EmbedSocial | Our website may display an Instagram feed powered by EmbedSocial. See EmbedSocial's Privacy Policy.

We will never share your health information with any third party without your explicit consent, except where required by law.

Your rights under UK GDPR

You have a number of important rights regarding your personal data. We want to make it easy for you to exercise them. Here is a summary:

Right of access | You can ask us for a copy of the personal data we hold about you (a 'subject access request').
Right to rectification | If any information we hold is inaccurate or incomplete, you can ask us to correct it.
Right to erasure | In certain circumstances, you can ask us to delete your personal data. Please note that we may need to retain some records to meet our legal or professional obligations (such as medical records retention requirements).
Right to restrict processing | You can ask us to limit how we use your data in certain situations, for example while a dispute is being resolved.
Right to data portability | Where we process your data by automated means and on the basis of consent or contract, you can ask us to provide it in a machine-readable format.
Right to object | You can object to us processing your data where we rely on legitimate interests as our lawful basis. We will stop unless we have compelling grounds to continue.
Rights related to automated decision-making | We do not use automated decision-making or profiling in our practice. No decisions about you are made solely by automated means.

To exercise any of these rights, please contact us at info@herbelleremedies.co.uk. We will respond within one month, as required by law.

How we keep your data safe

We take data security seriously. Your personal data is held securely, and we take reasonable technical and organisational steps to protect it against unauthorised access, loss, or disclosure. Access to your consultation records is limited to Ellie Marks only.

How to make a complaint

We hope you will never have reason to complain, but if you are unhappy with how we have handled your personal data, please contact us first so we have the chance to put things right.

If you remain unsatisfied, you have the right to lodge a complaint with the UK's data protection authority:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113

Changes to this policy

We may update this privacy policy from time to time to reflect changes in the law or how we operate. Any updates will be published on this page with a revised date below. We encourage you to check back periodically.

Last updated: April 2026 | updated to include Herbelle Remedies Apothecary and Shopify data processing.