Who we are
Herbelle Remedies is the herbal medicine practice and apothecary of Ellie Marks, a registered member of the National Institute of Medical Herbalists (NIMH). Ellie is the data controller for this website and for all personal data collected in connection with the practice and online shop.
- Practitioner: Ellie Marks
- Practice name: Herbelle Remedies
- Location: Caerphilly, South Wales
- Email: info@herbelleremedies.co.uk
- Website: www.herbelleremedies.co.uk
This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have any questions about how we handle your data, please don't hesitate to get in touch.
What personal data we collect
We only collect information that is necessary for the purpose it is collected for. Here is a breakdown of what we collect and how:
Online shop orders (via Shopify)
When you place an order in our apothecary, we collect your name, email address, delivery address, billing address, phone number, and payment details. Payment information is processed securely by Shopify and its payment providers; we do not store your card details directly. We also collect your order history and any communications you send us about your order.
Consultation enquiries (by email)
When you contact us by email, we receive your name, email address, and any details you choose to share about your health or the reason for your enquiry. This may include health information, which is classed as special category data under UK GDPR.
Appointment bookings
When you book a consultation through our website, your information is processed by our in-house booking system. Your name, email, phone number, and appointment details are stored securely and used solely to manage your appointment. Payments are processed by Stripe. Reminder emails are sent via Resend.
Workshop and event bookings
When you book a workshop or event through this website, we collect your name, email address, and phone number.
For under-18s events (such as the Junior Herbalist Club), we additionally collect: the child's name and date of birth, any relevant health information or allergies, emergency contact details, the child's doctor's name and contact details, collection arrangements, parental consent (including a parental signature), and photo and publicity consent choices.
Health information relating to a child is special category data under UK GDPR. It is collected on the basis of explicit parental consent (Article 9(2)(a) UK GDPR).
Payment is processed by Stripe (stripe.com). We do not store your card details. Stripe acts as a separate data controller for payment processing. Please refer to Stripe's privacy policy for details of how they handle your payment data.
Booking records, including any consent data for under-18s events, are stored securely in Sanity (sanity.io), our content management system, which acts as a data processor on our behalf.
Booking confirmation and session reminder emails are sent via Resend (resend.com), which acts as a data processor on our behalf.
Consultation records
As part of providing a herbal medicine consultation, we collect detailed health information, including your medical history, current medications, symptoms, and lifestyle factors. This is special category data, and it is essential for providing safe and effective herbal medicine care.
Website analytics (via Google Analytics)
We use Google Analytics (GA4) to understand how visitors use this website. The data collected is anonymised and aggregated; it tells us things like which pages are most visited and how people find the site. It does not identify you personally.
Newsletter sign-ups
If you subscribe to our newsletter, we collect your email address for the sole purpose of sending you updates. You can unsubscribe at any time using the link in any email we send.
Why we collect your data (lawful basis)
Under UK GDPR, we must have a lawful basis for processing your personal data. Here is the basis we rely on for each type of processing:
- Processing shop orders | Processing your order details is necessary for the performance of a contract (Article 6(1)(b)), i.e., fulfilling and delivering your purchase.
- Providing herbal medicine consultations | We process your health information on the basis of explicit consent (Article 9(2)(a) UK GDPR), given that health data is special category data. We will always ask for your consent before collecting detailed health information. You may withdraw that consent at any time.
- Responding to enquiries | We process contact details submitted by email on the basis of legitimate interests (Article 6(1)(f)), as it is reasonable for you to expect a response when you contact us.
- Appointment bookings | Processing your booking details is necessary for the performance of a contract (Article 6(1)(b)), i.e., arranging your consultation.
- Website analytics | We process anonymised usage data on the basis of legitimate interests (Article 6(1)(f)), to understand how the website performs and improve it. You can opt out at any time; see our Cookie Policy for details.
- Marketing communications | If you sign up to receive updates from us, we process your contact details on the basis of your consent (Article 6(1)(a)). You can withdraw consent at any time by emailing us or using the unsubscribe link in any communication.
Special category data: your health information
Health information is given extra protection under UK GDPR because of its sensitive nature. We collect and process health data only:
- With your explicit consent, given at the start of the consultation process;
- For the sole purpose of providing herbal medicine consultation services to you;
- In a way that is consistent with professional obligations as a NIMH-registered medical herbalist.
Your health information is held securely and is never shared with third parties except where you have consented or where we are legally required to do so.
How long we keep your data (retention periods)
- Shop order data | Retained for 7 years from the date of purchase, in line with HMRC requirements for financial records.
- Workshop booking data (adults) | Retained for 3 years from the date of the event.
- Workshop booking data (under-18s) | Booking records, consent forms, and health information for under-18s events are retained for 3 years from the date of the last session in the programme.
- Consultation records | Kept in line with NIMH guidance, which is typically 8 years from the date of last contact, or until the child turns 25, whichever is later.
- Email enquiries | Correspondence is kept for up to 2 years, after which it is securely deleted.
- Analytics data | Google Analytics data is retained for 14 months by default, in line with GA4's standard retention settings.
- Newsletter subscriptions | Retained until you unsubscribe.
After the retention period, personal data in workshop booking records is anonymised. This means names, contact details, health information, and consent records are removed. Anonymised statistical records (such as the number of spaces booked and amount paid) may be retained indefinitely for administrative purposes.
The anonymisation process runs automatically. You do not need to request it, though you may still exercise your right to erasure at any time by contacting us.
PECR and electronic communications
The Privacy and Electronic Communications Regulations (PECR) sit alongside UK GDPR and govern electronic marketing and the use of cookies.
- Transactional emails | Booking confirmations, session reminders, and order confirmations are sent on the basis of contractual necessity. These are service communications, not marketing, and do not require separate marketing consent.
- Marketing emails | Newsletter and workshop announcement emails are only sent to people who have explicitly opted in. You can unsubscribe at any time using the link in any email we send.
- Klaviyo | We use Klaviyo to manage and send marketing emails. Klaviyo acts as a data processor on our behalf. See Klaviyo's privacy policy for details.
- Cookies | This website uses Google Analytics (GA4) to collect anonymised usage data. See our Cookie Policy for full details.
Who we share your data with
We do not sell your personal data. We only share it with trusted third parties who help us run this website and deliver our services, and only to the extent necessary:
- Shopify Inc. | Our online shop is powered by Shopify, which processes your order data (name, address, payment, transaction history) on our behalf as a data processor, and in some cases as an independent data controller. Shopify may transfer data outside the UK; they use standard contractual clauses as a safeguard. See Shopify's Privacy Policy and the Shopify Privacy Portal.
- Royal Mail / delivery partners | Your name and delivery address are shared with our delivery provider solely for the purpose of fulfilling your order.
- Google LLC (Google Analytics) | Anonymised website usage data is processed by Google. Data may be transferred to the United States under standard contractual clauses. See Google's Privacy Policy.
- Stripe (payment processing) and Resend (email delivery) | Stripe processes payments for consultation and workshop bookings. See Stripe's Privacy Policy. Resend delivers transactional emails (booking confirmations and reminders). See Resend's Privacy Policy.
- EmbedSocial | Our website may display an Instagram feed powered by EmbedSocial. See EmbedSocial's Privacy Policy.
- Stripe Inc. | Payments for workshop bookings are processed by Stripe, who act as a separate data controller for payment processing. See Stripe's Privacy Policy.
- Sanity Inc. | Workshop booking records (including under-18s consent data) are stored in Sanity, our content management system, which acts as a data processor on our behalf. See Sanity's Privacy Policy.
- Resend Inc. | Transactional emails (booking confirmations and session reminders) are delivered via Resend, which acts as a data processor on our behalf. See Resend's Privacy Policy.
- Klaviyo Inc. | Marketing emails (newsletter and workshop announcements) are sent via Klaviyo, which acts as a data processor on our behalf. See Klaviyo's Privacy Policy.
We will never share your health information with any third party without your explicit consent, except where required by law.
Your rights under UK GDPR
You have a number of important rights regarding your personal data. We want to make it easy for you to exercise them. Here is a summary:
- Right of access | You can ask us for a copy of the personal data we hold about you (a 'subject access request').
- Right to rectification | If any information we hold is inaccurate or incomplete, you can ask us to correct it.
- Right to erasure | In certain circumstances, you can ask us to delete your personal data. Please note that we may need to retain some records to meet our legal or professional obligations (such as medical records retention requirements).
- Right to restrict processing | You can ask us to limit how we use your data in certain situations, for example while a dispute is being resolved.
- Right to data portability | Where we process your data by automated means and on the basis of consent or contract, you can ask us to provide it in a machine-readable format.
- Right to object | You can object to us processing your data where we rely on legitimate interests as our lawful basis. We will stop unless we have compelling grounds to continue.
- Rights related to automated decision-making | We do not use automated decision-making or profiling in our practice. No decisions about you are made solely by automated means.
To exercise any of these rights, please contact us at info@herbelleremedies.co.uk. We will respond within one month, as required by law.
How we keep your data safe
We take data security seriously. Your personal data is held securely, and we take reasonable technical and organisational steps to protect it against unauthorised access, loss, or disclosure. Access to your consultation records is limited to Ellie Marks only.
How to make a complaint
We hope you will never have reason to complain, but if you are unhappy with how we have handled your personal data, please contact us first so we have the chance to put things right.
If you remain unsatisfied, you have the right to lodge a complaint with the UK's data protection authority:
- Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Changes to this policy
We may update this privacy policy from time to time to reflect changes in the law or how we operate. Any updates will be published on this page with a revised date below. We encourage you to check back periodically.
Last updated: May 2026 (updated to include workshop and event bookings, under-18s consent data, data retention periods, PECR section, and new data processors: Stripe, Sanity, Resend, Klaviyo).
