Privacy Notice
This Privacy Notice explains how I collect, use, and store your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all clients, prospective clients, and visitors to my website or clinic.
-
Jasmin Askari Yagane is a provider of nutritional therapist services registered with the ANP/GNC.
I am the data controller for the personal information I collect and process in the course of providing professional services.
-
To provide safe and effective care, I may collect the following types of information:
Personal details (name, address, contact details, date of birth, GP contact)
Health and medical history, symptoms, and relevant test results
Information about diet, lifestyle, medication, supplements, and goals
Consultation notes and correspondence
Payment details
-
I process your personal data under the following lawful bases:
Contract: to provide you with agreed naturopathic services.
Legitimate interests: to maintain records and manage my business safely and professionally.
Consent: for processing sensitive (special category) health information. You may withdraw your consent at any time.
Legal obligation: to comply with legal or insurance record-keeping requirements.
Special categories of data include race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health and sexual orientation.
I may hold special category data for the following purposes:
Provision of direct healthcare
I process your data under the following articles of the General Data Protection Regulation:
Article 6(1)(b) – Contract: to provide professional services requested by you
Article 9(2)(h) – Provision of healthcare: processing necessary for health and treatment purposes
-
Your information is used to:
Provide safe and effective care
Assess suitability of personalised health advice
Communicate with you about your care
Keep accurate clinical records
Process payments and manage bookings
Meet professional, insurance, and legal obligations
I undertake at all times to protect your personal data, including any health and contact details, in a manner which is consistent with my duty of professional confidence and the requirements of the General Data Protection Regulation (GDPR) concerning data protection. I will also take reasonable security measures to protect the storage of your personal data.
I may use your personal data where there is an overriding public interest in using the information, e.g. in order to safeguard an individual or to prevent a serious crime.
Your data will never be sold or used for marketing without your explicit consent. Your data may be shared with other parties for the following reasons if you have consented to this in the GDPR consent form:
To obtain functional tests (such as blood or urine).
For booking and administrative purposes.
To courier and logistics providers who ship products to you.
To companies supplying supplements or other products directly to you on my recommendation
-
All personal information is stored securely in:
Password-protected devices
Encrypted clinical software
Secure cloud storage
-
Online consultations are conducted using reputable platforms with appropriate security measures in place. Although all reasonable steps are taken to protect your information, no internet-based communication system can be guaranteed to be completely secure. If you choose to communicate via email, please be aware that standard email is not fully encrypted.
-
In line with professional standards and insurance requirements, clinical records are retained for:
7 years from the date of last consultation
For children: until age 25 (or 26 if aged 17 at end of treatment)
After this period, records are securely deleted or destroyed. In certain cases, such as where records may be relevant to an insurance claim or legal proceeding, they may be retained for longer.
-
Where the client is under the age of 18, consent from a parent or legal guardian is required before treatment can begin. The child remains the data subject under data protection law. Both parents may have the right to access the child’s records unless there is a legal restriction or court order in place that limits this access.
-
I will not share your information with third parties unless:
You have given explicit consent (for example, to share with your GP or another healthcare provider);
Disclosure is required by law (for example, in cases of serious risk of harm);
It is necessary for accounting or administrative purposes (e.g., my professional indemnity insurer or accountant, who are GDPR-compliant).
-
Under UK GDPR, you have the right to:
Access the personal data I hold about you.
Request to move, copy or transfer your data to a third party.
Request correction of inaccurate information
Request deletion of your data (where legally permissible)
Restrict or object to certain forms of processing
Withdraw consent at any time
Lodge a complaint with the Information Commissioner’s Office (ICO): www.ico.org.uk.
Please note that clinical records cannot be deleted where retention is required by law, insurance, or professional standards.
-
Personal data will not be transferred outside the UK without appropriate safeguards in place.
If data needs to be stored or processed outside the UK (for example, through certain cloud service providers), this will only occur where:
The country has been deemed to provide an adequate level of data protection, or
Appropriate safeguards (such as standard contractual clauses) are in place.
Personal data will not be transferred internationally without ensuring compliance with UK data protection law.
-
Clients have the right to request access to the personal data held about them.
If a client makes a valid Subject Access Request:
A copy of the requested information will be provided free of charge.
The information will be supplied within one month of receiving the request.
Where the request is complex or multiple requests are received, this period may be extended by up to two further months. The client will be informed within the initial one-month period if an extension is required.
If a request is manifestly unfounded or excessive, a reasonable administrative fee may be charged, or the request may be refused where legally permitted.
If the request relates to a large volume of information, the practitioner may ask the client to clarify the specific data they require.
Once a Subject Access Request has been received, the relevant records must not be altered, amended, or deleted. Knowingly changing data following a request may constitute a criminal offence.
-
If you visit my website, cookies may be used to improve your browsing experience.
What are cookies?
Cookies are small text files placed on your device when you visit a website. They help the website function properly and may collect limited information about how visitors use the site.
Types of cookies that may be used:
Strictly necessary cookies – Required for the website to function (e.g. security, booking systems, saving preferences). These do not require consent.
Analytics cookies – Used to understand how visitors use the website (e.g. Google Analytics). These require your consent.
Third-party cookies – Some external services (such as online booking systems or embedded videos) may place their own cookies.
You can manage your cookie preferences via the cookie banner on this website or through your browser settings.
More information about cookies can be found at: www.allaboutcookies.org.
-
I may occasionally update this Privacy Notice to reflect legal or procedural changes. The latest version will always be available on request.
-
Any breach of this policy or of data protection laws will be reported as soon as practically possible. This means as soon as I become aware of a breach.
I have a legal obligation to report any data breaches to the UK supervisory authority, which is the Information Commissioner’s Office, within 72 hours.
If you have any questions about how your information is handled, please get in touch:
Jasmin Askari Yagane