Privacy policy.

This policy explains how Holuha Flow Therapies (run by Sarah McNaughton) collects, uses and protects your personal information when you use holuhaflow.com.

In short: you only share information with us when you choose to (filling in the contact form, signing up for the newsletter, or emailing the practice). We use that information to reply to you and, if you've subscribed, to send you occasional notes from the practice. We don't sell your data, we don't share it with advertisers, and you can ask for it to be deleted at any time.

Sarah McNaughton, trading as Holuha Flow Therapies, is the data controller for any personal information you share with us. If you have a question about this policy or how we handle your data, please email Sarah.

The categories of information we collect, and why:

Contact form enquiries

When you fill in the contact form on the site, we collect your name, your email address, optionally your phone number, optionally a topic, and the content of your message. We use this only to read your enquiry and reply to it.

Lawful basis: legitimate interests (responding to people who contact us) and, where you provide health-related context in your message, explicit consent (you choose what to share).

Newsletter subscriptions

When you sign up for the newsletter, we store your email address (and your name if you provide it) so we can send you occasional notes from the practice. You can unsubscribe at any time by emailing us.

Lawful basis: consent — you tick the form and submit.

Site analytics

The site does not currently use analytics tools. If we add them in future (for example to understand which pages are useful), they will be limited to privacy-friendly tools that don't track you across other sites, and we will ask for your consent through the cookie banner before any analytics cookies are set.

The site uses a small number of cookies:

Strictly necessary

• hf_consent— remembers your choice on the cookie banner so we don't ask you every time you visit. Expires after one year. Always on.

Optional (off by default)

• Analytics — not currently active. Listed in the consent banner so you can express a clear preference for when (if) we turn them on.
• Marketing — not currently used on this site. Listed in the consent banner for the same reason.

You can change your cookie choices at any time: Manage cookie preferences.

We don't sell or give your data to third parties for their own purposes. We do use a small number of trusted technology providers to actually run the site and deliver email. Each is a data processor acting on our instructions, and each is subject to their own GDPR-compliant data processing agreements.

• Railway — hosts the website infrastructure. Servers in the EU.
• Cloudflare — manages DNS and security for holuhaflow.com.
• Sanity — stores journal posts and the newsletter subscriber list. Data hosted in the EU.
• SendGrid (Twilio) — sends notification emails to Sarah when you submit the contact form or subscribe to the newsletter.
• Google Fonts— the typefaces used on the site are loaded from Google's CDN, which may log the IP address of the request. No personally identifying information is shared.

Contact form messages:kept in Sarah's email inbox for as long as is needed to reply to and follow up on your enquiry, then deleted or archived. Email logs at SendGrid are retained for up to 30 days.

Newsletter subscribers:kept while you remain subscribed. If you unsubscribe, your record is marked “unsubscribed” and we won't email you again. The record is deleted on request.

Cookies: see the table above.

You have the right to:

• Access — ask for a copy of the personal data we hold about you.
• Rectification— ask us to correct anything that's wrong.
• Erasure— ask us to delete your data (“the right to be forgotten”).
• Withdrawal of consent — withdraw consent at any time where consent is our lawful basis.
• Portability — ask for a copy of your data in a portable format.
• Objection — object to processing based on legitimate interests.
• Complaint— lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email Sarah and we'll respond within one month.

The site is served over HTTPS and the data processors listed above all hold appropriate technical and organisational safeguards. Sarah's professional duty of confidentiality (as an HCPC-registered occupational therapist) applies to any clinically sensitive information you choose to share with her.

The site is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has shared personal information with us, please contact us and we will delete it.

We may update this policy from time to time. The “last updated” date at the top of the page reflects the most recent change. Material changes affecting how we use your data will be flagged on the site itself.

For any privacy question or to exercise any of your rights, email Sarah.