Natalie Mobbs - Privacy Policy

1. Introduction

At Natalie Mobbs, we value the privacy and security of your personal data. We are committed to protecting your personal information and being transparent about how we collect, use, and store it. Our approach to data protection is guided by the principles outlined in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We understand that your personal data is sensitive and requires careful handling. Therefore, we strive to ensure that:

  • Data Minimisation: We only collect and process personal data that is necessary for the purposes of providing our services.

  • Purpose Limitation: Your personal data will only be used for the specific purposes outlined in this policy and will not be shared with third parties without your consent, unless required by law.

  • Security: We implement appropriate technical and organisational measures to safeguard your personal data against unauthorised access, loss or destruction.

  • Transparency: We are dedicated to keeping you informed about how your personal data is handled and what your rights are under data protection law.

  • Accuracy: We take reasonable steps to keep data accurate and up to date.

  • Retention: Personal data is only retained as long as necessary for its intended purpose.

  • International Transfers: Data will not be transferred outside the UK/EEA unless adequate protections are in place.

We regularly review our data protection practices to ensure compliance and to enhance our commitment to protecting your privacy.

This Privacy Policy relates to the practice of Natalie Mobbs (the “Practitioner”), operating as a sole trader, and the services provided to clients in relation to Emotional Freedom Techniques (“EFT”), including online therapy sessions. It also applies to the website www.nataliemobbs.com (“the Website”).

The Practitioner is the Data Controller for all personal information you provide.

Contact Details

  • Full name: Natalie Mobbs

  • Email: natalie@nataliemobbs.com

  • Postal address: 5 Brayford Square, London, E1 0SG

It is important that your personal information is accurate and up to date. Please inform us if your details change.

2. What Data We Collect and Why

In order to provide Emotional Freedom Techniques (EFT) services, manage bookings, and operate our website, we collect and process different categories of personal data:

a) Identity Data
Full name, date of birth, gender, and (where relevant) parental/guardian details.
Collected to identify you and to provide services safely and appropriately.
Lawful basis: performance of contract; explicit consent (for children’s data).

b) Contact Data
Email address, phone number, postal address, emergency contact details.
Used for appointment confirmations, service communications, and safeguarding.
Lawful basis: performance of contract; legitimate interests.

c) Sensitive / Health Data (Special Category Data)
Information provided on the Client Intake Form, including relevant health history, wellbeing information, and details necessary for EFT sessions.
This information is considered special category data under UK GDPR.
Collected only with your explicit consent, and only where necessary to provide EFT services safely and effectively.
Lawful basis: explicit consent; vital interests (in safeguarding situations).

Please note: Where we are required to collect personal or health data by law, or in order to deliver services, and you choose not to provide this data, we may be unable to provide EFT sessions.

d) Communication Data
Records of communications you send via email, telephone, social media, or the booking system.
Collected for record-keeping, responding to enquiries, and handling complaints or disputes.
Lawful basis: legitimate interests.

e) Customer / Transaction Data
Details relating to payments, invoices, and purchases made through Square or other payment platforms (note: we do not store full card details).
Used to process payments and maintain financial records.
Lawful basis: performance of contract; legal obligation (record-keeping).

f) Technical / Usage Data
Information about how you use our website and services, including IP address, browser type, operating system, time zone settings, pages viewed, navigation paths, and length of visits.
May be collected through cookies, server logs, and similar technologies.
This may include data collected through third-party tools such as Google Analytics, which we may use to improve our website and user experience.
Lawful basis: legitimate interests (to administer our website and services).

g) Marketing Data
Preferences you express about receiving newsletters, updates, or promotional content.
Collected through explicit opt-in at sign-up or via the booking system.
You can unsubscribe at any time by clicking the “unsubscribe” link in our emails.
Lawful basis: consent; legitimate interests (soft opt-in under PECR where you are an existing client).

h) Therapy Session Notes
In addition to information provided on the intake form, the Practitioner may make brief session notes. These are considered special category data as they may contain sensitive information relating to your wellbeing. They are collected for the purpose of supporting ongoing therapeutic work and ensuring continuity of care.
Lawful basis: legitimate interests (to provide safe and effective services).

i) Children’s Data
For clients under the age of 18, parental or guardian consent is required before services can be provided. A parent or guardian must normally be present at sessions, unless otherwise agreed with the Practitioner.
Where a child reaches the age of 13, they must provide their own consent in addition to parental consent. This consent is collected at the time of booking via the Client Intake Form.
Lawful basis: explicit consent (from parent/guardian and child aged 13+).

3. Information Which May Be Collected via the Website

  • Technical data: IP address, browser type, operating system, time zone, etc.

  • Cookies: The Website uses cookies to improve functionality and user experience. For details, see our Cookie Policy.

  • Analytics: We may use Google Analytics to gather anonymised, aggregated information about how visitors use the Website. This helps us improve user experience and content. See Google’s Privacy Policy: https://policies.google.com/privacy.

4. Payments

Payments are handled securely through a third-party processor, Square. No financial information is collected or stored by the Practitioner.
See Square’s Privacy Policy: https://squareup.com/gb/en/legal/general/privacy.

5. Online Sessions (Zoom)

Online sessions are conducted via Zoom. Clients are not permitted to record sessions without the Practitioner’s express permission.
See Zoom’s Privacy Policy: https://explore.zoom.us/en/privacy/.

6. How Your Data is Stored

  • Personal data and intake forms are stored securely using Acuity Scheduling (Squarespace). See Squarespace’s Privacy Policy: https://www.squarespace.com/privacy.

  • Therapy notes are stored in password-protected files by the Practitioner.

  • Data may also be shared with third parties where legally required (e.g. for tax or accounting purposes).

  • Your data is never sold or shared with third parties for marketing purposes.

7. Marketing Communications

Marketing emails will only be sent where you have given consent or where legitimate interests apply (e.g. you have purchased services). You may unsubscribe at any time via the link in emails or by contacting the Practitioner.

8. Disclosures of Your Data

We may share personal data with:

  • Professional advisers (e.g. lawyers, insurers, accountants)

  • Government authorities where required by law

  • IT and system administration providers

We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.

9. International Transfers

Where third-party providers outside the UK or EEA are used, appropriate safeguards are applied (such as adequacy decisions, contractual clauses, or approved frameworks).

10. Data Security and Data Breaches

We have put in place security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. Access to your personal data is restricted to those who need it and are subject to confidentiality obligations.

In the event of a suspected personal data breach, we have procedures in place to assess the situation. If we determine that a breach has occurred and we are legally required to do so, we will notify you and any applicable regulator without undue delay.

A personal data breach is defined as a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

We will notify you of a breach if it is likely to result in a high risk to your rights and freedoms. Our notification will include:

  • A description of the nature of the breach

  • The name and contact details of our Data Protection Officer or relevant contact point

  • A description of the likely consequences of the breach

  • A description of the measures we have taken or propose to take to address the breach, including measures to mitigate its possible adverse effects

We are committed to ensuring the security of your personal data and will take all necessary steps to protect it.

11. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Session notes and personal records: retained for 6 years after the completion of services.

  • Children’s data: retained in line with the above, with parental/child consent records also retained for 6 years.

  • Financial/tax records: retained for 6 years as required by law.

  • Data may be anonymised and used indefinitely for research or statistical purposes.

12. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data (Data Subject Access Request)

  • Request correction of inaccurate data

  • Request deletion of data (subject to legal requirements)

  • Restrict or object to processing

  • Request transfer of data (data portability)

  • Withdraw consent at any time (where processing is based on consent)

Requests can be made by emailing: natalie@nataliemobbs.com.

If you are within the UK, you can see more about these rights at:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

You will not be charged for exercising your rights, unless requests are manifestly unfounded, repetitive, or excessive.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer if your request is particularly complex or you have made multiple requests. In this case, we will notify you.

If you are within the UK and are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO): www.ico.org.uk. We would, however, appreciate the chance to resolve your concerns before you approach the ICO.

If you are within the EU and are not happy with any aspect of how we collect and use your data, you have the right to complain to the data protection authority of the country in which you are based.

13. Third-Party Links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

14. Changes to this Policy

This Privacy Policy may be updated from time to time. The most recent version will always be available on the Website.

Last Updated: 21st September 2025