Privacy Policy
Sanjit Bal Hypnotherapy
Last updated: 22 May 2025
Introduction
Welcome to the Privacy Notice for Sanjit Bal Hypnotherapy (“I”, “me”, “my”).
This Privacy Notice applies to my website, https://www.sanjitbal.com (“Website”), and to the services I provide, including hypnotherapy sessions, website interactions, and related marketing communications.
This Privacy Notice forms part of my Terms and Conditions and outlines how I collect, use, and protect your personal data.
It covers:
- Contact Details
- Legal Basis Under Which I May Collect Your Data (How)
- Your Legal Rights
- Legal Basis for Collecting & Using Your Data (Why)
- What Data Is Collected
- What The Data Is Used For
- How Long I Keep Data For
- Who I Share Information With (Third Parties)
- Protecting Your Information
- Cookies and Other Internet Tracking Technology
- Updates to This Policy
- How to Complain
I am committed to processing your personal information fairly, transparently, and in compliance with UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Before collecting any personal data (including through the use of cookies), I will inform you of how and why I intend to use it and will only process your data where legally permitted.
Some information may fall under the ‘special category’ of personal data under the UK GDPR — for example, information about your health. This is discussed below.
You may browse most of this Website without providing any personal data or accepting cookies. In that case, it is unlikely I will process any personal information about you.
When you visit my Website, a cookie banner gives you the option to accept all cookies, reject non-essential cookies, or manage your preferences. This system ensures compliance with the UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
Non-essential cookies — such as those used for analytics and marketing (including Meta Pixel) — will only be set with your explicit consent.
You can change or withdraw your consent at any time by accessing the cookie preferences link in the website footer. For more details about the cookies I use and how your data is handled, please refer to Section 10 of this Notice.
This Privacy Notice also outlines the security measures I take to protect your data and explains what I will or won’t do with your information. It should be read alongside my Terms and Conditions.
Marketing Communications
From time to time, if you enquire about or use my services, I may contact you with updates about similar services or offerings via email or other digital channels.
You will always have the option to opt out of receiving these communications by:
- Clicking the unsubscribe link included in any email, or
- Contacting me directly using the details in Section 1.1 of this Notice.
I’ll also remind you of your right to opt out each time I send such messages.
1. Contact Details
1.1 For any questions, concerns, or requests relating to this Privacy Notice or your personal data, please contact:
Email: hello@sanjitbal.com
1.2 I am the Data Protection Officer (DPO) for Sanjit Bal Hypnotherapy and welcome any communication regarding data protection matters. You can reach me at the same email address: hello@sanjitbal.com
2. Legal Basis Under Which I May Collect Your Data (How)
I will only collect and process your personal information when one or more of the following legal bases apply:
2.1 You have given clear consent for me to process your data for specific purposes.
2.2 Processing is necessary to fulfil a contract I have with you, or to take steps at your request before entering into a contract.
2.3 Processing is required to comply with a legal obligation.
2.4 Processing is necessary to protect someone’s life (vital interests).
2.5 Processing is necessary for the performance of a task carried out in the public interest.
2.6 Processing is necessary for my legitimate interests (or those of a third party), provided these are not overridden by your rights and interests.
How Consent Is Given
2.7 If consent is required for specific uses of your data, I will ask for it clearly at the time of collection — for example, via an opt-in checkbox when you first provide your information through the website or other communication.
If you contact me via the website or email, I may occasionally email you about services or offerings I believe may be of interest. You’ll have the opportunity to opt out of such communications at any time — either via an unsubscribe link or by contacting me directly.
2.8 If you choose not to give consent for certain types of processing, I will do my best to ensure that access to the Website and services is not affected unnecessarily.
Withdrawing Consent
You can withdraw your consent at any time by contacting me at the email provided in Section 1. Once notified, I will stop processing your information for the relevant purposes, and if there is no legal basis to retain it, I will securely delete your data.
3. Your Legal Rights
You have a number of rights under UK data protection law in relation to the personal information I hold about you.
3.1 Your rights include:
3.1.1 Right of access
You have the right to request a copy of the personal data I hold about you and to check that I’m processing it lawfully.
3.1.2 Right to rectification
You can ask me to correct any inaccurate or incomplete information I hold. I may need to verify the accuracy of the new data before making changes.
3.1.3 Right to erasure (the “right to be forgotten”)
You can request that I delete your personal data where there’s no valid reason to keep it. This includes situations where:
- You’ve withdrawn your consent
- You’ve successfully objected to processing
- I’ve processed your data unlawfully
- I’m legally required to erase it
Note that I may not always be able to comply for legal or regulatory reasons, which I’ll explain if applicable.
3.1.4 Right to restrict processing
You can ask me to limit the way I use your data, particularly if:
- You want me to confirm its accuracy
- The use is unlawful but you don’t want it deleted
- You need me to retain it for legal claims
- You’ve objected and I’m considering whether to override your objection
3.1.5 Right to object
You can object to the processing of your data where I’m relying on legitimate interests or conducting direct marketing.
3.1.6 Right to data portability
You can ask me to transfer the data you’ve provided to another organisation, or directly to you, in a commonly used, machine-readable format. This applies only where the processing is automated and based on your consent or a contract.
3.1.7 Right to withdraw consent
Where I rely on your consent to process your data, you can withdraw it at any time. This won’t affect any processing that has already taken place. I’ll let you know if your withdrawal impacts the services I can provide.
3.2 You won’t have to pay a fee to access your data or exercise your rights. However, I may charge a reasonable fee or decline your request if it’s clearly unfounded, repetitive, or excessive.
3.3 To protect your privacy, I may ask for proof of identity before processing your request. I may also contact you for further details to help me respond more efficiently.
3.4 I aim to respond to all valid requests within one month. To exercise any of your rights, please contact me using the details in Section 1.
4. Legal Basis for Collecting & Using Your Data
Under UK data protection law, I must have a lawful basis for collecting and using your personal information. These lawful bases are outlined on the ICO website.
4.1 Service and Goods
My lawful bases for collecting or using personal information to provide services and goods are:
- Consent – You’ve given clear permission after being fully informed. You can withdraw your consent at any time. All your rights apply, except the right to object.
- Contract – I need your data to enter into or fulfil a contract with you. Your rights apply, except the right to object.
- Legal obligation – I must use your data to comply with the law. Your rights apply, except the rights to erasure, objection, and data portability.
4.2 Operation of customer accounts
Lawful bases for collecting or using personal information for the operation of customer accounts and guarantees are:
- Consent – You’ve agreed to this after being given all relevant details. You may withdraw consent at any time. All your rights apply, except the right to object.
- Contract – The data is necessary to create or manage your account in line with our agreement. All rights apply, except the right to object.
4.3 Service Updates/Marketing Purposes
For occasional service updates or marketing (if ever applicable), I rely on:
- Consent – You’ve opted in after receiving clear, relevant information. You can withdraw consent at any time.
Note: I only send marketing communications if you’ve explicitly asked to receive them.
4.4 Legal Requirements
Where I’m legally obliged to process personal data, the lawful basis is:
- Legal obligation – I must retain or process data to meet legal or regulatory duties. Your rights apply, except the rights to erasure, objection, and portability.
4.5 Queries/Complaints
My lawful bases for collecting or using personal information to deal with queries, complaints or claims are:
- Contract – I need the information so I can enter into or carry out a contract with you. All of your data protection rights may apply, except the right to object.
- Legal obligation – I need the information so I can comply with the law. All of your data protection rights may apply, except the rights to erasure, objection and data portability.
- Legitimate interests – I use the information because it benefits you, my practice or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
My legitimate interest:
To support your experience by responding to any queries or complaints in a timely, transparent, and supportive way. This benefits both of us and helps maintain the quality and trustworthiness of my services. Only the minimum necessary data is used, handled securely, and never in ways that override your rights or cause harm.
5. What data is collected
5.1 Types of information collected
I may collect personal information about you from a number of sources, including:
- From you directly, when you agree to take a service or product from me. This may include:
  - Contact details
  - Date of birth
  - Payment details (via Stripe)
  - Bank details
- From your enquiries or responses to my communications, which may indicate how you use my services.
- Automatically via this website, where I may collect technical information about your equipment, browsing actions, and patterns. This can include:
  - Internet protocol (IP) address
  - Browser type and version
  - Time zone setting and location
  - Browser plug-in types and versions
  - Operating system and platform
  - Device type
  - Other technology used to access this website
  I collect this information via cookies and similar technologies. For more details, please see Section 10: Cookies below.
- From publicly available sources, such as the electoral register.
- From third parties, where you have given consent for them to share your data. I will inform you as soon as reasonably practicable when I receive such information.
Note: If you refuse to provide information requested, and that information is necessary for the delivery of services, I may not be able to continue providing those services.
If at any point you believe I have requested data without a valid reason, you’re welcome to challenge or object and ask for clarification.
5.2 Data Collected For Service Delivery
- Names and contact details
- Addresses
- Date of birth
- Purchase or account history
- Payment details via Stripe (including card/bank info for transfers or direct debits)
- Health information (including allergies and medical conditions)
- Health and safety information
- Account information
- Website user behaviour (e.g., user journey, cookie tracking)
- Records of meetings and decisions
- Information relating to compliments or complaints
5.4 Special Category Data
The health information you give me for hypnotherapy (see 5.2) is ‘special category data’ under the UK GDPR. I do not actively collect other special category data, such as racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic/biometric data, sex life, or sexual orientation.
However, you may voluntarily provide such information through:
- Contact forms
- Case history intake
- Email or other communications
Lawful basis for processing special category data:
- Contract – when it is necessary to provide hypnotherapy services (UK GDPR Article 6(1)(b) and Article 9(2)(h))
- Explicit consent – when you voluntarily provide it and agree to its use (UK GDPR Article 9(2)(a))
You may withdraw your consent at any time by contacting me at hello@sanjitbal.com. Withdrawing consent may affect my ability to provide certain services.
To protect your privacy, I recommend avoiding inputting unnecessary sensitive details in free-text fields.
5.5 Information Collected for Customer Accounts and Guarantees
- Names and contact details
- Addresses
- Payment details via Stripe
- Purchase history
- Account and registration information
- Security-related information
- Marketing preferences
- Health information (if relevant to services)
5.6 Information Collected for Marketing and Service Updates
- Names and contact details
- Marketing preferences
- Website and app user journey data (with your consent)
- Records of consent where applicable
5.7 Information Collected to Comply with Legal Requirements
- Name
- Contact information
- Health and safety information
While I do not actively collect data solely for legal compliance, I may process and disclose personal data to meet legal obligations (e.g., court orders or regulatory requests).
5.8 Information Collected for Queries, Complaints, or Claims
- Names and contact details
- Payment details
- Account information
- Purchase or service history
- Client/customer records
- Financial transaction details
- Health and safety-related data
- Correspondence
- Health information (if relevant to the query or complaint)
6. What The Data Is Used For
6.1 Data protection, privacy, and security are important to me. I will only use your personal information for specified purposes and will not retain it longer than necessary to fulfil these purposes.
Below are examples of such purposes, including the relevant UK GDPR lawful basis where applicable (note that the specific justification may vary depending on the circumstances):
a. To help identify you when you contact me.
Lawful basis: Performance of a contract.
b. To identify accounts, services, or products that may be relevant to you.
Lawful basis: Consent (if applicable).
c. To administer and improve services or products I have provided, currently provide, or may provide in the future.
Lawful basis: Legitimate interests or consent, depending on the context.
d. To conduct marketing analysis, customer profiling (including using transactional data), and research such as statistical and product testing.
Lawful basis: Legitimate interests or consent, depending on the context.
e. To prevent and detect fraud or loss.
Lawful basis: Legal obligation or legitimate interest (where necessary).
f. To contact you via electronic means (e.g., email, SMS) about services I offer, where:
i. the services are similar to those you have previously used;
ii. you were given the opportunity to opt out when your data was first collected and in all subsequent communications; and
iii. you have not opted out.
Lawful basis: Legitimate interests.
g. To contact you in any way (e.g., email, telephone, post) about products and services offered by me or selected partners, only where you have expressly consented.
Lawful basis: Consent.
h. I may monitor and record communications with you (such as phone calls or emails) for quality assurance and compliance purposes.
i. You will always be informed before any recording, including the specific purpose. Recording may be necessary to comply with legal obligations or for legitimate interests (e.g., evidence of a transaction), in which case I will balance my interest against yours and only proceed if appropriate.
ii. If the recording is not strictly necessary, I will request your consent before proceeding. If you do not consent, the call will either not be recorded or may be terminated.
iii. In certain legal contexts (e.g., fraud prevention), I may verify your details with external agencies. If you provide false or misleading information and I suspect fraud, I may record this.
6.2 I will not disclose your personal data to third parties except as described in this Notice or where permitted by law. Disclosure may occur in the following situations:
a. Where third parties process data on my behalf (as processors). I will have a written contract in place, as required by UK GDPR, ensuring they handle your data in accordance with this Notice and with appropriate safeguards.
b. Where data is shared with another controller (e.g., a partner organisation), I will inform you in advance unless an exemption applies. If I receive your data from a third party, I will notify you as soon as reasonably practicable, in line with the UK GDPR.
c. Where it is in your best interests to share your information with a third party, I will request your explicit consent before doing so.
6.3 If you provide personal data on behalf of someone else, you confirm that you have informed them of the contents of this Notice and that they do not object to their data being used in this way.
6.4
I may also disclose your data in the following circumstances:
a. If I (or substantially all of my assets) are acquired by a third party, personal data held about my clients will be one of the transferred assets.
b. If I am required to disclose information for legal or regulatory purposes, or in connection with legal proceedings (actual or prospective).
c. I may use trusted third parties (such as IT providers, mailing services, analytics platforms, customer support services) to perform certain functions on my behalf. In these cases, your data will only be used for the purposes described above and under strict contractual obligations. Where such third parties are located outside the UK or European Economic Area (EEA), I will ensure appropriate safeguards are in place to protect your data in accordance with UK GDPR requirements.
7. How Long I Keep Data For
7.1 Client Data
As a member of the Complementary and Natural Healthcare Council (CNHC), I am required to retain client records for a minimum of 8 years from the date of your last session. This is in line with professional standards and legal obligations.
Your information is securely stored within the Jane client management system, which is a GDPR-compliant platform designed for safe, encrypted data storage. This ensures that your personal data is protected throughout the time I hold it.
Once the required retention period has passed, your data will be safely and permanently deleted or destroyed, in accordance with GDPR and CNHC guidelines.
7.2 Website Enquiry Form
I retain personal data collected via my website enquiry forms only for as long as necessary to respond to your enquiry and provide my services. If you do not become a client or otherwise engage with me, I will delete your personal information within 30 days of your initial enquiry, unless I am required by law to retain it for a longer period.
You have the right to request deletion of your data at any time by contacting me.
8. Who I Share Information With (Third Parties)
Your privacy is important to me. I only share your personal data with trusted third parties when it is necessary to deliver my services, meet legal obligations, or where you have given explicit consent.
Data Processors
These third-party service providers process personal data on my behalf. Each has been carefully selected and is contractually required to keep your data safe and only use it for specified purposes in accordance with the UK GDPR.
Jane App
I use Jane, a secure client management system, to store client data and manage administrative tasks, such as bookings, communication, and session notes. Jane helps ensure that records are kept securely in compliance with legal and professional standards, including data retention requirements.
Stripe
I use Stripe, a secure third-party payment processor, to handle payments for my services.
Jane and Stripe
When you choose to pay through Jane, your payment is processed via Stripe, a PCI-DSS-compliant third-party payment provider.
You have the option to securely store your card details on file within Jane for future sessions. These card details are not stored directly by me or on my local systems. Instead, they are encrypted and securely stored by Stripe via Jane’s platform. Both Jane and Stripe comply with stringent privacy and security standards to ensure your payment information is protected.
If you choose to store your payment details, they are retained by Stripe on my behalf solely for the purpose of processing future payments. You can remove your stored card details at any time via your Jane account or by requesting that I do so on your behalf.
For more information, please refer to Stripe's Privacy Policy.
Other Third Parties
I may share personal data with other organisations only in the following situations:
- Where I am legally required to do so (e.g. for safeguarding, court orders, or HMRC).
- Where sharing is necessary to protect your vital interests or the safety of others.
- Where it is in the public interest or I am under a professional duty of care.
- If I am required to disclose information for legal or regulatory purposes.
I will never sell your personal data or share it for marketing purposes without your explicit consent.
9. Protecting Your Information
9.1 I take the security of your personal information seriously and have implemented robust measures to protect it from loss, misuse, or unauthorised access.
9.2 All data transmitted between your browser and my website or the Jane client management system is encrypted in transit using TLS (the technology behind HTTPS and the successor to SSL), so it is protected from interception while it travels over the internet. Encryption in transit does not by itself protect data once it is stored; the safeguards for stored data are described in 9.3.
9.3 I maintain appropriate physical, electronic, and procedural safeguards to protect the confidentiality and integrity of your personal data. This includes secure systems for storing session notes and client records. For your protection, I may occasionally request proof of identity before disclosing sensitive information.
9.4 If you access your client account through Jane, it is important that you protect your login credentials. Always log out after each session, especially when using a shared or public device, and do not share your password with others.
9.5 Please note that while I take all reasonable precautions, communications over the internet (such as email or website messages) may not always be secure unless encrypted. Messages can travel through multiple networks and countries, which is an inherent risk of online communication. I cannot accept responsibility for any unauthorised access or data loss that occurs beyond my control.
9.6 Guidance for Clients:
- To help protect your personal data, avoid sharing sensitive information (such as medical history or payment details) over unencrypted email or messaging apps.
- Where possible, use the secure messaging function provided within the Jane platform to contact me regarding appointments or personal matters.
- If you need to share sensitive documents or information, please contact me to arrange a secure method of transfer.
- Always ensure your device is protected with a strong password or biometric login, and that your software is kept up to date with the latest security patches.
10. Cookies and Other Internet Tracking Technology
10.1 What are Cookies?
When I provide services, I aim to make them easy, useful, and reliable. This sometimes involves placing small text files known as cookies on your computer or device. These are sent back to my site during future visits. Cookies help enhance your experience. A list of the cookies used on this website can be found in section 10.5.
Some websites also use related technologies such as JavaScript, web beacons (also known as action tags or single-pixel gifs), and similar tools to collect user data, measure the effectiveness of content, and personalise advertising.
10.2 Scope
Where applicable, references to "cookies" in this section also apply to those similar technologies.
10.3 Why Cookies Are Used
Some cookies are essential to provide services you’ve requested. Others are used to enhance functionality and improve your browsing experience. For example, cookies may be used for:
- Navigating between pages efficiently
- Allowing a service to recognise your device so you don’t need to re-enter information
- Remembering your login details to avoid re-authentication on every page
- Measuring how users interact with the site to improve performance and speed
10.4 Learn More
You can learn more about cookies and how to manage them at:
10.5 Cookies Used on This Website
Cookie Name | Purpose | Consent Needed | Category | First Party/Third Party Cookie | Session/Persistent |
---|---|---|---|---|---|
bSession | Set by Wix for load balancing to improve site performance | No | Category 1 - essential | First Party | Persistent, expiry: 1 hour |
svSession | Recognises returning users and tracks preferences | No | Category 1 - essential | First Party | Persistent, expiry: 1 year 1 month 4 days |
hs | Secures browsing session and protects data | No | Category 1 - essential | First Party | Session |
XSRF-TOKEN | Protects against cross-site request forgery (CSRF) attacks | No | Category 1 - essential | First Party | Session |
SSR-caching | Improves loading times by caching server-rendered pages | No | Category 1 - essential | First Party | Persistent, expiry: less than a minute |
10.6 Cookie Classifications
Category | Type | Description |
---|---|---|
Category 1 | Strictly necessary | Enable essential features like secure login, site navigation, and transaction processing. |
Category 2 | Performance | Collect anonymous data on how users interact with the site (e.g., pages visited, error messages). |
Category 3 | Functionality | Remembers your preferences (e.g., language, region) to enhance functionality and personalisation. |
Category 4 | Targeting and advertising | Deliver relevant ads, limit ad repetition, and measure ad effectiveness. May be shared with third parties. |
5.3 Data Collected via Facebook Lead Forms
If you submit your details through a Facebook form (e.g. to request a free hypnosis session), the data you provide — such as your name, email address, and any other responses — will be:
- Collected securely
- Used solely to respond to your request
- Not shared with third parties
- Stored in accordance with GDPR
By submitting the form, you are giving your consent to be contacted as outlined in this privacy policy.
10.7 Data Security
I use TLS (HTTPS), the successor to Secure Sockets Layer (SSL), to encrypt data in transit between your browser and my website and protect your information while you interact with it.
10.8 Use of Google Analytics (GA4)
This website uses Google Analytics 4 (GA4) to help me understand how visitors interact with the site. GA4 collects pseudonymous usage data such as:
- Pages visited
- Time spent on the site
- Browser/device type
- General location (derived from your IP address, which GA4 does not log or store)
GA4 does not log or store full IP addresses. Google processes the data under Google’s Privacy Policy; responsibility for using it in line with the UK GDPR and PECR remains mine as the controller. The GA4 cookies (_ga and a _ga_ cookie specific to this site’s measurement ID) are not listed in the essential-cookie table in section 10.5 because they are only set after you consent.
Consent Requirement:
You will be asked to consent to the use of cookies, including GA4, upon your first visit. You may withdraw your consent at any time via the cookie settings or by installing the Google Analytics Opt-Out Browser Add-on.
10.9 Use of Meta Pixel (Facebook and Instagram)
I use Meta’s advertising tools to measure the effectiveness of my Facebook and Instagram advertising campaigns. The Meta Pixel (formerly Facebook Pixel) is a snippet of code that, when installed on a website, reports visitor interactions back to Meta so that ad campaigns can be measured and optimised and more relevant content delivered to my audience.
Please note: The Meta Pixel is not currently active on my website. If I choose to install it on my website in the future, it will only be activated with your explicit consent via the cookie banner. If that happens, you will be able to manage or withdraw your consent at any time through the cookie settings on my website.
The Meta Pixel may collect data such as device type, browsing activity, and interactions with ads on Facebook or Instagram. This data is processed by Meta Platforms Inc. in accordance with their Privacy Policy.
You can also manage your ad preferences directly via Facebook Ad Preferences.
11. Further Information
11.1 If you would like more information about this Privacy Notice, have any questions or concerns, or wish to exercise any of your legal rights, please feel free to contact me directly.
Email: hello@sanjitbal.com
As the Data Protection Officer for my practice, I will handle your enquiry with care and in accordance with data protection laws.
12. Updates to Policy
12.1 I may occasionally update this Privacy Notice — for example, if I change the types of cookies I use or how I collect and process personal data. When I do, I’ll publish the updated version on my website.
12.2 I will aim to let you know if any significant changes are made, but it's also a good idea to check back from time to time to stay up to date.
12.3 You can also request a copy of the current Privacy Notice at any time by contacting me at:
hello@sanjitbal.com
This Notice applies to personal information I hold about individuals and does not apply to information relating to organisations or companies.
13. How to complain
If you have any concerns about how your personal data is being handled, please reach out to me in the first instance — I take your privacy seriously and will do my best to resolve any concerns promptly and respectfully.
If you're still not satisfied after we've discussed the matter, you can also raise a complaint with the Information Commissioner's Office (ICO), the UK’s data protection authority.
ICO Contact Details:
📍 Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
📞 Helpline: 0303 123 1113
🔗 www.ico.org.uk