Data Protection & GDPR Policy

Feeling Herd Ltd. is committed to protecting the privacy and personal data of all clients, including children, young people, adults, families, and staff. We recognise that, due to the therapeutic nature of our services, we may handle sensitive personal information and special category data. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

​

This policy explains how we collect, use, store, and protect personal data.

This policy aims to:

• Ensure all personal data is handled lawfully, transparently, and securely.
   

• Set out the rights of individuals regarding their personal data.
   

• Describe how Feeling Herd Ltd. manages, stores, and shares information.
   

• Protect clients, families, staff, and the organisation from data misuse or breaches.
   

Depending on the service provided, we may collect:

​

Personal Data

​

• Names, addresses, and contact details
   

• Date of birth
   

• Emergency contact information
   

• Session bookings and attendance records
   

• Payment details
   

Special Category Data

​

Due to the therapeutic nature of our work, we may also collect sensitive information, including:

• Health information (physical or mental health)
   

• Medical needs or disabilities
   

• Information relevant to safeguarding or wellbeing
   

• Behavioural or emotional observations
   

• Support or care plans
   

Data Relating to Children and Young People

​

For participants under 18, we collect information from parents/carers and may record observations relevant to child welfare, wellbeing, therapeutic goals, or safeguarding.

Feeling Herd Ltd. will use one or more of the following lawful bases:

• Consent – for photography, marketing, sharing with third parties, and storing certain details.
   

• Legitimate Interests – for managing bookings, communication, and service delivery.
   

• Vital Interests – where information is required to protect someone from immediate harm.
   

• Legal Obligation – for safeguarding, accounting, or regulatory compliance.
   

• Contract – where data is required to provide a service the client has requested.
   

Special category data is processed under:

• Provision of Health or Social Care
   

• Vital Interests
   

• Safeguarding Grounds under Schedule 8 of the Data Protection Act 2018.
   

We may use client data to:

• Deliver therapeutic or coaching sessions
   

• Understand participant needs and risks
   

• Keep appropriate records of sessions
   

• Communicate about appointments or changes
   

• Respond to safeguarding concerns
   

• Manage payments and administration
   

• Communicate with parents/carers where appropriate
   

We do not use personal data for automated decision-making.

Feeling Herd Ltd. will only share personal data when necessary and appropriate.

When We Share Data

​

• With explicit consent from the client or parent/carer
   

• When required to protect a child or adult at risk
   

• When legally required by police, courts, or safeguarding authorities
   

• With healthcare, education, or social care professionals if relevant and appropriate
   

• With emergency services during an emergency
   

Who We Share With

​

• Local authority safeguarding teams
   

• Health professionals (GPs, mental health teams)
   

• Emergency services
   

• Relevant professionals involved in the client’s care
   

We never share data for commercial or marketing purposes.

Data Storage and Security

​

Feeling Herd Ltd. is committed to secure storage of all personal and sensitive information.

Secure Storage Measures

​

• Digital data is stored on password-protected devices or encrypted systems.
   

• Paper records are stored in locked cabinets not accessible to the public.
   

• Access to records is restricted to authorised staff only.
   

Retention of Data

​

Records are kept only as long as necessary:

• Adult session records: 6 years
   

• Children's records: until age 25 (or age 26 if involved in safeguarding concerns)
   

• Safeguarding records: indefinitely, as recommended by statutory guidance
   

• Financial records: 6 years
   

When data is no longer required, it is securely shredded or permanently deleted.

Rights of Individuals

​

Under UK GDPR, individuals have the right to:

• Access their personal data
   

• Request correction of inaccuracies
   

• Request erasure (where legally permitted)
   

• Object to processing in certain circumstances
   

• Request data portability
   

• Withdraw consent at any time (where applicable)
   

Requests will be responded to within one month.

Photography, Video, and Media

​

• No photographs or videos will be taken without written consent.
   

• For children, consent must be provided by a parent or legal guardian.
   

• Images will only be used for agreed purposes.
   

• All media is securely stored and deleted when no longer required.
   

Consent may be withdrawn at any time.

A data breach includes any loss, theft, unauthorised access, or improper sharing of personal information.

What We Do in the Event of a Breach

​

• Assess the severity and nature of the breach
   

• Notify the affected individual(s) when appropriate
   

• Report serious breaches to the ICO within 72 hours
   

• Keep a full record of all breaches, regardless of severity

​

Third-Party Processors

​

We may use external services for:

• Email and communication
   

• Booking and scheduling
   

• Payment processing
   

• Secure digital storage
   

All third-party processors must be GDPR-compliant and provide sufficient security measures.

Children and Young People’s Data

​

We recognise our additional responsibilities when handling children’s data. We ensure:

• Only essential data is collected
   

• Consent is obtained from parents/carers
   

• Information is shared only when necessary for safeguarding or welfare
   

• Children’s data is protected with the highest level of security

Feeling Herd Ltd. is committed to ensuring that all personal data is handled with care, respect, and integrity.