Overview

Change Ahead and Change Ahead Associates (CAA) is committed to protecting your privacy online. This privacy notice provides you with details of how we collect and process your personal data through your use of our site bydeesign.com (the “Site”). By providing us with your data, you warrant to us that you are over 18 years of age.

Change Ahead is the data controller and we are responsible for your personal data (referred to as “we”, “us” or “our” in this privacy notice). The term “user,” “you” and “your” refers to site visitors, customers and any other users of the site. The term “personal information” is defined as information that you voluntarily provide to us which personally identifies you and/or your contact information, such as your name, phone number and email address.

Change Ahead provides a website where users can read articles on health, health analysis, the process of health and resolutions for health, both mental and physical, and a service where users may purchase digital products related to health, emotions and therapy, analysis, practitioner skills and in-person events and workshops (the “Service”).

Use of changeahead.biz, including all materials presented herein and all online services provided by CAA, is subject to the following Privacy Policy. This Privacy Policy applies to all site visitors, customers, and all other users of the site. By using the Site or Service, you agree to this Privacy Policy, without modification, and acknowledge reading it.

At Change Ahead, we are committed to safeguarding the privacy and personal data of our clients. This policy outlines how we comply with the General Data Protection Regulation (GDPR) to protect your information when you engage with our therapy and healthcare services.

Scope

This policy applies to:

  • All clients, patients, and service users whose personal and health data we process.
  • All employees, contractors, and partners involved in data handling.

Definitions

  1. Personal Data: Any information that can identify you as an individual (e.g., name, address, contact details).
  2. Special Category Data: Sensitive personal data such as health records, therapy notes, and medical history.
  3. Data Controller: Change Ahead, which determines the purpose and means of data processing.
  4. Data Processor: Any third party that processes personal data on our behalf.
  5. Processing: Any operation on personal data, such as collection, storage, analysis, or destruction.

Principles of Data Protection

We adhere to the following principles to ensure the safe handling of your personal and health data:

  1. Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and in a transparent manner.
  2. Purpose Limitation: Data is collected for specific therapeutic or healthcare purposes and not used beyond these purposes without explicit consent.
  3. Data Minimization: Only data strictly necessary for the provision of services is collected.
  4. Accuracy: Data is kept accurate and updated as required.
  5. Storage Limitation: Data is retained only for as long as necessary or required by law.
  6. Integrity and Confidentiality: Data is processed securely to prevent unauthorized access, breaches, or misuse.

Information We Collect

This section sets out the data we collect about you, the purposes for which we process it and the lawful ground on which we do so. Personal data means any information capable of identifying an individual. It does not include anonymised data.

We may process the following categories of personal data about you:

Communication Data that includes any communication that you send to us whether that be through the contact form on our website, through email, text, social media messaging, social media posting or any other communication that you send us. We process this data for the purposes of communicating with you, for record keeping and for the establishment, pursuance or defence of legal claims. Our lawful ground for this processing is our legitimate interests which in this case are to reply to communications sent to us, to keep records and to establish, pursue or defend legal claims.

Customer Data that includes data relating to any purchases of goods and/or services such as your name, title, billing address, delivery address, email address, phone number, contact details, purchase details and your card details. This information is shared with our e-commerce software providers to ensure the delivery of your order. We use your email to communicate with you about your order and to manage our customer relationship with you. When you place an order you may be added to our mailing list, from which you can unsubscribe at any time using the unsubscribe link in each email or by contacting us at penny@changeahead.biz. We collect payment information for each order but we do not store payment information on CAA servers. Your payment information is securely communicated to and processed via our e-commerce software providers. All personal information collected for an order is used for the fulfilment of that order and to manage our customer relationship with you. We process this data to supply the goods and/or services you have purchased and to keep records of such transactions. Our lawful ground for this processing is the performance of a contract between you and us and/or taking steps at your request to enter into such a contract.

User Data that includes data about how you use our website and any online services together with any data that you post for publication on our website or through other online services. We process this data to operate our website and ensure relevant content is provided to you, to ensure the security of our website, to maintain back-ups of our website and/or databases and to enable publication and administration of our website, other online services and business. Our lawful ground for this processing is our legitimate interests which in this case are to enable us to properly administer our website and our business.

Technical Data that includes data about your use of our website and online services such as your IP address, your login data, details about your browser, length of visit to pages on our website, page views and navigation paths, details about the number of times you use our website, time zone settings and other technology on the devices you use to access our website. The source of this data is from our analytics tracking system. We process this data to analyse your use of our website and other online services, to administer and protect our business and website, to deliver relevant website content and advertisements to you and to understand the effectiveness of our advertising. Our lawful ground for this processing is our legitimate interests which in this case are to enable us to properly administer our website and our business and to grow our business and to decide our marketing strategy.

Marketing Data that includes data about your preferences in receiving marketing from us and our third parties and your communication preferences. We process this data to enable you to partake in our promotions such as competitions, prize draws and free give-aways, to deliver relevant website content and advertisements to you and measure or understand the effectiveness of this advertising. Our lawful ground for this processing is our legitimate interests which in this case are to study how customers use our products/services, to develop them, to grow our business and to decide our marketing strategy.

We may use Customer Data, User Data, Technical Data and Marketing Data to deliver relevant website content and advertisements to you (including Facebook adverts or other display advertisements) and to measure or understand the effectiveness of the advertising we serve you. Our lawful ground for this processing is legitimate interests which is to grow our business. We may also use such data to send other marketing communications to you. Our lawful ground for this processing is either consent or legitimate interests (namely to grow our business).

Sensitive Data

We do not collect any Sensitive Data about you. Sensitive data refers to data that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not collect any information about criminal convictions and offences.

Personal Information: Name, address, date of birth, contact information, emergency contact details.

Health and Therapy Data: Medical history, therapy notes, diagnoses, treatment plans, medication details.

Administrative Data: Payment information, insurance details, appointment records.

Rights of Data Subjects

Under the Act, data subjects have the following rights:

  • The right to access a copy of their personal data held by the Company by means of a Subject Access Request (for which, see Part 8 of this Policy);
  • The right to object to any processing of his or her personal data that is likely to cause (or that is causing) damage or distress. Data subjects should make any such objection in writing to Penny Croal, Founder of Change Ahead, and the Company shall respond within 21 days either notifying the data subject of its compliance, or explaining why the Company feels that any aspect of the data subject’s request is unjustified;
  • The right to prevent processing for direct marketing purposes;
  • The right to object to decisions being taken by automated means (where such decisions will have a significant effect on the data subject) and to be informed when any such decision is taken (in which case the data subject has the right to require the data controller, by written notice, to reconsider the decision);
  • The right to have inaccurate personal data rectified, blocked, erased or destroyed in certain circumstances;
  • The right to claim compensation for damage caused by the Company’s breach of the Act.

Personal Data

Personal data is defined by the Act as data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

The Act also defines “sensitive personal data” as personal data relating to the racial or ethnic origin of the data subject; their political opinions; their religious (or similar) beliefs; trade union membership; their physical or mental health condition; their sexual life; the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

The Company only holds personal data that is directly relevant to its dealings with a given data subject. That data will be collected, held, and processed in accordance with the data protection principles and with this Policy. The following data may be collected, held and processed by the Company:

  • Details of age, race and gender, for the best possible service for your health and wellbeing;
  • Details of past and present medical records, for the best possible service for your health and wellbeing;
  • Details of medication, pharmaceutical or recreational, past and present, for the best possible service for your health and wellbeing;
  • Details of religion or your faith, so that the practitioner from CAA can abide by and honour your own belief system;
  • Details regarding physical, sexual or any other activity that the practitioner from CAA may think is relevant for sessions and for the best possible service for you.

Processing Personal Data (Data Retention)

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, insurance (see the section below on insurance requirements) and reporting requirements. When deciding what the correct time is to keep the data for, we look at its amount, nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes, whether these can be achieved by other means, and legal requirements.

We process your personal and health data for:

  1. Providing therapy, counselling, or healthcare services.
  2. Creating and maintaining accurate health records.
  3. Facilitating appointments, communications, and follow-ups.
  4. Complying with legal and regulatory requirements.
  5. Internal audits, quality assurance, and training (where anonymised).

For tax purposes, the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers. In some circumstances, we may anonymise your personal data for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Any and all personal data collected by the Company (as detailed in Part 2 of this Policy) is collected in order to ensure that the Company can provide the best possible service to its customers, and can work effectively with its partners, associates and affiliates and efficiently manage its employees, contractors, agents and consultants. The Company may also use personal data in meeting certain obligations imposed by law.

Certain data collected by the Company, such as IP addresses, certain information gathered by cookies, pseudonyms and other non-identifying information will nonetheless be collected, held and processed to the same standards as personal data.

Personal data may be disclosed within the Company, provided such disclosure complies with this Policy. Personal data may be passed from one department to another in accordance with the data protection principles and this Policy. Under no circumstances will personal data be passed to any department or any individual within the Company that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed.

In particular, the Company shall ensure that:

  • All personal data collected and processed for and on behalf of the Company by any party is collected and processed fairly and lawfully;
  • Data subjects are always made fully aware of the reasons for the collection of personal data and are given details of the purpose(s) for which the data will be used;
  • Personal data is only collected to the extent that is necessary to fulfil the purpose(s) for which it is required;
  • All personal data is accurate at the time of collection and kept accurate and up to date while it is being held and/or processed;
  • No personal data is held for any longer than necessary in light of the purpose(s) for which it is required; legally, our insurance company, Holistic Insurance, requires us to hold data for 5 years for adults. For anyone under the age of 21, by law we are required to keep data for as long as the insurance company requires, which can be 10 years or more;
  • A suitable online privacy policy is implemented, maintained and followed;
  • Whenever cookies or similar technologies are used online by the Company, they shall be used strictly in accordance with the requirements of the Privacy and Electronic Communications Regulations, providing full details of cookie use and guidance on privacy;
  • Individuals are provided with a simple, accessible method of amending any data submitted by them online;
  • Individuals are informed if any data submitted by them online cannot be fully deleted at their request under normal circumstances (for example, because a file uploaded by a user has been backed up) and how to request that the Company deletes any other copies of that data, where it is within the individual’s right to do so;
  • All personal data is held in a safe and secure manner, as detailed in Part 3 of this Policy, taking all appropriate technical and organisational measures to protect the data;
  • All personal data is transferred securely, whether it is transmitted electronically or in hard copy, via www.therachat.io, a HIPAA-compliant app, or encrypted on the CAA website, Xero Accounts, Mailchimp, Kartra and Zoom;
  • No personal data is transferred outside of the European Economic Area (as appropriate) without first ensuring that the destination country offers adequate levels of protection for personal data and the rights of data subjects; and
  • All data subjects can fully exercise their rights with ease and without hindrance.

Data Protection Registration

Registration reference: ZB815292

Data Protection Procedures

The Company shall ensure that all of its employees, agents, contractors, or other parties working on behalf of the Company comply with the following when working with personal data:

  • All emails containing personal data must be sent over connections protected by TLS encryption;
  • Personal data may be transmitted over secure networks only – transmission over unsecured networks is not permitted in any circumstances;
  • Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
  • Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;
  • Where Personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
  • Where Personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using a trackable mail delivery service (Royal Mail Special Delivery).
  • No personal data may be shared informally, and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Penny Croal, Founder of CAA (penny@changeahead.biz);
  • All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet or similar;
  • No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of Penny Croal, Founder of CAA (penny@changeahead.biz);
  • Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors or other parties at any time;
  • If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it;
  • Any unwanted copies of personal data (i.e. printouts or electronic duplicates) that are no longer needed should be disposed of securely. Hardcopies should be shredded and electronic copies should be deleted securely using secure file deletion software to remove files and prevent recovery;
  • No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets and smartphones), whether such device belongs to the Company or otherwise, without the formal written approval of Penny Croal, Founder of CAA, at penny@changeahead.biz and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary;
  • No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the Act (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken);
  • All personal data stored electronically should be backed up daily, with backups stored in Dropbox and Microsoft OneDrive for Business. All backups should be encrypted using industry cryptographic standards, such as TLS/SSL while in transit and AES while at rest, to protect the confidentiality and integrity of customer data;
  • All electronic copies of personal data should be stored securely using passwords and industry cryptographic standards such as TLS/SSL and AES data encryption;
  • All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords;
  • Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
  • All personal data held by the Company shall be regularly reviewed for accuracy and completeness. Where the Company has regular contact with data subjects, any personal data held about those data subjects should be confirmed at least annually.
  • If any personal data is found to be out of date or otherwise inaccurate, it should be updated and/or corrected immediately where possible. If any personal data is no longer required by the Company, it should be securely deleted and disposed of within 1 year;
  • Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Penny Croal Founder of CAA at penny@changeahead.biz to ensure that no data subjects have added their details to any marketing preference databases including, but not limited to, the Telephone Preference Service, the Mail Preference Service, the Email Preference Service, and the Fax Preference Service. Such details should be checked at least annually.

Data Sharing and Confidentiality

We prioritise confidentiality in all aspects of our services. Your data will only be shared:

  • With healthcare providers directly involved in your treatment, with your consent.
  • With legal or regulatory authorities if required by law.
  • For billing purposes with insurance providers (if applicable), with your explicit consent.
  • For emergency situations where your health or safety is at risk.

All third parties involved in data processing are contractually obligated to comply with GDPR.

Marketing Communications

Our lawful ground of processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely to grow our business).

Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you made a purchase or asked for information from us about our goods or services or (ii) you agreed to receive marketing communications and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However, you can still opt out of receiving marketing emails from us at any time.

Before we share your personal data with any third party for their own marketing purposes we will get your express consent.

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you, or by emailing us at penny@changeahead.biz at any time.

If you opt out of receiving marketing communications this opt-out does not apply to personal data provided as a result of other transactions, such as purchases, warranty registrations etc.

Disclosures of your Personal Data

We may have to share your personal data with the parties set out below:

  • Service providers who provide IT and system administration services.
  • Professional advisers including lawyers, bankers, auditors and insurers.
  • Government bodies that require us to report processing activities.
  • Third parties to whom we sell, transfer, or merge parts of our business or our assets.

We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions. These trusted third parties agree to keep this information confidential. Your personal information will never be shared with unrelated third parties.

International Transfers

Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.

Many of our third-party service providers are based outside the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is in place:

  • We will only transfer your personal data to countries that the European Commission has approved as providing an adequate level of protection for personal data; or
  • Where we use certain service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe; or
  • If we use US-based providers that are part of EU-US Privacy Shield, we may transfer data to them, as they have equivalent safeguards in place.

If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.

Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. When deciding what the correct time is to keep the data for, we look at its amount, nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes, whether these can be achieved by other means, and legal requirements.

Data Breaches

In the unlikely event of a data breach:

  • Affected individuals will be notified immediately if there is a high risk to their rights and freedoms.
  • Relevant authorities (e.g., the Information Commissioner’s Office) will be informed within 72 hours of discovering the breach.

Consent

We will obtain your explicit consent before processing sensitive health and therapy data, except in emergencies or where legally required. Consent may be withdrawn at any time without affecting the services provided.

Your Legal Rights

Under data protection laws you have rights in relation to your personal data that include the right to request access, correction, erasure, restriction, transfer, to object to processing, to portability of data and (where the lawful ground of processing is consent) to withdraw consent.

You can see more about these rights at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at penny@changeahead.biz

Under GDPR, you have the following rights concerning your data:

  1. Right to Access: Request access to your data and obtain a copy.
  2. Right to Rectification: Request corrections to inaccurate or incomplete data.
  3. Right to Erasure: Request deletion of your data (except where required for legal or medical purposes).
  4. Right to Restrict Processing: Limit the use of your data in certain circumstances.
  5. Right to Data Portability: Obtain your data in a structured, commonly used format.
  6. Right to Object: Object to the processing of your data for non-therapeutic purposes.
  7. Right to Withdraw Consent: Withdraw consent for data processing at any time.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive or refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you. If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.

Third Party Links

The Site may contain links to third-party websites, plug-ins and applications. Except as otherwise discussed in this Privacy Policy, this document only addresses the use and disclosure of information we collect from you on our Site. Other sites accessible through our site via links or otherwise have their own policies in regard to privacy. We are not responsible for the privacy policies or practices of third parties. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Security

We maintain security measures to protect your personal information from unauthorized access, misuse or disclosure. However, no exchange of data over the Internet can be guaranteed as 100% secure. While we make every effort to protect your personal information shared with us through our Site, you acknowledge that the personal information you voluntarily share with us through this Site could be accessed or tampered with by a third party. You agree that we are not responsible for any intercepted information shared through our Site without our knowledge or permission. Additionally, you release us from any and all claims arising out of or related to the use of such intercepted information in any unauthorized manner.

Sharing. Please be aware that when you use our Site to post comments and share other information, any information that you provide may not be secure and can be collected and used by others. As a result, you should exercise caution before you make such disclosures.

Children. To access or use the Site, you must be 18 years or older and have the requisite power and authority to enter into this Privacy Policy. Children under the age of 18 are prohibited from using the Site.

We implement stringent security measures to protect your data, including:

  • Encryption for electronic records.
  • Secure storage for paper records, where applicable.
  • Restricted access, ensuring only authorized personnel handle your data.
  • Regular staff training on data protection and confidentiality.
  • Regular audits to identify and address vulnerabilities.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy.

How to Update Your Information

If you opt in to our mailing list, the option to unsubscribe or update will be included in every email. You may also access and correct your personal information and privacy preferences by contacting us with your request at penny@changeahead.biz.

Notification of Changes to this Policy

You acknowledge and agree that it is your responsibility to review this Site and this Policy periodically and to be aware of any modifications. Updates to this Policy will be posted on this page.

Date of last update: November 26th 2024

Contact

If you have questions about our Privacy Policy, please contact us via email: penny@changeahead.biz.

By engaging with our services, you acknowledge that you have read, understood, and agreed to this GDPR compliance policy.