Privacy Policy

Candour Nutrition  |  Last updated: June 2026

This policy explains how I collect, use, store, and protect your personal data as a client of Candour Nutrition. Please read it carefully. I will ask you to confirm that you have read and understood this policy before we begin working together.

Who is responsible for your data?

Karen Houston, trading as Candour Nutrition, is the data controller. I am registered as an Associate Nutritionist (ANutr) with the Association for Nutrition (AfN).

Contact: karen@candournutrition.com

What data I collect

I collect only the minimum personal data necessary to provide you with a safe and effective nutrition service. This includes:

  • Contact details — name, email address, phone number

  • Health and medical information — medical history, current medications and supplements, GP details, and any other health information you share with me

  • Dietary and lifestyle information — food diaries, eating patterns, and lifestyle factors, where these are relevant to your nutrition goals

  • Session records — notes from our sessions and any written materials we develop together

Health and medical data is classed as special category data under UK GDPR and is given a higher level of protection.

Why I collect this data and the legal basis

To provide nutrition services. The primary basis for processing your data is the performance of our contract — that is, delivering the nutrition support you have engaged me to provide.

Health data. For special category health data, the additional legal basis is processing necessary for the provision of health or social care (Article 9(2)(h) UK GDPR), combined with your explicit consent, which I will ask for in writing before we begin.

GP details. I collect your GP's name and contact details in case of a safeguarding concern or emergency situation where it would be in your vital interests for me to make contact. I will not contact your GP for any other reason without your explicit consent.

How I store your data

All client records — including intake forms, session notes, and food diaries — are stored digitally in Google Workspace (Google Drive and Gmail). The account is secured with two-factor authentication and access is restricted to me alone. Google acts as a data processor on my behalf under its Data Processing Agreement.

Who I share your data with

I will not share your personal data with any third party without your explicit consent, except in the following circumstances:

  • With your consent — for example, writing to your GP or referring you to another health professional

  • Legal obligation — if I am required to disclose information by law or to protect your vital interests or those of another person

  • Supervision — I receive professional supervision as required by the AfN. Any case material discussed in supervision is anonymised and does not identify you

How long I keep your data

I retain client records for 7 years after the end of our working relationship, in line with standard professional body guidance. If you were under 18 at any point during our work together, records are retained until your 25th birthday if that is later.

After the retention period, your data will be securely deleted.

Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — to request a copy of the data I hold about you

  • Right to rectification — to ask me to correct inaccurate data

  • Right to erasure — to request deletion of your data, subject to my legal obligations to retain records

  • Right to restrict processing — to ask me to limit how I use your data

  • Right to object — to object to processing based on legitimate interests

  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact me at karen@candournutrition.com. I will respond within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time.

Data breaches

In the unlikely event of a data breach that poses a risk to your rights and freedoms, I will notify the ICO within 72 hours and inform you without undue delay.

Changes to this policy

I may update this policy from time to time. I will notify you of any material changes. The current version will always be available here.

Note for clients: You will be asked to sign a separate client agreement confirming that you have read and understood this privacy policy before our first session.