Data Protection & GDPR Policy
1. Purpose of this policy
TruefaithHB is committed to protecting the privacy and personal data of our clients. This policy explains how we collect, use, store, and protect personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to all personal data relating to clients, enquiries, and business contacts.
2. Data Controller
TruefaithHB is the Data Controller for the purposes of UK GDPR.
Contact details:
Email: Info@truefaithhb.com
Phone: 07708782595
3. Personal data we collect
We may collect and process the following information:
Personal data
- Name
- Address
- Telephone number
- Email address
Special category data (health-related)
- Information relating to hair loss caused by medical conditions or treatment
- Consultation notes
- Measurements and fitting information
- Photographs (with explicit consent)
4. Lawful basis for processing
We process personal data under the following lawful bases:
- Provision of health-related services
- Explicit consent, particularly for special category data and photographs
- Legitimate interests, such as appointment management and follow-up care
Consent can be withdrawn at any time.
5. How we use personal data
Personal data is used only to:
- Arrange and manage appointments
- Provide wig consultation, fitting, and aftercare services
- Communicate with clients regarding their care
- Liaise with NHS services or healthcare professionals where appropriate and authorised
- Maintain accurate records
We do not sell or use personal data for unrelated marketing purposes.
6. Data storage and security
We take reasonable and appropriate steps to protect personal data, including:
- Password-protected devices
- Encrypted cloud storage where digital records are used
- Secure email or file transfer for sharing information
- Locked storage for any paper records
- Limiting access to personal data to authorised persons only
Personal data is not stored on shared or unsecured devices.
7. Sharing personal data
Personal data may be shared:
- With NHS services or healthcare professionals, where relevant and authorised
- With service providers necessary to deliver care (e.g. suppliers), where appropriate
Only the minimum necessary data is shared, and only via secure methods.
8. Data retention
We keep personal data only for as long as necessary:
- Client records: 6–7 years after last contact
- Photographs: retained only while clinically relevant or until consent is withdrawn
- Enquiries not proceeding to consultation: up to 12 months
Data is securely deleted or destroyed once it is no longer required.
9. Individual rights
Under UK GDPR, individuals have the right to:
- Access their personal data
- Request correction of inaccurate data
- Request deletion of data (where applicable)
- Restrict or object to processing
- Withdraw consent at any time
Requests should be made using the contact details above.
10. Data breaches
A data breach includes loss, unauthorised access, or disclosure of personal data.
In the event of a breach, we will:
- Identify and contain the breach
- Assess the risk to individuals
- Record the incident
- Report to the Information Commissioner’s Office (ICO) within 72 hours if required
- Inform affected individuals where appropriate
11. Policy review
This policy is reviewed annually or sooner if there are changes to legislation or business practices.