Privacy Policy

Effective Date: 27 December 2025

1. Introduction

Kaya Thai Therapy Ltd ("we", "our", or "us") is committed to protecting your privacy and security. This Privacy Policy explains how we collect, use, process, and store your personal data when you use our website and services, in strict accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

2. Data Controller & Statutory Information

For the purposes of data protection laws, the Data Controller is:

  • Company Name: Kaya Thai Therapy Ltd
  • Company Registration Number: 16923181
  • Registered Office: 18 Garrick Road, London, NW9 6AP
  • Place of Registration: England and Wales
  • Data Protection Lead: Errolson Gonito
  • Contact Email: errolson.gonito@kayathaitherapy.co.uk

3. The Data We Collect

We collect different categories of personal data to provide safe and effective therapeutic treatments:

  • Identity Data: First name, last name, title, and date of birth.
  • Contact Data: Email address, telephone number, and residential/billing address.
  • Special Category Data (Health Data): Information regarding your physical health, medical history, injuries, allergies, pregnancy status, and contraindications.
    Note: Collection of this data is mandatory for client safety prior to any treatment.
  • Technical Data: Internet Protocol (IP) address, browser type and version, time zone setting, and operating system (collected via Vercel Analytics).
  • Usage Data: Information about how you use our website, including consent preferences managed via Cookiebot.

4. Lawful Basis for Processing

We rely on specific legal grounds under the UK GDPR to process your data:

  • Performance of a Contract (Article 6(1)(b)): To register you as a new client, process bookings, and deliver massage therapy services.
  • Legitimate Interests (Article 6(1)(f)): To manage our waitlist, notify you of our grand opening, prevent fraud, and carry out business administration.
  • Provision of Health or Social Care (Article 9(2)(h)): As we process sensitive health data, we rely on this specific condition to ensure we can assess your suitability for treatment and provide safe therapy.
  • Legal Obligation (Article 6(1)(c)): To comply with statutory requirements from HMRC and our professional indemnity insurers.

5. How We Use Your Data

  • Service Provision: To tailor massage treatments (e.g., Deep Tissue, Traditional Thai) to your physical needs.
  • Communication: To send appointment confirmations, waitlist updates, and the grand opening discount code.
  • Safety: To identify contraindications that may prevent treatment.
  • Improvement: To monitor website performance and local demand in the Colindale area.

6. Data Retention Policy

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for.

  • Clinical & Health Records: In accordance with professional indemnity insurance requirements and the limitation periods for negligence claims, all consultation and treatment records are retained for 7 years following your last appointment.
  • Marketing Data: We retain contact information for marketing purposes until you exercise your right to unsubscribe or withdraw consent.
  • Waitlist Data: If you join our pre-launch waitlist but do not book a treatment within 24 months of our opening, your data will be securely anonymised or deleted.

7. Data Security and Third-Party Processors

We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way. We utilise the following trusted third-party processors:

  • Microsoft Corporation (USA/EU): Secure storage of client databases (SharePoint/Excel) and email automation (Outlook/Power Automate). Data is protected via standard contractual clauses and encryption at rest.
  • Vercel Inc. (USA): Secure web hosting infrastructure.
  • Usercentrics A/S (Cookiebot) (EU): Management of cookie consent and compliance logging.

8. Your Legal Rights

Under the UK GDPR, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure: Request deletion of your data (subject to our legal obligation to retain clinical records for 7 years).
  • Right to Restrict Processing: Ask us to suspend the processing of your data.
  • Right to Withdraw Consent: You can withdraw consent for marketing at any time by clicking the "Unsubscribe" link in our emails.

To exercise any of these rights, please contact us at hello@kayathaitherapy.co.uk.

9. Complaints

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.