Privacy Policy

Rocks n Rituals Privacy Policy

1. Introduction

This Privacy Policy explains how Debi Barr t/a Rocks n Rituals collects, uses, stores, and protects your personal data. It applies to all clients, customers, and website visitors.

We take our obligations under data protection law seriously. Your data will never be sold, rented, or shared with third parties for their own marketing purposes.

The data controller for all personal data processed under this policy is Debi Barr, Rocks n Rituals. Contact details are set out in Section 9.


2. Legislation

This policy is designed to comply with the following legislation:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018

If you are based outside the United Kingdom and are unsure whether this policy meets your local data protection requirements, please contact us using the details in Section 9.


3. What Personal Data We Collect and Why

3.1 Website Analytics

This website uses Google Analytics to understand how visitors find and use our site. Data collected includes geographical location, device type, browser, operating system, and IP address. This data is aggregated and does not personally identify you to us. Google acts as a third-party data processor (see Section 6).

You can prevent Google Analytics from tracking your visit by disabling cookies in your browser settings.

Lawful basis: Legitimate interests — understanding website usage to improve our services.

3.2 Blog Comments

If you submit a comment on our blog, your name, email address, IP address, and the time and date of submission are stored in our website database. Only your name is visible publicly. This data remains until the comment or post is removed. To request deletion, email us from the address used to submit the comment.

You must be 16 or over to submit a comment. If you are under 16, parental consent is required.

Lawful basis: Legitimate interests — managing user-generated content on our website.

3.3 Contact and Enquiries

When you contact us by email or via our contact page, your name and email address are used to respond to your enquiry. This data is held by our third-party email provider (Google Workspace) and is not stored separately by us.

Lawful basis: Legitimate interests — responding to enquiries from prospective and existing clients.

3.4 Email Newsletter and Marketing

If you subscribe to our mailing list, your email address and name are stored with our email marketing platform, MailerLite, who act as a third-party data processor (see Section 6). Your data will remain with MailerLite for as long as you remain subscribed or until you request removal.

You can unsubscribe at any time using the unsubscribe link in any email we send, or by contacting us directly. You must be 16 or over to subscribe. If you are under 16, parental consent is required.

Lawful basis: Consent — you have actively opted in to receive marketing communications from us.

3.5 Online Booking

If you book an appointment through our online booking system (Setmore), you will be asked to provide your name, email address, and contact telephone number. This data is stored and managed by Setmore as a third-party data processor (see Section 6) and is used solely for the purpose of managing your appointment.

Lawful basis: Contract — processing is necessary to fulfil your booking.

3.6 Client Records

All clients engaging in 1:1 services, mentoring, or training with Rocks n Rituals have a client record created. This includes your contact information and details relevant to your sessions. Client records are maintained in our client database (Notion) and associated business documentation systems. Records are retained for up to ten years from the date of your last session, in line with our professional obligations.

Legacy paper records from previous therapy services are held securely in a locked cabinet. These are retained for the same ten-year period and will be securely destroyed thereafter.

Lawful basis: Contract and legal obligation — records are necessary to deliver services and meet our professional and insurance requirements.

3.7 Membership and Course Participation

If you join Sacred Rebel Circle or purchase an online course, we hold your name, email address, payment information (processed by our payment provider), and records of your participation. This data is used to manage your access and deliver the service.

Lawful basis: Contract — processing is necessary to deliver your membership or course.

3.8 Telegram and WhatsApp

Where you engage with us via Telegram or WhatsApp for client work or support, the content of those communications is held within those platforms. We do not store or transfer this data externally. Both Telegram and WhatsApp act as third-party data processors (see Section 6).

Please be aware that messaging platforms have their own privacy policies and data practices which are independent of ours.

Lawful basis: Contract — communication is necessary to deliver agreed services.


4. How We Store Your Personal Data

Personal data is stored as follows:

  • Google Workspace — email correspondence and associated files
  • Notion — client database and records
  • Microsoft OneDrive — business documentation
  • Setmore — booking data
  • MailerLite — newsletter subscriber data
  • Telegram and WhatsApp — client communications
  • Membership platform — Sacred Rebel Circle member data and course participation records
  • WordPress website database — blog comment data only
  • Locked physical cabinet — legacy paper client records

We take reasonable technical and organisational measures to protect your data against unauthorised access, loss, or disclosure.


5. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — you can request a copy of the personal data we hold about you
  • Right to rectification — you can ask us to correct inaccurate or incomplete data
  • Right to erasure — you can request deletion of your data where we no longer have a lawful basis to hold it
  • Right to restriction — you can ask us to restrict processing of your data in certain circumstances
  • Right to data portability — you can request your data in a portable format where technically feasible
  • Right to object — you can object to processing based on legitimate interests or for direct marketing purposes

To exercise any of these rights, please contact us using the details in Section 9. We will respond within one calendar month.


6. Third-Party Data Processors

We use the following third-party services to process personal data on our behalf. Each has been assessed for compliance with applicable data protection legislation:

  • Google (Workspace) — Gmail, Google Drive, Google Analytics, and associated productivity tools
  • MailerLite — email marketing and newsletter management
  • Setmore — online appointment booking
  • Notion — client database and records management
  • Microsoft (OneDrive) — business document storage
  • WordPress / Weblify — website hosting and content management
  • Telegram — client communications
  • WhatsApp (Meta) — client communications
  • Facebook / Instagram (Meta) — social media marketing
  • LinkedIn — social media marketing
  • YouTube (Google) — video content hosting

We do not sell or share your personal data with any third party for their own marketing or commercial purposes.


7. Data Breaches

In the event of a data breach involving personal data held in an identifiable manner, we will notify all relevant individuals and report to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, in accordance with our obligations under UK GDPR.


8. Complaints and the ICO

If you have a concern about how we handle your personal data, please contact us in the first instance using the details in Section 9. We will acknowledge your concern within 5 business days and aim to resolve it within 28 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113


9. Data Controller and Contact Details

Data Controller: Debi Barr t/a Rocks n Rituals
Email: info@rocksnrituals.co.uk
Telephone: 028 9142 2214

Please contact us at the above email address to exercise your data subject rights, raise a concern, or request further information about how we handle your data.


10. Changes to This Policy

This policy will be updated periodically to reflect changes in legislation, our services, or our data processing practices. We recommend checking this page occasionally. The date of the most recent update is shown below.

Last updated: March 2026
