LEGAL DOCUMENT

Privacy Policy

Last updated: 2026-05-17

1. Who controls your personal data

The data controller is:

Konrad Kowalik trading as Full of Health (also operating in Poland as „Życie Pełne Zdrowia") Email: contact@fullofhealth.uk ICO Registration Number: ZC106701

I provide naturopathic consultations online to clients based primarily in the UK, EU and worldwide. Because of that, my processing of personal data is governed by both the UK GDPR (incorporating EU GDPR into UK law) and, where applicable, the EU GDPR — see Section 2.

EU Representative (Art. 27 GDPR, for EU/EEA clients): Bożena Kowalik, ul. Przytulna 14, 26-900 Kozienice, Poland — contact@fullofhealth.uk

Your personal data is processed in accordance with:

  • the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 — for services delivered to clients in the United Kingdom
  • the EU General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR") — for services delivered to clients located in the EU/EEA (Art. 3(2) EU GDPR)
  • the Privacy and Electronic Communications Regulations 2003 (PECR) — for cookies and electronic marketing

3. What data I collect and why

3.1. Contact form on the website

I collect: first name, email address, brief description of your health concern.

Purpose: to reply to your enquiry and discuss a possible naturopathic consultation.

Lawful basis:

  • standard data (name, email) — Art. 6(1)(b) UK GDPR: steps taken at your request before entering into a contract
  • health data (description of your concern) — Art. 9(2)(a) UK GDPR: your explicit consent, given by ticking the checkbox next to the contact form

The description of your health concern is special category data under Art. 9(1) UK GDPR (data concerning health). It is processed only on the basis of your explicit consent.

Retention: up to 12 months from your last contact, or until you withdraw consent — whichever comes first. If your enquiry leads to a paid consultation, your data becomes part of your client record (see Section 3.2).

3.2. Client questionnaire (Google Forms)

After paying for a consultation you receive a link to a detailed questionnaire. I collect: full name, email, phone number, medical history, current diagnoses, past surgeries, medications and supplements with doses, laboratory results, information about diet, digestion and lifestyle, physical and emotional symptoms, and diagnostic photographs (tongue, nails, skin where relevant).

Purpose: to prepare and deliver your naturopathic consultation, develop a personalised Action Plan, and maintain continuity of care across follow-ups.

Lawful basis:

  • standard data — Art. 6(1)(b) UK GDPR: performance of a contract
  • health data (special category) — Art. 9(2)(a) UK GDPR: your explicit consent, given inside the questionnaire

Retention: 7 years from your last contact. This is aligned with the limitation periods for civil claims (6 years under English law, up to 10 years under Polish law) and with general expectations for the continuity of health-related records.

3.3. Newsletter (planned)

If you subscribe to the newsletter I collect: email address, and optionally first name.

Purpose: to send educational material on health, biochemistry and naturopathy. Lawful basis: Art. 6(1)(a) UK GDPR — consent. Retention: until you unsubscribe or withdraw consent.

The newsletter uses double opt-in (confirmation by clicking a link in a confirmation email).

3.4. Billing data

When you pay for a service I process the data needed to issue and record the payment (name, payment details, amount, date). Lawful basis: Art. 6(1)(c) UK GDPR — compliance with a legal obligation (tax and accounting law in the UK and, where applicable, Poland). Retention: 6 years (HMRC requirement; equivalent Polish tax law also applies where relevant).

4. Recipients of your data

Your data may be shared with the following processors, only to the extent strictly necessary for the purposes above:

Processor Role Data shared Location
Google Ireland Ltd Questionnaire hosting (Google Forms), email (Gmail) Questionnaire data, email correspondence EU (Ireland)
Vercel, Inc. Website hosting Technical data (server logs, IP addresses) USA
Resend, Inc. Transactional email delivery Email address, first name USA
Anthropic, Inc. Analytical support when preparing your written plan Pseudonymised data (no name, no surname) USA
Supabase, Inc. Cookie-consent log storage Hashed IP, consent choice, timestamp EU (Ireland)

When I use AI-assisted tools from Anthropic, your data is pseudonymised — your name is replaced with a client code. All clinical decisions and recommendations are taken personally by me. You have the right to refuse processing of your data by this tool.

I do not sell your data. I do not share it for marketing purposes with any third party.

5. International transfers (outside the UK / EEA)

Where data is transferred to the United States, I rely on the following safeguards:

  • Vercel, Inc. and Resend, Inc. — under the UK-US Data Bridge (in force since 12.10.2023) and the EU-US Data Privacy Framework (Commission adequacy decision of 10.07.2023). Both providers hold active DPF certifications.
  • Anthropic, Inc. — under the UK International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses (SCCs) adopted by the European Commission.
  • Google Ireland Ltd — based in the EU; data processed within the EEA.
  • Supabase, Inc. — data stored in the EU (Ireland) region; not transferred outside the EEA.

6. Your rights

Under the UK GDPR (and, where applicable, the EU GDPR) you have the right to:

  • Access (Art. 15) — obtain information about what data I hold about you and receive a copy
  • Rectification (Art. 16) — have inaccurate or incomplete data corrected
  • Erasure (Art. 17) — request deletion of your data, subject to my legal obligations (e.g. retention of billing records)
  • Restriction of processing (Art. 18) — in defined circumstances (e.g. while you contest the accuracy of the data)
  • Data portability (Art. 20) — receive your data in a structured, commonly used format
  • Withdraw consent (Art. 7(3)) — at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Object (Art. 21) — to processing based on legitimate interests

To exercise any of these rights, email: contact@fullofhealth.uk

I will respond within 30 days of receiving your request (extendable by a further 60 days for complex cases — you will be told if that applies).

7. Right to complain

If you believe your data is being handled unlawfully, you have the right to lodge a complaint with the supervisory authority:

  • United Kingdom: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, SK9 5AF — ico.org.uk
  • Poland (for EU/EEA clients): Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa — uodo.gov.pl

You also have the right to complain to the supervisory authority in your own country of residence within the EU/EEA.

8. Cookies

Details about cookies used on this website are set out in the Cookie Policy.

9. Automated decision-making and profiling

I do not carry out automated decision-making concerning your health on the basis of profiling within the meaning of Art. 22 UK GDPR. All clinical decisions and recommendations are made personally by me.

10. Data security

I apply appropriate technical and organisational measures to protect your personal data, including:

  • TLS/SSL encryption across the entire website
  • pseudonymisation of health data passed to processors where feasible
  • access to client records restricted to me personally
  • regular review of processing practices and security controls

In the event of a personal data breach likely to result in a risk to your rights and freedoms, I will notify the ICO within 72 hours and inform you without undue delay, in line with Art. 33–34 UK GDPR.

11. Whether providing data is mandatory

Providing personal data is voluntary, but:

  • providing your name and email is required to send an enquiry via the contact form
  • providing the description of your health concern is required to give you a meaningful initial response
  • providing the data in the Client Questionnaire is required to deliver a naturopathic consultation

If you decide not to provide the relevant data, I will not be able to deliver the corresponding service.

12. Children

Services on this site are not directed at children. I do not knowingly collect personal data from anyone under 16. Where a parent or legal guardian books a consultation for a child, the parent/guardian is the contracting party and provides consent on the child's behalf, as permitted by Art. 8 UK GDPR.

13. Changes to this Privacy Policy

I may update this Privacy Policy from time to time. Material changes will be communicated on the website. The current version (with version number and date) is always available at fullofhealth.uk/en/privacy-policy.

Full of Health — Konrad Kowalik contact@fullofhealth.uk