Privacy Policy
Last updated: July 2026
1. Who we are
Cocoon Therapy - Massage & Wellness is a women-only massage therapy practice based in East Putney, London. We are the data controller for the personal information you provide to us.
Contact: hello@cocoontherapy.co.uk | 07933 274028
2. What data we collect
We collect personal information in three ways:
When you book or contact us:
- Name, email address, and phone number
- Booking history and booking details
- Emails or messages you send us, and our replies
When you buy or redeem a gift card:
- Purchaser and recipient contact details
- Gift-card value, redemption history, and any gift message you provide
When you complete our client forms:
- Health history, medical conditions, and medications
- Areas of concern, treatment preferences, and goals
- Signed consent and liability release
When you visit our website:
- Basic visit logs (page requests, timestamps, IP address, user-agent string, and approximate location from your IP)
- The page you landed on and the website or search you came from (if your browser shares it) so we can understand which channels (e.g. search engines, social media, printed leaflets, QR codes) bring people to the site
- Marketing tags such as utm_* parameters and ad-click identifiers (e.g. gclid, fbclid) when present in the link you clicked
- A randomly generated visitor identifier stored in your browser (no name or contact details) so repeat visits in the same browser are not double-counted
- If you use the optional Services helper, the general text you type when asking for treatment suggestions
We do not use Google Analytics, Meta Pixel or comparable advertising pixels. The main visit log is held on our server; when approximate location reporting is enabled, an IP address is sent to the limited geolocation provider described below.
3. How we use your data
We use your information to provide and administer our services:
- To assess suitability for treatment and adapt sessions to your needs
- To contact you about appointments or respond to enquiries
- To comply with our professional duty of care
- To provide gift cards, vouchers, receipts, and redemption records
- To prevent fraud, protect the website, investigate failed payments, and maintain operational records
- To send occasional marketing emails where you have consented or where the electronic-mail soft opt-in legally applies, with an unsubscribe option in every message
We do not sell, rent, or share your personal data with third parties for marketing purposes.
Online card payments are processed by Stripe or SumUp. Their hosted payment components collect your card details directly; Cocoon Therapy does not store your full card number or card security code. We retain limited payment references, amounts, status and refund information for reconciliation, fraud prevention and accounting.
4. Legal basis for processing
Under UK GDPR, we rely on the following legal bases:
- Explicit consent — for processing special-category health data collected through our consultation forms. This is requested separately from consent to treatment and can be withdrawn at any time
- Consent or the PECR soft opt-in — for marketing emails where its requirements are met, with the right to opt out at any time
- Contract — to fulfil your booking and deliver your treatment
- Legitimate interests — for website visit logging and traffic-source analytics, to keep the site secure, operational, and to understand which channels bring people to the site
- Legal obligation — for accounting, tax, and record-keeping duties
5. How we store your data
Your client forms, treatment notes, booking contact details, mirrored client emails and operational alert content are encrypted at rest and held behind access-controlled staff accounts protected by multi-factor authentication. Access is limited to people who need the information to provide or administer your treatment, and we do not send full health forms by unencrypted email. We take proportionate precautions to protect information from unauthorised access, alteration, loss or disclosure.
Retention depends on the record and why it is needed. Treatment and client records are normally retained for up to 7 years after the last treatment, subject to applicable professional, insurance and legal requirements. Accounting and transaction records are retained for the period required by UK tax and accounting law. Failed or abandoned checkout data, raw website logs and operational alerts are retained only for the shorter period needed for security, troubleshooting and reconciliation. Marketing suppression records are retained so that we can continue to honour an opt-out. Records are deleted or anonymised when the relevant period or purpose ends, unless a legal claim or other legal duty requires longer retention.
6. Service providers and international transfers
We share personal data only with service providers needed to operate the practice. These include payment processors; transactional email and calendar providers; booking platforms where you use those platforms; website hosting and security providers; and a limited IP-geolocation provider for approximate traffic reporting. Payment processing is currently provided by Stripe and SumUp. Where a booking originates through Treatwell, the relevant booking information is processed through that platform. Generic operational push notifications may be delivered through a notification provider and do not contain client names, health information or message contents.
Some providers may process information outside the UK. Where UK personal data is transferred internationally, we rely on an applicable UK adequacy regulation or contractual safeguards such as the UK International Data Transfer Agreement or UK Addendum, as appropriate. You may contact us for more information about the safeguard used for a particular provider.
Where an administrator deliberately uses the optional email-draft assistant, the relevant conversation text may be sent to OpenAI to prepare a draft which staff review before sending. This feature is not used to make treatment decisions.
We also offer an optional Services helper that can suggest treatments based on the text you type. If you use it, your request and a limited public catalogue of our services may be sent to OpenAI to generate suggestions. The helper does not access your client records, booking history, payment details, or health forms, and it does not make bookings or decisions about your care. We use basic technical information, such as IP address and browser user-agent, to rate-limit and protect this feature from abuse. Please keep requests general and do not include medical records or private health details.
7. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — request deletion of your data (subject to legal retention obligations)
- Restriction — ask us to limit how we use your data
- Object — object to processing based on our legitimate interests, including website analytics, and object at any time to direct marketing
- Withdraw consent — at any time, where processing is based on consent
- Portability — receive your data in a structured, machine-readable format
To exercise any of these rights, contact us at hello@cocoontherapy.co.uk. We will respond within 30 days.
If you have a concern about how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
These rights can be limited in some circumstances, including where information must be retained to meet a legal obligation or establish, exercise or defend a legal claim.
8. Changes to this policy
We may update this policy from time to time. The current version will always be available on this page with the date it was last revised.
9. Contact
For any questions about this policy or your data, please contact:
Cocoon Therapy - Massage & Wellness
hello@cocoontherapy.co.uk
07933 274028