Privacy Notice

What you will read below is my full privacy notice, providing detail about the data CreaTEAvity collects, and what I do with it. I have tried to make it as easy to read as possible.

Simply put: the data that I collect, and how it is collected, is basic. I am not keen on being tracked, or having my information shared with unknown entities, and I hope you will appreciate being treated the same way when you visit CreaTEAvity (and our sister website, Be Blooming Well).

CONTACT INFORMATION
Callie Di Nello
CreaTEAvity Studio, Lambton Road, London, SW20 0TJ
Email: calliedinello@pm.me
Website: www.createavity.com  

I, Callie Di Nello, am the Data Controller and Processor of CreaTEAvity. CreaTEAvity is also identified as “we” throughout this Privacy Notice. Callie Di Nello is also identified as “me” or “I” throughout this Privacy Notice.

Personal data: what we collect, and why 
I hold client data on the basis of “Legitimate Interests”: this data is necessary for me to be able to fulfil the contract I have together with my clients (i.e. to provide therapy, or other professional support services), and it is data that you would reasonably expect me to hold, and use.  

For anyone who asks about my services, I hold data that will include any information that may have been sent by email, text or direct message. The data is primarily used to enable me to provide therapy or professional support services. It may also be used for scientific research purposes and statistical purposes.

I hold the following data for clients who book, and attend, at least one session with CreaTEAvity:
- basic information: your name, email address, and phone number
- information that you share with me, as part of the work we do together
- records of which interventions are used (or potentially not used) in sessions
- emails, texts and/or messages that are sent between us
- audio recordings of sessions (unless you specifically object)
- information sent from any third party, e.g. GP, therapist or other professionals whom we may need to liaise with, in order to provide you with appropriate professional support  

SPECIAL CATEGORY DATA
Some of the information that you give me may fall under the definition of ‘special category of data’ as defined by the General Data Protection Regulations (GDPR).

The condition for processing this special data is: “processing is necessary for medical diagnosis, the provision of health care or treatment pursuant to contract with a health professional”. However, data on any criminal offences (including allegations, proceedings and convictions) is even more tightly controlled and so I would need your specific consent in order to hold any such information.

Data is not shared with anyone, except possibly your GP, and for any reasons covered by the Requirements for Disclosure, which are detailed and discussed when we first meet, as per our Coaching & Therapy Agreement and Disclosure (Terms & Conditions).

Should you choose to make a complaint about me to my professional body, I am entitled to share your notes with any investigator under investigation procedures. Client session data, which comes under ‘special category data’, is kept for 7 years. The length of time is based on the stipulation of my insurer. After this time any paper records are shredded and computer records permanently deleted.

Methods of collection and use of data 
PAYMENTS
Bank, credit card, Stripe and Paypal records and transactions, which contain any information that you submit when making payment(s), will be seen by accountants hired by CreaTEAvity. If you would like me to redact any identifiable data before sending to the accountants, then please let me know.

WHERE YOUR DATA IS HELD
- any emails sent between us are held either on my computer hard drive or exchange server. If archived, they may be stored in Dropbox, a secure cloud-based storage service that is itself GDPR compliant
- any emails that may be held on my personal smartphone or iPad are fingerprint-protected
- any texts/WhatsApp/Signal/Telegram messages sent between us are held on my smartphone, which is fingerprint-protected. (Please refer to CreaTEAvity’s Social Media Policy)
- your notes may be handwritten and stored in a locked filing cabinet. A numerical coding system enables me to know whose notes belong to whom, but a stranger would not be able to identify who they referred to
- any credit card information taken from you is shredded once processed
- if you have registered for email updates, this data will be held on the email software database (currently TinyLetter and via www.createavity.com's inbuilt email capabilities). Only I have access to these databases.
- if you use Paypal, Stripe, or online banking, then clearly these systems will hold your data, which will be downloaded from these systems for accounting purposes. All payment data is entered onto a spreadsheet on my computer, in a password-protected document. When this data is sent to our accountants, it remains password-protected.

COMMENTING ON CREATEAVITY WEBSITE
The facility to leave comments on CreaTEAvity's website is part of our online courses and our online community. Please use this functionality - and leave comments - at your own discretion.

NEWSLETTERS
I use TinyLetter to send occasional email newsletters to registered subscribers. In each email, there will be a clear link to unsubscribe; you are free to unsubscribe at any time. If you have signed up to our courses, emails are sent using the inbuilt functionality of the website hosts (NewZenler).

EMBEDDED CONTENT FROM OTHER WEBSITES
Articles on this website may include embedded content (for example, videos, images, and articles). Embedded content from other websites behaves in exactly the same way as if you, the visitor, had visited the website where the embedded content originates.

These websites may: collect data about you; use cookies; embed additional third-party tracking; and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that specific website. I am not in control of data (including emails and texts) which you send me. Apps, such as Facebook, routinely access any information held and this is beyond my control.

TECHNOLOGY USED FOR SERVICES
For transparency, listed below are the technology/services used during the course of offering you professional support, and links to their individual policy notices:
- Dropbox cloud storage (Privacy Notice: https://www.dropbox.com/en_GB/privacy)
- NewZenler (Privacy Notice: https://www.newzenler.com/privacy-policy)
- ProtonMail (Privacy Notice: https://protonmail.com/privacy-policy)
- Signal app (Privacy Notice: https://signal.org/legal)
- SimplyMeet.me (Privacy Notice: https://simplymeet.me/en/policy)
- Telegram app (Privacy Notice: https://telegram.org/privacy)
- TinyLetter app (Privacy Notice: https://www.intuit.com/privacy/statement/)
- WhatsApp app (Privacy Notice: https://www.whatsapp.com/legal/privacy-policy/?lang=en)
- Zoom (Privacy Notice: https://zoom.us/privacy)

Children under the age of 13 
CreaTEAvity (website) is not intended for children under 13 years of age. My professional services are not intended for children under the age of 18.

Security data breaches 
I take the security of data seriously and as such:
- all data is held securely (see details of where data is held above)
- any data transmitted is sent encrypted where possible
- for accounting purposes, password-protected Excel spreadsheets are used

If there is any breach of data security, in my capacity as Data Controller and Processor, I will give full details to the Information Commissioner's Office, and any person affected, within 72 hours of being made aware of the breach. I will do all that is possible to minimise any potential impact.

You have rights with regards to the data held: 
- The right of access. I will provide you with all data held on you within 30 days of your request, unless this is not possible due to holidays or illness.

- The right to rectification. If any data I hold is incorrect, just let me know and it will be amended within 30 days of your request, unless this is not possible due to holidays or illness.

- The right to erasure. If you wish me to erase your data just let me know and I will delete any computer records and shred any paper records as soon as I can following your request (within 30 days, unless this is not possible due to holidays or illness).

NB:
(1) data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, but this does not include case notes, or data such as address/email/phone.
(2) ‘Special Category Data’ needs to be retained, for insurance and legal purposes.

- The right to restrict processing. This would usually be an interim measure before correction of any errors, or before erasure.

- The right to data portability. This may apply if you wish your records to be sent to another therapist, for example, but it is likely that the easiest solution would come under the Right to access provision, i.e. I would send the data to you.

- The right to object to:
  - processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). CreaTEAvity does not engage in these things
  - direct marketing
  - processing for purposes of scientific/historical research and statistics. For this, you must provide clear grounds for your objection
  - automated decision-making and profiling. CreaTEAvity does not engage in automated decision making or profiling.

Cookies
As with most websites, CreaTEAvity uses cookies. A cookie is a small amount of data that is sent to your computer or mobile phone browser from a website’s computer and is stored on your device’s hard drive.

Cookies record information about your online preferences. They help me to understand how visitors engage with my site so that I can improve your online experience. I do not use cookies to collect personally identifiable information about you.

Each website you visit can send its own cookie to your browser if your browser’s preferences allow it. To protect your privacy, your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites.

How to control and delete cookies: you may restrict or block the cookies which are set by our site, or any other site, through your browser settings. You can also set your browser to alert you when a cookie is issued. For more information about cookies and how to manage them: www.aboutcookies.org.

Analytics 
WHO I SHARE YOUR DATA WITH
- Google Analytics is used on this site to help me understand how visitors engage with my content. It collects information anonymously, reporting website trends without identifying individuals. For more information, please visit: Google Analytics privacy and security information - https://marketingplatform.google.com/about/analytics/terms/us/

- Disclosures of your Personal Data. We may be obliged to share your personal data with the parties set out below:

Online Course platform provider Zenler.com - as the data processor of your data. We have entered into a data processing addendum with Zenler to process your data, and this may include their chosen service providers who provide cloud infrastructure, video hosting, live video platforms, email provision, IT and system administration services, for example:
- Amazon
- Eventbrite
- PayPal
- Stripe
- Vimeo
- Zoom

Professional advisers - including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services; Government bodies that require us to report processing activities in certain circumstances; and third parties to whom we sell, transfer, or merge parts of our business or our assets. We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.

International transfers 
We share your personal data within Zenler, which involves transferring your data outside the European Economic Area (EEA). Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.

Many of our third-party service providers are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is implemented:
- Our Online course platform provider (Zenler) is based in the UK, and is our data processor. They have entered into a data processing agreement for the processor to protect your personal data. They will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or where they use certain service providers, they may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe; or where they use providers based in the United States, they may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between the UK, Europe and the USA. Where they use providers based in the United States (for example Amazon, Sendgrid) they may transfer data to them where they have signed data processing addendums for the provider to provide protection of data shared between the UK, Europe and the US.
- If none of the above safeguards are available, we (or Zenler) may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
- Please use the 'Contact Callie' page if you would like further information on the specific mechanism used by Zenler when transferring your personal data out of the EEA; please note this information is not available to hand, and may take some time to retrieve as we would need to request this from Zenler.

WHAT RIGHTS YOU HAVE OVER YOUR DATA
You may request that I erase any personal data I hold about you. This does not include any data I am obliged to keep for administrative, legal, or security purposes. I do not share information with third parties.

Future changes to this privacy notice
CreaTEAvity has the discretion to update this privacy notice at any time.

When I do, the date on this page will be updated. I encourage visitors to frequently check www.createavity.com for any changes to stay informed about how I am helping to protect the personal information I collect.

You acknowledge, and agree, that it is your responsibility to review this privacy policy periodically and check for any modifications yourself.


- Updated 4 January 2023