This privacy policy applies between you, the user of this website and/or recipient of our services, and Anthrobotanica Limited, the owner and provider of this website. Anthrobotanica takes the privacy of your information very seriously. This privacy policy applies to our use of any and all personal data collected by us or provided by you in relation to your use of the website and/or in the course of receiving our services.

This privacy policy should be read alongside, and in addition to, our Terms of Engagement (clinic patients) and Terms and Conditions of Sale.

Please read this privacy policy carefully.

This privacy policy was last updated on 10 February 2026.

1. Definitions and Interpretation

In this privacy policy, the following definitions are used:

Term Definition
Anthrobotanica, us, or we Anthrobotanica Limited, a company incorporated in England and Wales with registered number 08637734 whose registered office is at 12 Hatherley Road, Sidcup, United Kingdom, DA14 4DT and whose trading address is 12 The Dove Centre, 109 Bartholomew Road, London NW5 2BJ.
Cookies A small text file placed on your computer or device by this website when you visit certain parts of the website and/or when you use certain features of the website. Details of the cookies used by this website are set out in section 12 below.
Data Protection Laws The UK General Data Protection Regulation (UK GDPR) as retained under the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations 2003 (PECR) as amended, together with any successor or replacement legislation.
Special Category Data Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person’s sex life or sexual orientation, as defined in Article 9 of the UK GDPR.
User or you Any third party that accesses the website and is not either (i) employed by Anthrobotanica and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to Anthrobotanica and accessing the website in connection with the provision of such services.
Website The website that you are currently using, https://anthrobotanica.com, and any sub-domains of this site unless expressly excluded by their own terms and conditions.
   

In this privacy policy, unless the context requires a different interpretation: the singular includes the plural and vice versa; “including” is understood to mean “including without limitation”; reference to any statutory provision includes any modification or amendment of it; and the headings and sub-headings do not form part of this privacy policy.

2. Scope of this Privacy Policy

This privacy policy applies to all personal data collected and processed by Anthrobotanica, whether through this website, during consultations (whether in person, by telephone, or by video), through our practice management systems, by email or other correspondence, or by any other means. It does not extend to any third-party websites that can be accessed from this website, including any links we may provide to social media websites. You are advised to read the privacy policies of any third-party websites before providing them with your personal data.

For the purposes of the Data Protection Laws, Anthrobotanica is the data controller. This means that Anthrobotanica determines the purposes for which, and the manner in which, your personal data is processed.

3. What we do

Anthrobotanica provides naturopathy, nutritional therapy, herbal medicine, and functional medicine services to clients to improve their health through diet, lifestyle, and therapeutic interventions. We focus on preventative healthcare, the optimisation of physical and mental health, and the management of chronic health conditions. Through consultation, dietary and lifestyle analysis, and functional testing, we aim to understand the underlying causes of your health concerns, which we will seek to address through personalised dietary therapy, nutraceutical prescription (supplements), herbal medicine, and lifestyle advice. We also provide consulting services, workshops, mentoring, and educational programmes.

4. Data Collected

We may collect the following data, which includes personal data and Special Category Data, from you:

  1. name and date of birth;
  2. contact information such as email addresses, telephone numbers, and postal address;
  3. next of kin or emergency contact details;
  4. information provided on contact forms, intake forms, and health questionnaires;
  5. information provided to make purchases, including payment details (processed and stored by our payment provider Stripe – we do not store your full card details);
  6. details of contact we have had with you, such as referrals, appointment requests, and correspondence;
  7. health information, including previous medical history, current symptoms, dietary and lifestyle details, supplement and medication details, functional testing results, genetic data, clinical notes, and health improvement plans;
  8. GP and other medical or healthcare provider contact details;
  9. information about your use of our website, including IP address, browser type, and browsing behaviour; and
  10. any other information you provide to us in the course of receiving our services;

in each case, in accordance with this privacy policy.

5. How we obtain your Personal Data
Information provided by you
You provide us with personal data in a number of ways, including:

  • by completing a nutritional therapy, naturopathic, or functional medicine questionnaire or intake form;
  • by signing our Terms of Engagement;
  • during a consultation (whether in person, by telephone, or by video);
  • through email, over the telephone, by post, via our website or via our messaging portal
  • by making credit card, debit card, or online payments;
  • when you register with us and set up an account to receive our services;
  • when you complete surveys that we use for research purposes (you are not obliged to respond to them);
  • when you enter a competition or promotion through a social media channel;
  • when you elect to receive marketing communications from us; and
  • when you provide us with genetic data, test results, or other health information.

Information we receive from third parties
We may receive data about you from the following third-party sources:

  • Functional testing companies. We receive test results from laboratories and testing providers in order to provide you with clinical services.
  • Other healthcare providers. We may obtain information from your GP, specialist, or other healthcare providers. We will only do so with your express consent. If we do not receive this consent, we will not be able to coordinate your care with other providers, which may affect the effectiveness of the healthcare we provide.
  • Third-party supplement and product providers. Where we are involved in processing a supplement order or verifying authorisation with a third-party provider, we may receive limited data in connection with that transaction.
  • Payment providers. Stripe, our payment processor, may share limited transaction data with us in connection with payments you make.

Information collected automatically
When you access the website, we collect certain data automatically, including:

  • your IP address, browser type, device type, screen size, operating system, and preferred language;
  • the date, times, and frequency with which you access the website, and the way you use and interact with its content;
  • geographic location (country only); and
  • cookies, in line with the cookie settings on your browser (see section 12 below).

We use analytics software to help us understand how visitors use the website. This software may use cookies and similar technologies to collect data about user behaviour and devices.

This data is stored in a pseudonymised form, and our analytics providers are contractually prohibited from selling any data collected on our behalf.

6. Lawful Bases for Processing your Personal Data
We process your personal data on the following lawful bases under Article 6 of the UK GDPR:

  • Performance of a contract (Article 6(1)(b)): where the processing is necessary to provide you with the clinical services you have engaged us to deliver, or to take steps at your request prior to entering into a contract.
  • Legitimate interests (Article 6(1)(f)): where the processing is necessary for our legitimate interests in running and improving our practice, provided these interests are not overridden by your rights and freedoms. This includes internal record keeping, service improvement, and practice administration.
  • Consent (Article 6(1)(a)): where you have given us your consent to process your data for a specific purpose, such as receiving marketing communications. You may withdraw consent at any time.
  • Legal obligation (Article 6(1)(c)): where we are required to process your data to comply with a legal obligation, such as financial record keeping for HMRC.
  • Vital interests (Article 6(1)(d)): in exceptional circumstances where we believe your life or the life of another person is in danger.

Special Category Data
Health data, genetic data, and certain other types of personal data are classified as Special Category Data under Article 9 of the UK GDPR and require an additional condition for processing beyond the Article 6 lawful bases above. We process your Special Category Data under the following conditions:

  • Explicit consent (Article 9(2)(a)): where you have given us explicit consent to process your health data for the purposes of providing you with clinical services. This consent is obtained when you sign our Terms of Engagement and complete your intake forms.
  • Health or social care purposes (Article 9(2)(h), read with Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018): where the processing is necessary for the provision of health care or treatment, or the management of health care systems and services, and is carried out by or under the responsibility of a health professional who is subject to a duty of confidentiality.

Where you provide us with genetic data (for example, from providers such as Genomic Insight or similar), this is also Special Category Data and will only be processed with your explicit consent. Genetic information is held confidentially and securely in accordance with this privacy policy.

7. How we use your Personal Data
We use your personal data for the following purposes:

  • providing you with clinical services, including consultations, health assessments, treatment plans, supplement and herbal prescriptions, and follow-up care;
  • managing your appointments and programme schedule;
  • communicating with you about your care, including sending clinical notes, test results, and appointment reminders;
  • processing payments and managing invoicing;
  • internal record keeping and practice administration;
  • improvement of our services;
  • complying with our professional, regulatory, and legal obligations, including record keeping for HMRC;
  • responding to complaints and resolving disputes;
  • sharing anonymised case histories with peers for professional development purposes (only with your explicit consent – see section 8 below); and
  • sending you marketing communications where you have consented to receive them.

We may use your data for the above purposes where we deem it necessary for our legitimate interests, provided your rights are not overridden. If you are not satisfied with this, you have the right to object in certain circumstances (see section 10 below).

We may also use your personal data where there is an overriding public interest in doing so, for example in order to safeguard an individual or to prevent a serious crime, or where there is a legal requirement such as a formal court order.

Marketing Communications
We will only send you direct marketing communications by email where we have your consent. This may be:

  • Soft opt-in consent: where you have previously engaged with us (for example, you have been a client or contacted us about our services), and we are marketing similar services. Under soft opt-in consent, we will take your consent as given unless you opt out.
  • Explicit consent: for all other marketing, we will obtain your explicit, affirmative consent (for example, by you ticking a consent box).

You may withdraw your consent to marketing communications at any time by clicking the unsubscribe link in any marketing email, or by contacting us at  .

8. Who we share your Data with
We keep your information confidential. We will only disclose your information with other third parties with your express consent, with the exception of the following categories of third parties:

  • Our staff and associates: employees, contractors, locum practitioners, and professional advisors who assist in delivering our services to you, on the understanding that they are bound by confidentiality obligations.
  • Third-party service providers: companies that provide services to us which require the processing of personal data, including:
    • Stripe – payment processing
    • Intake Q – practice management, appointment scheduling, and invoicing
    • Zoom – video consultations
    • Heidi – medical scribe
    • Functional testing laboratories – processing and returning test results
    • Supplement and herbal dispensary providers – order fulfilment (we do not share sensitive health information with supplement companies
    • Email marketing platform – for marketing communications only, where you have consented
    • Analytics providers – for website usage analysis (data is pseudonymised)
  • Our registrant body (CNHC) and professional association (BANT): only where necessary for the processing of a formal complaint made by you.
  • Any contractors and advisors that provide a service to us or act as our agents, on the understanding that they keep the information confidential.
  • Anyone to whom we may transfer our rights and duties under any agreement we have with you.
  • Any legal or crime prevention agencies and/or to satisfy any regulatory request (for example, CNHC) if we have a duty to do so or if the law allows us to do so.

We will not include any sensitive health information when sharing data with supplement companies. Testing companies provide us with results as part of your direct healthcare.

We will seek your express consent before sharing your information with your GP or other healthcare providers. However, if we believe that your life is in danger then we may pass your information onto an appropriate authority (such as the police, social services in the case of a child or vulnerable adult, or your GP in case of self-harm) using the lawful basis of vital interests.

We may share your case history in an anonymised form with our peers for the purpose of professional development. This may be at clinical supervision meetings, conferences, online forums, and through publishing in medical journals, trade magazines or online professional sites. We will always seek your explicit consent before discussing your case in this way, even in anonymised form.

All third-party service providers who process data on our behalf are contractually bound to process your data only on our instructions and to maintain appropriate security measures. A current list of our third-party processors is available on request from  .

9. What safeguards are in place to ensure data that identifies you is secure?
We only use information that may identify you in accordance with the Data Protection Laws. This requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare. We will protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it). We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Anthrobotanica is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website at https://ico.org.uk (search by business name).

In the event of a suspected personal data breach, we will assess the risk to your rights and freedoms and, where required, notify the ICO within 72 hours in accordance with Article 33 of the UK GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay in accordance with Article 34 of the UK GDPR.

If you suspect any misuse, loss, or unauthorised access to your data, please contact us immediately at  .

10. What are your Rights?

Every individual has the right to see, amend, delete or have a copy of data held that can identify them, with some exceptions. You do not need to give a reason to see your data.

Under the Data Protection Laws, you have the following rights in relation to your personal data:

  • Right of access – the right to request a copy of the personal data we hold about you. We will not charge a fee for this unless your request is manifestly unfounded or excessive. If we refuse your request, we will tell you the reasons why.
  • Right to rectification – the right to have your data corrected if it is inaccurate or incomplete.
  • Right to erasure – the right to request that we delete your data. Please note that we may not be able to comply with this request where we have a legal or regulatory obligation to retain the data (for example, clinical records during the retention period).
  • Right to restrict processing – the right to request that we limit the way we use your data.
  • Right to data portability – the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance from us.
  • Right to object – the right to object to our processing of your data, including where we process it on the basis of legitimate interests.
  • Rights relating to automated decision-making – we do not carry out any automated decision-making or profiling that produces legal or similarly significant effects.

If you want to access your data, you must make a subject access request in writing to  . Under special circumstances, some information may be withheld. If an exemption under the Data Protection Act 2018 applies, we will explain this to you in writing.

We shall respond within one calendar month from the point of receiving the request and all necessary information from you, including formal identification to verify your identity. We will keep any identification requests proportionate and will not ask for more information than is reasonably necessary. Our response will include the details of the personal data we hold on you, including:

  • sources from which we acquired the information;
  • the purposes of processing the information; and
  • persons or entities with whom we are sharing the information.

To exercise any of the above rights, or to withdraw your consent to the processing of your data (where consent is the lawful basis), please contact the Data Controller, Carolina Brooks, at:

Anthrobotanica Limited

12 The Dove Centre, 109 Bartholomew Road

London NW5 2BJ

Email:  

11. How long do we hold your information for?
Clinical records (including consultation notes, health improvement plans, test results, and clinical correspondence) are retained for 8 years from the date of your last appointment. This retention period enables us to respond to any clinical queries, process any formal complaints, and comply with our professional and regulatory obligations.

  • Financial records (including invoices and payment records) are retained for 7 years in accordance with HMRC requirements.
  • Marketing consent records are retained for as long as you remain subscribed to our communications, and for 12 months thereafter to evidence that consent was given.

After the relevant retention period, your data will be securely deleted or anonymised.

Even if we delete your data, it may persist on backup or archival media for a limited period for legal, tax, or regulatory purposes.

12. Website technical details
Cookies

This website uses cookies to improve your experience and to help us understand how the website is used. All cookies used by this website are used in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) as amended.

Before the website places non-essential cookies on your device, you will be presented with a notice requesting your consent. By giving your consent, you enable us to provide a better experience and service. You may deny consent to the placing of non-essential cookies; however, certain features of the website may not function fully or as intended.

This website uses the following categories of cookies: strictly necessary, performance, targeting, and functionality. A full list of the cookies we use, including the cookie name, provider, expiration period, and purpose of each cookie, is available on our separate cookies page at https://anthrobotanica.com/info/cookies/. We keep this list under regular review. If you think we have missed a cookie or there is any discrepancy, please let us know at  .

We do not use cookies to collect private or personally identifiable information. Most web browsers allow some control of cookies through the browser settings. You can choose to enable or disable cookies, and you can delete cookies at any time, although you may lose certain personalisation settings. To find out more about cookies, including how to manage and delete them, visit www.allaboutcookies.org. To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.

Forms

We use electronic forms on our website making use of an available forms module which has a number of built-in features to help ensure privacy. We also aim to use secure forms where appropriate.

Analytics

Like most websites, we make use of analytics software in order to help us understand the trends in popularity of our website and of different sections. We make no use of personally identifiable information in any of the statistical reports we use from this software. Any analytics software we use stores information on our behalf in a pseudonymised form and is contractually forbidden to sell any of the data collected on our behalf.

13. Transfers outside the United Kingdom
Some of the third-party service providers we use (including Stripe, Zoom, and certain functional testing laboratories) may store or process your data in countries outside the United Kingdom.

We will only transfer your data outside the UK where it is compliant with the Data Protection Laws and where one of the following safeguards is in place:

  • the receiving country has been deemed to provide an adequate level of protection for personal data by the UK Secretary of State;
  • the transfer is covered by a UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses;
  • the transfer is made under the UK-US Data Bridge (for organisations in the United States that have self-certified under the UK Extension to the EU-US Data Privacy Framework); or
  • another appropriate safeguard recognised under the Data Protection Laws is in place.

To ensure that your data receives an adequate level of protection, we have put in place appropriate safeguards and contractual arrangements with the third parties we share your data with. Details of the safeguards in place for any specific transfer are available on request from  .

14. Links to other websites
This website may, from time to time, provide links to other websites. We have no control over such websites and are not responsible for the content of these websites. This privacy policy does not extend to your use of such websites. You are advised to read the privacy policy or statement of other websites prior to using them.

15. Changes of business ownership and control
Anthrobotanica may, from time to time, expand or reduce our business, which may involve the sale and/or transfer of control of all or part of the business. Personal data provided by users will, where relevant to any part of the business being transferred, be transferred along with that part. The new owner or controlling party will, under the terms of this privacy policy, be permitted to use the data for the purposes for which it was originally provided.

We may also disclose data to a prospective purchaser of our business or any part of it. In the above instances, we will take steps to ensure your privacy is protected.

16. Complaints
If you have a complaint regarding the use of your personal data, please contact us by writing to the Data Controller, Carolina Brooks, at the address set out in section 10 above, or by email at  , and we will do our best to help you.

We will acknowledge your complaint within 30 days in accordance with the Data (Use and Access) Act 2025, and will aim to resolve it within 20 working days. If we are unable to resolve your complaint within this timeframe, we will write to you explaining the reason for the delay and the expected timeframe for resolution.

If your complaint is not resolved to your satisfaction and you wish to make a formal complaint to the Information Commissioner’s Office (ICO), you can contact them on 0303 123 1113 or through their website at https://ico.org.uk.

17. General

  • You may not transfer any of your rights under this privacy policy to any other person. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be affected.
  • If any court or competent authority finds that any provision of this privacy policy (or part of any provision) is invalid, illegal, or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions will not be affected.
  • Unless otherwise agreed, no delay, act, or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
  • This privacy policy is governed by and interpreted according to the law of England and Wales. Disputes may be submitted to the jurisdiction of the courts of England and Wales or, where you live in Scotland or Northern Ireland, in the courts of Scotland or Northern Ireland respectively.

18. Changes to this Privacy Policy

Anthrobotanica reserves the right to update this privacy policy from time to time as may be necessary or as required by law. Any changes will be posted on the website, and you are deemed to have accepted the terms of the updated privacy policy on your first use of the website following the changes.

This privacy policy was last updated on 10th February 2026.

You may contact Anthrobotanica by email at   or by post to:

Anthrobotanica Limited

12 The Dove Centre, 109 Bartholomew Road

London NW5 2BJ

Telephone: +44 203 996 1891