03/08/20 : Please see the home page for current COVID updates.

Portsmouth Massage is committed to protecting your privacy. This policy statement explains this. Portsmouth Massage’s Data Protection Policy gives details about how data is handled. Both under the pre-existing UK Data Protection Act, ICO registration, and under the new GDPR. It includes details on how your sensitive information will be protected and used. The personal health information you provide during your consultations with Portsmouth Massage are classified as 'special category data' in the GDPR.

Portsmouth Massage and Quiddity Holistics are trade names for Kirsten McFarlane, GHT Massage Therapist, Sole Trader. Kirsten McFarlane is the sole Data Controller and Data Processor. In 2018 Portsmouth Massage will transition from Portsmouth Massage to Quiddity Holistics. Kirsten McFarlane is registered with the Information Commissioners Office (ICO) and in compliance with the new guide to the General Data Protection Regulation (GDPR). Kirsten McFarlane is certified and insured with The Guild of Holistic Therapists (MGHT) with insurance coverage for Treatments, Public and Product Liability for £6 million and with an additional endorsement for the Data Protection Act.

What information is collected for appointments and queries:

Portsmouth Massage only collects data directly provided by you in relation to each appointment booking, given with your consent for specific use by Portsmouth Massage: The ‘special category data’ - e.g. personal medical information which you provide - will only be used for the management of treatment and appointment bookings, professional regulatory requirements, in order to provide you the best experience, the most appropriate treatment, and to meet legal and insurance requirements.

Portsmouth Massage is required to maintain professional standards in all areas of my practice which includes record keeping and the safe storage of my documents. When you book your first appointment you will be asked to complete a medical and consent questionnaire giving consent for Portsmouth Massage to hold and process the information that you have provided in accordance with my policies and procedures. Only information necessary for the provision of the highest quality therapy services is taken and stored with your consent. This is updated as needed on future sessions, and the client can make updates at any time by phone, email or text message.

The information you provide will include: full name, address, contact phone and email details, date of birth, any information you provide in relation to your treatment(s), treatment logs, how you found Portsmouth Massage, if you will be driving for your appointments, medical and therapy history, medication and injury information relevant to appointments and treatment planning.

Client records (medical and appointment information) are held for 10 years from your most recent appointment, for professional legal and insurance requirements. For children under 16, the data will be held for 10 years from the year they reach adulthood.

The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). Portsmouth Massage will need be given consent from a person holding ‘parental responsibility’ for children under 16 as their legal representative. Portsmouth Massage uses the age of 16 as the age for consent for therapies without parental consent or supervision, for 16-18 year olds parents are generally encouraged to remain in the therapy room for sessions and to supervise entry of medical consultation records.

Client record data is collected directly from you, with your consent, via an secure online form, or on paper in person, by phone or text message. Any paper records are kept in a locked cabinet at Portsmouth Massage. Digital records are password secured on my electronic devices. Portsmouth Massage ensures that personal data is held securely. This includes protecting data against unauthorised or illegal use and against accidental loss, destruction or damage.

If there is a security breach which is likely to result in damage to a person’s reputation, financial loss, loss of confidentiality, or major financial or social disadvantage, Portsmouth Massage will notify the ICO. If the breach is likely to result in a high risk to the rights and freedoms of individuals, Portsmouth Massage will also contact individuals directly and without undue delay.

How your personal data will be used and why:

  • To process any orders that you make by online, or via third party companies (E.g. Treatwell). If Portsmouth Massages doesn’t collect your personal data during checkout, we won’t be able to process your order and comply with our legal obligations. For example, your details may need to be kept for a reasonable period afterwards in order to fulfil any contractual obligations such as refunds, guarantees and so on.
  • To respond to your queries, refund requests and complaints. Handling the information you sent enables a response. Portsmouth Massage may also keep a record of these to inform any future communications. This on the basis of my contractual obligations to you, my legal obligations and my legitimate interests in providing you with the best service and understanding how to improve services based on your experience.
  • To protect my business and your account from fraud and other illegal activities. This includes using your personal data to maintain, update and safeguard your account.
  • Service Communications: Communications required by law or which are necessary to inform you about our changes to the services we provide you: For example, updates to this Privacy Notice, and legally required information relating to your bookings or purchases. These service messages will not include any promotional content and do not require prior consent when sent by email or text message. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations.
  • To process your booking/appointment requests

Card Transactions: Portsmouth Massage's PCI DSS compliance certificate is managed by Sage Pay. Portsmouth Massage does not gather, retain or process sensitive data for card payments. All card payments data is processed externally through the full transaction by Sage Pay (Card Reader), Pay Pal or mobile banking services. Portsmouth massage regularly monitors systems for possible vulnerabilities and attacks, and carry out penetration testing to identify ways to further strengthen security.

Portsmouth Massage uses Sage Pay Card Reader. Portsmouth massage uses standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to merchant's payment processor to take customers' payment card information. The POI device does not rely on any other device (e.g., computer, mobile phone, tablet, etc.) to connect to the payment processor. Portsmouth Massage does not collect card holder data, nor does Portsmouth Massage share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)


Portsmouth Massage does not pass on your details to any other third party, company or individual for their marketing, commercial or private use without your express permission. Portsmouth Massage is a sole trader, and no information is shared with any rented therapy centres, rooms, venues or corporative offices where therapies may be held, e.g. no client information is shared with Salix Health and Wellbeing Centre.

Clients may post reviews themselves directly on Google or the Portsmouth Massage Facebook page, I may copy these reviews to the Portsmouth Massage website for marketing purposes. If I post client reviews or case studies on social media sites or the Portsmouth Massage website that names a client, I will first ask for consent before using any of your information for marketing purposes.


The parties with whom Portsmouth Massage may share your personal information:

1. In the event that you or I believed a consultation with a medical or other alternative medicine practitioner is advisable, I will ask your consent to discuss your case before doing so.

Under the following circumstances I would be professionally and legally obligated to share relevant information with appropriate agencies with or without your consent:

1. Banking partners including but not limited to credit card issuers and banks processing your orders and transactions.

2. Credit bureaus and collection agencies to the degree the law allows.

3. The government, law enforcement, or other third parties if I need to do so in order to meet the requirements set by law or court order; or if I reasonably believe that the sharing of your personal information is necessary to report any concern for safety or wellbeing, suspected unlawful activity or to investigate potential or existing breaches of my policies and code of conduct.

Links to third party websites:

The Portsmouth Massage website may have links to and from other websites. These links are provided to you only as a convenience and the inclusion of any link does not imply endorsement of the relevant website by Portsmouth Massage. If you follow a link to any of these websites, please note that they have their own privacy policies and that Portsmouth Massage does not accept any responsibility or liability for these policies or those linked websites. Please check these policies before you submit any personal information to such websites.

The Portsmouth Massage privacy policy only applies to this website. Portsmouth Massage is listed in Treatwell and Spafinder Directories. Clients may make bookings through Treatwell for Portsmouth Massage. Treatwell's GDPR policy will cover any data you provide via the Treatwell website. Treatwell shares the information you provided them with Portsmouth Massage in order to fulfil your bookings. The treatwell privacy policy for clients who book massages via Treatwell can be viewed at https://www.treatwell.co.uk/info/privacy-policy/ 

Marketing Communications: Keeping in touch & your preferences: 

Portsmouth Massage would like to keep in touch with you on occasion with information about new therapies, news or special offers that may be of interest to you. If you would like to receive such mailings please contact Portsmouth Massage to be added to the mailing list. You can be removed from the mailing list at anytime, please contact Portsmouth Massage by email, text or phone to update your preferences. Mailings are rarely sent, and regular updates to information and services are posted on this website, on the Portsmouth Massage Google Page, and on the Portsmouth Massage Facebook page.

Portsmouth Massage may contact you from time to time with any issues related to your account, to respond to any queries you may have, or to bring you offers and other notifications. The form of contact may be via voice calls, emails, or text messages (SMS) using the contact information that you have provided. 

Data collected when you submit a query: To respond to email questions, Portsmouth Massage needs your name and email address. Your contact details submitted in communications or queries on the Portsmouth Massage website form, via direct email, text message etc. will be kept by the administrator and be used for communication purposes with you, and not shared with any third parties. Portsmouth massage does not keep any unnecessary data from our customers/enquirers. 

Removal of your data: You can at any time opt in or out of marketing communications at any time. If you would like your details deleted from my records when we have completed our communication, then please email Portsmouth Massage. Portsmouth Massage will verify your identity with an email to your stored email address and then comply with your request.

Please note that if you have had an appointment, records will not be deleted until 10 years from your last appointment - as stipulated above.


You have a right to

  • Rectify your personal data when incorrect, out of date or incomplete.
  • Request a copy of the information Portsmouth Massage holds on you at any time.
  • You can request a copy of your data records by the contact form, direct email, text or phone. Records will be provided within one month.


Portsmouth Massage does not currently use website cookies or analytical services such as google analytics. If at anytime Portsmouth Massage starts to use site cookies you will be asked to give consent for use when you visit the website.


Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.


This privacy policy has been designed to enable Portsmouth Massage to give you an optimal experience securely as reasonably possible. The policy is subject to change as the business evolves. Any changes to this policy will be updated on this website. When updated, Portsmouth Massage will take appropriate measures to inform you, consistent with the significance of the changes made. Portsmouth Massage will obtain your consent to any material Privacy Policy changes if and where this is required by applicable data protection laws.

Should you have any questions or comments regarding this policy you are more than welcome to contact Portsmouth Massage.

More information on GDPR can be found at: 

Information Commissioners Office. 

General Data Protection Regulation.