My name is Sarah Flower and my website is

This privacy policy explains how I use the personal data I collect from you.

I am the data controller and you can contact me at

What personal data I collect and why I collect it



I collect your name, address, email address, telephone number, date of birth and medical history.  This information is not shared outside of this organisation in any way and is strictly confidential, accessible only by myself.  The information is stored on paper and not electronically.  I may share information via email between myself and you.  This information is necessary to provide safe herbal treatment and to maintain contact with you when required.

With your consent I may write to your GP, or other medical professional, if we agree that it would benefit your overall medical care.

There may be occasions where I need to make a disclosure without your consent.  This will only happen if I feel there is serious danger to yourself or others.  I will always seek the advice of the National Institute of Medical Herbalists (NIMH), of which I am a member, first.  For further information about NIMH please see their website here.

I keep your medical notes for 7 years from the last consultation.  For minors I keep medical notes until they are 25 years old (7 years after they turn 18 years old).  Paper medical notes are destroyed by shredding.


If you contact me by email I do not share your details outside of our organisation.  I may keep emails for future reference but I do not keep them for longer than necessary.


Payments are currently taken electronically using PayPal.  Please visit their privacy hub here.


When visitors leave comments on the site I collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: After approval of your comment, your profile picture is visible to the public in the context of your comment.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

There is an online contact form on the website that you may choose to use.  I collect your name and email address so that I may respond to your query.


Facebook: I use Facebook advertising. Facebook’s own Data policy can be found here: This data is used for targeted advertising to potential or existing customers based on similar demographics. We market products, services or offers based on previously viewed content. Facebook uses cookies to gather this data. Facebook has multiple opt-out options under your account settings to opt out of its advertising.

Instagram: I use Instagram to post marketing activity, and I may occasionally use the paid advertising service to target users based on demographics. I promote products, services and offers  – this is all run through the Facebook Advertising platform.

Google Ads: I occasionally use paid advertising through Google Ads to promote products, services and offers to target users based on demographics.  The Google Ads privacy policy can be found here:


If you sign up to my newsletter I collect your name and email address.  You can unsubscribe at any time by clicking on the unsubscribe button at the bottom of the newsletter.  I use MailerLite to create my newsletter.  MailerLite’s privacy policy can be found here: Privacy Policy – MailerLite


There are cookies in use on this website.  To view the cookie policy please visit our cookie policy page

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.


This website uses Google Analytics.  Google Analytics is a web analytics service offered by Google that tracks and reports website traffic.  We use this data to help us understand how people use our site.  How Google uses data when you use our partners’ sites or apps

Who I share your data with

I do not share your data with anyone outside of this organisation that has not already been disclosed above.

How long I retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so I can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on this website (if any), I also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Please note that I keep medical notes for a minimum of 7 years.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data I hold about you, including any data you have provided to us. You can also request that I erase any personal data I hold about you. This does not include any data I am obliged to keep for administrative, legal, or security purposes.

If you wish to exercise these rights please contact Sarah Flower by email:  If you make a request, I have one month to respond to you.

Where I send your data

Visitor comments may be checked through an automated spam detection service.

Additional information

How I protect your data

I am a qualified Medical Herbalist and I am fully trained in the General Data Protection Regulation (GDPR) and adhere to a strict confidentiality code of conduct.  All medical disclosure is treated with the strictest confidence.  For marketing and analytical purposes I only use companies that have full and robust data protection protocols in place.

What data breach procedures I have in place

In the event of a data breach I will notify you and the Information Commissioner’s Office (ICO).  As data processors we are registered with the ICO.  For further information on GDPR and the ICO please follow this link:

What third parties I receive data from

I use anonymised analytical data from Google Analytics and Facebook.

What automated decision making and/or profiling I do with user data

I use analytical data to help target our marketing and to improve website users’ experience.