1. Introduction
Cosmos & Holly is a baby wellness business providing baby massage classes to parents and carers in the Market Deeping, Deeping St James, Stamford, and Peterborough areas. I am committed to protecting the privacy of everyone who engages with me.
This policy explains how I collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
By using my services or communicating with me, you confirm that you have read and understood this policy.
2. Who I Am
I, Harriet-Rose Rutherford-Ellis, trading as Cosmos & Holly, am the data controller for personal data collected through my services and communications.
- Business name: Cosmos & Holly
- Practitioner: Harriet-Rose Rutherford-Ellis
- Email: cosmosandholly@outlook.com
- Instagram: @cosmosandholly
- Operating area: Market Deeping, Deeping St James, Stamford, and surrounding Peterborough area
3. What Personal Data I Collect
3.1 Data You Provide to Me
When you book a class, contact me, or complete any of my forms, I may collect:
- Full name and contact details (email, phone number)
- Your baby's name, date of birth, and age
- Health information you voluntarily share about you or your baby relevant to safe participation in sessions
- Location information (address, for home visit sessions only)
- Payment information (processed securely through third-party providers — I do not store card details)
- Photography and social media consent preferences
3.2 Data Collected Automatically
When you visit my website or social media profiles, basic analytics data may be collected automatically by third-party platforms such as Instagram and Google, subject to their own privacy policies.
3.3 Special Category Data
Health information about you or your baby is classified as special category data under UK GDPR and receives a higher level of protection. I only collect this where you voluntarily provide it for safety purposes.
4. How I Use Your Data
I use your personal data only for the following purposes:
- To process bookings and manage class attendance
- To communicate with you about classes, scheduling, and cancellations
- To send information about my services where you have opted in
- To ensure the safety and wellbeing of all attendees during sessions
- To maintain records required for my professional practice and insurance
- To respond to enquiries and provide support
- To comply with any legal obligations
I will never use your data for automated decision-making or profiling.
5. My Legal Basis for Processing
- Contract performance — to provide the services you have booked
- Legitimate interests — for service updates and maintaining safety records, where this does not override your rights
- Consent — for marketing communications and for processing health information. You can withdraw consent at any time
- Legal obligation — where I am required to process data to comply with the law
7. How Long I Keep Your Data
- Booking and attendance records: 3 years from last engagement
- Health and safety records: 7 years, or until your child reaches 18 (whichever is longer)
- Financial records: 6 years in accordance with HMRC requirements
- Marketing consent records: until you withdraw consent, plus 1 year
- General enquiry communications: 12 months from date of enquiry
When data is no longer needed it is securely deleted or anonymised.
8. Your Rights Under UK GDPR
- Right of access — request a copy of the data I hold about you
- Right to rectification — ask me to correct inaccurate or incomplete data
- Right to erasure — request deletion of your data, subject to legal exceptions
- Right to restrict processing — ask me to limit how I use your data
- Right to data portability — receive your data in a structured, commonly used format
- Right to object — object to processing where I rely on legitimate interests
To exercise any of these rights, contact me at cosmosandholly@outlook.com. I will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.
9. Children's Data
As a baby wellness business I necessarily collect some data about the babies who attend my sessions. This is always provided by a parent or carer. I collect only the minimum information necessary to run sessions safely and do not build profiles on children.
Parents and carers retain full rights over data provided about their children and may exercise any of the rights in Section 8 on behalf of their child.
10. Photography, Video & Social Media
I may occasionally take photographs or videos during sessions for use on my website, Instagram, or promotional materials. I will always:
- Ask for your explicit written consent before taking or using any identifiable images
- Allow you to withdraw consent at any time
- Remove previously published images upon request, where technically possible
I will never share identifiable images of children without the express written consent of their parent or carer.
11. How I Keep Your Data Secure
I use appropriate technical and organisational measures to protect your data, including:
- Storing digital records in password-protected accounts and devices
- Using reputable, UK/EEA-compliant third-party tools
- Using secure, encrypted communication channels where possible
- Regularly reviewing my data handling practices
In the event of a data breach that is likely to result in a risk to your rights and freedoms, I will notify the ICO within 72 hours and inform you without undue delay.
12. International Transfers
Some third-party tools I use may store data outside the UK. Where this occurs I ensure appropriate safeguards are in place in accordance with UK GDPR, such as Standard Contractual Clauses or transfers to countries with UK adequacy decisions. Contact me for further information.
13. Cookies
I do not currently operate a website. If I launch a website in the future, I will publish a separate Cookie Policy explaining how cookies are used. I will only ever use analytical or marketing cookies with your prior consent in accordance with PECR.
14. Changes to This Policy
I may update this Privacy & GDPR Policy from time to time. When I do, I will notify clients by email or via my Instagram account @cosmosandholly, and the version number and date at the top of this page will be updated accordingly. You can always request the most current version by emailing me directly.
15. Contact Me
If you have any questions about this Privacy & GDPR Policy or wish to exercise your rights, please get in touch:
- Email: cosmosandholly@outlook.com
- Instagram: @cosmosandholly
- I aim to respond to all queries within 5 working days