GDPR brought in new legal protection for personal information from May 2018. This tells you what personal information I gather via my website and why, and what your rights are. 
 
What information I hold and what I do with it

In order to provide professional reflexology treatments, I will need to ask for and keep information about your health. I will only use this to inform treatments and any advice I give as a result of your treatment. The following information needs to be held:
Your contact details.
Your medical history and other health-related information (which I will take from you at your first consultation).
Treatment details and related notes (which I will take after each consultation)
I will NOT share your information with anyone else (other than within my own practice, or as required for legal process) without explaining why it is necessary and obtaining your explicit consent.

Lawful Basis for holding and using Information

As a Fellow member of the Association of Reflexologists (AoR), I abide by the Codes of Practice and Ethics of those organisations.
The lawful basis under which I hold and use information is my legitimate interest, and the requirement to retain the information in order to provide the best possible treatment for clients.
As I hold ‘special category data’ (health-related information), the Additional Condition under which I hold and use this is to fulfil my health care practitioner role, bound under the AoR Confidentiality code as defined in the AoR Code of Practice and Ethics.

How Long I Retain Your Information for

I will keep your information for the period of 8 years from your last appointment, in accordance with the requirements of CNHC of which I am a registrant and to fulfil insurance requirements. 
In the case of a child, records need to be kept until the child is 25 (or 26, if they were 17 when treated). 

Protecting Your Personal Data

I am committed to ensuring that your personal data is secure. In order to prevent unauthorised access or disclosure, I have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information I collect from you.
I will contact you using the contact preferences you give me in relation to: 
Appointment times.                                                                                                     
Reflexology information or information related to your health or for treatment information and promotions (you may unsubscribe from this at any time).                 
Your data will not be transferred outside the EU without your consent. 

You may ask to see my records of your personal information to check and correct or add to them, if you think this is needed. You may let me know if there are any aspects of what you have told me that you do not want me to use or you can advise in what ways you’d like me to use them. In some circumstances, you can request a copy of personal information held electronically, so you can reuse it in other systems. 

Practitioner’s rights - Please note:

GDPR allows you the right to erasure. However, as I have to keep your records of treatment for a certain period, as detailed above, this may mean that even if you ask me to erase your details, I might have to keep them until after that period has passed.
If you don’t agree to me keeping records of information about you and your treatments, or if you don’t allow me to use the information in the way I need to for treatments, I may not be able to treat you.