Privacy Notice

Your privacy is of the utmost importance to us. We diligently run our operations in line with the General Data Protection Regulations 2018 (GDPR), ensuring fair personal data processing.

I (Suki Carpenter) have created this privacy notice so you can clearly read how "we" (Suki and Naoko) use, gather and process individual data.

Please read the information below, as it explains how we obtain/collect your data, the steps we take to protect and secure it, how we process your personal data and, with explicit consent, how we share it.


Who we are

White Willow Health & Beauty is situated inside Essensuals Toni & Guy NW3, 15 Harben Parade, Finchley Road, Swiss Cottage, London, NW3 6JP.

We are a holistic, beauty and wellness salon that offers a variety of holistic and beauty, face and body treatments and we stock quality home care products.

The owner and therapist, Suki Carpenter, is the data controller and processor for all your personal data and you can contact her on 0203 8860 890 or


Privacy information

We regularly review and, where necessary, update our privacy information and regulations, and take measures to ensure that the information you provide to us is secured and respected with the strictest of confidence.

We undertake up-to-date industry practices and use an information audit to find out what personal data we hold and what we do with it, ensuring your sensitive data cannot be accessed by unauthorised persons, nor can it be altered, destroyed, disclosed or misused.

We put ourselves in the position of the people we're collecting information about and we think of how we can avoid doing anything that may have unjustified adverse effects on them.

We use information in a way that people would expect by carrying out research and user testing to evaluate how effective our privacy information is and how their data is being used.

If we plan to use any personal data for a new purpose, we update our privacy information and communicate the changes to the individual before starting any new processing.


How we collect personal data

We identify the lawful purposes for the information we collect from you and gather individual data by legal and reasonable means and, where fitting, with the information or assent of the individual concerned.

Consultation Forms

We collect the following data on individualised, hand-written consultation cards before any treatment session, with your consent and your signature required. Your treatment and the date you came in will be recorded for legal records, and the cards are stored securely in a file and locked away. I (Suki) can only access the consultation forms that you have had with me, and my associate, Naoko, does the same with her own record cards.

Personal data

  • Your Name
  • Your Address
  • Date of Birth
  • Your Email Address (opt-in / opt-out)
  • Your Telephone Number

Sensitive personal data

  • Medical history
  • Any allergies
  • Medications
  • Supplements
  • Skin care and body care routines and products
  • GP and doctors surgery

Outside sources

If we obtain personal data from a source other than the individual it relates to, we provide the person with information on how and why we obtained the person's data:

  • within a reasonable period of time, no later than one month; or,
  • if we plan to communicate with the individual, at the latest, when the first communication takes place; or,
  • if we plan to disclose the data to someone else, at the latest, when the data is disclosed.

For example: The hair salon provides me with your name and contact details because you have requested them to do so to make an enquiry or a booking with us etc.

Our website

Our website uses cookies to collect your IP Address and information about what pages are accessed and when. Please scroll down to view our Cookie Policy below for more information. 


We use Mailchimp (an email marketing service) to help us create and send promotional emails to our subscribers. Mailchimp is purely a data processor and under no circumstance does it have authority to use your data for its own personal gain. Please scroll down to our cookie policy for more information on Mailchimp data processing.

Our regular emails are not created or sent through Mailchimp, so they do not involve their cookies.


Google uses unidentifiable cookies on our website. These cookies help to remember information about your visit, like your preferred language and other settings, which can help make your next visit more useful and easier for you to use.

Please scroll down to see our cookie policy for more information.


Why do we collect your data

We collect personal data to a minimum and only where the information is absolutely necessary. It is a legal obligation and a contract that allows us to collect data to issue client agreements and to supply services and products.

Email address

Collecting an email address is on an opt-in consent basis for the data subject, and we clearly state the options for being processed on the record card. We provide tick boxes of yes and no with specific options for receiving information from us, which requires a signature if you wish to opt in. You can opt out of receiving information from us at any time by emailing

Personal data and sensitive personal data on consultation forms

It is of "vital interest" and "legal obligation" that we know the data subject's sensitive personal data so we can carry out treatments with your health and safety being a priority.

It is a "legal obligation" that we make a record of your treatments and we protect your "vital interests" by updating any physical or mental health changes.

The data we collect on record cards is confidential and we do not share it with anyone unless we have explicit consent from you.

The information we hold secure will be accurate and up to date. You are free to check the information that we hold about you at any time. Inaccuracies in information will be corrected or erased immediately upon discovery.


We use personal data to provide existing, prospective and past clients with information on our services, newsletter, hints and tips and special offers via email and/or text messages.

We justify this with the "consent" lawful basis, and we will always ask for explicit consent, with a clear opt-in via record cards or email, before sending our information by email and/or text message.

We offer an opt-out function for those who no longer want to hear from us this way either by clicking our obvious unsubscribe button on our emails or by sending us an email at

CCTV and Security

Essensuals Toni and Guy NW3 use CCTV on their premises, justified under the "legitimate interest" lawful basis, but we (White Willow Health & Beauty) do not take any responsibility for the use of their CCTV.


Who will my data be shared with?

We do not share, sell or trade any personal information with any third parties unless explicit consent has been given.

If you book in with my associate Naoko for a treatment, your personal information will not be shared with her. To make a booking with Naoko, you can do so through me or I can give you her contact details. Naoko is GDPR compliant and will not share your personal data with anyone.

We are careful with who we share personal data with and do so to run our business and provide you with our services. This could mean sharing your information with our agencies and their partners who help us to run our business with services and who are all GDPR compliant.

We have a duty to share data with relevant legal authorities to comply with legal obligations if ever a situation arises. If the public authorities ask us to disclose your personal data because of any request, including but not limited to national security or law enforcement requests, we will be under a legal obligation to do so.

As required by law, we may disclose personal data to respond to legal processes such as a court order, to establish and exercise our legal rights, or to defend against legal claims.

In the event of any illegal activities, a potential threat to the physical safety of a person, or suspected fraudulent activities, we will contact the relevant law enforcement if we believe it necessary.


In case of a data breach

We aspire to Data Protection by Design and have put robust measures in place so that we should be able to detect, investigate and report a data breach, whether electronic or physical, should one occur. Under Recital 87 of the GDPR, we will quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it.

A data breach may result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.

If a high-risk data breach occurs, we will write to every person whose data may have been breached at the earliest practical opportunity, telling the individuals involved the effects of the breach, how it occurred and how we will resolve it, and then notify the ICO within 72 hours.

We would fully investigate a data breach and implement corrective measures to prevent it happening again.

We may contact you electronically regarding security, privacy and our administrative issues relating to the use of our services. By using our services or providing us with personal information, you are giving consent to us to communicate with you, and if a security breach occurs, we may send you an email at the email address you gave us or text you if you didn't supply an email address.

We cannot guarantee or warrant that the data you transmit to us over the internet is 100% safe; non-sensitive information, e.g. your email address, is normally sent over the internet without encryption technology. We cannot guarantee the security of this information you provide to us, so you provide it at your own risk. When we receive your transmission, we ensure security on our systems.


Duration Period of Data Holding

As a legal contract, we will store your record cards for a minimum of seven years.

Emails and written correspondence, both sent and received, will be properly deleted after a year of being processed.

Allergy tests are kept for up to four years.

Financial receipts are kept for six years.


Your Rights as an individual (Principle 6)

  • a right of access to a copy of the information comprised in their personal data; 
  • a right to object to processing that is likely to cause or is causing damage or distress; 
  • a right to prevent processing for direct marketing; 
  • a right to object to decisions being taken by automated means;
  • a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
  • a right to claim compensation for damages caused by a breach of the Act.


Policy info

We may update this Privacy Notice from time to time and we reserve the right to revise, adjust or update this policy at any time in order to reflect legal or regulatory reasons.

We will notify you via email or text message of any amendments or updates involving the way we store, process and treat your personal data, but please feel free to re-visit this policy regularly to stay informed.

If you would like to alter or delete any personal information we hold about you or if you have any questions or request more information about our Privacy Policy, do not hesitate to get in touch with us:

Write to us:

White Willow Health & Beauty, Essensuals Toni & Guy, 15 Harben Parade, Finchley Road, Swiss Cottage, London NW3 6JP


Calling us: 0203 8860890

The date at the bottom of the Privacy Notice indicates when it was last updated.

Updated Monday 21st May 2018

Cookie Policy

Cookies are small sequences of letters and numbers that websites store on a device. They are widely used in order to make websites work, or work more efficiently.

They provide information to us on how we can improve our visitors’ browsing experience because they help websites remember preferences and understand how people use different features.

Cookies are unidentifiable to an individual so your privacy is secure.

They can play an important role in your browsing experience and without them, using the web would be a much more frustrating experience.

Essential cookies

  • Name  Crumb

    Expires  Session

    Function  Prevents cross-site request forgery (CSRF). CSRF is an attack vector that tricks a browser into taking unwanted action in an application when someone’s logged in.


  • Name  RecentRedirect

    Expires  30 minutes

    Function  Prevents redirect loops if a site has. Redirect loops are bad for SEO.


  • Name  Popup-overlay

    Expires  Persistent

    Function  Prevents the Promotional Pop-Up from displaying if a visitor dismisses it.


  • Name  Squarespace-announcement-bar

    Expires  Persistent

    Function  Prevents the Announcement Bar from displaying if a visitor dismisses it.



We use Mailchimp (email marketing service), which automatically places single pixel gifs, also known as web beacons, in every email sent by its users. These are tiny graphic files that contain unique identifiers that enable Mailchimp and its users to recognise when their subscribers have opened an email or clicked certain links. These technologies record each subscriber's email address, IP address, date, and time associated with each open and click for a campaign. We use this data to create reports so we know how an email campaign performed and what actions subscribers took, to better improve our services to you. You have the right to opt out and unsubscribe by emailing explaining that you would like to come off our Mailchimp mailing list. We store this information on a "consent" and "legal obligation" basis so that we are reminded to avoid sending you Mailchimp emails again. You have the right to be forgotten altogether and we will need this as a written request via


Analytical and performance cookies

  • Name  ss_cid

    Expires  2 years

    Function  Identifies unique visitors and tracks a visitor’s sessions on a site.


  • Name  ss_cvr

    Expires  2 years

    Function  Identifies unique visitors and tracks a visitor’s sessions on a site.


  • Name  ss_cvisit

    Expires  30 minutes

    Function  Identifies unique visitors and tracks a visitor’s sessions on a site.


  • Name  ss_cvt

    Expires  30 minutes

    Function  Identifies unique visitors and tracks a visitor’s sessions on a site.


  • Name  ss_cpvisit

    Expires  2 years

    Function  Identifies unique visitors and tracks a visitor’s sessions on a site.


  • Name  ss_cookieAllowed

    Expires  30 days

    Function  Remembers if a visitor agreed to placing Analytics cookies on their browser if a site is restricting the placement of cookies.

  • Name  __ga (Google Analytics)

    Expires  2 years

    Function  Helps us to understand how our visitors engage with our properties. It may use a set of cookies to collect information and report website usage statistics without personally identifying individual visitors to Google.

Your rights to Cookies

You have the power to modify and block some or all Cookies in your internet browser settings and prevent websites from storing Cookies onto your system. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

You can set up a notification pop-up on your internet browser when you visit a website that may attempt to install a Cookie. You can also delete the Cookies stored on your computer, just visit: and follow the instructions provided.

Cookie Policy info

We may update this Cookie Policy from time to time in order to reflect, for example, changes to the cookies we use or for other operational, legal or regulatory reasons. Please therefore re-visit this Cookie Statement regularly to stay informed about our use of cookies and related technologies.

The date at the bottom of this Cookie Policy indicates when it was last updated.

Updated Monday 21st May 2018