Data Protection Policy

Version: 2.0

Effective Date: June 2026

Review Date: June 2027

Policy Owner: Data Protection Officer

This policy applies to: chehomeopathy.com, cheonline.co.uk, the CHE mobile application, and all related services operated by CHE Health and Wellbeing Ltd.

Data Controller: CHE Health and Wellbeing Ltd  |  ICO Registration: ZB035578

Data Protection Officer: Marcus Fernandez  |  [email protected]

1. Introduction

CHE Health and Wellbeing Ltd and its subsidiaries — CHE Online Ltd, CHE London Ltd and CHE Pro Ltd (together “CHE”, “we”, “us”) — are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). This policy sets out our obligations as a data controller and the rights available to you.

The Data Protection Act 2018 supplements the UK GDPR and together these constitute the primary data protection legislation in the United Kingdom following Brexit. Non-compliance can result in significant fines (up to £17.5 million or 4% of annual global turnover, whichever is higher), enforcement action, and reputational damage.

2. Scope

This policy applies to:

  • All personal data processed by CHE in any format (digital or paper).
  • All staff (employees, contractors, freelancers, volunteers and associates).
  • All CHE entities: CHE Health and Wellbeing Ltd (group holding company), CHE Online Ltd, CHE London Ltd and CHE Pro Ltd.

3. Data Protection Principles

Under UK GDPR (Article 5), all personal data must be:

  • Processed lawfully, fairly and transparently.
  • Collected for specified, explicit and legitimate purposes and not further processed incompatibly.
  • Adequate, relevant and limited to what is necessary (data minimisation).
  • Accurate and kept up to date.
  • Kept no longer than necessary (storage limitation).
  • Processed securely (integrity and confidentiality).

The data controller (CHE) is responsible for demonstrating compliance with these principles (accountability).

4. Lawful Bases for Processing

CHE processes personal data on the following lawful bases, depending on the processing activity:

  • Contract performance: to deliver educational services to students.
  • Legal obligation: to comply with statutory requirements (e.g. HMRC, accreditation bodies).
  • Legitimate interests: for business administration, security, fraud prevention and analytics.
  • Consent: for marketing communications and optional data collection. Consent records are maintained.
  • Vital interests: in emergency situations involving health and safety.

5. Special Category Data

CHE may process special category data (UK GDPR Article 9) such as health information (e.g. medical certificates for deferral applications, disability-related adjustments). This is processed only where:

  • Explicit consent has been obtained, or
  • Processing is necessary for obligations or rights in the field of employment and social security law, or
  • Processing is necessary for the provision of health or social care.

Special category data is subject to heightened security controls and access restrictions.

6. Data Subjects' Rights

You have the following rights in relation to your personal data, which you can exercise by contacting our Data Protection Officer. We will respond within one calendar month.

  • Right of access: request a copy of the personal data we hold about you (Subject Access Request).
  • Right to rectification: ask us to correct inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data in certain circumstances.
  • Right to restriction: ask us to limit how we process your data.
  • Right to portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Right to complain: lodge a complaint with the ICO at ico.org.uk or on 0303 123 1113.

7. Data Sharing & Third Parties

CHE shares personal data with third-party processors only where:

  • There is a lawful basis for doing so.
  • A Data Processing Agreement (DPA) or equivalent contract is in place.
  • The processor provides sufficient guarantees about their security measures.

Key processors include: Stripe, PayPal, Kajabi, Thinkific, ActiveCampaign, ConvertFlow, and Xero. A Register of Processors is maintained by the DPO.

8. International Data Transfers

Transfers of personal data outside the UK are subject to UK GDPR Chapter V. CHE uses Standard Contractual Clauses (SCCs) and/or relies on ICO adequacy decisions/regulations to protect such transfers. The DPO maintains records of all international transfers.

9. Data Retention

Personal data is retained in accordance with CHE’s Retention Schedule, which is reviewed annually. Key periods are set out in the Privacy Policy. Data that is no longer required is securely deleted or anonymised.

10. Security

CHE takes appropriate technical and organisational measures to ensure data security, including:

  • Encryption of personal data at rest and in transit.
  • Access controls and multi-factor authentication for systems containing personal data.
  • Regular staff training on data protection and information security.
  • Incident response procedures for data breaches.

11. Data Breach Procedure

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

If you believe your personal data has been subject to a breach, please contact our Data Protection Officer immediately at [email protected].

12. Data Protection Officer (DPO)

CHE has appointed a Data Protection Officer: Marcus Fernandez ([email protected]). The DPO is responsible for monitoring compliance, providing advice, and acting as the contact point for the ICO.

13. Records of Processing Activities

In accordance with Article 30 UK GDPR, CHE maintains a Record of Processing Activities documenting all personal data processing we carry out. This record is reviewed and updated at least annually, and is available to the ICO on request.

14. Privacy by Design & Default

Data protection is considered at the design stage of all new projects, systems and processes. Data minimisation, pseudonymisation and appropriate access controls are applied as a default.

15. Your Responsibilities

When you interact with our services, you have a responsibility to:

  • Provide accurate and up-to-date personal information to us.
  • Keep your account login credentials confidential and notify us immediately of any suspected unauthorised access.
  • Not provide us with personal data belonging to another person without their knowledge and consent.
  • Update us promptly if any personal information you have provided changes.

16. Policy Review

This policy is reviewed annually, or sooner in response to significant legal or operational changes, by the DPO and Senior Management Team.

17. Contact

Data Protection Officer: Marcus Fernandez