Marketing Compliance For Wellness Practices
Your practice handles sensitive data every day, and its full of rich valuable stories. We help you harvest its value anonymously, and on solid legal ground.
Your practice handles sensitive data every day, and its full of rich valuable stories. We help you harvest its value anonymously, and on solid legal ground.
Running a practice on borrowed templates is one of those decisions that feels fine right up until a client asks a question you cannot answer. We put the correct paperwork in place before any marketing goes out - so every email, every testimonial, every welcome pack operates on ground solid enough to build on.
We deliver GDPR compliance as a named, finished document set. Four documents: a privacy notice, a consent form, a data retention schedule, and a testimonial consent template - each one written for your practice, before we write a single line of marketing copy.
Regulatory frameworks shift depending on where your clients are based and how your practice is structured. We work across GDPR in the UK and EU, data privacy requirements in the United States, and equivalent frameworks across Asia. Wherever your clients are, your documentation holds up.
Your four documents cover:
Practices often reach us with something patched together from a forum post and a solicitor's website circa 2019. That is not a criticism. It is just how it tends to go. We produce a document set written for practices like yours, reviewed for the frameworks that apply to you, and finished before your next client books in.
"We didn't realise how much of our marketing was resting on documents we'd never actually read."
Getting this right feels like finding the receipt for something expensive.
Our wellness marketing deliveries: services that come into play here:
Supporting services: relevant facets of our approach here are:
We run compliance work as a fixed-term project with a defined deliverable list, a clear timeline, and an actual end point. When the documents are delivered, the project is complete.
Surprising FactBACP's September 2024 guidance classifies session notes as special category data under UK GDPR, making every therapist a data controller - the compliance obligations cover testimonials, email lists, and consent forms, not only clinical records.
You own the documents outright. The fee is fixed, the term is fixed, and the arrangement ends cleanly - the way a good transaction should, rather than silently rolling into your bank statements like a forgotten gym membership.
What the project produces:
Once those land in your inbox, they are yours. Update them when your practice changes. File them. Print them. Frame one if the mood takes you. We are not precious about it.
Fixed scope means fixed expectations - you know what you are getting, when you are getting it, and what happens next. The goalposts stay where they are. The scope stays where it is. The project ends.
The arrangement works like a very good plumber: they come, they fix the boiler, they leave.
Booking hesitation is real. Clients arrive at the point of commitment with questions they hold back - about confidentiality, about data, about what happens to the notes taken during their session.
A clearly structured privacy notice and a written consent process reduce that hesitation. Practices using properly drafted documents see more clients move through the booking stage with confidence. A client reading something clearly written for a practice like yours, covering their situation, is a client who keeps moving forward.
Generic templates have a quality to them - a sort of vague, all-purpose confidence, like a horoscope. Experienced clients spot one immediately.
The documents we produce name your modality. They reference your professional body. They describe your actual intake process. When a prospective client reads your privacy notice and thinks "this is written for me", the booking conversation gets considerably shorter.
Trust, in a therapy or coaching context, builds long before the first session. The paperwork is part of it. A client who felt their data was handled carelessly by a previous practice is reading your documents with that in mind. Give them something worth reading.
A proper privacy notice sits on your website like a well-pressed shirt in a wardrobe.
GDPR compliance sits inside your marketing, not alongside it. Every testimonial you publish, every email you send, every client record you store - each one depends on a lawful basis being documented somewhere. Strip that away and those activities are unlawful. Full stop.
The ICO receives complaints. Some of those complaints come from former clients. A practice without documented consent and a clear data processing record has limited options when that happens.
Here is what compliance makes possible:
Practices sometimes describe compliance as the admin behind the marketing. Call it the permission structure that makes the marketing possible. The welcome sequence, the social proof, the newsletter - all of it rests on this.
Getting GDPR in order is like getting the electrics checked before you redecorate.
BACP ethics guidelines require therapists to handle client data in ways consistent with GDPR. Both frameworks apply simultaneously, and both have expectations about how client information is collected, stored, and used.
A document set written to satisfy both frameworks in one pass means your professional body obligation and your legal obligation are covered by the same paperwork. We wrote it to hold up against both rooms at once.
We work across the major UK and international professional bodies:
Practices sometimes maintain two separate sets of thinking about this - the legal side and the ethics side - as though they are different rooms in the same building. We write documents that treat both frameworks as one coherent structure, because that is what they are when a client raises a concern.
A dual-framework document set works like a good dual-voltage adaptor - one thing, every socket.
It works: real-world examples worth exploring:
Practices often working on their own compliance documents are doing it between nine and eleven at night. With a cold cup of tea. On a browser tab open since Thursday.
Handing this to us means the documents get drafted by people who have read the legislation, understand the professional body requirements, and have produced this kind of documentation before. Expertise you can borrow without having to acquire it.
The late-night compliance session tends to follow a familiar pattern:
The document you eventually publish has usually been through four versions, none of which quite fit, and one of which was definitely written for a dental practice.
We do the work. You get the documents. The evenings go back to being yours. Use them for whatever practices are supposed to do when the working day ends - rest, presumably, or something with a good box set.
Getting this off your plate feels like finally deleting the folder called "ADMIN TO SORT" that has sat on your desktop since 2021.
A client says "feel free to use what I said." Generous. Also legally insufficient in any form that holds up if they later dispute what you published, where you published it, or whether they agreed to it at all.
Written testimonial consent names the client, describes the content approved, and specifies the channels where that content can appear. Records can be produced. Recollections drift.
The testimonial consent template we produce covers:
The ICO has published guidance on this. Professional bodies have ethical positions on it. "She seemed fine with it at the time" satisfies neither.
A proper testimonial consent template protects both the practice and the client - the client knows exactly what they have agreed to, and the practice has the document to show it.
A signed testimonial consent form works like a well-kept till receipt.
Practices sometimes treat these two as interchangeable. They cover different ground. Confidentiality is an ethical obligation - it governs what you share and with whom. GDPR is a legal framework - it governs how you collect, store, and process personal data.
A practice can have a legally compliant GDPR policy and still breach its professional body's ethical code around confidentiality. Treating the two obligations as one leaves gaps wide enough to fall through.
Here is where confusion typically sets in:
Both frameworks ask different questions about the same client data. GDPR asks "is this lawful?" Your professional body asks "is this ethical?" The document set we produce answers both questions simultaneously, so each framework holds up on its own merits.
Getting both frameworks resolved in one document set is like finding out your buildings and contents insurance cover the same house.
UK GDPR Article 6 requires every organisation collecting and processing personal data to have a documented lawful basis for doing so. Email addresses are personal data. Your newsletter list is a personal data processing activity.
A list built on undocumented grounds is running unlawfully - regardless of how engaged the subscribers are, how long they have been on it, or whether anyone has ever complained.
The lawful bases available under UK GDPR include:
Practices often collecting email addresses via a website form are relying on consent. The question is whether that consent meets the standard - unticked by default, tied to a purpose, and logged at the point of collection. Forms inherited from website templates frequently miss this.
We document the lawful basis for your email marketing as part of the compliance project, so the list you are already working hard to grow is also a list you are legally permitted to hold.
A properly documented email list works like a library card.
A meaningful proportion of clients presenting at a new practice have had a previous experience where their data was handled carelessly - a note left visible, a name used publicly without consent, an email sent to the wrong address. They arrive already alert to how you handle this.
Practices with GDPR documentation in order attract a higher share of this group. They read the privacy notice. They notice the consent form. They check whether the testimonials on the website look like the practice asked before publishing them.
This group converts at higher rates. They refer more actively. They tend to stay longer, because the trust was established early and on a firm basis.
A practice displaying well-drafted compliance documentation makes a claim worth making: "We took this seriously before you arrived." That lands differently to a client who has experienced the alternative.
Referrals from this group are particularly warm - they are recommending the work and the sense the practice is run by a team paying close attention to the details that matter.
A properly structured compliance setup works like a clean MOT certificate in the window.
Explore more services in this area further:
Your compliance documents are ready to own - paperwork that holds up, written for your practice, finished before your next client books in. Book a discovery call and leave with a clear picture of exactly what your practice needs.
We love this moment. We have a visual river, a story garden and a listening wind that belong to exactly where you are - and a discovery call over coffee that goes properly both ways. Kettle's on. Milk and sugar?
≡