Last updated: March 2026
Data Controller: Marie-Claude Kacy, ToaSana Nutrition
info@toasananutrition.com

1. Introduction
ToaSana Nutrition is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store and share your personal data when you use our website, submit forms, contact us by email, or engage with our nutritional therapy services.

ToaSana Nutrition is based in France and provides nutritional therapy services to clients worldwide, with a primary focus on clients in the United Kingdom and France. As a result, our data processing activities are subject to the following legal frameworks:

The EU General Data Protection Regulation (EU GDPR) and French data protection law — as we are established in France and supervised by the CNIL (Commission Nationale de l'Informatique et des Libertes).
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 — as we specifically direct services to UK residents.
For clients in other countries, we apply the same high standards of data protection as required by the EU GDPR, which represents one of the most comprehensive data protection frameworks in the world.

This policy applies solely to personal data collected directly by ToaSana Nutrition. If you follow links to third-party websites, their own privacy policies will apply and ToaSana Nutrition is not responsible for their practices.

2. Who We Are (Data Controller)
The Data Controller responsible for your personal data is:

Marie-Claude Kacy — Data Controller
ToaSana Nutrition
Based in France, providing services worldwide
Email: info@toasananutrition.com

As we are established in France, our lead supervisory authority under the EU GDPR is the CNIL. As we also direct services to UK residents, we are additionally subject to the oversight of the UK Information Commissioner's Office (ICO). Clients in other countries may also have rights under their local data protection laws, which we respect and comply with. See Section 15 for complaint contact details.

3. Legal Basis for Processing
We process your personal data on the following legal grounds. For EU and French clients, this is under EU GDPR Article 6. For UK clients, under UK GDPR Article 6. For all other clients worldwide, we apply equivalent standards:

Contract performance: to provide the nutritional therapy services you have requested
Legitimate interests: to manage our business, improve our services and communicate with clients
Legal obligation: to comply with applicable laws and regulations in France and the UK
Consent: where you have given us explicit permission, for example to receive newsletters or marketing communications

Where we process special category data (such as health and dietary information), we do so on the basis of Article 9(2)(h) of EU GDPR and UK GDPR — processing necessary for the provision of health care or treatment — and with your explicit consent.

4. Personal Data We Collect
We collect the following categories of personal data:

4.1 Information you provide directly
Full name and contact details (email address, postal address)
Date of birth and age
Health and medical history (via our initial consultation form)
Dietary habits, lifestyle information and nutritional goals
Payment information (processed securely via Stripe — we do not store card details)

4.2 Information collected automatically
IP address (stored in anonymised format)
Browser type and device information
Geographic location (country level only)
Pages visited, referring domain, date and time of access
Preferred language settings

5. How We Use Your Personal Data
We use your personal data for the following purposes:

To provide and manage your nutritional therapy consultations and services
To process and administer appointments and follow-up care
To send you appointment reminders, programme updates and relevant health information
To process payments and issue receipts
To respond to your enquiries and communications
To comply with our legal and regulatory obligations
To improve the quality and functionality of our website and services
For statistical and analytical purposes (using anonymised or aggregated data only)

6. Sharing Your Personal Data
We do not sell, rent or trade your personal data. We may share your data only in the following limited circumstances:

Service providers: trusted third-party platforms we use to deliver our services, principally Practice Better for secure client management and records, and Stripe for payment processing. All providers are contractually bound to protect your data and may not use it for their own purposes.
Professional referrals: with your explicit consent, we may share relevant information with your GP or other healthcare professionals for the purpose of coordinating your care.
Legal requirements: where we are legally required to disclose information, for example by a court order or regulatory authority.

All third-party processors are required to maintain appropriate technical and organisational security measures and to process data only on our documented instructions.

7. International Data Transfers
As ToaSana Nutrition is based in France and provides services worldwide, personal data may be transferred internationally. We handle these transfers as follows:

France to UK (and vice versa):
Transfers between the EU and the UK are lawful under the European Commission's adequacy decision of June 2021, which recognises the UK as providing an equivalent level of data protection to the EU GDPR.

France/EU to other countries worldwide:
Where we transfer data to countries outside the EU/EEA and UK, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
UK International Data Transfer Agreements (IDTAs) where applicable
Transfers only to countries recognised by the European Commission as providing adequate protection
Use of providers holding recognised data protection certifications, including Practice Better (HIPAA, GDPR) and Stripe (PCI DSS Level 1, ISO 27001, SOC 2 Type II, EU GDPR, UK GDPR)

Regardless of where you are located, we apply the same high standards of data protection to all clients worldwide.

8. How Long We Keep Your Data
We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law:

Active client records: retained for the duration of your engagement with ToaSana Nutrition and for 7 years thereafter, in line with HMRC requirements and professional indemnity obligations.
Prospective client enquiries (where no consultation takes place): retained for up to 12 months.
Financial and payment records: retained for 7 years in accordance with UK tax law and French accounting obligations (Article L123-22 Code de Commerce).
Marketing consent records: retained until you withdraw your consent.

After the applicable retention period, your data is securely deleted or anonymised.

9. Cookies
Our website uses cookies to improve your browsing experience. Cookies are small text files placed on your device that help us understand how visitors use our site.

We use the following types of cookies:

Essential cookies: necessary for the website to function correctly. These cannot be disabled.
Analytical cookies: allow us to understand how visitors interact with our site (e.g. Google Analytics). These are only activated with your consent.
Functionality cookies: remember your preferences to personalise your experience.

You can manage your cookie preferences at any time via the cookie consent banner on our website. You may also configure your browser to reject cookies, though this may affect certain features of the site.

For full details of the cookies we use, please refer to our separate Cookie Policy available on our website.

10. Your Rights Under UK GDPR
Under UK data protection law, you have the following rights regarding your personal data:

Right of access: to request a copy of the personal data we hold about you (Subject Access Request).
Right to rectification: to request correction of inaccurate or incomplete data.
Right to erasure: to request deletion of your personal data, subject to certain legal exceptions.
Right to restriction: to request that we limit the processing of your data in certain circumstances.
Right to data portability: to receive your data in a structured, machine-readable format.
Right to object: to object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us in writing at info@toasananutrition.com. We will respond within 30 days. There is no fee for standard requests.

11. Marketing Communications
With your consent, we may send you newsletters, health tips, event invitations and relevant promotional information. You may withdraw your consent and opt out of marketing communications at any time by:

Clicking the unsubscribe link in any marketing email
Emailing us directly at info@toasananutrition.com with a request to opt out

Opting out of marketing will not affect the delivery of service-related communications such as appointment confirmations.

12. Security of Your Data
We take the security of your personal data seriously. Measures we have in place include:

All client data is stored and managed via Practice Better, a HIPAA and GDPR-compliant platform with encrypted, cloud-based infrastructure, automatic backups and 24/7 security monitoring.
Practice Better maintains industry-standard certifications and handles all data securely on your behalf under a Data Processing Agreement with ToaSana Nutrition.
Payment processing is handled via Stripe, certified to PCI DSS Level 1, ISO 27001 and SOC 2 Type II, and fully compliant with EU GDPR and UK GDPR. ToaSana Nutrition does not store any payment card details.
Access to client records is protected by secure login credentials and is restricted to ToaSana Nutrition staff only.

In the unlikely event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) without undue delay and within 72 hours where required by law.

13. Links to Third-Party Websites
Our website may contain links to external websites. This Privacy Policy applies solely to ToaSana Nutrition and does not cover third-party sites. We encourage you to read the privacy policies of any website you visit before providing your personal data.

14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. Any changes will be posted on this page with the updated date shown at the top. Where changes are significant, we will notify you by email or by a prominent notice on our website.

15. How to Make a Complaint
If you have a concern about how we handle your personal data, please contact us first at info@toasananutrition.com. We will do our best to resolve your concern promptly and within 30 days.

If you remain unsatisfied, you have the right to lodge a complaint with a supervisory authority. The relevant authority depends on your location:

For clients based in the United Kingdom — ICO (Information Commissioner's Office):
Website: www.ico.org.uk
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

For clients based in France and EU — CNIL (Commission Nationale de l'Informatique et des Libertes):
Website: www.cnil.fr
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

For clients based elsewhere in the world:
You may contact either authority above, or lodge a complaint with your local data protection authority. We will cooperate fully with any investigation.


ToaSana Nutrition · info@toasananutrition.com
Last updated: March 2026 · Registered Data Controller

Privacy Policy