Privacy policy

CazMcNaz Hypnotherapy
 Effective Date: 07/01/2026

CazMcNaz Hypnotherapy ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using our services, you acknowledge and consent to the practices described in this policy.

1.   Data Controller

CazMcNaz Hypnotherapy is the data controller responsible for the personal data collected and processed under this policy. For any privacy-related inquiries, you can contact us at [email protected]. We have not appointed a Data Protection Officer (DPO), and all privacy matters are handled directly by CazMcNaz Hypnotherapy.

2.   Personal Data Collected

We collect and process personal data based on your interactions with CazMcNaz Hypnotherapy. The type of data collected depends on whether you sign up for our free lead magnet or purchase a paid digital product.

When you sign up for our free lead magnet, we collect your name and email address to provide access to the content and to send marketing emails if you have opted in. This data is collected with your explicit consent.

When you purchase a digital product, we collect your name, email address, billing address, and payment details. Payment details are processed securely through platforms such as Stripe, PayPal etc., and we do not store or have access to full payment card information. This data is collected under the legal basis of contract necessity, as it is required to process your transaction and grant you access to the purchased content.

All personal data is collected directly from you at the time of sign-up or purchase. We do not obtain data from third-party sources, and we do not process any special category data, such as health information, biometric data, or sensitive personal details.

3.   Legal Basis for Processing Personal Data

Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for processing personal data. The legal basis depends on the nature of the data processing and the purpose for which it is collected.

For individuals who sign up for our free lead magnet, we process name and email address under the legal basis of consent. By voluntarily providing this information and opting in via a checkbox, you give explicit consent for us to send you marketing emails. You may withdraw your consent at any time by contacting [email protected] or using the unsubscribe option provided in emails.

For customers who purchase a paid digital product, we process name, email address, billing address, and payment details under the legal basis of contract necessity. This data is essential for completing the transaction, delivering the purchased content, and providing customer support. Without this data, we would be unable to fulfil our contractual obligation to provide access to the purchased product.

We do not process any special category data (such as health information) and do not rely on automated decision-making in our data processing activities.

4.   How We Use Personal Data

We process personal data for specific purposes that are necessary to provide our services, fulfil legal obligations, and enhance user experience. The purposes for which we may process personal data include:

●       Providing access to digital products – To process purchases, deliver access to our paid and free digital products, and manage customer accounts.

●       Processing payments – To facilitate transactions securely through platforms such as Stripe and generate purchase confirmations.

●       Communicating with users – To send emails regarding purchase confirmations, product access, account updates, and customer support inquiries.

●       Marketing communications – To send promotional emails to users who have explicitly opted in, informing them of new products, special offers, or relevant content.

●       Managing customer support requests – To assist with product access issues, refund inquiries, and general customer service interactions.

●       Complying with legal obligations – To maintain financial transaction records for tax, accounting, and regulatory compliance purposes.

●       Preventing fraud and ensuring security – To monitor transactions for fraudulent activities and to protect our services from misuse or unauthorised access.

We do not use personal data for behavioural tracking, profiling, automated decision-making, or selling to third parties. All data processing is conducted in accordance with the UK GDPR and the Data Protection Act 2018.

5.   Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The retention periods for different categories of data are as follows:

●       Free lead magnet sign-ups (name and email address): Retained until the user withdraws consent or requests deletion.

●       Paid product customers (name, email, billing address, and payment details): Retained for a minimum of six years to comply with legal obligations related to tax, accounting, and financial record-keeping, as required by HM Revenue & Customs (HMRC).

●       Customer support inquiries: Retained for up to 12 months from the last communication to resolve queries and provide ongoing support.

If a user requests deletion of their data, we will erase personal data unless we are legally required to retain it for regulatory compliance, fraud prevention, or dispute resolution purposes. Where data must be retained for legal or accounting reasons, it will be securely stored and access restricted.

All personal data will be securely deleted once it is no longer required for legal or operational purposes. Users may request deletion or access to their stored data at any time by contacting [email protected].

6.   Third-Party Data Sharing

We do not sell, rent, or trade personal data with third parties for marketing or commercial purposes. However, we may share personal data with trusted third-party service providers to facilitate essential business operations, comply with legal obligations, and improve our services. Any third parties we engage with are required to comply with UK GDPR and implement adequate security measures to protect personal data.

We may share personal data under the following circumstances:

●       Payment Processing: We share necessary billing and payment information with trusted third party payment processors, including Stripe, Paypal or Other in use with our secure payment processor, to process transactions. We do not store or have access to full payment card details.

●       Email Marketing Services: We use FEA Create to manage and send marketing emails to users who have opted in. This ensures email communications are handled securely and efficiently.

●       Legal and Regulatory Compliance: We may disclose personal data if required to do so by law, court order, or regulatory authorities, such as HM Revenue & Customs (HMRC), to comply with tax, anti-fraud, or financial reporting obligations.

●       Fraud Prevention and Security: We may share data with fraud detection and cybersecurity services to prevent fraudulent transactions and unauthorised access to our platform.

●       Business Transfers: In the event of a business sale, merger, or acquisition, personal data may be transferred to the acquiring entity, provided that it remains subject to the protections outlined in this Privacy Policy.

●       Service Providers and IT Infrastructure: We may share personal data with IT and cloud storage providers for secure data hosting, backup, and system maintenance. These providers are contractually obligated to comply with data security and confidentiality standards.

7.   Marketing & Email Communication

We only send marketing emails to individuals who have explicitly opted in, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). We do not send unsolicited marketing emails or share marketing data with third parties.

We collect and process personal data for marketing purposes under the following conditions:

●       Lead Magnet Sign-Ups: When users sign up for our free lead magnet, they must provide explicit consent by ticking an opt-in checkbox before receiving marketing emails. This ensures full compliance with UK GDPR.

●       Paid Product Customers: Customers who purchase digital products may receive transactional emails related to their purchase and access, as well as marketing emails about similar products and services. This processing is based on legitimate interest, as permitted under PECR. Customers can opt out at any time.

We may send the following types of emails:

●       Transactional Emails: Purchase confirmations, product access details, customer support responses, and service-related notifications.

●       Marketing Emails: Promotions, new product announcements, special offers, and relevant updates. These emails are only sent to users who have provided consent.

●       Customer Support & Service Communications: Responses to user inquiries, product issue resolutions, and other direct communication related to user requests.

Users can opt out of marketing emails at any time by:

●       Clicking the "Unsubscribe" link in any marketing email.

●       Sending an opt-out request to [email protected].

Opting out of marketing emails does not affect the receipt of essential transactional emails, such as purchase confirmations and customer support responses.

We retain marketing preferences until the user withdraws consent or requests data deletion. Upon opt-out, we will immediately cease marketing communications but may retain a minimal record of the request to ensure compliance with do-not-contact lists.

All marketing emails are managed through FEA Create, our email marketing provider, which complies with UK GDPR and implements security measures to protect user data.

8.   Your Data Protection Rights

Under the UK General Data Protection Regulation (UK GDPR), individuals have specific rights regarding their personal data. We are committed to upholding these rights and ensuring transparency in how we handle personal information.

Users have the following data protection rights:

●       Right to Access – You have the right to request a copy of the personal data we hold about you and receive details on how it is processed.

●       Right to Rectification – You have the right to request corrections if any of your personal data is inaccurate or incomplete.

●       Right to Erasure ("Right to be Forgotten") – You can request that we delete your personal data where it is no longer necessary for the purpose it was collected, or if you withdraw consent.

●       Right to Restrict Processing – You have the right to request that we limit the processing of your personal data under certain conditions, such as if you contest its accuracy or object to its processing.

●       Right to Data Portability – You can request a copy of your personal data in a structured, commonly used, and machine-readable format to transfer it to another service provider.

●       Right to Object – You can object to the processing of your personal data for direct marketing purposes or under certain lawful bases, such as legitimate interest.

●       Right to Withdraw Consent – Where we rely on consent to process your data, you have the right to withdraw this consent at any time without affecting the lawfulness of processing prior to withdrawal.

●       Right to Lodge a Complaint – If you believe your rights have been violated, you have the right to file a complaint with the Information Commissioner's Office (ICO), the UK's data protection authority. More details are available at www.ico.org.uk.

To exercise any of these rights, users may submit a request by emailing [email protected]. We will respond within one month of receiving a valid request, in accordance with UK GDPR. If the request is complex or requires an extension, we will inform you of any necessary delays.

We may request proof of identity before processing certain requests to ensure that personal data is only disclosed to the rightful owner.

9.   Data Security

We implement technical and organisational measures to protect personal data from unauthorised access, loss, or misuse. While we take all reasonable precautions, data transmission over the internet is not entirely secure, and users provide data at their own risk.

10.   International Data Transfers

We do not transfer personal data outside the UK. If any third-party providers process data outside the UK, we ensure that they comply with UK GDPR standards through appropriate safeguards, such as UK-approved standard contractual clauses (SCCs).

11.    Updates to This Privacy Policy

We may update this Privacy Policy to reflect legal or operational changes. The latest version will always be available on our website or upon request. Continued use of our services after an update constitutes acceptance of the revised policy.

12.   Contact Us

If you have any questions or concerns about this Privacy Policy or your personal data, please contact us at [email protected].

Last Updated: 07/01/2026