PRIVACY POLICY
Your privacy matters to us. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under UK data protection law. Please read it carefully.
Drops of Gold: Infant Feeding Support Services
Dionne Grogan IBCLC RN HV | Croydon & South London | Last updated: June 2026
1. Who We Are and How to Contact Us
Drops of Gold: Lactation Services is operated by Dionne Grogan IBCLC RN HV as a sole trader providing lactation and infant feeding support services in Croydon, South London and online. For the purposes of UK data protection law, Dionne Grogan is the Data Controller.
2. About Us
Service provider: Dionne Grogan IBCLC RN HV
Trading as: Drops of Gold: Infant Feeding Support Services
Service area: Croydon, South London and surrounding areas (in-person); UK-wide (online)
Email: dropsofgolduk@gmail.com
Website: www.dropsofgolduk.com
For any privacy-related queries, subject access requests, or to exercise any of your rights listed below, please contact us at dropsofgolduk@gmail.com.
2. ICO Registration
As a business that processes special category health data, Drops of Gold is registered with the Information Commissioner's Office (ICO) as required under the UK GDPR and Data Protection Act 2018. Our ICO registration details are available on the ICO public register at www.ico.org.uk. If you have concerns about how we handle your data that we have been unable to resolve, you have the right to make a complaint directly to the ICO (see Section 12).
3. What Personal Data We Collect
3.1 Data You Provide Directly
We collect the following categories of personal data when you contact us, make a booking, or use our services:
Category Examples
Contact details
Your name, email address, telephone number, home address (for in-home visits)
Booking information
Date, time, and type of consultation booked; payment information (processed securely via our booking platform)
Health and feeding data
Birth history, feeding history, details of any medical conditions or medications relevant to feeding, your baby's weight and feeding patterns — this is special category (sensitive) data
Your baby's information
Name, date of birth, weight, feeding history
Communication records
Emails, WhatsApp messages, and notes from consultations
Consultation records
Assessment findings and the personalised feeding plan prepared following your session
3.2 Data Collected Automatically
When you visit our website (www.dropsofgolduk.com), our website provider (Squarespace) may automatically collect certain technical data, including your IP address, browser type, pages visited, and time spent on the site. This is used for website analytics and security. Please see Section 9 (Cookies) for further details.
4. Lawful Basis for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:
Lawful Basis
When We Rely on It
Contract (Article 6(1)(b))
To fulfil our agreement with you — booking management, delivering consultations, providing your feeding plan, processing payment, and communicating about your appointments.
Legitimate Interests (Article 6(1)(f))
For business administration, keeping accounting records, responding to enquiries from prospective clients, and improving our services.
Legal Obligation (Article 6(1)(c))
Where we are required to process or retain data to comply with a legal obligation, such as safeguarding duties or financial record-keeping requirements.
Vital Interests (Article 6(1)(d))
In emergency situations where processing is necessary to protect the vital interests of you or your baby.
4.1 Special Category (Health) Data
Your health and feeding data — and your baby's health data — is classified as 'special category data' under UK GDPR. This type of data receives additional protections and requires a specific condition for processing.
We process your health and feeding data on the following bases:
Explicit Consent (Article 9(2)(a)): You will be asked to give explicit written consent to the processing of your health data before your consultation begins, via our client intake and consent form.
Health and Social Care (Article 9(2)(h)): Processing is necessary for the purposes of preventive or occupational medicine and the provision of health or social care, carried out by a regulated health professional.
You have the right to withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing carried out before the withdrawal, and in some cases we may need to retain certain records to fulfil our legal obligations.
5. How We Use Your Personal Data
We use the personal data we collect for the following purposes:
To manage your booking and appointment
To deliver lactation consultation services and provide your personalised feeding plan
To process payment for services
To communicate with you before, during, and after your consultation
To refer you to other healthcare professionals where necessary, with your knowledge
To maintain accurate clinical records of the support provided
To comply with our legal and professional obligations as an IBCLC
To fulfil any safeguarding duties where required by law
To improve the quality of our services (using anonymised information only)
To respond to enquiries from prospective clients
6. Who We Share Your Data With
We do not sell, rent, or share your personal data for marketing purposes. We may share your data only in the following limited circumstances:
6.1 Healthcare Referrals
Where a referral to another healthcare professional (such as your GP, health visitor, or midwife) is in your or your baby's best interests, we will share relevant information with your knowledge and consent wherever possible, or under our duty of care where consent cannot be obtained.
6.2 Safeguarding
Where we have a safeguarding concern regarding the safety of you, your baby, or another person, we may be legally required to share information with relevant authorities without your consent. We will always endeavour to discuss this with you first unless doing so could put someone at risk.
6.3 Service Providers (Data Processors)
We use a small number of third-party service providers to operate our business. These act as data processors and are only permitted to process your data on our instructions. Our current third-party processors include:
Provider- Purpose / Data Processed
Squarespace Inc.
Website hosting, contact forms, and online booking functionality. Squarespace is based in the USA; data transfers are covered by appropriate safeguards (Standard Contractual Clauses). See squarespace.com/privacy for details.
Google (Gmail)
Email communication. Google may process message content on servers outside the UK. See policies.google.com/privacy for details.
Meta (WhatsApp)
WhatsApp Support Package communications. Please be aware that WhatsApp is a Meta platform; see their privacy policy at whatsapp.com/legal/privacy-policy for details.
Booking Platform
Online appointment scheduling and payment processing. Details of the specific provider and their privacy policy are available on our booking page.
6.4 Legal Requirements
We may disclose your data to law enforcement or other authorities if required to do so by law or in response to a valid legal request.
7. International Data Transfers
Some of our third-party service providers (including Squarespace and Google) are based outside the UK and may process your data in countries that do not have the same level of data protection as the UK. Where this occurs, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO, to protect your data. If you would like further information about the safeguards we use, please contact us at dropsofgolduk@gmail.com.
8. How Long We Keep Your Data
Type of Data & Retention Period
Clinical records (consultation notes, feeding plans, health data)
A minimum of 7 years from the date of the last consultation, or until your child reaches 25 years of age, whichever is the longer period — in line with NHS and professional guidance.
Booking and payment records
7 years from the date of the transaction, to comply with HMRC requirements.
General correspondence (emails, enquiries)
Up to 3 years from the date of last contact, unless a business need requires a longer retention period.
WhatsApp messages
For the duration of the support package and up to 12 months thereafter for reference purposes.
Website analytics data
As determined by Squarespace's own data retention policies (typically 26 months for analytics data).
After the applicable retention period, your personal data will be securely and permanently deleted or anonymised.
9. Cookies and Website Analytics
Our website (www.dropsofgolduk.com) is built on the Squarespace platform, which uses cookies and similar tracking technologies. Cookies are small text files placed on your device when you visit a website.
We use the following types of cookies on our website:
Essential cookies: Necessary for the website to function correctly, including enabling you to navigate pages and access secure areas. These cannot be disabled.
Analytics cookies: Used to understand how visitors use our website (e.g. which pages are most visited). This data is aggregated and anonymous.
Functional cookies: Used to remember preferences such as language or region settings.
When you first visit our website, you will be shown a cookie consent banner. You can manage your cookie preferences at any time via your browser settings. Please note that disabling certain cookies may affect the functionality of the website.
For full details of the cookies used by Squarespace, please refer to the Squarespace Cookie Policy at support.squarespace.com.
10. Your Data Protection Rights
Under UK GDPR, you have the following rights in relation to the personal data we hold about you:
Right- What It Means
Right of Access
You can request a copy of the personal data we hold about you (a 'Subject Access Request'). We will respond within one calendar month.
Right to Rectification
You can ask us to correct inaccurate or incomplete personal data.
Right to Erasure
You can ask us to delete your personal data in certain circumstances. Note that we may need to retain some data to comply with our legal and professional obligations (such as clinical records).
Right to Restrict Processing
You can ask us to pause or limit the processing of your data in certain circumstances, for example while a dispute is being resolved.
Right to Data Portability
Where processing is based on consent or contract, and carried out by automated means, you can ask us to provide your data in a structured, machine-readable format.
Right to Object
You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds to continue.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
Rights re: Automated Decisions
You have the right not to be subject to solely automated decisions that significantly affect you. We do not use automated decision-making.
To exercise any of these rights, please contact us at dropsofgolduk@gmail.com. We will respond within one calendar month of receiving your request. There is no charge for exercising your rights in most circumstances.
11. How We Protect Your Data
We take the security of your personal data seriously and have measures in place to protect it from unauthorised access, loss, or misuse. These include:
Storing digital records in password-protected and encrypted systems
Using secure email and messaging platforms for client communication
Limiting access to personal data to Dionne Grogan only
Not retaining personal data for longer than necessary
Securely deleting or shredding data when it is no longer required
While we take all reasonable precautions, no method of transmission over the internet is 100% secure. If you have concerns about the security of your data, please contact us.
11.1 Data Breach Notification
In the unlikely event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and report the breach to the ICO within 72 hours of becoming aware of it, as required by UK GDPR.
12. Right to Complain to the ICO
If you are unhappy with the way we have handled your personal data, please contact us in the first instance so that we can try to resolve the matter. You also have the right to lodge a complaint with the UK's data protection supervisory authority:
Authority- Information Commissioner's Office (ICO)
Website- www.ico.org.uk
Telephone- 0303 123 1113
Address- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
13. Children's Data
Our services involve the collection of data about infants and young children. This data is collected with the consent of a parent or guardian and is processed solely in connection with providing lactation and infant feeding support. We do not share a child's data with any third party other than as described in Section 6 of this policy.
We do not knowingly collect personal data directly from children.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we do, we will update the 'Last updated' date at the top of this document and publish the updated policy on our website at www.dropsofgolduk.com. We encourage you to review this policy periodically. Where changes are significant, we will take steps to notify existing clients.
Drops of Gold: Infant Feeding Support Services
Dionne Grogan IBCLC RN HV
Croydon & South London, and Online