Privacy Policy
Last Updated: 21st April 2026
1. Introduction
Lucy Newport, trading as Binge Free & Worthy ("I," "me," or "my"), is committed to protecting your privacy and complying with UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Policy explains how I collect, use, store, and protect your personal information when you:
- Visit my website (www.bingefreeandworthy.com)
- Sign up for my free resources or email communications
- Purchase or participate in my coaching services
- Contact me via email or other channels
Data Controller: Lucy Newport, Binge Free & Worthy
Contact: lucy@bingefreeandworthy.com
Address: 1A Cookson Terrace, Lydney, Gloucestershire, GL15 5ES, United Kingdom
By using my website or services, you agree to the collection and use of information in accordance with this Privacy Policy.
2. What Personal Data I Collect
I collect different types of personal information depending on how you interact with my business:
2.1 Information You Provide Directly
When you sign up for free resources or my email list:
- Name (first name only)
- Email address
- How you found me (optional)
When you become a coaching client:
- All of the above, plus:
- Payment information (processed securely through Stripe)
- Health-related information you choose to share (see Section 3 on Special Category Data)
- Session recordings (video and audio)
- WhatsApp messages between us
- Written reflections, homework, or journal entries you submit
- Any other information you voluntarily provide during coaching sessions
2.2 Information Collected Automatically
When you visit my website:
- IP address
- Browser type and version
- Device information
- Pages you visit and time spent on pages
- Referring website
- Cookie data (see Section 12 for details)
This information is collected through:
- Google Analytics - to understand how people use my website
- Cookies - small text files stored on your device (see Section 12)
3. Special Category Data (Health Information)
As a coach specialising in binge eating recovery for highly sensitive people, I process
health-related personal data, which is classified as "special category data" under UK GDPR and requires additional protection.
What Health Data I Collect:
When you work with me as a coaching client, you may share:
- Information about your eating patterns and behaviours
- Your relationship with food and your body
- Mental health information (such as anxiety, depression, past trauma, or other emotional wellbeing matters)
- Physical health conditions that affect your recovery
- Body image concerns
- Experiences as a Highly Sensitive Person
- Any other health information relevant to your recovery journey
Legal Basis for Processing Health Data:
I process your health information based on your
explicit consent, which I obtain when you:
- Sign the coaching agreement (Terms & Conditions and Waiver of Liability)
- Choose to share health information during sessions
- Submit written reflections or homework containing health information
Your consent is:
- Freely given - you choose to work with me and share information
- Specific - you know I'm collecting health data for coaching purposes
- Informed - this policy explains how I use your data
- Unambiguous - you actively sign documents and participate in sessions
Why I Need Health Information:
I need to understand your specific experiences, challenges, and patterns to provide effective, personalised coaching support tailored to your needs as a Highly Sensitive Person recovering from binge eating.
How I Protect Your Health Information:
- All session recordings are stored securely with password protection on Google Drive
- Client notes are kept in password-protected Google Sheets and Docs
- Access is strictly limited to me only
- Data is encrypted during transmission
- I follow industry-standard security practices
- Physical backups (if any) are kept on password-protected devices in secure locations
Who May See Your Health Information:
- Only me - your health information is confidential
- Clinical supervision - I may discuss your case anonymously (no identifying details) with professional supervisors or mentors for quality assurance and professional development
- Legal requirement - I will only share identifiable health information if legally required (e.g., court order) or if I have serious concern about immediate risk of harm to you or others
Your health information will never be:
- Shared with third parties for marketing purposes
- Sold or rented to anyone
- Used for purposes other than providing coaching services
Your Rights Regarding Health Data:
You can withdraw your consent at any time by contacting me at lucy@bingefreeandworthy.com. However, withdrawing consent may mean I cannot continue providing coaching services, as health information is essential to the work we do together.
You also have the right to:
- Access all health data I hold about you
- Request correction of inaccurate health data
- Request deletion of your health data (subject to legal retention requirements)
- Restrict how I process your health data
- Object to processing (in certain circumstances)
See Section 9 for full details of your rights.
4. Legal Basis for Processing Personal Data
Under UK GDPR, I must have a lawful basis for processing your personal data. Here's the legal basis for each type of processing:
| What I Process | Legal Basis | Explanation |
|---|---|---|
| Email marketing (Inbox Reflections, free resources) | Consent | You actively opt in via checkbox when signing up |
| Health information from coaching | Explicit Consent | You sign coaching agreements and voluntarily share information |
| Delivering paid coaching services | Contract | Necessary to fulfil the coaching contract between us |
| Payment processing | Contract + Legal Obligation | Necessary for service delivery and tax compliance |
| Website analytics | Legitimate Interests | I have legitimate interest in understanding how my website is used to improve services |
| Maintaining financial records | Legal Obligation | Required by UK tax law to keep records for 7 years |
| Professional development (anonymised case discussions) | Legitimate Interests | I have legitimate interest in quality improvement through supervision |
5. How I Use Your Personal Data
I use your information for the following purposes:
For Everyone:
- To respond to your inquiries and communications
- To send you requested free resources
- To understand website usage and improve user experience
- To comply with legal obligations
For Email Subscribers (with your consent):
- To send you my Inbox Reflections emails
- To notify you about new resources, services, or offerings
- To provide recovery insights and practical tools
For Coaching Clients:
- To deliver the coaching services you've purchased
- To schedule and conduct coaching sessions
- To provide between-session support via WhatsApp
- To create and update your Personal Binge Free Guide
- To curate your Body-Based Practice Library
- To maintain session recordings for your reference
- To track your progress and plan future sessions
- To process payments
- To fulfil contractual obligations
- To improve my coaching services through reflection and supervision
I will never:
- Sell your personal data to third parties
- Use your data for purposes you haven't consented to
- Send you marketing emails if you haven't opted in
- Share your health information for marketing purposes
6. Data Sharing and Third-Party Processors
I work with trusted third-party service providers who process personal data on my behalf. These processors are carefully selected and are required to protect your data in accordance with UK GDPR.
Third-Party Processors I Use:
Email Marketing:
- MailerLite (Lithuania, EU) - manages email list and sends newsletters
- Privacy Policy: https://www.mailerlite.com/legal/privacy-policy
Email Communications:
- Ionos (Germany, EU) - hosts business email address (lucy@bingefreeandworthy.com)
- Privacy Policy: https://www.ionos.co.uk/terms-gtc/privacy-policy/
- Processes: All email correspondence including inquiries, client communications, and support requests
Payment Processing:
- Stripe (US/Ireland) - processes coaching payments securely
- Privacy Policy: https://stripe.com/gb/privacy
- Note: I never see or store your full credit card details
Scheduling:
- Calendly (US) - manages session booking and scheduling
- Privacy Policy: https://calendly.com/privacy
- Processes: Names, email addresses, preferred session times, timezone information
Coaching Delivery:
- Zoom (US) - hosts video coaching sessions
- Privacy Policy: https://explore.zoom.us/en/privacy/
- WhatsApp (Meta, US) - provides between-session support messaging
- Privacy Policy: https://www.whatsapp.com/legal/privacy-policy
Data Storage:
- Google Workspace (US) - stores session recordings, client notes, forms, signed agreements, and practice library videos
- Includes: Google Drive, Google Docs, Google Sheets, Google Forms
- Privacy Policy: https://policies.google.com/privacy
- Vimeo (US) - hosts practice library videos
- Privacy Policy: https://vimeo.com/privacy
File Transfer:
- WeTransfer (Netherlands, EU) - occasionally used to send large files to clients
- Privacy Policy: https://wetransfer.com/legal/privacy
- Note: Files are automatically deleted from WeTransfer after 7 days
Website Services:
- Duda (US/Israel) - website hosting and building platform
- Privacy Policy: https://www.duda.co/privacy-policy
- Processes: Website visitor data including IP addresses, page views, and browsing behaviour
- Google Analytics (US) - website traffic analysis
- Privacy Policy: https://policies.google.com/privacy
- Note: IP addresses are anonymised
Document Creation:
- Canva (Australia/US) - design tool for creating client materials
- Privacy Policy: https://www.canva.com/policies/privacy-policy/
- Processes: Client first names and generic content when creating personalised guides (no health information is included in Canva)
Integration Tools:
- Zapier (US) - connects different services (e.g., email sign-ups to spreadsheet)
- Privacy Policy: https://zapier.com/privacy
Social Media Contact:
- Instagram (Meta, US) - occasional business posts; available for initial inquiries (conversations moved to email immediately)
- Privacy Policy: https://www.instagram.com/legal/privacy/
- LinkedIn (Microsoft, US) - professional profile; available for initial inquiries (conversations moved to email immediately)
- Privacy Policy: https://www.linkedin.com/legal/privacy-policy
- Note: If you contact me via Instagram or LinkedIn, your messages and profile information are processed by these platforms. I do not store social media conversations - all ongoing communication happens via email.
All of these processors have contractual obligations to:
- Process data only according to my instructions
- Implement appropriate security measures
- Not use your data for their own purposes
- Comply with UK GDPR requirements
7. International Data Transfers
Some of the third-party processors listed in Section 6 are based in the United States or other countries outside the UK and European Economic Area (EEA). This means your personal data may be transferred to, and processed in, countries that do not have the same data protection laws as the UK.
Safeguards in Place:
When I transfer your data internationally, I ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs):
- Google, Stripe, Zoom, and other major US-based processors have implemented Standard Contractual Clauses approved by the UK ICO
- These are legally binding contracts that require US companies to protect your data to UK GDPR standards
Adequacy Decisions:
- Some processors operate from EU/EEA countries that the UK recognises as having adequate data protection (e.g., MailerLite in Lithuania, WeTransfer in Netherlands)
Your Rights:
- You can request more information about the specific safeguards for any processor
- You can object to international transfers (though this may limit available services)
- Contact me at lucy@bingefreeandworthy.com with questions about international transfers
8. How Long I Keep Your Data
I retain your personal data only for as long as necessary for the purposes outlined in this policy or as required by law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Email subscriber data | Until you unsubscribe | To continue sending emails you've consented to receive |
| Coaching session recordings | 1 year after final session | To allow you to reference past sessions during and shortly after your coaching program |
| Client notes and forms | Until you request deletion | To maintain continuity if you return for future coaching; for quality assurance |
| Payment records | 7 years | UK tax law requirement |
| Website analytics data | 26 months | Google Analytics default retention for aggregate data |
| Cookie data | Varies by cookie type | See Section 12 for details |
| WeTransfer files | 7 days (automatic deletion by WeTransfer) | Temporary file transfer only |
| Calendly booking data | Until appointment completed, then archived | To manage scheduling; historical data for service improvement |
When I Delete Data:
- Email subscribers: Immediately upon unsubscribe
- Coaching clients: Session recordings deleted after 1 year; other data deleted upon your request
- Financial records: Deleted after 7 years (tax law requirement)
How to Request Deletion:
Email me at lucy@bingefreeandworthy.com to request deletion of your data. I will respond within 30 days. Note that some data (payment records) must be retained for legal reasons even if you request deletion.
9. Your Rights Under UK GDPR
You have important rights regarding your personal data. Here's what you can do and how to exercise each right:
9.1 Right to Access (Subject Access Request)
You can request a copy of all personal data I hold about you.
How to exercise: Email
lucy@bingefreeandworthy.com with "Subject Access Request" in the subject line.
Response time: 30 days
Cost: Free (unless request is manifestly unfounded or excessive)
9.2 Right to Rectification
You can ask me to correct inaccurate or incomplete personal data.
How to exercise: Email
lucy@bingefreeandworthy.com specifying what needs correction.
Response time: 30 days
9.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data in certain circumstances.
How to exercise: Email
lucy@bingefreeandworthy.com requesting deletion.
Response time: 30 days
Limitations: I may need to retain some data for legal obligations (e.g., financial records for tax purposes)
9.4 Right to Restrict Processing
You can ask me to limit how I use your personal data in certain circumstances (e.g., while disputing accuracy).
How to exercise: Email
lucy@bingefreeandworthy.com explaining why you want processing restricted.
Response time: 30 days
9.5 Right to Data Portability
You can receive your personal data in a structured, commonly used format and transfer it to another service provider.
How to exercise: Email
lucy@bingefreeandworthy.com requesting your data in portable format.
Response time: 30 days
Format: CSV, PDF, or other machine-readable format
9.6 Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes.
How to exercise:
- Marketing emails: Click "unsubscribe" in any email or email lucy@bingefreeandworthy.com
- Other processing: Email explaining your objection
Response time: Immediate for marketing; 30 days for other objections
9.7 Right to Withdraw Consent
For processing based on consent (marketing emails, health data), you can withdraw consent at any time.
How to exercise:
- Marketing: Click "unsubscribe" or email lucy@bingefreeandworthy.com
- Health data: Email lucy@bingefreeandworthy.com (note: may affect coaching services)
Effect: Withdrawal doesn't affect past processing but stops future processing
9.8 Rights Related to Automated Decision-Making
I do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.
10. Right to Complain to the ICO
If you're unhappy with how I've handled your personal data, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website:
https://ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
I encourage you to contact me first at lucy@bingefreeandworthy.com so I can try to resolve any concerns, but you have the right to go directly to the ICO if you prefer.
11. Data Security
I take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it from:
- Unauthorised access
- Accidental loss
- Destruction or damage
- Unlawful processing
Security Measures I Use:
- Encryption: Data transmitted between you and my website is encrypted using SSL/TLS
- Password protection: All file storage uses strong passwords and two-factor authentication where available
- Access controls: Only I have access to personal data; third-party processors have limited access only for their specific function
- Secure storage: Cloud storage with reputable providers who meet UK GDPR standards
- Regular reviews: Periodic assessment of security measures and processor practices
- Device security: Computers used for business are password-protected with up-to-date security software
Data Breach Procedures:
- In the event of a data breach that poses a risk to your rights and freedoms:
- I will notify the ICO within 72 hours
- I will notify you directly if the breach poses a high risk to you
- I will take immediate steps to contain the breach and prevent further unauthorised access
Limitations:
While I take all reasonable precautions, no method of transmission or storage is 100% secure. I cannot guarantee absolute security of your data. By using my services, you acknowledge:
- The inherent risks of digital data storage
- That you provide information at your own risk
- That you consent to these inherent security limitations
If you have concerns about data security, please contact me at lucy@bingefreeandworthy.com.
12. Cookies and Similar Technologies
My website uses cookies and similar technologies to improve your experience and understand how people use the site.
What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help websites remember information about your visit.
Types of Cookies I Use:
Strictly Necessary Cookies:
- Purpose: Essential for website functionality
- Examples: Session cookies, security cookies
- Legal basis: Legitimate interests (website cannot function without these)
- Can you opt out? No - these are required for the site to work
Analytics Cookies (Google Analytics):
- Purpose: Understand how visitors use my website (page views, time on site, referral sources)
- Data collected: Anonymised IP addresses, browser type, pages visited, time stamps
- Legal basis: Consent
- Can you opt out? Yes - through cookie settings or browser settings
- Third party: Google Inc. (Privacy Policy: https://policies.google.com/privacy)
Marketing/Advertising Cookies:
- Currently used: No
- If I use them in future: I will update this policy and obtain your consent
How to Control Cookies:
Browser Settings: Most browsers allow you to:
- View cookies stored on your device
- Delete cookies
- Block cookies from specific sites
- Block all cookies
Instructions by browser:
- Chrome: https://support.google.com/chrome/answer/95647
- Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
- Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac
- Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
Google Analytics Opt-Out: You can opt out of Google Analytics tracking using the browser add-on:
https://tools.google.com/dlpage/gaoptout
Note: Blocking cookies may affect website functionality and user experience.
Cookie Consent:
When you first visit my website, you'll see a cookie notice explaining:
- What cookies I use
- Why I use them
- How to accept or reject non-essential cookies
Your consent choices are stored so you're not asked repeatedly. You can change your cookie preferences at any time using the cookie settings link in the website footer.
13. Children's Privacy
My services are intended for adults aged 16 and over. I do not knowingly collect personal information from anyone under 16 years of age.
If you are under 16, please do not:
- Use my website
- Sign up for my email list
- Download my resources
- Purchase my services
- Provide any information to me
If I discover that I have collected personal data from someone under 16 without parental consent, I will delete that information immediately.
If you are a parent or guardian and believe your child under 16 has provided me with personal information, please contact me immediately at lucy@bingefreeandworthy.com so I can delete it.
14. Email Marketing Practices
How You Get on My Email List:
I will only send you marketing emails (Inbox Reflections, free resources, service updates) if you have explicitly opted in by:
- Ticking an unticked consent checkbox when signing up for my free guide or Inbox Reflections
- Confirming your email address (if double opt-in is enabled)
I will never:
- Add you to my list without your consent
- Use pre-ticked checkboxes
- Automatically enroll you for downloading a resource without your consent
What You'll Receive:
If you opt in to my emails, you'll receive:
- Daily Inbox Reflections - short emails with recovery insights, tools, and reflections
- Free resources - guides, practices, and HSP-specific content
- Service updates - information about my coaching services, new offerings, or changes
- Occasional promotional emails - information about paid services
Frequency: up to 4-5 times a week for Inbox Reflections; occasional for other emails
How to Unsubscribe:
You can unsubscribe at any time by:
- Clicking the "unsubscribe" link at the bottom of any email
- Emailing lucy@bingefreeandworthy.com with "Unsubscribe" in the subject line
Effect: You'll be removed from my list within 48 hours and will no longer receive emails from me (except transactional emails related to purchased services, if applicable).
Compliance:
My email practices comply with:
- UK GDPR - consent-based processing
- UK PECR (Privacy and Electronic Communications Regulations) - explicit opt-in for marketing emails
- Best practices - clear unsubscribe options, honest subject lines, sender identification
15. Links to Other Websites
My website and emails may contain links to third-party websites (e.g., research sources, recommended resources, social media).
Important: I am not responsible for the privacy practices of other websites. This Privacy Policy applies only to www.bingefreeandworthy.com and data I collect directly.
When you click a link to another website:
- You leave my website
- That website's privacy policy applies
- I have no control over their data practices
I encourage you to read the privacy policy of any website you visit.
16. Changes to This Privacy Policy
I may update this Privacy Policy from time to time to reflect:
- Changes in my business practices
- New legal requirements
- Changes in third-party processors
- Improvements to clarity or completeness
How I'll Notify You:
For minor changes (clarifications, formatting):
- Updated policy posted on website with new "Last Updated" date
For significant changes (new data collection, new processors, changes to your rights):
- Email notification to all email subscribers and current coaching clients
- Notice on website homepage
- 30 days to review before changes take effect
Your Responsibility:
Please review this Privacy Policy periodically. Continued use of my website or services after changes indicates acceptance of the updated policy.
Current version date: 21st April 2026
Previous version: 13th January 2022
17. Contact Me About Privacy
If you have any questions, concerns, or requests regarding this Privacy Policy or how I handle your personal data, please contact me:
Email:
lucy@bingefreeandworthy.com
Address: Lucy Newport, Binge Free & Worthy, 1A Cookson Terrace, Lydney, Gloucestershire, GL15 5ES, United Kingdom
I will respond to all privacy inquiries within 30 days.
For data subject access requests or exercising your rights, please see Section 9 for specific instructions.
To complain to the UK supervisory authority, see Section 10 for ICO contact details.