Privacy Notice – Friends

Who this notice is for

This Notice is for Friends of the CSTA and describes ways in which the CSTA needs to process personal information for your membership.

There is a separate Privacy Notice for the CSTA website, which can be found here.

What this notice is about

This notice tells you what personal data we collect, how we use it, and your rights relating to our use of your information. You should make sure you understand this information, and if you have any questions, please contact us at

Who we are

The Craniosacral Therapy Association UK (CSTA) is an accreditation and regulatory professional body for craniosacral therapy in the UK. Our charity number is 1156168.


Data protection legislation applies to ‘personal data’. This means information about someone (a living individual), who can be identified as that person. Generally this will include information such as full name, address, phone number, email address. Data protection law regulates how that data is ‘processed’ i.e. collected, stored and used, and in the UK is currently governed by the Data Protection Act 2018 and by the Europe-wide General Data Protection Regulation 2016 (GDPR).

The CSTA is the ‘data controller’ for the information it holds about its Members, Friends and Subscribers. This means it controls what happens to that information and takes legal responsibility for this.

We are committed to ensuring that the way we process personal data is compliant with applicable data protection law, as well as best practice for a professional body. All personal information is treated in confidence within the organisation and is used only for the purpose of maintaining the records we need to meet our responsibilities as a membership organisation and professional body.

The types of personal data we may hold about you

In general most information is supplied by you on your application form or membership renewals.

Information you provide

  • Your name, address, phone number, email address.
  • Your date of birth and preferred title (if given).

Information the CSTA may record about you

  • Your fee payment record and expected renewal date.

The purpose of processing

The purpose of holding and processing personal information about you is to manage your membership – processing your application and renewals and contacting you about this where needed; maintaining a database of membership; responding to enquiries from you; and sending you communications relevant to your membership.

Contacting you about your membership

  • We will contact you in order to process and renew your membership.
  • We will contact you with CSTA news including the newsletter and The Fulcrum journal, and with information about CSTA-run courses and adverts for roles within the CSTA.
  • We have a system of reminders if your membership lapses, to ensure members do not lapse accidentally. You will receive two reminder and, after this time, your membership will be archived.

The legal basis for holding your information

We rely on ‘legitimate interests’ as our main ‘lawful basis’ for processing your personal data under the current data protection regulations (GDPR and 2018 Data Protection Act UK). This means that we need this information in order to manage your membership and to function as a membership organisation, including fulfilling any legal requirements this may entail.

Retention – how long will we keep your information and why

We need to retain membership information to meet our duties and responsibilities as a professional body for craniosacral therapy, as described above. We will not keep information for longer than is needed in order to fulfil these purposes unless we are specifically obliged to by law.

  • Your information is held in an active record until your last renewal..
  • If your membership lapses, your information will be archived securely and removed from use.
  • General emails that you may send about your membership are deleted on a rolling approximately three-yearly basis.

Who we share your information with

We will only share personal information about members with external bodies in limited situations where this is strictly necessary, as described below.

Newsletters and CSTA communications

We may use third party services to send communications from the CSTA to members, such as our newsletter, a survey or The Fulcrum journal. These services include, but are not restricted to, MailChimp, Printmark, Google Forms and Survey Monkey. Only the minimum required personal data is shared for each purpose, for example your name and contact email or postal address,and these details are not accessed or used by the service for any other reason.We have checked that each service is GDPR-compliant.


If you attend a CSTA-run workshop, your name, email address, contact phone number and type of membership will be shared with the CSTA contact for the workshop, and may also be passed to the workshop provider.


We take the security of your personal information very seriously. We regularly review both our policies and our IT systems to ensure our security measures are adequate and reflect up to date technological advances as well as the requirements to prevent unauthorised access to, destruction or loss of your information.

All CSTA membership data is held on a secure and compliant server using GDPR-compliant hosting facilities. Membership documents are held on a secure and compliant cloud content management system.

Data protection and your rights

Data protection regulations say that anyone who holds and controls personal information about individuals must respect their privacy rights, and must also inform them about these rights.

Your right to refuse to give information

Under the GDPR, you should not be forced to provide your personal information to a data controller, and you have the right to be informed of any consequences of refusing to give it.

The CSTA respects the principle of ‘data minimisation’ which means we only request information which we actually need for each type of membership.

Because this information is needed to maintain your membership and to fulfil our obligations as a professional body, if you do not wish to give your personal information as described above, we will not be able to process membership for you.

Your right to object to personal data processing

If you object to us processing your personal information,you can ask us to restrict our use of it and delete any records we are not required to retain. At your request, for example, we will stop using your data to contact you – this will generally mean that your CSTA membership will cease. We will, however, need to retain some information about you as described in the retention section above, in order to fulfil good practice as a professional body.

Your right to see what information we hold about you

You have the right to request access to the information we hold about you, and we must respond to your request within one month. We will need to see proof of your identity and address before we can transfer a copy of your records to you. We will also respond to any concerns or questions you may have about our use of your information.

It should be noted that we are not obliged to disclose to you all the information we hold about you, in particular where disclosure could be a risk to the privacy rights of someone else.

Your right to rectify any information we hold which is not correct

If you believe that any of the information we hold about you is inaccurate or incorrect you have the right to tell us about this and request that the information is corrected. Please do let us know if any of your details change so we can keep your records up to date, and please ensure you keep your information up to date within your online account.

Who to contact at the CSTA about personal data and your privacy rights

For any questions or concerns about this privacy information, or to make a request to exercise your privacy rights, please contact, telephone 0844 700 2358, or write to us at CSTA, 27 Old Gloucester Street, London, WC1N 3AX.

Your right to make a complaint

You have the right to complain if you are unhappy about the way we look after your information, or feel we have not properly respected your rights – please contact and we will do our best to answer you and work with you to resolve any concerns. If you are still unhappy you can appeal to the Information Commissioner’s Office (ICO) or 0303 1231113.

Changes to this privacy notice

We may modify this privacy notice at any time to reflect best practice or changes in the laws or regulatory guidelines on data protection. If we make changes to this privacy notice, we will highlight this on our website where the new documents will be available, and for significant or major changes we aim to inform current members by email.

This privacy notice was last updated on 12th June 2019