Data Protection 

At Oceans of Calm, we ensure your data is protected by strictly adhering to the recommended legislative data protection framework, the General Data Protection Regulation-GDPR (2018).  Your data is safeguarded by the seven key GDPR principles related to the processing of Personal Data:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

In the Data Protection Policy outlined below we detail; what data we collect; how we use the data; why we need the information; to whom the information is shared and how we protect your data.

At Oceans of Calm we actively promote your privacy and only collect necessary data. Please refer to the Oceans of Calm Privacy Policy and Cookies Policy for more information.

Data Protection Policy

This Data Protection Policy will explain how Oceans of Calm protects your privacy and how we handle and protect the personal data we collect from you, when you use our website and when you are attending a Sound Therapy session. This Policy details the following:

  • What data do we collect?
  • How do we collect your data?
  • How do we obtain your consent to hold data?
  • Why is the data held?
  • How will we use your data?
  • How do we collect and hold Children’s personal data?
  • How do we store your data?
  • How secure is the data?
  • Who is the data controller?
  • What are your data protection rights?
  • Amending data
  • Transferring data
  • Data Breaches
  • What are cookies?
  • How do we use cookies?
  • What types of cookies do we use?
  • How to manage your cookies
  • Safety Statement
  • Privacy policies of other websites
  • Changes to our Data Protection policy
  • How to contact us
  • How to contact the appropriate authorities

What data do we collect and hold?

Oceans of Calm collects and holds the following data:

  • Personal identification information (Name, Address, Date of Birth, Phone number, Email address)
  • Doctors details
  • Next of Kin
  • Medical History
  • Medical red flags
  • Treatment notes
  • Client feedback
  • Relationship data
  • Browsing data

How do we collect your data?

You directly provide Oceans of Calm with most of the data we collect. We collect data and process data when you:

  • Register online or place an order for any of our products or services.
  • Voluntarily complete a customer survey or provide feedback on any of our message boards or via email.
  • Use or view our website via your browser’s cookies.
  • Make a booking and schedule an appointment
  • Complete the Well-Being assessment at your first appointment

Primarily, the data we hold is obtained during the face to face first appointment with Clients. We go through the Oceans of Calm Client well-being assessment form with you and discuss your present state of health and well-being, expanding our questions as necessary to understand. On the original booking, we will obtain a name and phone number by phone of if the booking is through our online booking system, we will look for date of birth and email address.

How do we obtain your consent to hold data?

Obtaining Data and Informed Consent to hold data

  • Clients make contact with us to book a treatment.
  • Once it is determined appropriate to book a treatment, basic details are recorded digitally on the Oceans of Calm online system only. If the booking is taken in person, by email or by phone, name and phone number is all that is asked for. If the booking is done by the individual through our website booking appointments system, they are asked for name, phone number, email and date of birth.
  • Browsing data is obtained by their use of our website.
  • At no point do we chase a client for details without them initiating the contact.
  • We will not secure a booking without a name and a phone number.
  • During the initial session with a new client, a full well-being assessment form is gone through and filled out. At this point it is explained to Clients the purpose of the data required. They can refrain from giving us an address, email, doctors details, next of kin, date of birth if they prefer and are not a child or vulnerable adult; however we will not proceed with treatment without name, phone number or medical history.
  • The Sound Therapist suggests that therapy clients sign their consent to data holding, along with consent to treatment, on the Client well-being  assessment form completed at initial intake. They must sign consent to treatment and to data retention at this point to continue treatment.
  • Clients are asked to sign the disclaimer statement after being informed of the consent process, the disclaimer reads:

    I agree to allow Gloria Turpin to work with me to form a plan of holistic healing, and agree to all modalities to be considered.  I understand a series of sessions may be required.  A full assessment has been carried out and I have given honest and comprehensive answers.  I have disclosed all relevant information regarding my health and well being, including physical, mental, emotional and spiritual.  I will consult my Medical Practitioner should the need arise. I will not stop taking any medication unless my GP advises.

     I allow any information to be used in research or case studies and understand anonymity and confidentiality will be maintained. All data held is in compliance with GDPR 2018 requirements and your data can be withdrawn at any time’.

     Signed:                                                                        Date:

    In the case of children the informed consent of the Child’s Parent/Carer/Guardian is obtained, as well as the Child’s assent to the treatment on the day. Please see the Child Safeguarding Policy for more information. 

Digital Consent

Digital booking systems have very strict rules:

  • Clients have the right to apt out by default. Any tick-box option needs to be giving consent, not withholding consent.
  • Clients should be able to opt out at any later date quickly and easily, if they choose to.

Why is this data held?

Name, phone number, email and date of birth are gathered at time of booking to secure booking, this lets us know who is coming in and how to contact them with a reminder text, or a text to cancel should we need to due to unforeseen circumstances.

Each item of data is specifically held as follows:

  • Name; for Client identification
  • Address; for Client identification; safety of the Sound Therapy Practitioner; to send the Client home if something happens; if a solid relationship, to send Christmas a card.
  • Date of birth; for Client identification, i.e., for occasions when we have duplicate names. This is especially helpful for online bookings, to indicate if a duplicate profile has been created for an individual.
  • Phone number; to send reminder texts the day before, to keep cancellations and no shows to a minimum; in case we need to contact the Client to cancel due to Sound Therapy Practitioner illness, etc.
  • Email; to send receipts and appointment confirmations. Only requested when clients book through Oceans of Calm online booking system or for some specific reason, i.e. forwarding information. It is never added to any marketing list.
  • Doctor’s details: if clients present with serious medical issues, in which case we may liaise with the GP or specialist.
  • Next of kin: taken only in the case of children (with the signed consent from parent or guardian and with the parent/guardian always remaining present in the room) and vulnerable adults.
  • Medical History; relevant past and current relevant history is collected and held to help the Sound Therapy Practitioner understand what the Client is presenting with on a given day, so a decision whether treatment is appropriate or not can be made and a tailored action plan of therapy can be drawn up, ensuring that treatments are carried out in a safe way. We ask for a baseline level of detail to be recorded at the first appointment to assess our Client’s current state of well-being, including the Client’s perceptions of their life balance and current state of physical, mental, emotional and spiritual health. Information is recorded on the private and confidential Oceans of Calm Client well-being assessment form. This form is actively referred to over subsequent sessions and is held both in paper and digital format.
  • Medical red flags: this is taken during the first initial assessment where a pain assessment is made based on the Client’s feedback and recorded on the Client well-being assessment form. Areas exhibiting pain are recorded on a scale of 0 to 10 ranked from no pain, mild, discomforting, distressing, horrible to excruciating. This information is held on our records and the area of the body experiencing the pain is noted in a highlighted area, to act as a reminder to the Sound Therapy Practitioner and to ensure the Client is treated appropriately and that the pain levels are tracked over time. No details are given here.
  • Treatment notes: These are the Sound Therapy practitioners record of what happened during any contact with their Client. The treatment notes are recorded and attached to the Client well-being assessment form.
  • Client feedback: These are the Clients feelings expressed verbally before, during and after the Therapy session. Relevant aspects of the feedback related to the clients health are recorded by the Sound Therapist in their notes and referred to before each new session commences, to inform changes that might be needed to treatment and to ensure the safety of the Client.
  • Relationship data: this is a record of other clients (whom you have informed us) you have intimate relationships with, to help us provide a complete service. As well as records of who may have referred you (or you them), to help us understand and improve our marketing and services.
  • Browsing data: through cookies and google analytics to help us understand how people use our website so we can identify issues and improve our service here.

How will we use your data?

Oceans of Calm collects your data so that we can:

  • Process your queries
  • Manage and schedule your appointments.
  • Email you with Oceans of Calm news, including special offers and services we think you might like.

When Our Company processes your data, it may send your data to, and we may also use the resulting information from, credit reference agencies to prevent fraudulent payments.

How do we collect and hold Children’s personal data?


Children’s personal data

Children have the same data protection rights as adults and can make access requests. However, they are given specific protection with regard to their personal data. This is because they may be less aware of the risks and consequences of sharing their personal data. Also, they may be less aware of the safeguards available and their rights in relation to how their personal information is processed.

Parents and guardians may also be able to make access requests or exercise any other data protection right on behalf of their children. If a request is made by a parent or guardian, the data controller must consider the nature and circumstances of the request, including the age, capacity and views of the child and the child’s best interests. Please see the Child Safeguarding Policy for more information.

Digital age of consent

Article 8 of the GDPR directs countries to set a minimum age at which online service providers, including social media companies, can rely on a child’s own consent to process their personal data. In Ireland, the Data Protection Act 2018 has set the age of digital consent at 16. This means that if an organisation is relying on consent as the legal basis (justification) for processing a child’s personal data and the child is under 16, then consent must be given or authorised by the child’s parents or guardians.

How do we store your data?

Oceans of Calm securely stores your personal data which is in paper format, in a specifically dedicated secured and locked filing cabinet, in a locked room and is only accessible to the Sole proprietor and Sound Therapist Gloria Turpin. The key to the cabinet is kept in a safe and can only be accessed by Gloria.

Personal data held digitally is triple encrypted e.g. data recorded on the Client well-being assessment form is stored in an encrypted folder on Gloria Turpin’s personal computer. Encryption codes are only known by Gloria Turpin and files and personal data are only ever accessed by Gloria Turpin. Each patient folder is also individually encrypted and each assessment form is individually encrypted.

Oceans of Calm will keep your Client well-being assessment form in accordance with the current best practice in Ireland for the retention of medical records:

  • Adults; for 8 years after their last treatment or death
  • Children and young people; until the Client’s 25th birthday or 26th if the young person was 17 at the conclusion of treatment, or eight years after the patient’s death.
  • Records of a mentally disordered Client; 20 years after last treatment or eight years after death.

Once time periods have expired, Gloria Turpin alone will carry out all of the data disposal according to GDPR regulations and Irish best practice guidelines for data management and retention of medical records, noting the importance to destroy the data in a way that ensures the information cannot be recreated and applying secure irreversible methods to ensure that the data is no longer usable.

All paperwork including photographs, will be shredded and destroyed and digital files will be wiped. Gloria will solely carry out the shredding and the electronic data will also be securely disposed of in such a way that the data can never again be constituted. At present, the best practice standard for permanent data deletion is through the ‘Purge’ protocols outlined in best practice policies on data retention. Gloria Turpin will carry out the purge protocols on her encrypted laptop where the data has been stored, to ensure that data recovery is infeasible.

Destroying Data

Data will only be destroyed after the allotted time frame as quoted above.

The online booking system can fully delete any details. The Client records in question will be archived as per their system and then deleted completely.

The record of the Client name on Gloria’s computer will continue to be listed with a highlighted note, indicating the date of the last appointment and the date of the destruction.

The paper record will be removed and shredded on site using a cross cut rather than a strip cut shredder. These are brought home in two separate bags one at a time, to burn in a fire, checking that all paper is properly burned and that nothing is remaining.

How secure is the data; encryption and accessibility?

Oceans of calm uses a cloud-based online booking system to track and take bookings hosted by Squarespace. This is a private cloud of Squarespace and has extensive encryption security built into it and has been expanded with the GDPR 2018. 

When Gloria is not at her desk, the computer screen is locked and needs a password to access. This password is known only to Gloria and is not written down or recorded.

Name, address, phone number, email and date of birth are stored on this booking system, as well as Client payment history and appointments schedule.

Client assessment forms in use each day, are kept in a folder that is with Gloria, the Sound Therapist, at all times and is not left lying around in view of a Client.

Newly filled out assessment forms, are put in a separate folder and locked into the filling cabinet at the end of each working day, awaiting processing, at which point they can be filed away with the rest.

Phones and devices used to take calls or access cloud-based online booking systems are kept locked by passwords and not left accessible to unauthorised people.

Is the data shared with 3rd Parties and on what basis?

As detailed above we use Squarespace, a cloud-based booking system to provide our services. This company books appointments, stores and processes all transactions, emails appointment confirmations, receipts and account statements. Please view their privacy policy.

We also use Mailchimp, PayPal and Stripe, please view their privacy policies.

Who is the data controller?

Oceans of Calm Sole Proprietor and Sound Therapist, Gloria Turpin.

What are your data protection rights?

Oceans of Calm would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

  • The right to access – You have the right to request from Oceans of Calm copies of your personal data. We may charge you a small fee for this service.
  • The right to rectification – You have the right to request that Oceans of Calm correct any information you believe is inaccurate. You also have the right to request Oceans of Calm complete the information you believe is incomplete.
  • The right to erasure – You have the right to request that Oceans of Calm erase your personal data, under certain conditions.
  • The right to restrict processing – You have the right to request that Oceans of Calm restrict the processing of your personal data, under certain conditions.
  • The right to object to processing – You have the right to object to Oceans of Calm’s processing of your personal data, under certain conditions.
  • The right to data portability – You have the right to request that Oceans of Calm transfer the data that we have collected to another organisation, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email:

Call us on: (+353) 083104 8243, or write to Gloria at:

Amending incorrect data

A change of name, address, phone number, email, Doctor, etc., is performed by Gloria, the Sound Therapist and Sole Proprietor at Oceans of Calm. Once the change needed has been brought to her attention directly by a client, the data will be updated on the online digital records and the paper records will be pulled and the update will be made to this file also.

Transferring data

Upon receiving a request from a client to transfer data to another therapist, solicitor or medical professional, the paper records including all medical history and treatment history will be sent by registered post, with no amendments, to the address provided by the Client. The Client must sign consent to this transfer, which states the date, the name and address of the recipient and acknowledgment of permission to send. This will be kept in the place of their original records, with name, date of birth and address until the allocated time has passed, in which case it will be destroyed.

Data breaches

What is a data breach?

A data breach is when our online system has been accessed at the core, or if our account has been accessed at our level or if a person has got access to our premises and there is evidence or a risk of data being copied, accessed, destroyed or removed from our premises.

How Oceans of Calm identifies data breaches:

  • Human error; most systems online are so locked down that cybercriminals are looking for human error to access data.
  • Identity theft; Cybercriminals are looking for card details and identity details.
  • Administrative access; Cybercriminals are getting in through administrative access.
  • Hacking; Cybercriminals are exploring methods for breaching defenses and exploiting weaknesses in computer systems and networks.
  • Card Breaches; card breaches are identified when clients all begin reporting fraudulent charges on their accounts coming from our payment facility. Please see ‘Card Security Fraud Prevention’ from your Card provider for more information.
  • Physical break-in; Oceans of Calm will be on the look-out for tampering signs at the door and windows accessing the premises, the internal doors, the safe and the cabinet where documents are stored.
  • Online breaches have a number of signs that Oceans of Calm looks out for on the computer:

    -Looking for unusually slow internet/computers – this could be a sign it may be exporting a lot of data.

    -Looking for high CPU cycle, memory usage or hard disk activity – this could be a sign it may be exporting a lot of data.

    -Noticing if the computer has been tampered with e.g. it is not on/off as it was left?

    -Looking for new/moved/deleted files?

    -Noticing pop-ups and redirected websites while browsing (lots of advertisements) – it could be malware trying to get Oceans of Calm to slip-up and grant access.

    -Noticing being locked out of accounts on first passwords entry – it could be someone else has been trying/succeeded in getting access.

What Oceans of Calm do if there has been a data breach

Oceans of Calm (Gloria Turpin) fills out a Data Breach incident form asap and the data controller (Gloria Turpin) then does the following:

  • Within 72 hours (this is a legal obligation or Oceans of Calm will face a fine) of knowing something has happened, Oceans of Calm get in touch with the Data Protection Commissioners, referring to the Data Breach form.
  • Oceans of Calm consider if clients affected need to be notified (risk of identity theft, card fraud or breach of confidentiality), so that they can take appropriate measures to mitigate the effects to their property, person or reputation. Notifying data subjects is a remedial measure intended to redress the balance and restore some measure of knowledge and control. Oceans of Calm will let Clients know that Gloria is the person to contact in our organisation for more details.
  • 3rd parties may need to be contacted to help; i.e. An Garda Siochana, the financial institutes etc.
  • Oceans of Calm keep a diary of any data breaches or suspected data breaches


Cookies are text files placed on your computer to collect standard Internet log information and visitor behaviour information. When you visit our website, we may collect information from you automatically through cookies or similar technology

For further information, visit

How do we use cookies?

Oceans of Calm uses cookies in a range of ways to improve your experience on our website, including:

  • Keeping you signed in
  • Understanding how you use our website

What types of cookies do we use?

There are a number of different types of cookies, however, our website uses:

Technical or functional cookies

Some cookies ensure that certain parts of the website work properly and that your user preferences remain known. By placing functional cookies, we make it easier for you to visit our website. This way, you do not need to repeatedly enter the same information when visiting our website and, for example, the items remain in your shopping cart until you have paid. We may place these cookies without your consent.

Advertising cookies

On this website we use advertising cookies, enabling us to gain insights into the campaign results. This happens based on a profile we create based on your behaviour on With these cookies you, as website visitor, are linked to a unique ID but these cookies will not profile your behaviour and interests to serve personalised ads.

Marketing/Tracking cookies

Marketing/Tracking cookies are cookies or any other form of local storage, used to create user profiles to display advertising or to track the user on this website or across several websites for similar marketing purposes.

Because these cookies are marked as tracking cookies, we ask your permission to place these.

Social media buttons

On our website we have included buttons for Facebook, Twitter, WhatsApp and Instagram to promote webpages (e.g. “like”, “pin”) or share (e.g. “tweet”) on social networks like Facebook, Twitter, WhatsApp and Instagram. These buttons work using pieces of code coming from Facebook, Twitter, WhatsApp and Instagram themselves. This code places cookies. These social media buttons also can store and process certain information, so a personalized advertisement can be shown to you.

Please read the privacy statement of these social networks (which can change regularly) to read what they do with your (personal) data which they process using these cookies. The data that is retrieved is anonymised as much as possible. Facebook, Twitter, WhatsApp and Instagram are located in the United States.

How to manage cookies

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result. For more information on cookies please read our Cookies Policy.

Safety Statement

Sound Therapy is provided here at Oceans of Calm by Gloria Turpin and is delivered through clothing. Children under 18 years of age must be accompanied by a parent or guardian. There are limits to confidentiality regarding concerns about children. Oceans of Calm follows the National guidelines for the protection and welfare of children and has a legal duty of care under the Children First Act (2015) to keep children safe from harm whilst availing of our service. Cases which reach a particular abuse or neglect threshold and are  a cause for reasonable concerns will be reported to Tusla, the Child and Family Agency, this includes retrospective reporting of child abuse and potential suicide.

Privacy policies of other websites

The Oceans of Calm website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.

Changes to our Data Protection Policy

Oceans of Calm keeps its Data Protection Policy under regular review and places any updates on this web page. This GDPR policy was last updated on 24th April 2022.

How to contact us

If you have any questions about Oceans of Calm policies, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Email Gloria at:

Call Gloria on: (+353) 083 104 8243

Or write to Oceans of Calm at: Room 6, The Grove Medical Centre, Westport, County Mayo, Ireland. F28 EV22.

How to contact the appropriate authority

Should you wish to report a complaint or if you feel that Oceans of Calm has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.

Email: By webform, on the Data Protection Commission website accessible at

Address: Data Protection Commission, 21 Fitzwilliam Square, South Dublin 2. DO2 RD28, Ireland.