Privacy policy

Last updated: May 22, 2026

This Privacy Policy explains how Complete Wellness Hub (“we”, “us”, “the site”) collects, uses, stores, and discloses personal data when you visit completewellnesshub.com. This site is operated for English-speaking audiences in the United States, United Kingdom, Canada, and Australia. It is written to comply with the UK General Data Protection Regulation and Data Protection Act 2018 (United Kingdom), the EU General Data Protection Regulation (Regulation 2016/679) where applicable to EU visitors, the Privacy Act 1988 and Australian Privacy Principles (Australia), the Personal Information Protection and Electronic Documents Act (PIPEDA, Canada), and U.S. state privacy laws including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and the Texas Data Privacy and Security Act (TDPSA).

Controller

The controllers for the processing of personal data on this website within the meaning of Article 4(7) UK GDPR / EU GDPR are [Owner Name 1] and [Owner Name 2], trading as Complete Wellness Hub. General enquiries: [email protected]. Privacy and data-protection enquiries: [email protected].

Data Protection Officer

We have not appointed a Data Protection Officer because we do not meet the thresholds in Article 37 UK GDPR / EU GDPR: we are not a public authority, our core activities do not consist of regular and systematic monitoring of data subjects on a large scale, and our core activities do not consist of large-scale processing of special-category personal data. Data-protection enquiries can be sent to [email protected].

Categories of personal data we process

When you visit this website we may process the following categories of personal data:

  • Connection data: IP address (truncated where technically feasible), browser type and version, operating system, referrer URL, requested page, date and time of the request, language preference. This is processed in server log files and through our content-delivery and security provider.
  • Cookie identifiers and similar identifiers where you have consented through our cookie banner. See our Cookie Policy for details.
  • Data you provide voluntarily: when you contact us, comment on an article, or subscribe to a newsletter, we receive the information you provide (typically an email address, name where given, and the content of your message).

Purposes of processing and legal bases

We process personal data for the following purposes:

  • Operating and securing the website — Article 6(1)(f) GDPR (legitimate interest in operating a functional, secure website that is protected from abuse).
  • Aggregate traffic measurement before and in the absence of consent — Article 6(1)(f) GDPR (legitimate interest in understanding which content is read so editorial effort focuses on what works). See “Analytics & traffic measurement” below for the details, the data categories processed, and your right to object.
  • Statistics cookies and session-level measurement after consent — Article 6(1)(a) GDPR (your consent through the cookie banner). You can withdraw consent at any time by reopening the cookie banner via the footer link.
  • Responding to enquiries — Article 6(1)(b) or (f) GDPR depending on context.
  • Sending newsletter content where you have subscribed — Article 6(1)(a) GDPR.

Analytics & traffic measurement

We use Google Analytics 4 to understand which articles are read on this site. Because we are an editorial publisher, this measurement is operational rather than optional: without it we cannot tell which content draws readers, which has stopped working, or whether the site is reachable for real visitors. We have configured our analytics in the most privacy-preserving way that still produces actionable data.

What we process before you consent (and if you reject). Before you make a choice in our cookie banner, and if you choose Reject, we send a cookieless signal to Google in the “consent denied” mode of Google Consent Mode v2. That signal contains: your IP address (anonymized by Google at the point of collection), user-agent string, the URL of the page you requested, the referrer URL, your screen size, and your language preference. No cookie is set, no persistent identifier is generated, no advertising features are enabled, and we do not receive your IP address from Google. The lawful basis for this processing is our legitimate interest under Article 6(1)(f) GDPR in understanding aggregate traffic to operate and improve our content. We have completed a Legitimate Interest Assessment for this processing and concluded that your rights do not override our interest, given the anonymisation, the absence of profiling, and the right to object set out below. A summary of the assessment is available on request.

What we process after you consent. If you accept Statistics, Google Analytics is also permitted to set its standard cookies (_ga, _ga_[ID]) which allow Google to model session activity and returning-visitor patterns. The lawful basis for this further processing is your consent under Article 6(1)(a) GDPR. You can withdraw consent at any time by reopening the cookie banner via the footer link; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Recipient. Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, United States, acting as our processor under Article 28 GDPR. The transfer is covered by the EU–U.S. Data Privacy Framework (see “Transfers to third countries” below).

Retention. Google Analytics 4 retains user-level and event-level data for 14 months from collection (the GA4 default we have configured). Aggregated reports may be retained for longer.

Right to object (Article 21 GDPR). You have the right to object at any time to the legitimate-interest-based analytics processing described in this section, on grounds relating to your particular situation. To exercise that right, email [email protected]. We will honour the objection.

Recipients of personal data

Personal data may be shared with the following categories of recipients, each of whom acts as a processor or sub-processor under Article 28 GDPR:

  • Our hosting provider, Namecheap, Inc. (United States), for the storage and delivery of website content;
  • Cloudflare, Inc. (United States) for content delivery, edge caching, security, DDoS protection, and cookieless aggregated traffic measurement (Cloudflare Web Analytics);
  • Google LLC (United States) for analytics, as described in the “Analytics & traffic measurement” section above;
  • Email-service providers used to handle inbound and outbound mail relating to the website.

A current list of sub-processors is available on request.

Transfers to third countries

Some of the recipients listed above are based in the United States. Where personal data is transferred outside the European Economic Area, the transfer is protected by:

  • the EU–U.S. Data Privacy Framework adequacy decision of 10 July 2023 (Commission Implementing Decision C(2023) 4745), where the recipient is DPF-certified (Cloudflare, Inc. and Google LLC are both DPF-certified); and
  • as a fallback safeguard, the European Commission’s Standard Contractual Clauses adopted by Decision (EU) 2021/914 of 4 June 2021.

You may request a copy of the safeguards in place by contacting us at the address above.

Retention period

  • Server log files: 14 days, then deleted or anonymised.
  • Google Analytics data: 14 months at user/event level (GA4 default); aggregated reports may be retained for longer.
  • Cookie data: as set out in our Cookie Policy (maximum 24 months for analytics cookies; shorter for most categories).
  • Enquiry correspondence: deleted after the enquiry has been fully addressed, unless statutory retention obligations apply (typically 6 years for tax and business records under applicable UK, US, Canadian, or Australian law).
  • Newsletter data: retained until you unsubscribe.

Children’s privacy

This website is not directed at children under 16, and we do not knowingly collect personal data from children under 16 within the meaning of Article 8 GDPR (or under 13 within the meaning of the U.S. Children’s Online Privacy Protection Act, COPPA). If you are a parent or guardian and believe a child has provided personal data to us, please contact us at [email protected] and we will delete the data.

Your rights as a data subject

Under Articles 15–22 GDPR you have the right to:

  • request information about the personal data we process about you (Article 15);
  • request rectification of inaccurate data (Article 16);
  • request deletion of your data where one of the grounds in Article 17(1) applies (Article 17);
  • request restriction of processing (Article 18);
  • request data portability (Article 20);
  • object to processing based on legitimate interest (Article 21) — including the analytics processing described in the “Analytics & traffic measurement” section above;
  • withdraw your consent at any time with effect for the future (Article 7(3)) — for example, by reopening the cookie banner via the footer link.

To exercise any of these rights, email [email protected].

You also have the right to lodge a complaint with the supervisory authority in your country of residence. The competent authorities for our target markets are:

  • United Kingdom: Information Commissioner’s Office (ICO), ico.org.uk
  • Australia: Office of the Australian Information Commissioner (OAIC), oaic.gov.au
  • Canada: Office of the Privacy Commissioner of Canada (OPC), priv.gc.ca
  • United States: Your state Attorney General’s office. Residents of California, Virginia, Colorado, Connecticut, Utah, and Texas have additional state-specific rights under their respective privacy laws.

Residents of US states with comprehensive privacy laws have rights including the right to know what personal information we hold about you, the right to delete it, the right to correct it, the right to opt out of sale or sharing (we do not sell or share personal information for cross-context behavioral advertising), and the right to non-discrimination for exercising these rights. To exercise any of these rights, email [email protected].

Automated decision-making

We do not use automated decision-making within the meaning of Article 22 GDPR.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in the law. The “Last updated” date at the top of this page indicates the most recent revision.

Contact

For questions about this Privacy Policy or our data-processing practices, contact us at [email protected].