1. INTRODUCTION
This privacy notice explains how we collect, use, store, and protect your personal data when you interact with the websites, products, and services operated by Blossoming Limited (“we”, “us”, “our”), including:
https://www.head-trash.com— Head Trash brand sitehttps://www.fearless-birthing.com— Fearless Birthing brand site- Any sub-domains and connected applications operated by Blossoming Limited
By providing us with your data, you confirm that you are at least 16 years of age (or have a parent/guardian’s consent if younger).
Data controller
- Legal entity: Blossoming Limited
- Email: hello@fearless-birthing.com
- Postal address: Gothic House, Barker Gate, Nottingham NG1 1JU, United Kingdom
UK supervisory authority: Information Commissioner’s Office (ICO) — https://ico.org.uk. If you have a complaint about how we handle your data, we’d appreciate the chance to resolve it first, but you can complain directly to the ICO at any time.
2. WHAT DATA WE COLLECT
2.1 Standard personal data
- Identity Data — first name, last name, title, date of birth (where relevant)
- Contact Data — billing address, email address, phone number
- Financial Data — payment card details (handled by our payment processors — we do not store full card numbers)
- Transaction Data — products purchased, dates, amounts
- Technical Data — IP address, browser type/version, operating system, time zone, device identifiers
- Profile Data — username, password (hashed), preferences, interests, survey responses
- Usage Data — how you use our websites and services
- Marketing and Communications Data — your preferences for receiving communications from us
2.2 Special category / sensitive data (UK GDPR Article 9)
We collect and process special category personal data in the following specific contexts:
- Mental health and wellbeing data — when you use Fearless Birthing programmes, the Head Trash Clearance Club, or any of our other healing products. This includes self-reported emotional states, anxiety patterns, fears, life experiences, and related context.
- Perinatal mental health and birth-fear data — when you complete the Perinatal Inner Readiness Profile (PIRP) or related Fearless Birthing assessments. This includes responses to questions about pregnancy, birth, your relationship with your body, fears around motherhood, and your psychological readiness for birth.
- Health-related data — where relevant to the support we provide.
Legal basis for processing special category data: Explicit consent (UK GDPR Article 9(2)(a)). You provide this consent when you complete an assessment or sign up for a programme. You can withdraw consent at any time by emailing hello@fearless-birthing.com or via your preferences dashboard. Withdrawing consent will not affect lawful processing already carried out, but we will stop processing your data for affected purposes going forward and will delete it on request.
2.3 Practitioner-client relationship data (PIRP only)
If a healthcare practitioner has purchased PIRP assessment codes and shared one with you to use, we will process data on both sides of that relationship:
- The practitioner is identified to us as the purchaser of the assessment code and receives a professional version of your assessment report.
- You (the client) take the assessment and receive your own version.
- We link your assessment record to your practitioner so that you both work from the same insights.
If you do not want your practitioner to receive your assessment data, do not use a practitioner-provided code. You can purchase a direct version of the assessment from Fearless Birthing without involving a practitioner.
2.4 Children
Our services are not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe we hold data about a child, please contact hello@fearless-birthing.com and we will delete it.
3. HOW WE COLLECT YOUR DATA
3.1 Directly from you
- Filling in forms on our websites
- Purchasing products or services
- Creating an account
- Subscribing to newsletters or free resources
- Completing assessments (including PIRP)
- Communicating with us by email, phone, or messaging
3.2 Automated technologies
- Cookies and similar technologies on our websites (see our cookie policy)
- Server logs (IP addresses, request paths, timestamps)
- Analytics tools (see sub-processors below)
3.3 Third parties and public sources
- Payment confirmations from Stripe / PayPal
- Marketing campaign attribution from advertising platforms (Meta, Google)
- Publicly available business directories where applicable
4. HOW WE USE YOUR DATA
We will only use your personal data when legally permitted. The lawful bases we rely on are:
- Contract — to perform the contract between you and us (e.g., delivering a product you purchased)
- Legitimate Interests — where the processing is necessary for our legitimate business interests and doesn’t override your rights
- Legal Obligation — to comply with applicable law
- Consent — for marketing communications and for processing special category data (mental health, perinatal, etc.)
Purposes and lawful basis
| Purpose | Data types | Lawful basis (Article 6) | Special category basis (Article 9, where relevant) |
|---|---|---|---|
| Register you as a customer / set up your account | Identity, Contact | Contract | n/a |
| Deliver products and services you purchased (including running assessments and generating reports) | Identity, Contact, Profile, Special Category | Contract | Explicit consent |
| Process payments and recover monies owed | Identity, Contact, Financial, Transaction | Contract; Legitimate Interest (debt recovery) | n/a |
| Provide personalised programme support and follow-up based on your assessment results | Profile, Special Category | Contract | Explicit consent |
| Generate AI-assisted reports from your assessment responses | Profile, Special Category | Contract | Explicit consent |
| Send you transactional emails (order confirmations, report deliveries, account notifications) | Identity, Contact | Contract | n/a |
| Send you marketing communications | Identity, Contact, Marketing | Consent | n/a |
| Analyse usage of our websites and services to improve them | Technical, Usage | Legitimate Interest | n/a |
| Protect our systems against fraud and abuse | Technical, Usage | Legitimate Interest | n/a |
| Comply with legal, tax, accounting obligations | Identity, Contact, Financial, Transaction | Legal Obligation | n/a |
5. SUB-PROCESSORS
We use the following third-party service providers (“sub-processors”) to deliver our services. We have data processing agreements in place with each of them. They process your personal data only on our instructions and in line with this policy.
| Sub-processor | What they do | Where they process data | Transfer safeguard |
|---|---|---|---|
| GHL (HighLevel / LeadConnector LLC) | CRM, marketing automation, email delivery, payment processing, contact management | USA | UK IDTA / Standard Contractual Clauses + Data Privacy Framework (where applicable) |
| Supabase Inc. | Database hosting for assessment data, application backend | EU (eu-west-1, Ireland) | UK adequacy regulations (Ireland is adequate); SCCs apply where US infrastructure is touched |
| Anthropic, PBC | AI report generation (Claude model). We send your assessment scores (anonymised — no email, no contact ID) to Anthropic’s API to generate your personalised report. Anthropic does not use API data to train its models. | USA | UK IDTA + Data Privacy Framework (Anthropic is DPF-certified) |
| Stripe | Payment processing | USA / Ireland | SCCs / UK IDTA |
| PayPal | Payment processing | USA / Luxembourg | SCCs |
| A2 Hosting | Website hosting | Amsterdam, Netherlands datacenter | SCCs / UK IDTA |
| Google (Analytics) | Analytics, advertising, productivity | USA | UK IDTA + Data Privacy Framework |
| Meta (Facebook, Instagram) | Advertising | USA | UK IDTA + Data Privacy Framework |
| Mailgun | Transactional email delivery | USA | UK IDTA + Data Privacy Framework |
| Skool | Community platform (Fearless Birthing community) | USA | UK IDTA / SCCs |
| Bookfunnel | Book sales/delivery | USA | UK IDTA / SCCs |
6. INTERNATIONAL DATA TRANSFERS
The UK left the EU on 31 January 2020. UK data protection law (the UK GDPR and the Data Protection Act 2018) now governs how we handle personal data of people in the UK.
Many of our sub-processors are based outside the United Kingdom and the European Economic Area (EEA). We rely on the following safeguards when transferring your data internationally:
- UK adequacy regulations — for transfers to countries the UK government has determined provide an adequate level of data protection (including all EEA countries and a list of others).
- UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) with the UK Addendum — for transfers to non-adequate countries (including the USA).
- EU-US Data Privacy Framework (DPF) — for transfers to US companies certified under the framework (including Google, Meta, Anthropic, and several others listed above).
If you would like further information on the safeguards in place for any specific transfer, email hello@fearless-birthing.com
7. DATA SECURITY
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- Encryption in transit — all websites and APIs use HTTPS/TLS
- Encryption at rest — database storage (Supabase, GHL) encrypts data at rest
- Access control — only authorised personnel can access personal data, and access is logged
- Row-level security (RLS) on all assessment-related database tables, restricting access to authorised server-side operations only
- Token-based access to assessment reports — each report has a unique, unguessable 64-character token; reports cannot be enumerated or guessed
- Service role keys for sensitive backend operations are stored only in server-side environment variables, never exposed to client code
- Rate limits and spend caps on API endpoints to prevent abuse
- Regular security audits of our database and edge functions, including automated security advisor checks
We retain logs of access and changes to personal data for audit purposes.
If you become aware of a security issue, please email hello@fearless-birthing.com immediately. We will investigate and notify affected users and the ICO within 72 hours of becoming aware of a personal data breach where required by law.
8. DATA RETENTION
We keep your personal data only as long as we need it.
| Data category | Retention period | Reason |
|---|---|---|
| Customer account data (Identity, Contact) | 6 years after last interaction | UK tax law (HMRC) requires we keep basic customer records for 6 years after the end of the tax year |
| Financial / transaction records | 6 years after the transaction | UK tax law (HMRC) |
| Assessment data (PIRP, anxiety, head-trash assessments) | 2 years after last login/use, then anonymised; |
To allow you to access historic reports, support continuity of care, and improve our services |
| Generated reports (PDF / web reports) | Same as assessment data | Tied to underlying assessment |
| Marketing data (where consent is the basis) | Until you withdraw consent or 3 years of inactivity | Legitimate retention windows for active subscribers |
| Website analytics / server logs | 12 months | Limited retention to balance analytics value with privacy |
| Support correspondence | 3 years after resolution | To handle follow-up queries and improve service |
After the retention period, data is either deleted or fully anonymised (so it can no longer be associated with you).
You can request deletion at any time — see Section 9.
9. YOUR LEGAL RIGHTS
Under UK GDPR you have the following rights:
- Right of access — get a copy of the personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) — request deletion of your data
- Right to restrict processing — limit how we use your data in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — to processing based on legitimate interests, and to direct marketing
- Right to withdraw consent — where consent is the lawful basis (including for special category data and marketing)
- Right not to be subject to automated decision-making — including profiling, where it produces legal or similarly significant effects
PIRP generates a personalised report from your assessment responses using AI (Anthropic’s Claude). This is a suggestion-generating tool, not a diagnostic decision. It does not produce legal or similarly significant effects, and it is reviewed/used by you (and your practitioner, if applicable) — not used to make automated decisions about you.
To exercise any of these rights, email hello@fearless-birthing.com. We will respond within one month. If your request is complex, we may extend this by up to two further months and will let you know.
We may ask you to verify your identity before processing a request, as a security measure.
10. COOKIES
See our separate Cookie Policy at https://www.fearless-birthing.com/cookie-policy/
You can configure your browser to refuse cookies. Some parts of our websites may not function correctly if you disable essential cookies.
11. THIRD-PARTY LINKS
Our websites include links to third-party websites and tools. We are not responsible for their privacy practices. When you leave our sites, please read the privacy policies of any websites you visit.
12. CHANGES TO THIS POLICY
We may update this policy from time to time. The current version is always available at https://www.fearless-birthing.com/privacy-policy/ and the date of the last update is shown at the bottom.
If we make material changes, we will notify you by email or via a prominent notice on our websites before the changes take effect.
Policy last updated: 18th May 2026