Privacy Policy

1. Who We Are

Urmston Physio Clinic is a private physiotherapy clinic based in Urmston, Manchester. For the purposes of UK data protection law, we are the 'data controller' responsible for your personal information.

If you have any questions about this policy or how we handle your data, please get in touch:

2. What Information We Collect

2.1 Information you give us directly

When you register with us, book an appointment, or get in touch with an enquiry, we may collect:

• Full name
• Date of birth
• Email address
• Phone number
• Home address

2.2 Information provided by third parties

We sometimes receive information from third parties who refer you to us or who are involved in your care. These may include:

• Insurance companies (e.g. Bupa, Aviva, WPA, AXA Health, Simply Health, Vitality)
• Referral agencies (e.g. HCML, IPRS, Nuffield Health)
• Private consultants
• GPs
• Solicitors

The information shared may include your name, date of birth, contact details, policy or case reference numbers, and relevant clinical information. We only receive information from third parties where you have already agreed to share it with them.

2.3 Special category (health) data

As a physiotherapy clinic, we collect and process health information about you. Under UK GDPR, health data is classified as 'special category' data and is given extra protection. We process this data for the purposes of providing you with healthcare treatment, on the legal basis of Article 9(2)(h) of the UK GDPR: processing necessary for the provision of health or social care.

2.4 Information you provide about someone else

If you provide information on behalf of another person (for example, booking an appointment for a child or family member), you confirm that you have their permission to do so and that they are aware of this privacy policy.

2.5 Communications monitoring

We may monitor or record communications such as emails and phone calls for purposes including quality assurance, staff training, fraud prevention, and regulatory compliance.

2.6 Website cookies

Our website uses cookies (small text files placed on your device) to help the site function and to understand how visitors use it. Cookies may collect information such as which pages you visit, how often you visit, and your general location.

We will ask for your consent before placing any non-essential cookies. You can also manage cookies through your browser settings. Please note that disabling some cookies may affect how the website works. We may also link website usage to third-party services such as Google Analytics where you have authorised this.

3. How We Use Your Information

3.1 Legal basis for processing

We process your personal data on the following legal bases:

• Healthcare provision: processing is necessary to provide you with physiotherapy treatment and related services (Article 6(1)(b) and Article 9(2)(h) UK GDPR)
• Legal obligation: we are required to retain certain records by law
• Legitimate interests: for example, to manage our business effectively and maintain the security of our systems
• Consent: for direct marketing communications, where you have opted in

3.2 What we use your information for

We use your information to:

• Book and manage your appointments
• Provide physiotherapy treatment and maintain your health records
• Communicate with your GP, insurer, or other healthcare providers involved in your care
• Release records to you or an authorised third party upon request
• Send you marketing updates, where you have consented to this

4. Who We Share Your Information With

We do not sell or share your data with third parties for their own marketing purposes. We may share your information in the following limited circumstances:

• With third parties directly involved in your care (e.g. your GP, insurer, or referral agency), where you have agreed to this
• With law enforcement or regulatory bodies where we are legally required to do so

5. Third-Party Software and Data Processors

We use trusted third-party services to help us run our clinic. These services act as 'data processors' on our behalf and are only permitted to use your data as instructed by us:

• Halaxy: our practice management system, used for appointment booking and storing health records
• pCloud: used for secure cloud storage of documents and files

Both providers are required to handle your data securely and in compliance with applicable data protection law.

6. How We Store Your Information

Your information may be stored in paper or electronic format. Paper records are kept securely on our premises. Electronic data is stored using Halaxy and pCloud, which use advanced encryption to protect your information.

Some data may be stored on servers outside of the UK. Where this is the case, we ensure that the country or provider offers a level of data protection equivalent to that required under UK law.

While we take all reasonable steps to keep your data secure, no internet-based system can be guaranteed to be completely secure. If you have concerns about the security of your information, please contact us.

7. How Long We Keep Your Information

We only keep your information for as long as necessary. For health records, we are guided by the legal requirements under the Limitation Act 1980, which sets out the timeframes within which personal injury and contract claims can be brought.

As a general rule, we retain health records for a maximum of seven years after your last appointment. Records relating to children may be kept for longer, typically until the child's 25th birthday or seven years after the last appointment, whichever is later.

Once the retention period has passed, your records are securely destroyed.

8. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

8.1 Right to access

You can request a copy of the personal information we hold about you (known as a Subject Access Request). To do this, please contact our Data Protection Officer with proof of identity and details of what information you would like.

8.2 Right to correction

If any information we hold about you is inaccurate or out of date, you can ask us to correct it. Please contact us with proof of identity and details of what needs to be changed.

8.3 Right to deletion

You can ask us to delete some or all of the information we hold about you. Please note that if you have received treatment from us, we are legally required to retain your health records and certain identifying information for the duration of our retention period (see Section 7).

8.4 Right to stop direct marketing

You can ask us to stop contacting you for marketing purposes at any time by emailing, calling, or writing to us, or by clicking the unsubscribe link in any marketing email we send you. Please note that it may take a short period of time to process your request, during which you may still receive communications.

8.5 Other rights

You also have the right to restrict or object to processing in certain circumstances, and the right to data portability. If you wish to exercise any of these rights, please contact our Data Protection Officer.

9. How to Complain

If you are unhappy with how we have handled your personal data, please contact us in the first instance and we will do our best to resolve the matter.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator:

10. Changes to This Policy

We may update this policy from time to time. When we do, we will update the 'last updated' date at the top of this document. We encourage you to review this policy periodically.