Privacy policy
Privacy Notice (Copy and Paste Into WordPress)
Last Updated: 25 May 2026
This Privacy Notice describes how and why Andrea [Your Surname] trading as OsteoMassageCare (“I”, “we”, “us”, or “our”) collects, stores, uses, and processes your personal information when you use our clinical services or visit our website at https://theosteomassagecare.com (the “Services”).
I am a registered osteopath with the General Osteopathic Council (GOsC No. [Your Number]). For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, I am the Data Controller responsible for your personal information.
If you have any questions or concerns about this notice, please contact me at .
SUMMARY OF KEY POINTS
- What personal information do we process? We process standard identifying information (name, email, phone number, address, date of birth) and Special Category clinical health data (medical history, symptoms, lifestyle factors, diagnoses, and treatment notes) necessary to deliver safe osteopathic care.
- Do we process sensitive personal information? Yes. Because we provide healthcare, we process sensitive health data (“Special Category Data”). We do not process other sensitive categories (such as political opinions, religious beliefs, or sexual orientation) unless they directly impact your clinical treatment plan.
- How do we process your information? Primarily to provide clinical osteopathy, sports massage, and rehabilitation treatments; to schedule appointments; to send confirmations/reminders; to manage invoices and payments; and to comply with statutory healthcare record-keeping laws.
- With whom do we share your personal information? We only share data with secure, GDPR-compliant healthcare sub-processors required to run our practice (primarily Cliniko for clinical records and Stripe for payment processing). We never sell your data.
- How long do we keep your information? We do not delete medical records after 90 days. To comply with UK health regulations and GOsC guidelines, clinical records are kept for a minimum of 8 years following your last appointment (or until a minor reaches age 25).
1. WHAT INFORMATION DO WE COLLECT?
We collect personal information that you voluntarily disclose to us when you book an appointment, fill out our online patient intake forms, or contact us directly.
Personal Information Provided by You:
- Contact & Identity Details: Full name, phone number, email address, physical home address, date of birth, and emergency contact details.
- Financial Information: Credit card details (processed securely via Stripe; we do not store your raw card details).
Special Category Personal Information (Sensitive Health Data):
As a healthcare provider, we collect clinical health details which are classified as sensitive:
- Medical history, current health conditions, family medical history, medications, and previous surgeries.
- Physical assessment findings, diagnoses, treatment plans, and post-session progress notes.
- GP name, surgery address, and contact details.
All personal information you provide must be true, accurate, and complete. Please notify us of any changes to your contact or health details.
2. WHY AND HOW DO WE PROCESS YOUR DATA? (LAWFUL BASIS)
Under the UK GDPR, we must have a valid legal reason (lawful basis) to process your data. We rely on the following bases:
| Category of Data | Purpose of Processing | Lawful Basis (UK GDPR Article 6) | Special Category Basis (UK GDPR Article 9) |
|---|---|---|---|
| Identity & Contact Details | Managing bookings, sending confirmations, SMS reminders, and billing. | Article 6(1)(b) – Contract: Necessary to fulfill our agreement to provide clinical services. | Not Applicable (Non-sensitive) |
| Identity & Contact Details | Administrative operations, responding to inquiries, and requesting reviews. | Article 6(1)(f) – Legitimate Interests: To run and grow our solo practice efficiently. | Not Applicable (Non-sensitive) |
| Clinical Health Data | Taking a case history, diagnosing conditions, formulating safe treatment plans, and recording SOAP notes. | Article 6(1)(b) – Contract and Article 6(1)(c) – Legal Obligation (to keep clinical records). | Article 9(2)(h) – Health & Social Care: The provision of preventative or occupational medicine, medical diagnosis, or health/social care treatment. |
3. WHEN AND WITH WHOM DO WE SHARE YOUR DATA?
We protect your privacy. Your personal information and clinical health records are strictly confidential and will never be shared, sold, or transferred to third parties for marketing purposes.
We share your information only with secure, GDPR-compliant third-party systems (“processors”) necessary to operate the clinic:
- Cliniko (Practice Management System): Your clinical notes, booking details, contact info, and intake forms are stored securely on Cliniko’s encrypted, GDPR-compliant servers.
- Stripe (Payment Gateway): Credit card transactions are processed securely by Stripe. We do not hold or see your raw card information.
- Your General Practitioner (GP) or Specialists: We will only share clinical summaries or referral letters with your GP or other medical professionals with your explicit, written consent, unless required to do so by law in an absolute medical emergency.
4. DO WE USE COOKIES AND TRACKING?
We may use cookies and similar technologies (like web beacons and pixels) to gather basic website usage analytics or remember your booking preferences. You can adjust your browser settings to reject cookies, though this may affect the usability of the online booking system. For complete details, please see our Cookie Policy.
5. HOW LONG DO WE KEEP YOUR INFORMATION?
To comply with the General Osteopathic Council (GOsC) Code of Practice and UK healthcare standards, we retain your records for the following legally mandated periods:
- Adult Patients: Clinical records are retained for a minimum of 8 years after the date of your last treatment.
- Child Patients (Under 18): Clinical records must be retained until the patient’s 25th birthday (or 26th birthday if they were 17 at the conclusion of treatment).
Once the statutory retention period has expired and there is no ongoing medical or legal reason to keep the data, your records will be permanently and securely deleted or anonymized.
6. HOW DO WE KEEP YOUR DATA SECURE?
We have implemented robust technical and organizational security measures to protect your personal and medical information:
- All digital clinical notes, intake forms, and records are stored inside Cliniko, which uses bank-grade AES-256 encryption, regular security audits, and secure, firewalled data centers.
- Devices used to access Cliniko (laptops, mobile devices) are passcode-locked, encrypted, and protected by biometric authentication.
- Although we utilize highly secure systems, no transmission over the internet can be guaranteed 100% secure. You transmit personal details to us at your own risk, and we recommend completing intake forms in a secure web environment.
7. DO WE COLLECT INFORMATION FROM MINORS?
We treat children under the age of 18 only with the explicit written consent and physical presence of a parent or legal guardian. Clinical records for minors are subject to the special retention periods outlined in Section 5.
8. WHAT ARE YOUR PRIVACY RIGHTS?
Under UK data protection law, you have specific rights regarding your personal information:
- Right of Access (Subject Access Request): You have the right to request a copy of the personal data and clinical medical notes we hold about you. We will provide this free of charge within one calendar month.
- Right to Rectification: You can request that we correct inaccurate or incomplete contact details. (Please note that clinical opinions and notes recorded during consultations cannot be altered, but a patient statement can be appended to the record if there is a dispute).
- Right to Restriction of Processing: You can ask us to restrict how we use your contact data.
- Right to Object: You have the right to object to receiving marketing or clinic news updates.
Note on the “Right to Erasure” (Right to be Forgotten): Under UK GDPR, the right to erasure does not override a healthcare professional’s statutory legal obligation to retain medical records. We cannot delete clinical medical records before the 8-year statutory retention period has elapsed.
To exercise any of these rights, please email us at .
9. REGULATORY COMPLAINTS
If you believe we are processing your personal data unlawfully, you have the right to file a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: https://ico.org.uk
10. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
If you have questions, comments, or requests regarding your privacy, please contact:
Andrea [Your Surname]
Data Controller, OsteoMassageCare
- Email:
- Address: [Your Gym/Room Rental Street Address, Telegraph Hill, London, Postcode]