📞 +44 7367 094333  |  📱 +44 7723 489555  |  ⏰ Mon–Sat: 8am–8pm

Privacy Policy

Last updated: Last reviewed: March 2026

Home › Privacy Policy

1. Who We Are and How to Contact Us

Physiomedicine (trading name of Physiotherapy London Ltd) is the Data Controller responsible for your personal data collected through this website and our clinical services.

Data Controller Contact Details

Physiomedicine (Physiotherapy London Ltd)
Email: info@physiomedicine.co.uk
Phone: 020 4641 4372
ICO Registration: [Insert ICO Registration Number]

We are registered with the Information Commissioner's Office (ICO) under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our ICO registration number is [Insert Number].

2. What Personal Data We Collect

We collect personal data in the following categories:

CategoryExamplesHow Collected
Identity DataFull name, date of birth, genderBooking forms, clinic intake
Contact DataEmail, phone number, postal addressBooking, enquiry forms
Health Data (Special Category)Medical history, symptoms, treatment notes, referral lettersClinical consultation, intake forms
Financial DataPayment records, insurance policy numbersPoint of sale, booking system
Technical DataIP address, browser type, cookies, pages visitedAutomatically when you visit our site
Communications DataEmails, SMS messages, phone call recordsWhen you contact us
⚠️ Special Category Data: Health and medical information is classified as "special category data" under UK GDPR and receives heightened protection. We only process this data with your explicit consent or where there is another lawful basis under Article 9 UK GDPR.

3. Why We Collect Your Data and the Legal Basis

We process your personal data for the following purposes:

PurposeData UsedLegal Basis
Providing physiotherapy and clinical treatmentIdentity, Health, ContactContract performance; Explicit consent (Art.9(2)(a)); Healthcare treatment (Art.9(2)(h))
Managing appointments and bookingsIdentity, Contact, FinancialContract performance
Processing insurance claimsIdentity, Health, FinancialExplicit consent; Legal obligation
Sending appointment remindersIdentity, ContactContract performance; Legitimate interests
Referring you to other healthcare professionalsIdentity, HealthExplicit consent
Sending marketing communicationsIdentity, ContactConsent (you can withdraw at any time)
Improving our website and servicesTechnical, UsageLegitimate interests
Complying with legal/regulatory obligationsAll categories as requiredLegal obligation

4. How Long We Keep Your Data

We retain personal data only for as long as necessary. Our standard retention periods are:

  • Adult patient clinical records: Minimum 8 years from the date of last treatment (NHS guidelines)
  • Children's clinical records: Until the patient's 25th birthday (or 26th if treatment ended when 17)
  • Financial records: 6 years (HMRC requirement)
  • Marketing consent records: Until consent is withdrawn + 6 months
  • Website technical data (cookies): As defined in our Cookie Policy
  • CCTV footage (where applicable): 30 days

After the retention period expires, your data is securely deleted or anonymised.

5. Who We Share Your Data With

We may share your personal data with trusted third parties in limited circumstances:

  • TM3 (appointment booking system): Secure clinical management platform — processes bookings and clinical notes on our behalf
  • Your GP or referring consultant: Only with your explicit consent, to support your care
  • Health insurers (AXA, Aviva, Bupa, Cigna, Simply Health, Vitality, WPA): To process authorised insurance claims, with your consent
  • Payment processors: For secure payment transactions only — we do not store card data
  • IT service providers: Who maintain our website and systems under strict data processing agreements
  • Regulatory bodies: HCPC, CSP or other regulators where we are legally required to disclose

We never sell your personal data to third parties. We never share your data for commercial marketing purposes without your explicit consent.

6. Transferring Data Outside the UK

Where we transfer your personal data outside the UK, we ensure adequate protection is in place through one of the following mechanisms:

  • The UK Government has determined the destination country provides adequate protection (adequacy decision)
  • Standard contractual clauses approved by the ICO
  • Binding corporate rules where applicable

Our primary clinical management system (TM3) stores data within the UK/EEA. Where any third-party services operate outside these regions, we will notify you and obtain your consent where required.

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of Access: Request a copy of all personal data we hold about you (Subject Access Request)
  • Right to Rectification: Ask us to correct inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data where there is no legitimate reason to retain it
  • Right to Restrict Processing: Ask us to limit how we use your data in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Rights Related to Automated Decision-Making: We do not use automated decision-making or profiling that has legal or significant effects on you
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time
✓ To exercise any of these rights, please contact us at info@physiomedicine.co.uk. We will respond within 30 days. There is no charge for exercising your rights in most circumstances.

You also have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

8. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures including:

  • SSL/TLS encryption on all data transmitted via our website
  • Password-protected and access-controlled clinical management systems
  • Role-based access controls limiting staff access to data on a need-to-know basis
  • Regular staff training on data protection and information security
  • Secure disposal of paper records and electronic data at end of retention period
  • Data Processing Agreements (DPAs) in place with all third-party processors

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where appropriate, notify you directly.

9. Cookies

Our website uses cookies to enhance your experience and analyse usage. For full details of the cookies we use, the data they collect, and how to manage your preferences, please see our Cookie Policy.

10. Children's Data

We treat children's health data with heightened care. Where we provide services to children under 16, we require parental or guardian consent. We retain children's clinical records until their 25th birthday (or 26th if aged 17 at the end of treatment), in line with NHS/HCPC guidelines.

11. Changes to This Policy

We review and update this Privacy Policy periodically. The date at the top of this page reflects the most recent revision. We will notify you of significant changes by email or a prominent notice on our website.

This policy was last reviewed in accordance with the UK GDPR (as retained by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) and the Data Protection Act 2018.