Graceful Physiotherapy – Privacy Policy
At Graceful Physiotherapy, we take the security and privacy of your personal and clinical information very seriously. This Privacy Policy outlines how we collect, use, store, and protect your data in strict compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the regulatory guidelines set out by the Information Commissioner’s Office (ICO).
Practice & Regulatory Details
Data Controller: Kin Li is the ‘Data Controller’ for all personal and health information processed through our services and website.
ICO Registration Number: ZB748452 (Registered with the Information Commissioner’s Office).
1. Personal and Health Information We Collect
To provide safe and effective physiotherapy and sports massage treatments, we collect data through positive opt-in via our website contact forms (WPForms) and our secure online booking system (Cliniko). This includes:
Identification and Contact Information: Full name, date of birth (D.O.B), gender/sex, home address, email address, and telephone number(s).
Emergency Contact Details: Name, relationship, and contact telephone number of your designated emergency contact.
Healthcare Provider Details: Your General Practitioner (GP) name and clinic address.
Clinical Data (Special Category Data): Medical history, current symptoms, lifestyle factors, clinical assessment notes, and treatment plans.
2. Our Lawful Basis for Processing Data
Under the UK GDPR, we process your standard personal data under Article 6(1)(b) (Contract) to manage your bookings, and Article 6(1)(f) (Legitimate Interests) to run our practice safely.
Because we handle health-related medical data, which is classified as Special Category Data, we process this under Article 9(2)(h) of the UK GDPR, which strictly permits the processing of health data for the provision of medical diagnosis, health or social care, or treatment.
3. How We Use Your Data
Graceful Physiotherapy will strictly use your information to:
Confirm, reschedule, or manage your appointments.
Formulate precise, safe, and effective clinical treatment strategies.
Send you essential home exercise programmes (such as Rehab My Patient logs).
Liaise professionally with your General Practitioner (GP), Medical Consultant, or private medical insurance provider (only with your explicit, prior consent, or in rare emergency situations where clinical safeguarding is legally required).
4. Private Medical Insurance (PMI) Data Processing
If your treatment is funded via a Private Medical Insurance provider (such as Bupa, AXA Health, Aviva, Vitality, or WPA), we will collect your insurance membership number, case authorisation codes, and relevant corporate details.
To facilitate direct billing, you grant Graceful Physiotherapy explicit permission to share relevant clinical notes, diagnostic codes, and invoices with your respective insurance provider.
Please note that the ultimate financial liability for the session remains with the patient should the insurer refuse payment for any reason.
5. Data Sharing and Third-Party Processors
We do not, and will never, sell, rent, or share your personal data with third parties for marketing purposes. Your data is only handled via our highly secure, UK GDPR-compliant third-party medical practice software (Cliniko) and encrypted web servers.
6. Use of Cookies
Graceful Physiotherapy and our third-party service providers (such as our secure booking platform, Cliniko) use cookies to distinguish you from other users of our Website and Services. This helps us provide you with a high-quality, seamless experience when you browse our site and allows us to continuously improve our online booking systems.
You can choose to set your web browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. Please note that if you disable or refuse cookies, certain essential parts of our Website and online booking services may become inaccessible or fail to function properly (e.g., processing your appointment selection). For more detailed information about how cookies work and how to manage them, please visit www.allaboutcookies.org.
7. Data Security and Safeguarding Minors
Data Security: All physical and digital records are protected by industry-standard encryption, firewalls, and restricted secure access control protocols.
Minors (Under 16): In alignment with UK safeguarding laws, data regarding patients under the age of 16 will only be gathered with the mandatory consent and presence of a parent or legal guardian.
8. Data Retention Period (UK Medical Standards)
Unlike standard commercial businesses, medical records are governed by statutory retention periods in the UK:
Adult Records: Clinical files will be securely archived and retained for a mandatory 8 years following the conclusion of your treatment.
Children’s Records: Files for patients under 18 will be securely retained until their 25th birthday, or 8 years after their last treatment (whichever is longer).
Once this legal period expires, all digital and physical files are permanently and securely destroyed.
9. Cancellation and No-Show Policy
To respect the time of our practitioners and other patients on our waiting list, Graceful Physiotherapy operates a strict 24-hour cancellation policy.
If you need to cancel or reschedule your appointment, you must provide us with at least 24 hours’ notice.
Cancellations made less than 24 hours before the scheduled appointment, or failure to attend (No-Show), may incur a charge of up to 100% of the full session fee.
Late arrivals may result in a shortened treatment session, with the full fee still applicable.
By booking an appointment through our website or Cliniko platform, you explicitly agree to these commercial terms.
10. Your Legal Rights and ICO Escalation
Under the UK GDPR, you hold significant rights regarding your data, including the Right of Access (Subject Access Request), Right to Rectification, and Right to Restrict Processing.
Please note: While you have the right to request the deletion of your data, our legal and professional obligation as registered UK healthcare practitioners to retain clinical treatment records for statutory periods will override the right to erasure for clinical files.
How to raise a concern or complaint:
If you have any questions or wish to raise a concern about how we handle your data, please contact us directly at: kin@gracefulphysio.co.uk
If you remain unsatisfied with our response, you have the absolute legal right to lodge a formal complaint with the UK’s independent privacy regulatory body:
The Information Commissioner’s Office (ICO)
Website: https://www.ico.org.uk
Helpline: 0303 123 1113
