Privacy Policy for Croxley Physio Academy


This Privacy Policy outlines how Croxley Physio Academy (“we”, “us”, or “our”) collects, uses, stores, and protects your personal data when you visit our website, croxleyphysioacademy.co.uk, and use our services. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Our Contact Details

Name: Croxley Physio Academy
Website: croxleyphysioacademy.co.uk
Email for Data Protection Queries: [email protected]
Postal Address: 28 Beechcroft Ave, Croxley Green, WD3 3EQ

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

2. The Type of Personal Information We Collect

We currently collect and process the following categories of personal information:

  • Identity and Contact Data: Name, address, email address, phone number, date of birth, gender.

  • Health and Medical Data (Special Category Data): Medical history, current health conditions, treatment notes, physical examination findings, medication details, details of activities and employment relevant to your physiotherapy care.

  • Technical Data: Internet protocol (IP) address, browser type and version, operating system and platform, information about your visit including pages viewed, time spent on site, referral source, and download errors.

  • Usage Data: Information about how you use our website and services.

  • Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.

3. How We Get Your Personal Information and Why We Collect It

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • Direct Interactions: When you:

    • Fill in forms on our website (e.g., contact forms, enquiry forms).

    • Use our online booking system.

    • Communicate with us by phone, email, or in person.

    • Register as a patient at Croxley Physio Academy.

    • Subscribe to our newsletter or other marketing communications.

  • Indirectly from Third Parties (with your consent or where legally permitted):

    • Your General Practitioner (GP).

    • Consultants or other medical professionals.

    • Health insurance companies.

    • Relatives, case managers, or care workers (acting on your behalf).

    • Publicly available sources.

  • Automated Technologies or Interactions: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies and other similar technologies.

We use the information that you have given us in order to:

  • Provide Physiotherapy Services: To deliver and manage your physiotherapy treatment, including scheduling appointments, maintaining continuity of care, and providing appropriate advice and exercises.

  • Manage Our Relationship With You: This includes processing payments, notifying you about changes to our services, and responding to your enquiries.

  • Comply with Legal and Professional Obligations: As physiotherapists, we are required by law and by our regulator, the Health and Care Professions Council (HCPC), together with the professional guidance of the Chartered Society of Physiotherapy (CSP), to accurately record and securely store medical data for specific periods.

  • Improve Our Services: To monitor and review the quality of care, understand patient needs, and train staff (using anonymised data where possible).

  • Marketing: To send you newsletters or information about new services, where you have consented to receive such communications.

4. Lawful Bases for Processing

Under the UK GDPR, the lawful bases we rely on for processing your personal information are:

  • (a) Your Consent: Where you have given clear consent for us to process your personal data for a specific purpose (e.g., for marketing communications). You are able to withdraw your consent at any time by contacting us.

  • (b) Performance of a Contract: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract (e.g., providing physiotherapy services you have booked).

  • (c) Legal Obligation: Where processing is necessary for compliance with a legal obligation that we are subject to (e.g., maintaining patient medical records for statutory periods).

  • (d) Vital Interests: Where processing is necessary to protect your vital interests or those of another natural person.

  • (e) Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and interests (e.g., for internal administrative purposes, security, improving our website and services, and statistical analysis of anonymised data).

For Special Category Data (e.g., health information), we typically rely on:

  • Provision of health or social care: Where processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

  • Explicit Consent: Where you have given explicit consent for us to process your health data for specific purposes not covered by the provision of health care (e.g., for certain research or shared care arrangements not directly part of your treatment).

5. How We Store Your Personal Information

Your information is securely stored. We employ appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Using secure, password-protected electronic record systems (potentially cloud-based with robust security).

  • Encrypting emails containing personal data where appropriate.

  • Transmitting personal data only over secure networks.

  • Restricting access to personal data to authorised employees who have a legitimate need to access it.

  • Ensuring hard copies of personal data are stored securely.

  • Regularly reviewing and updating our security practices.

We keep different types of personal information for varying periods as required by law and professional guidelines:

  • Medical Records: We have a legal obligation to retain medical records for 8 years after the conclusion of treatment. If the record relates to a child or young person (under 18), records must be kept until their 25th birthday or 8 years after death. If the records relate to pregnancy/maternity care, they must be kept for 25 years after the birth of the last child.

  • Contractual Information: Personal information collected in relation to contractual obligations will be held for a period of 6 years after the contract ends.

  • Other Personal Information: We will retain other personal information only for as long as necessary for the purposes for which it was collected or until you request its removal, provided there are no overriding legal or contractual obligations.

We will dispose of your information securely once retention periods expire, typically by secure deletion of electronic records and shredding of hard copies.

6. Data Sharing

We are not in the business of selling your personal information to others. We will not share your information with third parties for marketing purposes.

We may share your information with certain third parties in the following circumstances:

  • With your explicit consent:

    • To refer you to other medical professionals (e.g., GPs, consultants) for further care.

    • To share information with your insurance provider for billing or claim purposes.

  • Service Providers: We may use third-party service providers to support the delivery of our services (e.g., IT systems support, website hosting, online booking platforms). These providers operate under contractual restrictions regarding confidentiality and security and comply with data protection laws.

  • Legal Obligations: Where we are legally obliged to do so (e.g., for law enforcement or regulatory requirements).

  • Business Transfers: In the event of a sale or transfer of all or part of our business, your personal data may be transferred to the new owner or controlling party, who will be permitted to use the data only for the same purposes for which it was originally collected.

  • Anonymised Data: We may compile statistics about the use of our site and services, including data on traffic, usage patterns, and user numbers. All such data will be anonymised and will not include any personally identifying information. This anonymised data may be shared with third parties for analytical purposes.

7. Your Data Protection Rights

Under data protection law, you have rights including:

  • Your right of access: You have the right to ask us for copies of your personal information.

  • Your right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

  • Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.

  • Your right to restriction of processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.

  • Your right to object to processing: You have the right to object to the processing of your personal information in certain circumstances (e.g., direct marketing).

  • Your right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

  • Rights in relation to automated decision-making and profiling: You have rights regarding decisions made solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you; for complex or numerous requests, this period may be extended, in which case we will tell you within the first month why the extension is needed. Please contact us at [email protected] if you wish to make a request.

8. Cookies

Our website uses cookies to distinguish you from other users. This helps us to provide you with a good experience when you browse our website and allows us to improve our site. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Any changes will be posted on this page with an updated “Last Updated” date. We encourage you to review this Privacy Policy periodically.


Last Updated: July 13, 2025