Privacy policy.
1 ABOUT THIS NOTICE
1.1 Who should read this notice? All customers. This privacy notice covers how we look after your personal data if you work with us (whether you are a patient, client or customer).
1.2 What is covered? This privacy notice will cover how we use, look after and manage information that identifies you or could be combined with other information to identify you (referred to as personal data).
1.3 Who checks this notice is enforced? The Information Commissioner’s Office (ICO) is the UK data protection regulator and is responsible for checking that businesses comply with UK data protection law. If you have a complaint or concern, you can complain to the ICO, although we hope that you would come to us first.
2 IMPORTANT INFORMATION ABOUT US
2.1 We are [P]rehab Physiotherapy LTD, registered in England and Wales with company number 10508880 with our registered address at First Floor, Lumiere, Elstree Way, Borehamwood, Herts, England, WD6 1JH (we, us or our).
2.2 We are a controller for your personal data. This means we decide how to use the information we hold about you and how long to keep it (in accordance with applicable data protection laws).
2.3 We are registered as a controller with the Information Commissioner’s Office (ICO) under registered number ZB177327.
2.4 Where you have engaged our services through a third party, such as a partner company or another service provider, we act as independent controllers with respect to your personal data. This means that both we and the third party separately determine how your personal data is used, and may use it for different purposes.
3 CONTACT DETAILS
3.1 If you have any questions about this privacy policy or the way that we use information, please get in touch using the following details:
Data protection officer
-Name: Darel Evans
-Email address: darel@p-rehab.co.uk
-Phone number: 07908604540
4 THE INFORMATION WE COLLECT ABOUT YOU
4.1 Personal data means any information which does (or could be used to) identify a living person.
Below, we have grouped together the types of personal data that we collect and where we receive it from:
Identity Data: name, title, date of birth, job title, gender, emergency contact name and their relationship to you, passport, driving licence.
Contact Data: personal email address, telephone numbers, home address.
Performance Data: your set objectives, assessment outcomes, ad hoc guidance & feedback.
Health Data: medical history, diagnosis, and treatment data.
Feedback: information and responses you provide when completing surveys and questionnaires.
Photo and Image Data: images, videos and audio (e.g. video calls), CCTV footage.
Profile Data: username, password, chat logs, audit trail of systems used and documents accessed and downloaded.
Sensitive Data: information about your racial or ethnic origin, political opinions, gender or sexual orientation, which you may choose to provide to us.
Usage Data: information about how you engage with our services and your utilisation of them.
5 HOW WE USE YOUR INFORMATION
5.1 Under UK data protection law, we need a legal reason (known as a lawful basis) for holding, collecting and using your personal data. There are 7 main legal reasons which organisations can rely on. The most relevant are:
-To provide you with healthcare & coaching services and manage your appointments and treatment. This is essential for delivering our services to you.
-To comply with our legal and regulatory obligations, including keeping accurate medical records and meeting health and safety requirements.
-To pursue our legitimate business interests, but only where these interests do not override your rights and privacy.
-To protect your vital interests or those of another person in emergency situations, such as sharing information with medical professionals or contacting your emergency contact if necessary.
-Where you have given your explicit consent, for example, if you agree to receive marketing communications or participate in research.
These lawful bases ensure that your personal data is handled responsibly, transparently, and in accordance with UK data protection law.
5.2 When We Rely on Each Lawful Basis to Use Your Personal Data
5.2.1 Provision of Care and Coaching Services
-To arrange, manage, and deliver health care and coaching related services to you.
-To communicate with you regarding appointments, training, treatment plans, and follow-up care.
5.2.2 Legal Obligation
-To maintain accurate and complete medical records as required by law and professional guidelines.
-To comply with our legal and regulatory obligations, such as health and safety requirements, or when required to disclose information to authorities.
5.2.3 Legitimate Interests
-To manage and improve our clinic’s services and operations, provided these interests do not override your rights and freedoms.
-To ensure the safety and security of our premises and systems (e.g., use of CCTV or IT monitoring).
-To handle queries, feedback, or complaints, and to audit our business practices.
5.2.4 Vital Interests
-To use your personal data in an emergency, such as disclosing relevant information to medical professionals or contacting your nominated emergency contact if necessary.
5.2.5 Consent
-Where we ask for your explicit consent to use your data for a specific purpose (for example, to send you marketing information or for research participation).
-Where we request and record diversity or other sensitive information not required for your care.
5.3 Special Category Data
Where we process information about your health (special category data), we will usually do so because it is necessary for the provision of health care or treatment, or to comply with our legal obligations. In some cases, we may ask for your explicit consent to process this data, or process it where it is necessary to protect your vital interests or those of another person.
5.4 Lawful Basis for Special Category Data
Our primary lawful basis for processing special category (health) data is that it is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, provision of health or social care, or treatment or management of health or social care systems and services, as permitted under UK data protection law. Where required, we will also seek your explicit consent.
6 WHO WE SHARE YOUR INFORMATION WITH
6.1 We share (or may share) your personal data with:
-Other personnel: our employees (or other types of workers) who have contracts containing confidentiality and data protection obligations. Examples include our external healthcare team, our referral network, and collaborating health departments within a production.
-Show-specific: company managers or production staff, only where it is necessary to do so and specifically in the context of your safety in carrying out your duties on any production.
-Our supply chain: other organisations that help us fulfil our obligations to you and help manage our business. We ensure these organisations only have access to the information required to provide the support we use them for, and we have a contract with them that contains confidentiality and data protection obligations.
-Our professional advisers: such as our accountants or legal advisors, where we require specialist advice to help us conduct our business.
-Any actual or potential buyer of the business.
7 WHERE YOUR INFORMATION IS LOCATED OR TRANSFERRED TO
7.1 Data Hosting Location
Patient information collected and managed by our clinic is stored using Cliniko, a secure practice management system. For UK residents, Cliniko stores personal and health data primarily on servers located within the United Kingdom. These servers are maintained in secure, state-of-the-art data centres with robust physical and electronic security controls.
7.2 Data Security Measures
We will only transfer information outside of the UK or EEA where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located, e.g. by using contracts approved by the European Commission or UK Secretary of State). Cliniko employs industry-standard security protocols to protect patient data, including:
-Encryption of all data in transit (using HTTPS and 2048-bit SSL certificates) and at rest (using AES-256 encryption).
-Restricted access controls, ensuring only authorised personnel can access sensitive information.
-Daily automated backups to safeguard against data loss.
7.3 International Data Transfers
While Cliniko’s primary servers for UK data are located within the UK, there may be occasions where data is processed or accessed outside the United Kingdom. In such cases, Cliniko ensures that appropriate safeguards are in place, including the use of Standard Contractual Clauses and compliance with the UK General Data Protection Regulation (UK GDPR), to maintain the security and privacy of your data.
7.4 Compliance and Subprocessors
Cliniko’s data processing practices are governed by a Data Processing Addendum (DPA), which outlines their compliance with applicable data protection laws, including UK GDPR. Any subprocessors engaged by Cliniko are contractually required to adhere to equivalent data protection and security standards.
7.5 Further Information
For more details on how Cliniko stores and processes your information, or to review their privacy policy, please visit: https://www.cliniko.com/policies/privacy/.
7.6 If you access our systems whilst abroad, then your personal data may be stored on services located in that country.
8 HOW WE KEEP YOUR INFORMATION SAFE
8.1 We have put in place appropriate security and safety measures to prevent your personal data from being lost or illegally accessed by those who do not have permission. These measures include:
-access controls and user authentication (including multi-factor authentication)
-regular testing and review of our security measures
-staff policies and training
-incident and breach reporting processes
8.2 If there is an event or incident affecting your personal data, we will keep you informed. We may also need to notify the regulator (where required under data protection law). If we make decisions about your data jointly with another entity (for example, if you work for us through an agency or a consultancy firm) we and the other entity act as independent controllers for your information (which means the other company and us separately decide how your information is used and use it for different reasons).
9 HOW LONG WE KEEP YOUR INFORMATION
9.1 Where we are responsible for making decisions about how to collect and use your personal data, we will only keep your personal data for as long as necessary to fulfil the purposes we collected it for, or for as long as required to fulfil our legal obligations. Data is kept for no longer than 10 years after treatment has ceased or after death.
9.2 We may keep Identity Data, Contact Data and certain other data (specifically, any exchanges between us by email or any other means) for up to seven years after the end of our contractual relationship with you.
10 YOUR LEGAL RIGHTS
10.1 You have specific legal rights in relation to your personal data. These are as follows:
-Access: You must be told if your personal data is being used and you can ask for a copy of your personal data as well as information about how we are using it to make sure we are abiding by the law.
-Correction: You can ask us to correct your personal data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes.
-Deletion: You can ask us to delete or remove your personal data if there is no good reason for us to continue holding it or if you have asked us to stop using it (see below). If we think there is a good reason to keep the information you have asked us to delete (e.g. to comply with regulatory requirements), we will let you know and explain our decision.
-Restriction: You can ask us to restrict how we use your personal data and temporarily limit the way we use it (e.g. whilst we check that the personal data we hold for you is correct).
-Objection: You can object to us using your personal data if you want us to stop using it. We always comply with your request if you ask us to stop sending you marketing communications. In other cases, if we think there is a good reason for us to keep using the information, we will let you know and explain our decision.
-Portability: You can ask us to send you or another organisation an electronic copy of your personal data.
-Complaints: If you are unhappy with the way we collect and use your personal data, you can complain to the ICO or another relevant supervisory body, but we hope that we can respond to your concerns before it reaches that stage. You should speak to the data protection officer in the first instance.
10.2 If you would like to exercise any of your legal rights, please contact: darel@p-rehab.co.uk