PRIVACY NOTICE
Last updated: 13th February 2026
1. Scope and who this notice applies to
This privacy notice explains how Southampton Physio Limited (“we”, “us”, “our practice”) collects, uses, stores and protects your personal information, including information about your health.
This notice applies to:
- Patients – current, former and prospective patients, including children and young people
- People making enquiries by phone, email, web form or in person
- Website visitors where cookies or analytics are used
If you are a member of staff, a separate privacy notice for employees is available on request.
This privacy notice is provided to meet our obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).
2. Who we are and how to contact us
Data controller:
Southampton Physio Limited
35 Bedford Place
Southampton
SO15 2DG
Trading as: Southampton Physio
ICO registration number: ZB845452
Data Protection Officer: Ian Greaves
Email: ian@southampton-physio.co.uk
Telephone: 07751 752068
If you have any questions about how we handle your personal information, or wish to exercise any of your data protection rights, please contact Ian Greaves using the details above.
3. About our practice and the services we provide
Southampton Physio is a multidisciplinary musculoskeletal (MSK) clinic. Our team includes:
- Osteopaths, regulated by the General Osteopathic Council (GOsC)
- Physiotherapists, regulated by the Health and Care Professions Council (HCPC)
- Sports therapists, registered with the Society of Sports Therapists (SST)
All clinicians and administrative staff are employees of Southampton Physio Limited. We provide assessment, diagnosis, treatment and ongoing care for a wide range of musculoskeletal conditions, injuries and movement problems. We may also provide exercise prescription, rehabilitation programmes, lifestyle advice and other related services.
All staff are bound by professional and contractual confidentiality obligations and receive regular training in data protection.
4. Categories of personal data we collect
We collect and process the following types of personal information:
a) Identification and contact information
- Full name, date of birth, gender/sex
- Home address, email address, telephone number(s)
- Emergency contact details
- GP name and address
- NHS number (where provided)
b) Financial and administrative information
- Payment and billing records
- Private medical insurance details (company name, policy number, authorisation codes)
- Employer details where you are referred via occupational health or an employer-funded scheme
c) Clinical and health information (special category data)
The information we collect about your health includes:
- Your presenting complaint, symptoms and concerns
- Detailed medical history, including past injuries, surgery, medications and other treatments
- Biopsychosocial information: mental health and wellbeing, lifestyle factors (e.g. occupation, physical activity, sleep, smoking, alcohol use), pregnancy status, and social factors affecting your health
- Physical examination findings
- Clinical assessments, diagnoses and treatment plans
- Clinical notes recorded during and after each appointment
- Outcome measures, progress tracking and review notes
- Exercise programmes prescribed via Physitrack, and your adherence/feedback
- Strength and movement assessment results from Kinvent dynamometer testing
- Imaging reports, referral letters and correspondence from GPs, consultants or other health professionals
d) Visual clinical records
With your explicit verbal consent, we may occasionally record:
- Video footage of movement or gait for assessment purposes
- Photographs of posture, injury sites or treatment progress
These recordings are stored securely as part of your clinical record.
e) Referral and communication records
- GP and consultant referral letters
- Correspondence with other healthcare providers involved in your care
- Records of phone calls, messages and appointment communications (including calls handled by our AI receptionist service)
- Appointment history, attendance and cancellations
f) Website and digital information
- IP address, browser type, device and operating system information
- Pages visited on our website, time spent and navigation paths
- Cookie identifiers and analytics data (where you have consented via our cookie banner)
- Information you provide via online enquiry forms, booking widgets or patient portals
g) Audio recordings during consultations
Our AI medical scribe tool (Heidi Health) may temporarily process audio from your consultation to generate draft clinical notes. The audio recording is not stored and is deleted immediately after the draft note is produced. Only the written note (reviewed and approved by your clinician) is retained in your record. You will be informed at the start of any appointment where this tool is used, and you can opt out at any time.
5. Where we get your information from
We collect personal information from the following sources:
a) Directly from you
- During appointments, consultations and assessments
- Through telephone calls, emails and text messages
- Via our website enquiry forms, online booking system and patient portals
- Through digital intake forms completed via Cliniq Apps
- From exercise feedback and progress reports you submit via Physitrack
b) From other healthcare professionals
- GP referral letters and medical summaries
- Hospital consultant letters and reports
- Diagnostic imaging reports (X-ray, MRI, ultrasound, etc.)
- Letters and clinical summaries from other physiotherapists, osteopaths, chiropractors, podiatrists, psychologists or allied health professionals involved in your care
c) From insurers and case managers
- Private medical insurance companies providing authorisation details or case information
- Medico-legal companies and case management providers
- Self-insured employers or occupational health services commissioning your treatment
d) From family members or representatives
- Parents or guardians providing information about children or young people in their care
- Family members, friends or carers booking appointments or providing information on your behalf with your knowledge
6. How and why we use your personal information
We use your personal information for the purposes set out below. For each purpose, we have identified the lawful basis under the UK GDPR and, where we process special category health data, the additional condition under Article 9.
a) Direct patient care and clinical record-keeping
What this includes:
- Taking your medical history and assessing your condition
- Diagnosing, treating and monitoring your progress
- Planning and delivering your care, including exercise prescription and rehabilitation
- Maintaining accurate, up-to-date clinical records
- Communicating with you about your treatment, appointments and care
- Safety monitoring and managing risks to your health
Lawful basis (Article 6 UK GDPR):
Performance of a contract – you have engaged us to provide healthcare treatment (Article 6(1)(b)); and/or
Legitimate interests – providing safe, effective, evidence-based healthcare is a fundamental legitimate interest (Article 6(1)(f))
Special category condition (Article 9 UK GDPR):
Health or social care – provision of health or social care and management of health or social care systems and services (Article 9(2)(h)), with Data Protection Act 2018, Schedule 1, paragraph 2 (health or social care purposes)
b) Appointment and practice administration
What this includes:
- Booking, rescheduling and managing appointments
- Sending appointment confirmations and reminders (via SMS, email or phone, including through our AI receptionist service and Cliniq Apps)
- Processing payments and issuing receipts
- Managing insurance claims and authorisations
- Dealing with cancellations and missed appointments
Lawful basis:
Performance of a contract (Article 6(1)(b)) and/or legitimate interests in running an efficient, well-organised practice (Article 6(1)(f))
Special category condition:
Article 9(2)(h) – where appointment type, frequency or related information reveals health details
c) Sharing information with other healthcare professionals
What this includes:
- Preparing letters, reports or summaries for your GP, hospital consultants, or other therapists involved in your care
- Responding to referrals from other healthcare providers
- Coordinating care with other professionals where clinically appropriate
How we share:
We normally share information with other healthcare professionals involved in your care on the basis that this is necessary for safe, joined-up care. We will usually also seek your explicit agreement before sharing, and in many cases we provide you with a letter or report to pass on yourself, so you remain in control of what is shared and when. In urgent situations (e.g., safeguarding concerns, serious safety risks), we may share information directly where legally required or where delay would put you or others at risk.
Lawful basis:
Performance of a contract (Article 6(1)(b)) and/or legitimate interests in providing safe, coordinated healthcare (Article 6(1)(f)); and consent (Article 6(1)(a)) where you have given explicit agreement
Special category condition:
Article 9(2)(h) – health or social care purposes
d) Legal and regulatory compliance
What this includes:
- Responding to requests or investigations from our professional regulators (General Osteopathic Council, Health and Care Professions Council, Society of Sports Therapists)
- Complying with requests from the Information Commissioner’s Office (ICO)
- Meeting safeguarding duties (protecting children and vulnerable adults)
- Reporting serious incidents or safety concerns as required by law
- Complying with professional indemnity and insurance requirements
- Responding to court orders, legal processes or other statutory obligations
Lawful basis:
Legal obligation (Article 6(1)(c))
Special category condition:
Substantial public interest – regulatory and safeguarding functions (Article 9(2)(g) with DPA 2018 Schedule 1); and/or health or social care purposes (Article 9(2)(h))
e) Complaints, legal claims and dispute resolution
What this includes:
- Handling and investigating complaints
- Defending or pursuing legal claims or regulatory proceedings
- Sharing relevant information with our legal advisers, professional indemnity insurers, and representatives
Lawful basis:
Legitimate interests – protecting our legal rights and defending claims (Article 6(1)(f)); and/or legal obligation (Article 6(1)(c))
Special category condition:
Establishment, exercise or defence of legal claims (Article 9(2)(f))
f) Clinical governance, quality improvement and audit
What this includes:
- Internal clinical audit and outcome monitoring
- Reviewing and improving our treatment protocols and services
- Supervising and supporting clinical staff
- Investigating and learning from incidents or near-misses
- Maintaining professional standards and continuous improvement
Lawful basis:
Legitimate interests – maintaining high standards of care and patient safety (Article 6(1)(f))
Special category condition:
Health or social care purposes – management of health services and quality assurance (Article 9(2)(h) with DPA 2018 Schedule 1, paragraph 2)
g) Patient recall, reactivation and continuity of care
What this includes:
- Sending messages (via Cliniq Apps, SMS or email) to remind you when a follow-up or review appointment may be beneficial (e.g., “You haven’t been in for 3 months; you might benefit from a check-up”)
- Checking in with patients who have not completed a course of treatment
Lawful basis:
Legitimate interests – supporting continuity of care and patient outcomes (Article 6(1)(f))
PECR compliance:
We send these messages to existing patients about healthcare services you have previously used. Every message includes a clear and easy way to opt out. If you opt out, we will stop sending recall messages but will continue to send essential appointment confirmations and reminders for bookings you have made.
Special category condition:
Article 9(2)(h) – health or social care purposes
h) Marketing communications and newsletters
What this includes:
- Sending our monthly email newsletter (via Brevo) with clinic news, health tips, new services and special offers
- Other promotional emails or messages about our services
Who we send to:
- Current patients who have given explicit consent
- People who have subscribed via our website, social media or events and given explicit consent
Lawful basis:
Consent (Article 6(1)(a))
PECR compliance:
We only send marketing emails and SMS to individuals who have explicitly opted in or subscribed. Every message includes an unsubscribe link, and you can withdraw your consent at any time.
We do not send marketing messages about unrelated third-party products or services.
i) Internal teaching, professional supervision and staff development
What this includes:
- Using de-identified copies of consultation notes and transcripts for supervising clinicians, mentoring, teaching and quality improvement
- Analysing anonymised or pseudonymised clinical scenarios to improve our practice and support professional development
- Where appropriate, using external AI tools (such as large language models) to assist with analysis of these de-identified records
How we protect your identity:
- We remove all direct identifiers: name, date of birth, contact details, appointment dates/times, and other obviously recognisable information
- The resulting data is pseudonymised – your treating clinician may be able to recognise it, but others cannot
- These records are used only within the practice for internal training and improvement
- Where we use external AI tools (ChatGPT, Claude, Perplexity or similar large language models) to assist with analysis of de-identified training material, we do so under business terms that prohibit the providers from using your information to train their public models, and we only send information that has been robustly de-identified
- These external AI providers act as our data processors for this pseudonymised data, and any transfers outside the UK are protected by appropriate safeguards including Standard Contractual Clauses (see Section 8)
Lawful basis:
Legitimate interests – improving the quality of care through staff training, supervision and evidence-based practice development (Article 6(1)(f))
Special category condition:
Health or social care purposes – quality assurance and training (Article 9(2)(h) with DPA 2018 Schedule 1, paragraph 2)
Your right to object:
You have the right to opt out of your information being used for these internal teaching and development purposes. If you object, it will not affect the care you receive. Please contact our Data Protection Officer (details in Section 2) to opt out.
Please note: If you wish to opt out of any of the uses described in this section, please inform us in writing. We will record your opt-out preference in your clinical record and ensure all staff are aware. You can change your mind at any time.
Whether providing your information is mandatory
For treatment:
- There is no legal obligation for you to become a patient of Southampton Physio
- However, if you choose to receive treatment from us, providing certain information is a contractual requirement
- We need accurate information about your identity, contact details, medical history and current symptoms to assess and treat you safely
- If you choose not to provide this information, or provide incomplete or inaccurate information, we may not be able to accept you as a patient or continue your treatment
For insurance claims:
- If you are claiming on private medical insurance, providing policy details and authorisation information is necessary for us to process your claim
- If you do not provide this information, you will need to pay for treatment privately
For other purposes:
- Marketing communications, newsletter subscriptions, and use of your pseudonymised data for teaching are entirely optional – you can opt out at any time without affecting your care
7. Who we share your information with
We will only share your personal information where necessary for the purposes set out in Section 6, and where we have a lawful basis to do so.
a) Within our practice
Your information is shared between our clinical and administrative staff on a “need to know” basis:
- Clinicians (osteopaths, physiotherapists, sports therapists) may access your clinical record where they are involved in your care or providing cover
- Administrative staff have access to your contact details and appointment information to manage bookings and communications
- All staff are employees of Southampton Physio Limited, are bound by confidentiality obligations, and receive regular data protection training
b) Other healthcare professionals
With your explicit consent, we share clinical information with:
- Your GP
- Hospital consultants and specialists
- Other physiotherapists, osteopaths, chiropractors, podiatrists, psychologists or therapists involved in your care
We typically provide you with a letter or report to share yourself, so you control what is passed on and when. In urgent situations (e.g., safeguarding concerns), we may share information directly where legally required.
c) IT systems and service providers (data processors)
We use the following trusted third-party systems and providers who process personal data on our behalf under written Data Processing Agreements:
Cliniko – Practice management and electronic health record system
- What they do: Host and manage our clinical records, appointment system, billing and patient communications
- Data shared: All patient information including clinical notes, contact details, appointment history, payment records
- Location: Data for UK accounts is stored in the UK
- Role: Data processor acting on our instructions
Cliniq Apps – Patient engagement and communications platform
- What they do: Digital intake forms, appointment reminders, recall and reactivation messages, SMS/email delivery
- Data shared: Name, contact details, appointment information; may include limited clinical context in message templates
- Role: Data processor
Physitrack – Exercise prescription and rehabilitation platform
- What they do: Deliver personalised exercise programmes, track adherence and collect patient feedback
- Data shared: Name, email, date of birth (sometimes), exercise programmes, progress and symptom reports
- Location: Data processed on secure cloud infrastructure with GDPR-compliant safeguards
- Role: Data processor
Kinvent – Strength and movement assessment tools
- What they do: Record and analyse strength, range of motion and functional test results
- Data shared: Name, test results and assessment data (which are health data)
- Location: EU-based provider; data hosted in the EU
- Role: Data processor – Kinvent processes test data on our instructions as part of your assessment and treatment
- Your consent: You will be asked for explicit consent within the Kinvent system when these assessments are used
Verbalise.ai – AI-powered telephone answering and receptionist service
- What they do: Answer incoming calls, take messages, assist with bookings and basic enquiries, process payments over the phone
- Data shared: Caller phone number, name, contact details, brief description of reason for calling (which may reveal health information), call metadata and recordings/transcripts
- Location: Data may be processed outside the UK, including in the USA (via Verbalise’s sub-processors including OpenAI for AI voice processing), under appropriate safeguards including Standard Contractual Clauses as set out in our Data Processing Agreement with Verbalise
- Role: Data processor
- Your choice: You can ask to speak to a human team member or request a call-back instead of interacting with the AI service
Heidi Health – AI medical scribe and clinical documentation tool
- What they do: Listen to consultations and generate draft clinical notes, which your clinician reviews and approves before saving to your record
- Data shared: Everything discussed during your consultation (high-sensitivity health data)
- How it works: Audio is processed in real time to create a draft summary; the audio recording is not stored and is deleted immediately after transcription. Only the final approved written note is retained in your clinical record
- Location: Data is processed within UK-hosted infrastructure under NHS-aligned security standards
- Role: Data processor
- Your consent and opt-out: You will be informed at the start of any appointment where Heidi is used, and you can opt out at any time. Opting out will not affect the quality of your care
Brevo – Email marketing and newsletter platform
- What they do: Send our monthly newsletter and occasional marketing emails to subscribers
- Data shared: Name, email address, subscription preferences, email engagement data (opens, clicks)
- Location: Data hosted in secure EU data centres; may use sub-processors with appropriate safeguards
- Role: Data processor
Google Analytics and Google Ads – Website analytics and advertising tools
- What they do: Collect anonymous or pseudonymous data about how visitors use our website; measure advertising effectiveness
- Data shared: IP address (or truncated IP), device/browser information, pages visited, actions on site
- Location: Data may be transferred to the USA and other countries under Google’s international data transfer safeguards (Standard Contractual Clauses)
- Your consent: These tools only activate if you consent via our cookie banner
- Important: We do not intentionally send identifiable health information, diagnostic details or form content revealing your condition to Google
Meta (Facebook) Pixel – Advertising measurement and optimisation
- What they do: Track website visits and interactions to measure and improve the effectiveness of our social media advertising
- Data shared: Device/browser data, pages visited, actions taken; no identifiable health information
- Location: Data may be transferred to the USA under Meta’s data transfer safeguards
- Your consent: This tool only activates if you consent via our cookie banner
- Important: We do not send health information, personal identifiers or sensitive query data to Meta, in line with their prohibited data policies
External AI analytics tools (for internal teaching and quality improvement)
- What they do: We may use large language model AI services (such as ChatGPT, Claude, Perplexity) to assist with analysis of pseudonymised consultation transcripts for staff supervision, teaching and quality improvement
- Data shared: De-identified consultation content with all direct identifiers removed (names, dates, contact details, recognisable specifics). Your treating clinician may still be able to recognise the case, but others cannot
- Location: These providers are based in the USA (OpenAI, Anthropic, Perplexity AI Inc)
- Transfers: Governed by Standard Contractual Clauses under our business agreements with these providers
- Role: Data processors
- Safeguards: We use business/API terms that prohibit these providers from using your data to train their public models
- Your right to object: You can opt out of your pseudonymised data being used for these purposes (see Section 6(i))
d) Payment processors
We use secure third-party payment processors to handle card and online payments. These providers process transaction data (card details, amount, date) but do not have access to your clinical records. Payment processors operate under the PCI DSS security standard.
e) Professional advisers and insurers
We may share your information with:
- Professional indemnity insurers – where required for insurance purposes or in the event of a claim
- Legal advisers – where necessary to obtain legal advice or defend/pursue legal action
- Accountants and auditors – for financial compliance and audit (access to financial records only, not clinical notes)
These recipients are bound by their own professional confidentiality and data protection obligations.
f) Private medical insurers and case managers
Where you are claiming on private medical insurance or are referred via a medico-legal or case management company, we share:
- Clinical summaries and progress reports
- Invoices and treatment details
- Information required to obtain authorisation or ongoing funding
We only share what is necessary for the insurer or case manager to assess and process your claim.
g) Regulators, law enforcement and statutory bodies
We may be legally required to share information with:
- Our professional regulators (General Osteopathic Council, Health and Care Professions Council, Society of Sports Therapists)
- The Information Commissioner’s Office (ICO)
- Local authorities (for safeguarding or public health purposes)
- Police, courts or other law enforcement bodies (where required by law or court order)
- NHS bodies or public health authorities (for public health or safety reasons)
We will only share the minimum information necessary to meet our legal obligations.
h) In the event of business restructuring
If Southampton Physio Limited is sold, merged, or restructured, your personal data may be transferred to the new owner or entity, but only where they agree to uphold the same data protection standards. We would inform you of any such change.
8. International transfers of personal data
Some of the systems and service providers we use may process or store your personal data outside the United Kingdom. Where this happens, we ensure that appropriate safeguards are in place to protect your information in accordance with UK data protection law.
Systems hosted in the UK
The following systems store data in the United Kingdom:
- Cliniko (practice management system) – data for UK accounts is hosted in UK data centres
- Heidi Health (AI medical scribe) – data is processed within UK-hosted infrastructure
Systems hosted in the EU/EEA
The following providers are based in or host data within the European Union or European Economic Area, which has been recognised as providing adequate data protection:
- Brevo (email newsletters) – hosted in EU data centres
- Kinvent (assessment tools) – EU-based provider with data hosted in the EU
- Physitrack (exercise prescription) – GDPR-compliant with secure EU/international hosting and appropriate safeguards
Systems involving transfers outside the UK/EEA
Some service providers may transfer or process data in countries outside the UK and EU, including the United States. Where this occurs, we rely on the following safeguards:
Google Analytics and Google Ads
- Data may be transferred to the USA and other countries
- Transfers are governed by Standard Contractual Clauses (SCCs) approved by the UK and EU, along with additional technical and organisational safeguards implemented by Google
- Further details: Google’s safeguards for international data transfers
Meta (Facebook) Pixel
- Data may be transferred to the USA
- Transfers are governed by Standard Contractual Clauses and Meta’s data transfer mechanisms
- Only activated with your consent via our cookie banner
Verbalise.ai (AI receptionist)
- Call data (including voice, transcripts and health-related information disclosed during calls) may be processed in the USA and other countries outside the UK via Verbalise’s sub-processors, including OpenAI Inc for AI processing
- Transfers are governed by Standard Contractual Clauses under our Data Processing Agreement with Verbalise, and Verbalise’s onward agreements with its sub-processors
Cliniq Apps and other processors
- May use sub-processors or cloud infrastructure located outside the UK/EEA
- All transfers are covered by Data Processing Agreements with appropriate safeguards (Standard Contractual Clauses or International Data Transfer Agreements)
External AI analytics providers (ChatGPT, Claude, Perplexity)
- Pseudonymised consultation transcripts used for internal teaching and quality improvement may be processed by US-based AI providers (OpenAI Inc, Anthropic Inc, Perplexity AI Inc)
- Transfers are governed by Standard Contractual Clauses under our business agreements with these providers
- These providers are prohibited from using your data to train their public models under our contractual terms
Your rights
You have the right to request further information about the safeguards we use for international data transfers. Please contact our Data Protection Officer (details in Section 2) if you would like more details about how your data is protected when transferred internationally.
9. How long we keep your information
We only keep your personal information for as long as necessary to fulfil the purposes for which it was collected, to meet our legal and regulatory obligations, and to protect our legal rights.
a) Patient clinical records
Adults (patients aged 18 and over):
- We retain your full clinical record for 8 years after your last appointment or contact with us
- This period is based on professional guidance and allows us to meet our legal, regulatory and clinical obligations
Children and young people (under 18):
- We retain clinical records until the patient’s 25th birthday
- This longer retention period reflects the fact that legal claims relating to childhood treatment can be brought up to the age of 21 (or later in some circumstances)
Extended retention:
- In some cases, we may need to keep records for longer than the standard periods, for example:
- Where there is an ongoing medico-legal case or potential claim
- Where there are specific clinical reasons for longer retention (e.g., complex long-term conditions)
- Where we have a legal obligation or court order to retain records
- Where you have given explicit consent for us to retain records for a longer period
- If we keep your records for longer than the standard period, we will review the continued need for retention regularly
After the retention period:
- Once the retention period expires, we securely delete or destroy your clinical records unless there is a specific legal reason to retain basic information (e.g., to demonstrate that we have complied with an erasure request)
b) Enquiry and non-patient records
If you contact us with an enquiry but do not go on to book or attend an appointment, we will keep your contact details and enquiry information for 1 year, after which it will be securely deleted unless you have subscribed to our newsletter or given consent for ongoing contact.
c) Marketing and newsletter data
Newsletter subscribers:
- We keep your email address and subscription preferences for as long as you remain subscribed
- We review our mailing list every 6 months and may remove subscribers who have not engaged with our newsletters (opened or clicked) for 12 months or more
- You can unsubscribe at any time using the link in every email, and we will delete your data within 30 days unless we have another lawful basis to retain it (e.g., you are also a current patient)
Recall and reactivation lists:
- Contact details for patients eligible for recall messages are retained while you remain an active or recent patient
- If you opt out of recall messages, we suppress your details but keep a record of your opt-out to ensure we do not contact you again
d) Financial and accounting records
We retain invoices, payment records, insurance claims and related financial data for 7 years after the end of the financial year in which the transaction occurred. This is required to meet our legal obligations under tax and accounting law.
e) Website analytics and cookies
Google Analytics:
- Analytics data collected via cookies is retained in our Google Analytics account in line with our configured retention settings and Google’s data retention policies
- This data is pseudonymised and used only for aggregate reporting
- The analytics cookies themselves expire after the lifetime set by Google (typically 14-26 months); our cookie banner controls whether they are set in the first place (see Section 13), not how long they last once set
Meta Pixel:
- Event data sent to Meta is subject to Meta’s data retention policies
- You can manage or delete this data via your Facebook account settings
f) AI and system-generated data
Heidi Health transcription audio:
- Audio captured during consultations for transcription is held only transiently: it is not retained once the draft note has been generated and is deleted at that point (typically within seconds). The resulting transcripts are retained for 90 days.
Verbalise.ai call recordings:
- Call recordings and transcripts are retained in accordance with Verbalise's data retention policy and for no longer than our service agreement with Verbalise lasts. In practice, recordings are retained only as long as necessary for quality assurance and service improvement, and are then securely deleted
Pseudonymised data for teaching and supervision:
- De-identified consultation transcripts used for internal teaching and staff development are retained for as long as they remain useful for training purposes, typically up to 3 years, and are then securely deleted
10. How we keep your information secure
We take the security of your personal information very seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, destruction or damage.
Our security measures include:
Physical security:
- Secure premises with controlled access
- SimpliSafe security system with 24-hour monitoring and response
- Locked storage for any paper records
- Confidential waste disposal for documents containing personal information
Technical security:
- All electronic patient records and systems are password-protected and encrypted
- Access controls ensure that staff can only access information necessary for their role
- Regular software updates and security patches
- Secure, encrypted backup systems
- Firewall and anti-virus protection
- Secure, encrypted connections (HTTPS/TLS) for all online communications and data transfers
Organisational security:
- All staff receive regular training in data protection, confidentiality and information security
- Staff are bound by contractual confidentiality obligations
- Clear policies and procedures for handling personal data
- Incident response procedures in case of a data breach
- Regular review and audit of our security measures
Third-party processors:
- All service providers who process personal data on our behalf are carefully selected and must demonstrate appropriate security standards
- We use written Data Processing Agreements to ensure they protect your information and only use it in accordance with our instructions
- Many of our key systems (Cliniko, Heidi Health, Physitrack, Brevo) are ISO 27001 certified or meet equivalent security standards
Data breach notification
In the unlikely event of a personal data breach, we will:
- Take immediate steps to contain the breach and limit its impact
- Notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to your rights and freedoms
- Notify you directly without undue delay if the breach is likely to result in a high risk to you
- Keep a record of the breach, its effects and the remedial action taken, whether or not it was reportable
11. Your data protection rights
Under the UK GDPR and Data Protection Act 2018, you have the following rights in relation to your personal information:
a) Right to be informed
You have the right to clear, transparent information about how we use your personal data. This privacy notice, and any other information we provide to you, fulfils this right.
b) Right of access (Subject Access Request)
You have the right to request a copy of the personal information we hold about you. This is commonly known as a “Subject Access Request” or SAR.
How to make a request:
- Contact our Data Protection Officer in writing (email or letter – details in Section 2)
- We do not charge a fee for this service unless your request is manifestly unfounded or excessive
- We will provide your information within 1 month of receiving your request (we may extend this by up to 2 months for complex or multiple requests, and will let you know if this is necessary)
What we need from you:
To protect your privacy and confirm your identity, we may ask you to provide:
- One piece of identification, preferably photographic (driving licence or passport; a birth certificate may be accepted where you hold neither)
- One proof of address (utility bill, bank statement or council tax bill dated within the last 3 months)
The level of identity verification we require will be proportionate to the sensitivity of the information and the risk involved. For established patients whose identity we already know well, we may require less documentation. If the quality of documents is unclear or we have concerns about the identity of the requester, we may ask for additional verification before releasing your records.
What you will receive:
- A copy of your personal data in electronic format (typically a PDF sent via secure email)
- Information about how and why we are processing your data
- Details of who we have shared your data with (if applicable)
- How long we intend to keep your data
- Information about your other rights
c) Right to rectification
You have the right to ask us to correct personal information that is inaccurate or incomplete.
Please note:
- Clinical records are legal documents and must remain accurate reflections of what was observed, discussed or decided at the time
- If you believe a clinical note is factually incorrect, we will review it with the treating clinician
- Where appropriate, we will add a correction or supplementary note to your record; in some cases we may not be able to delete or alter the original entry but will ensure your view is recorded
- We can readily update administrative details (contact information, GP details, insurance information, etc.)
d) Right to erasure (“right to be forgotten”)
In certain circumstances, you have the right to ask us to delete your personal information.
When this right applies:
- The information is no longer necessary for the purpose it was collected
- You withdraw consent (where consent was the lawful basis) and we have no other legal basis to continue processing
- You object to processing based on legitimate interests and there are no overriding legitimate grounds for us to continue
- The data has been processed unlawfully
- Erasure is required to comply with a legal obligation
When this right does NOT apply:
- We need to retain the information to comply with a legal obligation (e.g., professional record-keeping requirements, accounting law, regulatory obligations)
- The information is needed for the establishment, exercise or defence of legal claims
- The processing is necessary for public health or archiving purposes in the public interest
For clinical records, we are generally required by law and professional regulations to retain records for the periods set out in Section 9, so requests for erasure during these periods will normally be refused. After the retention period has expired, records are securely deleted as a matter of course.
e) Right to restriction of processing
You have the right to ask us to restrict (but not delete) your personal data in certain situations:
- You contest the accuracy of the data (we will restrict processing while we verify accuracy)
- Processing is unlawful but you do not want the data erased
- We no longer need the data, but you need it for a legal claim
- You have objected to processing based on legitimate interests (we will restrict while we verify whether our legitimate grounds override your interests)
Where processing is restricted, we will store the data but not use it (except with your consent, for legal claims, or to protect another person’s rights).
f) Right to data portability
Where we process your data based on consent or contract, and the processing is carried out by automated means, you have the right to:
- Receive your personal data in a structured, commonly used and machine-readable format (e.g., CSV or JSON rather than a scanned document or PDF)
- Request that we transmit your data directly to another organisation (where technically feasible)
This right applies primarily to data you have provided to us (e.g., contact details, intake forms, exercise adherence data) rather than clinical notes created by our clinicians.
g) Right to object
You have the right to object to processing of your personal data in certain circumstances:
Objection to processing based on legitimate interests:
- If we are processing your data on the basis of legitimate interests (e.g., internal quality improvement, recall messages), you can object
- We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or we need the data for legal claims
Objection to direct marketing:
- You have an absolute right to object to your data being used for direct marketing at any time
- We will stop all marketing communications immediately
- You can opt out by clicking “unsubscribe” in any marketing email, or by contacting us
Objection to use of data for teaching/research:
- You can object to your pseudonymised data being used for internal teaching, supervision or quality improvement (as described in Section 6(i))
- Your objection will not affect the care you receive
h) Rights relating to automated decision-making and profiling
You have the right not to be subject to decisions based solely on automated processing (including profiling) which produce legal effects or similarly significantly affect you.
We do not carry out automated decision-making or profiling that has legal or similarly significant effects. Where we use AI tools (such as Heidi Health or Verbalise.ai), these are assistive technologies and all clinical and administrative decisions are made by qualified human practitioners.
How to exercise your rights
To exercise any of these rights, please contact:
Ian Greaves, Data Protection Officer
Email: ian@southampton-physio.co.uk
Telephone: 07751 752068
Address: Southampton Physio Limited, 35 Bedford Place, Southampton, SO15 2DG
We will respond to your request within 1 month (extendable by up to 2 months for complex requests).
If we refuse your request
If we refuse your request (for example, because a legal exemption applies), we will explain why and inform you of your right to complain to the ICO or seek a legal remedy.
12. Automated decision-making and profiling
We do not carry out any automated decision-making or profiling that produces legal effects or similarly significantly affects you.
What this means:
- All clinical decisions (diagnosis, treatment plans, referrals, discharge) are made by qualified healthcare professionals
- All administrative decisions (appointment scheduling, payment processing, insurance authorisations) involve human oversight
- Where we use AI-powered tools (such as Heidi Health for note transcription or Verbalise.ai for call handling), these are assistive technologies only – they support our staff but do not make decisions automatically
You have the right not to be subject to decisions based solely on automated processing. If you believe we have made an automated decision about you, please contact our Data Protection Officer.
13. Cookies and our website
Our website uses cookies and similar technologies to improve your experience and understand how visitors use our site.
What are cookies?
Cookies are small text files that are placed on your device when you visit a website. They help the website remember your preferences and provide information about how the site is being used.
Types of cookies we use
Strictly necessary cookies:
- These cookies are essential for our website to function properly (e.g., security, basic navigation, form submissions)
- They do not require your consent and cannot be switched off through our cookie banner (you can block them in your browser settings, but the website may then not work properly)
Analytics cookies (Google Analytics):
- Help us understand how visitors interact with our website (pages visited, time spent, navigation paths)
- Collect your IP address, device type and browser information, which Google processes in pseudonymised form for aggregate reporting
- Require your consent – only activated if you accept via our cookie banner
Marketing/advertising cookies (Meta Pixel, Google Ads):
- Help us measure the effectiveness of our online advertising and social media campaigns
- Track website visits and actions to optimise our marketing
- Require your consent – only activated if you accept via our cookie banner
International transfers
Data collected via Google Analytics and Meta Pixel may be transferred to the USA and other countries under appropriate safeguards (Standard Contractual Clauses). See Section 8 for more details.
Managing your cookies
- You can accept or reject non-essential cookies using the banner that appears when you first visit our website
- You can change your cookie preferences at any time by clicking the “Cookie settings” link in the footer of our website, or by clearing your browser cookies and revisiting the site to see the banner again
- You can also control cookies through your browser settings, though this may affect website functionality
- Withdrawing consent stops further collection but does not affect the lawfulness of processing already carried out while the cookies were active; if you also want data already collected about you deleted, you can ask us (see Section 11)
What we do NOT track
We configure our website analytics and advertising tools to minimise the collection of health-related information. Where possible, we exclude tracking from pages that reveal specific health conditions or treatment types. We regularly review our tracking configuration to ensure it remains appropriate for a healthcare setting.
14. Changes to this privacy notice
We may update this privacy notice from time to time to reflect changes in our practices, legal requirements, or the services we provide.
How we will notify you:
- The “last updated” date at the top of this notice will always show when it was last revised
- For significant changes, we will notify current patients by email, SMS, or via a notice displayed prominently in our clinic and on our website
- We encourage you to review this notice periodically
Your continued use of our services:
By continuing to use our services after we make changes, you acknowledge the updated privacy notice. If you have concerns about any changes, please contact our Data Protection Officer.
The current version of this privacy notice is always available:
- On our website: www.southampton-physio.co.uk/privacy-policy
- At our reception desk
- On request by email or post
15. How to complain
We take your privacy seriously and are committed to handling your personal information responsibly. If you have any concerns or complaints about how we have handled your personal data, we want to hear from you.
Complain to us first
Please contact our Data Protection Officer:
Ian Greaves
Email: ian@southampton-physio.co.uk
Telephone: 07751 752068
Address: Southampton Physio Limited, 35 Bedford Place, Southampton, SO15 2DG
We will acknowledge your complaint and aim to investigate and respond within 30 days. If your complaint is complex, we will keep you informed of progress and let you know if we need more time.
Complain to the Information Commissioner’s Office (ICO)
You have the right to complain directly to the UK’s data protection supervisory authority if you are unhappy with how we have processed your personal data, or if you are not satisfied with our response to your complaint.
Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/
Email (via the ICO’s web form): https://ico.org.uk/global/contact-us/email/
The ICO website provides full guidance on making a data protection complaint and what to expect from the process.
Right to seek legal remedy
You also have the right to seek a legal remedy through the courts if you believe your data protection rights have been breached.