Privacy Policy

Privacy Notice

29 June 2026

Phoenix Osteopathy Ltd.  is the data controller for the personal information collected through our clinics and websites. Our registered office is:

Suite 1 Amersham House, Mill Street, Berkhamsted, Hertfordshire, United Kingdom, HP4 2DT, and our company number is 09055063.

This Privacy Notice explains how we collect, use, store, share, and protect your personal information when you visit our websites, contact us, book an appointment, attend treatment, purchase a gift voucher, subscribe to our emails, or otherwise use our services. It applies to patients, prospective patients, former patients, website visitors, newsletter subscribers, suppliers, contractors, and job applicants.

Our trading names

We trade under the following names and locations:

– Phoenix Osteopathy, 16 Jaggard Way, Wandsworth Common, London, SW12 8SG.
– Beaconsfield Health Hub, The Old Barn, Windsor End, Beaconsfield, Bucks, HP9 2JJ.

This same Privacy Notice applies to both of our websites:

phoenixosteopathy.com/privacy-policy](https://phoenixosteopathy.com/privacy-policy/)
beaconsfield-osteopathy-physio.co.uk/privacy-policy](https://beaconsfield-osteopathy-physio.co.uk/privacy-policy)

What personal data means

Personal data is any information that identifies, or can be used to identify, a living person. This includes your name, contact details, address, date of birth, payment information, appointment history, and communication records.

We also process special category data, which includes health information such as symptoms, medical history, examination findings, treatment notes, referrals, and other information relating to your physical or mental health. This type of information needs extra protection under data protection law.

What we collect

We may collect the following information about you:

– Identity details such as your name and date of birth.
– Contact details such as your address, phone number, email address, and WhatsApp number.
– Appointment and booking information.
– Clinical information including symptoms, medical history, treatment notes, progress notes, and referral correspondence.
– Payment and invoicing information.
– Insurance claim information.
– Information you provide through website forms, landing pages, phone calls, emails, voicemail, or WhatsApp.
– Newsletter and marketing preferences.
– Complaints, comments, and feedback.
– Staff, contractor, supplier, and applicant information where relevant.

Why we use your information

We use your information to:

– Assess your needs and provide safe and appropriate osteopathic, physiotherapy, and related healthcare services.
– Manage bookings, reminders, cancellations, invoices, receipts, and payment links.
– Keep clinical records and provide treatment notes, advice, and follow-up care.
– Communicate with you about your appointments and your care.
– Process insurance claims and related correspondence where appropriate.
– Correspond with your GP or other healthcare professional when clinically appropriate or when you ask us to do so.
– Deal with complaints, concerns, incidents, and legal claims.
– Meet our legal, regulatory, accounting, insurance, and record-keeping obligations.
– Send marketing emails where you have opted in or where we are otherwise legally permitted to do so.
– Operate, secure, and improve our websites and online services.

Lawful bases for processing

Under UK GDPR, we must have a lawful basis to use your personal data. Depending on the situation, we may rely on one or more of the following:

– Contract: to provide the treatment or service you have requested.
– Legal obligation: to meet accounting, tax, regulatory, safeguarding, and record-keeping requirements.
– Legitimate interests: to manage our business, respond to enquiries, protect our clinic, and improve our services, where those interests are not overridden by your rights.
– Consent: for certain marketing communications, website cookies, or optional contact methods where consent is required.
– Vital interests: in rare cases where urgent action is needed to protect someone’s life.

Because we process health information, we also need a separate condition for special category data. Depending on the circumstances, we may rely on one or more of the following:

– Health or social care.
– Explicit consent where appropriate.
– Establishment, exercise, or defence of legal claims.
– Substantial public interest only where relevant and lawful.

How we collect your information

We collect information when you:

– Book online through Cliniko.
– Complete a form on our website.
– Contact us by phone, voicemail, email, or WhatsApp.
– Attend an appointment or assessment.
– Complete a consent form, health questionnaire, or intake form.
– Make a payment or buy a gift voucher.
– Submit an insurance claim, complaint, or job application.
– Subscribe to our newsletter or marketing emails.

Systems we use

We use trusted third-party systems and service providers to help operate our clinics and websites. These may include:

– Cliniko for bookings, forms, reminders, invoicing, and clinical records.
– Stripe for payment processing and payment links.
– Clover and SumUp for card payments.
– QuickBooks for accounting and invoicing.
– Zoho Mail for business and patient email.
– Microsoft 365 and OneDrive for documents, letters, and file storage.
– Mailchimp for newsletter sign-ups and marketing emails.
– Rehab My Patient for rehabilitation content where used.
– Materialise and Footscan software for orthotics and gait-related data.
– Virtual Landline for telephone and voicemail handling.
– Google services such as Google Analytics, GA4, Google Tags, and Google Ads.
– WhatsApp where you choose to contact us that way.
– Heidi Health or other approved note-taking tools only where used and configured appropriately.

We only share the information each supplier needs to provide its service, and we take reasonable steps to protect the data we send to them.

Who we share data with

We may share your information with:

– Clinicians involved in your care.
– Our administrative and front-of-house team for booking, contact, and claims administration.
– Your insurer, where you ask us to help with a claim or where it is necessary to process an invoice or supporting record.
– Your GP or other healthcare professional, where this is clinically appropriate or you ask us to do so.
– Our accountant, IT support, insurers, professional advisers, or legal advisers where necessary.
– Regulatory bodies, courts, the police, or public authorities where the law requires it or where it is necessary to protect someone’s safety or legal rights.

Our administrative team can access contact details and insurance claim information where needed, but they do not access treatment notes unless that is required for their role. Our treating practitioners and authorised contractors may access relevant clinical notes on a need-to-know basis so that safe care can be provided.

Contractors and practitioners

Some of the people working in our clinics are self-employed contractors, including physiotherapists, osteopaths, acupuncturists, nutritionists, Pilates instructors, and personal trainers. Where they need access to your information in order to provide care or coordinate treatment, they must handle it lawfully, confidentially, and in line with our policies and applicable data protection law.

Orthotics and footscan data

Where we provide orthotics or footscan-related services, we may collect and store patient details, gait data, and related clinical information in Footscan software or related systems. When orthotics are manufactured, limited or anonymised information, such as serial numbers or manufacturing data, may be sent to Materialise so the orthotics can be produced and returned to the clinic for fitting.

WhatsApp, phone calls, and voicemail

If you contact us by WhatsApp, phone, or voicemail, we may use the information you give us to respond to your enquiry, arrange appointments, or manage treatment-related communication. If you prefer not to use WhatsApp for clinical communication, please let us know and we will use another method where possible.

Marketing

We may send you occasional newsletters, practice updates, or relevant marketing messages if you have opted in, or if the law otherwise allows us to do so. You can unsubscribe at any time using the unsubscribe link in the email or by contacting us directly.

Service emails, such as appointment reminders, treatment messages, invoices, and essential practice communications, are separate from marketing emails. Unsubscribing from marketing will not stop essential service emails.[11][10]

Cookies and analytics

Our websites use cookies and similar technologies. Some are strictly necessary for the site to work, while others are used for analytics, performance, and advertising.

Where required, we will ask for your consent before setting non-essential cookies, including analytics and marketing cookies such as Google Analytics, GA4, Google Ads tracking, and Meta pixel. You can manage your cookie preferences using the cookie banner and cookie settings on the website.

Children and younger patients

We do treat children and younger patients where appropriate. Where we process a child’s personal information, we take additional care to explain things clearly and to handle their information in a way that is appropriate for their age and understanding.

Where a child is able to understand the information, we will try to communicate directly with them in plain language. Where a parent, guardian, or responsible adult is involved, we may need to communicate with them in order to provide safe and appropriate care.

How long we keep information

We keep personal data only for as long as is reasonably necessary for the purpose for which it was collected. Retention periods vary depending on the type of record, the reason for holding it, and any legal or professional obligations.

Our current working retention approach is:

– Adult patient records: at least 8 years after the last treatment.
– Child patient records: until the patient is 25 years old, or longer if clinically or legally necessary.
– Complaints and incident records: long enough to deal with the matter and any follow-up, legal, or insurance issue.
– Accounting and tax records: in line with legal and accounting requirements.
– Recruitment and contractor records: for the relevant employment, tax, and legal period.

We review and audit records periodically and delete or archive those that are no longer required.

International transfers

Some of the systems we use may store or access data outside the UK. Where this happens, we take reasonable steps to make sure that any international transfer is protected by appropriate safeguards and is carried out lawfully under UK GDPR.

Your rights

You have rights over your personal data, subject to legal exemptions. These include the right to:

– be informed;
– access your data;
– correct inaccurate data;
– request erasure in some circumstances;
– restrict processing in some circumstances;
– object to certain processing;
– withdraw consent where consent is the legal basis;
– request data portability in some circumstances.

If you want to exercise any of these rights, please contact us using the details below. You also have the right to complain to the Information Commissioner’s Office if you are unhappy with how we have handled your data.

Complaints about data use

If you have a privacy or data protection concern, please contact us first so we can try to resolve it. We have a dedicated complaints process and a dedicated email address for this purpose, and where available you can also use the complaints form on our website.

Contact us

If you have any questions about this Privacy Notice or your personal data, please contact us at:

Phoenix Osteopathy Ltd

Beaconsfield Health Hub
The Old Barn 
Windsor End 
Beaconsfield 
HP10 9LD 

email: privacy (@) beaconsfieldhealthhub.com
Telephone: 01494623202

Changes to this notice

We may update this Privacy Notice from time to time. The latest version will always be available on our websites.