Privacy Policy
Why we collect your personal data and what we do with it.
When you supply your personal details to this practice, they are stored and processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This notice explains how we handle your data, why we need it, and your rights regarding it.
1. What personal data we collect
To provide you with effective and safe osteopathic care, we need to collect and store information such as:
Your name, date of birth, and contact details
Medical history and current health information
Treatment notes and progress updates
Appointment and billing information
2. Why we collect this data (Lawful Basis for Processing)
We process your personal and health information for the following reasons:
Contractual necessity: When you request treatment and we agree to provide that care, we are entering into a contract under Article 6(1)(b) of the UK GDPR.
Provision of healthcare: Because we work with sensitive health data, we are permitted to process this information under Article 9(2)(h) – for the provision of health or social care.
Legitimate interests: We may contact you to confirm appointments, send invoices or receipts, or inform you about matters related to your ongoing care.
Consent: With your explicit consent (which is requested separately), we may send you general health information, newsletters, or updates about the practice. You can withdraw this consent at any time.
3. How we store your records
Paper Records
Records created before November 2017 are securely stored in locked filing cabinets. Our offices are locked outside working hours.
Electronic Records
Since November 2017, we have used a secure, cloud-based system called Cliniko to store your records. This provider is fully UK GDPR-compliant and stores data on servers located in the UK/EU. Practitioner access is password-protected, and the devices used are secured appropriately.
4. Who we share your data with
We only share your data where necessary and with your explicit consent unless legally required to do so.
Routine access is limited to:
Your practitioner(s) for the purposes of providing treatment
Our reception staff who manage appointments and communications (they do not access your medical history)
Our electronic records provider, who securely hosts your information
Mailchimp, which we may use to send newsletters or updates (name and email only). Mailchimp is based in the USA, and we ensure appropriate safeguards are in place (such as the UK International Data Transfer Agreement) to protect your data.
We will never sell or share your data with third parties for marketing purposes.
5. How long we retain your data
For adults: Records are kept for 8 years after the date of your last appointment.
For children: Records are kept until the patient’s 25th birthday or 8 years after last treatment, whichever is longer.
After these periods, you may request that we delete your records, though we may retain them for longer if needed for ongoing care.
6. Your rights
You have the right to:
Access the personal data we hold about you
Request correction of inaccurate or incomplete data
Request erasure of your data after the required retention period
Withdraw consent (where processing is based on consent)
Lodge a complaint with the Information Commissioner’s Office (ICO)
7. Contact details
If you have any concerns about how we handle your data, or if you wish to exercise your rights, please contact our Data Controller:
Henry
📧 Email: Henry@andwellness.co.uk
📍 Address: 1-2 St Ann’s Passage, Barnes, London SW13 0AX
If you are not satisfied with our response, you may contact the Information Commissioner’s Office (ICO): www.ico.org.uk | Tel: 0303 123 1113