GDPR Privacy Notice


This notice is to explain why we collect your personal data, and what we do with it, and to ensure we are working in accordance with the new EU General Data Protection Regulation (GDPR); terms from the regulation are indicated in bold.

When you supply your personal details to the clinic diary (or acuity scheduling), to one of our practitioners, when we communicate by email or text, and when we take notes in the clinic, this information is stored and processed for four reasons in line with the
GDPR requirements:
1. We may need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and our agreement to provide that care constitutes in law an (unwritten) contract.
2. We have a legitimate interest in collecting this information, because without it we couldn’t practice effectively and safely.
3. We keep records of your contact information because we think that it is important that we can contact you in order to confirm your appointments, or to update you on matters related to your medical care. This again constitutes a legitimate interest, but this time it is your legitimate interest.
4. Provided we have your consent (and this only needs to be verbal consent), some practitioners may occasionally send you individualised health information by email or text in the form of articles, links or advice. We will never send out generalised leaflets or advertisements. You may withdraw this consent at any time – just let us know by any convenient method.
We have legal obligations (acupuncturists, osteopaths and chiropractors) to retain your records for 8 years after your most recent appointment (or after you have reached the age of 25, if this is longer), but after this period you can ask us to delete your records if you wish. Otherwise, we will retain your records in order that we can provide you with the best possible care should you wish to see us at some future date, or destroy your records (both electronic and paper notes). Paper notes are shredded using Printwaste, who work to the highest standards ( Your clinical records are stored in individual paper files in a secure lockable cabinet in the clinic, or in the care of your practitioner. Your emails and telephone numbers are stored on devices (acuity scheduling, mobile phones, tablets) which are password protected and secure. Some practitioners may store your records on devices or laptops, and again these will be password protected and secure. If you would like to know how any practitioner at the clinic stores your information, please contact either reception, or the practitioner, and we will be happy to inform you. You may choose to save your payment details on acuity scheduling, although this is not obligatory.
The practitioner is the only person who has access to your records, texts and emails. We will never share your information with anyone who does not have a legal right of access without your written consent. In the case of referral to another practitioner this would only be done with your full knowledge and permission. Our reception staff may retrieve and store paper files for practitioners.
Some patients and prospective patients return questionnaires or tell us about their medical conditions and medication by email or text. We are unable to send or receive encrypted emails so you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. We also keep accident records for any patients, visitors or staff who are involved in accidents at our clinic in accordance with UK Health and Safety legislation including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR).
You have the right to see what personal data of yours we hold, and you can also ask us to correct any factual errors. We are legally required to respond to any request from a client to see their personal data within a timescale of 30 days. We would, of course, ensure that we responded as soon as possible to any reasonable request for access to personal records.
In the event that anything should happen to your practitioner which would render them unable to oversee your records, then, and only then, another practitioner at the clinic of the same or similar discipline would be entrusted with the handling of your clinical records.
I want you to be absolutely confident that we are treating your personal data responsibly, and that we will do everything we can to make sure that the only people who access that data have a genuine need to do so.  
Of course, if you feel that we are mishandling your personal data in any way, you have the right to complain. Please first raise your concern with us, as we very much hope that we will be able deal with any concerns you might have. However, you can also raise a concern directly with the Information Commissioner’s Office on
CCAC – Danny Blyth, May 2018 (updated May 2020).
Acuity Scheduling Privacy: During the coronavirus pandemic we moved to an electronic booking system to reduce the necessity of visiting reception, and to give both practitioners and patients greater flexibility to move and cancel appointments at short notice. You can learn more about how Acuity Scheduling safeguards your privacy here ( You can choose to make an account with Acuity Scheduling, or just give you email address, mobile phone number and name. You may also wish to save your payment details through Acuity Scheduling. If you do not wish to use Acuity Scheduling, you can still book in person, or over the telephone, and we can insert your name (or an assumed name) into the diary on your behalf. Acuity Scheduling collects this information so that it can send you automatic email and text message reminders and confirmation of your appointments. If you wish to be removed from Acuity Scheduling at any point, you can delete your account with them, or ask us to delete your information on your behalf. They also offer a function to delete inactive patients, so if you haven’t visited the clinic for some time, we will automatically remove your data from the system.
Website Privacy: When someone visits our website we use a third party service (Google Analytics) to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If in the future we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it. We use a third party service (, to host our website including publishing our blog. This site is hosted at (and which is run by YinYang Hosting. We use a standard website host service to collect anonymous information about users’ activity on the site (for example the number of users viewing pages on the site), to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors that want to post a comment to enter a name and email address. For more information about how WordPress processes data, please see ( Our website uses cookies to improve user experience of our website by enabling our website to ‘remember’ users for the duration of their visit.