Last updated: [Insert Date]
Thistle Osteopathy ("we", "us", "our", "the clinic") is committed to protecting and respecting your privacy. This policy explains how we collect, use, store, and protect your personal data — including special category health data — when you visit our website, contact us, or receive osteopathic treatment from us.
We are committed to processing your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as the standards set out by the General Osteopathic Council (GOsC).
1. Who We Are
Data Controller: Amir [Surname], trading as Thistle Osteopathy
GOsC Registration No.: [Insert Registration Number]
Clinic Address: [Insert Clinic Address]
Email: [email protected]
Phone: [Insert Phone Number]
If you have any questions about this policy or how your data is handled, please contact us using the details above.
2. Information We Collect
We may collect and process the following categories of personal data:
2.1 Information you provide directly
- Name, date of birth, address, telephone number, and email address
- Emergency contact details
- GP details and relevant medical history
- Details of your presenting complaint, symptoms, and treatment history
- Payment and billing information
- Correspondence you send us, including booking enquiries and feedback
2.2 Special category data (health information)
As an osteopathic clinic, we collect detailed clinical information about your health, including case history, examination findings, treatment notes, and any relevant medical conditions. This is classed as "special category data" under UK GDPR and is handled with additional safeguards as set out in this policy.
2.3 Information collected automatically
If you visit our website, we may collect limited technical data such as your IP address, browser type, and pages visited, typically via cookies or similar technologies, to help us understand site usage and improve user experience.
3. How We Use Your Information
We use your personal data for the following purposes:
- To assess your suitability for osteopathic treatment and provide safe, appropriate clinical care
- To maintain accurate clinical records, as required by GOsC professional standards
- To communicate with you regarding appointments, treatment plans, and clinic updates
- To process payments and maintain financial records
- To comply with our legal and professional regulatory obligations
- To respond to enquiries, feedback, or complaints
- Where you have consented, to send you appointment reminders or relevant clinic information
4. Our Legal Basis for Processing
We rely on the following legal bases under UK GDPR:
- Consent — for the provision of osteopathic treatment, and for any optional marketing communications
- Contract — to fulfil our obligations when you book and receive treatment
- Legal obligation — to comply with record-keeping and regulatory requirements set by the GOsC
- Legitimate interests — for general administration, service improvement, and responding to enquiries
For special category health data, we rely specifically on your explicit consent and the necessity of processing for the provision of health care, in line with UK GDPR Article 9.
5. Sharing Your Information
We do not sell your personal data. We may share your information, where necessary, with:
- Your GP or other healthcare professionals, with your consent, where onward referral is clinically appropriate
- Practice management and booking software providers (e.g. our online booking system), who process data on our behalf
- Professional indemnity insurers, regulators (including the GOsC), or legal advisers, where required
- Payment processors, to facilitate secure transactions
Any third parties who process data on our behalf are required to maintain appropriate security and confidentiality standards consistent with UK GDPR.
6. Data Retention
In line with GOsC professional guidance, we retain clinical records for a minimum of eight years from the date of last treatment for adult patients, and until a child patient's 25th birthday (or longer, where clinically indicated). Financial records are retained in line with HMRC requirements, typically six years.
Where data is no longer required, it is securely deleted or anonymised.
7. Data Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Clinical records are stored securely, whether in our practice management system or, where applicable, in physical form.
8. Your Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request erasure of your data, where legally permitted (note: clinical records are subject to mandatory retention periods)
- Restrict or object to certain types of processing
- Request a copy of your data in a portable format
- Withdraw consent at any time, where processing is based on consent
To exercise any of these rights, please contact us using the details in Section 1. We will respond within one calendar month, as required by law.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been mishandled.
9. Cookies
Our website may use essential cookies to ensure proper functioning, and, where applicable, analytics cookies to help us understand how visitors use our site. You can control or disable cookies through your browser settings at any time.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Any updates will be posted on this page with a revised "last updated" date.
11. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at [email protected] or via the details listed in Section 1.