Privacy Policy

When you provide your personal information to this clinic, we store and process it for the following reasons (relating to the Data Protection Act 2018, including the General Data Protection Regulation – the law governing data protection):

  1. We need to collect information about your health in order to deliver the best possible care. Your request for treatment and our agreement to provide it forms a contract. While you are not obliged to share this information, we would be unable to offer treatment without it.

  2. We have a legitimate interest in collecting this data, as it is essential for us to carry out our work safely and effectively.

  3. We may contact you to confirm appointments or update you on matters related to your care. This also falls under legitimate interest, but in this case, it is your legitimate interest.

  4. With your consent, we may occasionally send you general health updates, advice or newsletters. You can withdraw this consent at any time; just let us know in a way that’s convenient for you.

We are legally required to retain your records for eight years following your most recent appointment. After this period, you can request that we delete your records. Otherwise, we will keep them indefinitely to ensure we can provide appropriate care if you return in the future.

 

How Your Records Are Stored

Your records are kept securely in the following ways:

  1. Paper records are stored in locked filing cabinets within offices that are secured and alarmed outside of working hours.

  2. Electronic records are stored securely in the cloud using a specialist medical records service. This provider has confirmed full compliance with the General Data Protection Regulation (GDPR). Access is protected by passwords, which are regularly updated.

  3. Office computers also store some data. These computers are password-protected, backed up regularly, and located in offices that are locked and alarmed when not in use.

Who Has Access to Your Data

 

We will never share your personal data with anyone who doesn’t require access without your written consent. The following individuals or organisations have routine access, strictly for purposes related to your care or our clinic’s operations:

 

  1. Our medical records service, which securely stores and processes your files.

  2. Your practitioner(s), so they can provide your treatment.

  3. Reception staff, who manage appointment scheduling and reminders. They do not have access to your medical history or sensitive information.

  4. Administrative staff, such as our finance team. They only access basic contact details necessary for their role and do not view your medical records.

  5. We also use ClickSend to manage our communication and database. Your name, email address and mobile telephone number may be stored on their system. This platform is also used for marketing communications but only if you opt in. You can opt out of marketing at any time using the unsubscribe links provided in emails and text messages.

  6. Occasionally, we may engage external consultants to carry out specific tasks that could involve limited access to your personal data (excluding your medical records). In such cases, we ensure they are fully informed of their responsibility to maintain confidentiality and require them to sign a non-disclosure agreement (NDA) before any access is granted.

Your Rights Regarding Your Personal Data

 

  • You have the right to access the personal data we hold about you and to request corrections to any factual inaccuracies. Once the legally required retention period has passed, you may also request that your records be deleted.

  • We are committed to handling your personal data responsibly and ensuring that only individuals with a legitimate need have access to it.

  • If you ever feel that your data is being mishandled, you have the right to file a complaint. In such cases, please direct your concerns to the designated Data Controller at wbc1@wellbodyclinic.com.
