Privacy Policy – Expert Home Physiotherapy

Privacy Policy

We are committed to protecting your personal data and respecting your privacy throughout every interaction with our services.

Last updated: 1 January 2025
GDPR Compliant

1. Who We Are

Expert Home Physiotherapy ("we", "us", "our") is a professional physiotherapy service operating across Derbyshire and surrounding areas. We provide expert, clinician-led treatment delivered directly to patients at home.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website or engage our services. Please read this policy carefully. If you disagree with its terms, please discontinue use of our services.

Data Controller: Expert Home Physiotherapy, Derbyshire, United Kingdom
Registered under: UK GDPR and Data Protection Act 2018

2. Data We Collect

We collect information that you provide directly to us, as well as data collected automatically when you use our website. Categories include:

  • Identity Data: Full name, date of birth, gender
  • Contact Data: Email address, telephone number, home address
  • Health Data: Medical history, current conditions, treatment details, medications
  • Financial Data: Payment card details, billing address (processed via secure third-party providers)
  • Technical Data: IP address, browser type, device information, pages visited
  • Usage Data: Information about how you navigate and use our website
  • Marketing Data: Your preferences for receiving communications from us
  • Communications: Records of correspondence including WhatsApp messages and emails

Health data is classified as Special Category Data under UK GDPR and is handled with the highest level of care and protection.

3. How We Use Your Data

We use the information we collect for the following purposes:

  • To provide and manage physiotherapy assessments and home-visit treatment sessions
  • To communicate appointment confirmations, reminders, and follow-up care plans
  • To process payments and manage invoicing
  • To maintain accurate clinical records as required by our professional regulatory body
  • To improve our website, services, and overall patient experience
  • To send newsletters and promotional information (only with your explicit consent)
  • To respond to your enquiries submitted via our website contact or WhatsApp
  • To comply with legal obligations and professional standards
  • To safeguard children and vulnerable adults in accordance with our duty of care

4. Legal Basis for Processing

We only process your personal data where we have a valid lawful basis. The lawful bases we rely upon are:

  1. Consent – Where you have given us clear consent to process your personal data for a specific purpose (e.g., marketing emails)
  2. Contract – Processing is necessary for the performance of a contract with you (e.g., providing treatment)
  3. Legal Obligation – Where processing is necessary for compliance with a legal or regulatory requirement
  4. Vital Interests – Where processing is necessary to protect someone's life
  5. Legitimate Interests – For purposes such as fraud prevention, website improvement, and business administration

For Special Category (health) data, we rely on Article 9(2)(h) UK GDPR – processing for the purposes of preventive or occupational medicine and the provision of health or social care.

5. Data Sharing & Third Parties

We do not sell, trade, or rent your personal data to third parties. We may share your information in the following limited circumstances:

  • Healthcare Providers: GPs, hospitals, or specialists involved in your care (only with your consent or in an emergency)
  • Payment Processors: Secure third-party payment platforms (e.g., Stripe, PayPal) for transaction processing
  • IT & Platform Providers: Website hosting, booking software, and email platform providers operating under data processing agreements
  • Legal & Regulatory Bodies: Where required by law, court order, or regulatory authority
  • Professional Indemnity Insurers: In the event of a claim or dispute

All third-party processors are required to handle your data in accordance with applicable data protection law and our strict contractual requirements.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements.

  • Clinical / Health Records: Retained for a minimum of 8 years from the date of last treatment (or until age 25 if the patient is a child), in line with NHS and professional body guidelines
  • Financial Records: Retained for 7 years from the end of the relevant tax year
  • Marketing Preferences: Until you withdraw consent or request deletion
  • Website Analytics: Up to 26 months
  • Correspondence: Up to 3 years after our last interaction

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data where no legal basis remains for retention
  • Right to Restrict Processing: Ask us to suspend processing of your data in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw any consent given at any time without affecting prior processing
  • Right to Complain: Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these rights, please contact us using the details in Section 13. We will respond within 30 days.

8. Cookies & Tracking

Our website uses cookies and similar tracking technologies to enhance your browsing experience and gather analytics data. The types of cookies we use include:

  • Strictly Necessary Cookies: Essential for the website to function properly; cannot be disabled
  • Analytics Cookies: Help us understand how visitors interact with our website (e.g., Google Analytics)
  • Functional Cookies: Remember your preferences and settings
  • Marketing Cookies: Used to deliver relevant advertisements (only if you consent)

You can manage or disable cookies through your browser settings or our cookie consent banner. Disabling certain cookies may affect the functionality of our website.

9. Third-Party Links

Our website may contain links to third-party websites including payment gateways, review platforms, and social media channels. We are not responsible for the privacy practices or content of those external sites.

We recommend reviewing the privacy policy of any website you visit via an external link. Their data collection and use will be governed by their own policies, not ours.

10. Data Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:

  • SSL/TLS encryption across all website communications
  • Encrypted storage for sensitive health and clinical records
  • Access controls limiting data access to authorised personnel only
  • Regular security assessments and staff training on data protection
  • Secure deletion procedures when data is no longer required

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the ICO in accordance with our legal obligations (within 72 hours of becoming aware).

11. Children's Data

Our services are available to patients of all ages, including children. Where we treat or assess a patient under the age of 16, we will always obtain consent from a parent or legal guardian before collecting any personal or health data.

Parents and guardians may request access to, or deletion of, their child's data by contacting us directly. We take the protection of children's data extremely seriously and apply heightened safeguards in all such cases.

12. Changes to This Policy

We reserve the right to update or modify this Privacy Policy at any time. Any changes will be published on this page with an updated "Last Updated" date. Where changes are material, we will notify you by email or by placing a prominent notice on our website.

Your continued use of our services following the posting of changes constitutes your acceptance of those changes. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please do not hesitate to get in touch.

Get In Touch

info@homephysiouk.com

+44 7368 156076

Chat on WhatsApp

Derbyshire, United Kingdom

You also have the right to complain to the ICO (ico.org.uk) if you feel your data has been mishandled.