Updated May 2018
The GDPR is the biggest reform in data protection legislation in the past 20 years and creates new responsibilities for how businesses (like BODY FIRST UK) and data processors (like Practice Pal, who provide our online booking system) handle personal data.
This policy (together with our terms of website use and any other documents referred to on it) sets out the basis on which we, BODY FIRST UK, the trading name of Angel Falls Limited (Registered Company no. 07283939, registered address 39 High Street, Hampton Hill, Middlesex, TW12 2PW, United Kingdom), will process any personal data we collect from you, or which you provide to us, in the course of using our site https://bodyfirst.clinic/.
We are legally bound to capture and store personal and sensitive information about you in order to deliver the types of medical and therapeutic services we provide.
Overview of GDPR
GDPR affects any business that is either based in the European Union or that stores data of EU citizens, and grants EU citizens certain rights regarding how their data is stored and handled. The requirements of GDPR that affect our clients (“you”) the most are:
• Right of consent: Businesses have an obligation to make sure customers understand how their data is stored and processed before capturing it.
• Right of access: Customers must be able to request what data is being stored and with whom their data is shared, and receive a response within 30 days.
• Right of rectification: Customers must be able to request that incorrectly stored data is corrected within 30 days.
• Right of erasure: Customers must be able to request that their personal data be removed (“pseudonymized”) from the record of a business within 30 days.
How we collect your data
• We request that all our clients fill in a consultation form prior to any treatment. This is so we understand your requirements and can properly plan your treatment schedule with you. The consultation form records your name, address, date of birth, email address, treatment history and any medical issues.
• This information is then entered into our online client database, which is also our in-clinic booking system. It is held on secure databases run by a company called Practice Pal.
• Paper copies are stored securely in the clinic in a locked filing cabinet to which there are only two keys: one held by our Clinic Owner, Liz Tough, and one held by our Office Manager, Lucy Payne.
• Online Contact Form – Our contact form enables you to contact us with enquiries. We ask for your name, email address and for you to leave a comment; you will NOT be added to our mailing list for using this.
• Social media – You may contact us via Facebook Messenger, Instagram or other networks and we will reply to your message, but we DO NOT PAY FOR OR USE YOUR PERSONAL DATA FROM SOCIAL MEDIA.
How your data is stored
• Your data is held in digital and paper form at the BODY FIRST UK clinic in Hampton Hill.
• Paper versions of consultation forms are stored alphabetically in a locked filing cabinet that only the Clinic Owner and the Office Manager have access to. The only exception is while you are being treated: your therapist will have your file in order to carry out the treatment. Once your therapist has updated your client notes, your notes will be filed away and locked up.
• Digital information is stored using Practice Pal, our online booking system, and is password protected. All BODY FIRST UK therapists have access to your online data via Practice Pal for the purpose of carrying out your treatment. Each therapist has their own secure password to gain entry into the system. A full audit trail and history of who accessed your data and when can easily be obtained by our Clinic Owner.
• Electronic devices at BODY FIRST UK are used by our staff and all devices are password protected.
Your Information – How we collect your data:
When you use our site, there are a number of ways in which you provide information and other data to us. By using the site, you consent to us processing and collecting this data, on the terms and for the reasons which are explained below.
Like most website operators, BODY FIRST UK collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. BODY FIRST UK’s purpose in collecting non-personally-identifying information is to better understand how BODY FIRST UK’s visitors use its website. From time to time, BODY FIRST UK may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website. BODY FIRST UK also collects potentially personally-identifying information like Internet Protocol (IP) addresses for logged-in users and for users leaving comments on the website. BODY FIRST UK only discloses logged-in user and commenter IP addresses under the same circumstances that it uses and discloses personally-identifying information as described below, except that commenter IP addresses and email addresses are visible and disclosed to the administrators of the blog/site where the comment was left.
By filling out a Consultation Form:
What personal data do we collect and why
When arriving for your appointment you will be asked to complete a client record card or consultation form. We require the following personal details from you and have a legal reason why we need each of them:
• Your full name – So we can address you correctly, ensure all communication is with the correct person and confirm your identity.
• Date of birth – To help us distinguish between two clients with identical names, and also for the emergency services in case of an emergency.
• Address – To aid the emergency services in case of an emergency.
• Email address – To send booking confirmations, reschedule appointments and send 24-hour reminders, as well as to email invoices for any services you have received.
• Medical history, including operations, diseases and disorders – Medical history is crucial to allow us to perform your treatments safely and to adhere to the terms of our insurance.
• Allergies – To ensure nothing we use during a treatment can cause you harm, irritation or any other complications, and to adhere to the terms of our insurance.
• Medication – Some medication can be a contraindication (something that may restrict or prevent a treatment) to treatment or react with products we use. It is essential we know the full details to protect you.
• Treatment history – So we can see what was done at the last treatment and how it was performed, monitor improvements, identify changes to be made, and keep a record of all treatments we have performed, to maintain your safety and in accordance with our insurance.
• Your consent – We require you to read and sign a paragraph that allows us to obtain this information lawfully from you and legally store it in accordance with GDPR.
• Your contact preferences – If you wish to be on our mailing list you must opt in; otherwise we cannot legally send you updates, newsletters and special offers.
• Your consent to use treatment photos – Some of our treatments involve before and after photos or photos of the treatments being performed. These are taken on a camera, mobile phone or iPad to aid the client experience, as proof of progress/treatment, or for promotional activity. Our devices are protected by passwords/passcodes and/or fingerprints. Sometimes your photos are used on social media, and we need your permission to do so.
• Your signature – To prove it was you who answered these questions honestly and to the best of your knowledge, and that you agree to BODY FIRST UK holding your data on an online booking system database (Practice Pal) and on paper in our secure locked filing cabinets.
• The name, address and telephone number of your GP, for emergencies.
• Your emergency contact details.
How your information is used:
We may use your information to:
• send you our newsletters from time to time.
• ensure that content from our site is presented in the most effective manner for you and for your computer.
• carry out our obligations arising from any contracts entered into between you and us.
• allow you to participate in interactive features of our service, when you choose to do so.
• notify you about changes to our service.
Where you have consented to us sending you newsletters, if you no longer wish to receive these, please either unsubscribe from the newsletter or email us at firstname.lastname@example.org. We will action your request immediately.
All information you provide to us is encrypted and stored on our secure servers. Any payment transactions will be encrypted using SSL technology.
We take your privacy very seriously, and will take all reasonable steps to protect your personal data, but please be aware that any data which you send to our site is sent at your own risk.
Credit/Debit Card Payments
We never collect or store your payment card details because they are processed by yourself, or by telephone, via a third-party payment gateway. We do not accept card payments by email. We only use PCI DSS compliant payment systems procured from reliable third-party providers.
How long we hold your personal data for
We will hold your data for up to 7 years for tax and insurance purposes, as well as to ensure that we can continue to provide the best service possible. We need these records to see exactly what treatments were performed, any reactions to treatments, progress, and aftercare advice given.
Disclosure of your Information
We may disclose your personal information to any of our group companies (which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 736 of the UK Companies Act 1985) and also to third parties in the following circumstances:
• to any prospective seller or buyer of all (or part of) our business or assets;
• If we are required to do so by law, any applicable regulation or to protect the rights, property, or safety of ourselves or others. This may include disclosing to other companies and organisations in connection with fraud protection and credit risk reduction.
We use an online booking tool which holds our client database called Practice Pal which we use to send out your appointment confirmations and reminders. We also use this to send out our monthly newsletter (which you would have agreed to receive). We DO NOT sell or share your personal data with anyone. No other third party including our accountant has any client personal data. Practice Pal have updated all their policies and security in accordance with the GDPR.
Access to Information
You have the right under the Data Protection Act to access the information which we hold about you. If you wish to exercise this right, please send your request to email@example.com.
Your right to access, or changed your mind?
Your data control officer for BODY FIRST UK is Liz Tough the Clinic Owner. In the event of a breach of personal data you will be contacted by the above mentioned person within 72 hours of discovery.
You have the right to be forgotten. If at any time you no longer wish to be on our database, that’s no problem: simply send an email to firstname.lastname@example.org and we will mark your data “inactive” in our system, which means you will no longer receive any communication from us. In accordance with our data storage obligations as stated above, we will keep your file for 7 years. Your file will be locked away in a secure cabinet within the clinic to which only the Clinic Owner and Office Manager have access.
You have the right to access your personal data that BODY FIRST UK holds and the right to rectification if it is incomplete, incorrect or out of date.
You also have the right to data portability if you wish us to transfer some personal data to your GP or other medical professionals.
You also have the right to object to processing and direct marketing. Your data can remain in one place but not be used.