GDPR & Data Protection Policy — One Body LDN
Last Updated: February 2026
1. Who we are
Data Controller: One Body LDN Ltd
ICO Registration: ZA789544
Website: www.onebodyldn.com
2. What this policy covers
This policy explains:
- What personal data we collect and why
- The lawful bases we rely on
- How we protect your data
- How long we keep data
This policy does not reduce your legal rights. It is provided for transparency.
3. Personal data we may collect
Depending on how you interact with us, we may collect:
- Basic details: name, email, phone number, address, date of birth (where required)
- Healthcare data (special category): appointment history, treatment notes, clinical records, relevant health information
- Payment information: transaction references and payment status (processed via third-party providers; we do not store full card details)
- Marketing preferences: your opt-in/opt-out choices
- Website/usage data: IP address, device/browser information, pages visited and interactions (subject to cookie choices)
4. Lawful bases for processing (UK GDPR)
We process data only where we have a lawful basis, including:
- Contractual necessity — to book and deliver the service you requested
- Legal obligation — where we must comply with law/regulation
- Legitimate interests — to run and improve our clinic safely and efficiently (without overriding your rights)
- Consent — mainly for marketing communications and non-essential cookies
- Vital interests / public interest — where applicable in exceptional circumstances
Health data (special category) is processed under appropriate UK GDPR conditions, including where necessary for medical diagnosis and treatment.
5. How we use your personal data
We use personal data to:
- Manage appointments, accounts, and clinical care
- Maintain accurate clinical records and provide safe treatment
- Handle billing, receipts/invoices, and (where relevant) insurance administration
- Respond to queries and service issues
- Improve our website and services
- Send marketing communications only where you have opted in
We do not sell your personal data.
6. How long we keep your data
Typical retention periods:
- Clinical/treatment records: generally 8 years (or longer where required; for minors, records may be retained until adulthood plus an additional period where appropriate)
- Payment/accounting records: typically up to 6–7 years
- Marketing preferences: until you unsubscribe/withdraw consent
7. How we protect your data
We use appropriate security controls, which may include:
- Secure clinical systems and encrypted connections
- Access controls (role-based permissions)
- Staff training and confidentiality requirements
- Cybersecurity controls and regular reviews
- Vendor due diligence and contracts for third-party processors
Clinical systems
We use clinical platforms such as PatientNotes, which is registered as a UK Class I Medical Device. The platform supports robust clinical record-keeping and secure handling of patient information. We remain responsible for ensuring lawful processing and appropriate security.
Data breaches
If a personal data breach occurs, we assess it promptly and take steps to reduce risk. Where required, we will notify the ICO and/or affected individuals in line with UK GDPR rules.
8. International transfers
Some suppliers (e.g. analytics, advertising, and communications providers) may process data outside the UK/EEA. Where international transfers occur, we use appropriate safeguards such as:
- UK IDTA and/or Standard Contractual Clauses
- Vendor contracts and security measures
- Additional protections where required
9. Complaints and the ICO
If you have a data protection concern, you can complain to the UK regulator:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
https://ico.org.uk/concerns/