GDPR & Data Protection Policy — One Body LDN

Last Updated: February 2026

At One Body LDN, we take privacy and data security seriously. This GDPR & Data Protection Policy explains how we handle personal data in line with the UK GDPR and the Data Protection Act 2018.

1. Who we are

Data Controller: One Body LDN Ltd
ICO Registration: ZA789544
Website: www.onebodyldn.com


2. What this policy covers

This policy explains:

  • what personal data we collect and why

  • the lawful bases we rely on

  • how we protect your data

  • how long we keep data

This policy does not reduce your legal rights. It is provided for transparency.


3. Personal data we may collect

Depending on how you interact with us, we may collect:

Basic details: name, email, phone number, address, date of birth (where required)
Healthcare data (special category): appointment history, treatment notes, clinical records, relevant health information
Payment information: transaction references and payment status (processed via third-party providers; we do not store full card details)
Marketing preferences: your opt-in/opt-out choices
Website/usage data: IP address, device/browser information, pages visited and interactions (subject to cookie choices)


4. Lawful bases for processing (UK GDPR)

We process data only where we have a lawful basis, including:

  • Contractual necessity — to book and deliver the service you requested

  • Legal obligation — where we must comply with law/regulation

  • Legitimate interests — to run and improve our clinic safely and efficiently (without overriding your rights)

  • Consent — mainly for marketing communications and non-essential cookies

  • Vital interests / public interest — where applicable in exceptional circumstances

Health data is special category data and is processed only where an additional UK GDPR Article 9 condition applies, principally where processing is necessary for medical diagnosis, the provision of health care or treatment, or the management of health services (Article 9(2)(h)), with explicit consent relied on where no other condition fits.


5. How we use your personal data

We use personal data to:

  • manage appointments, accounts, and clinical care

  • maintain accurate clinical records and provide safe treatment

  • handle billing, receipts/invoices, and (where relevant) insurance administration

  • respond to queries and service issues

  • improve our website and services

  • send marketing communications only where you have opted in

We do not sell your personal data.


6. How long we keep your data

We keep data only as long as necessary for clinical, legal, and operational reasons.

Typical retention periods:

  • Clinical/treatment records: generally 8 years from the date of last treatment (or longer where required by law or professional guidance; for patients treated as minors, records may be retained until the patient reaches adulthood plus an additional period where appropriate)

  • Payment/accounting records: typically up to 6–7 years

  • Marketing preferences: until you unsubscribe/withdraw consent

When data is no longer needed, it is securely deleted or anonymised where appropriate.


8. How we protect your data

We use appropriate security controls, which may include:

  • secure clinical systems and encrypted connections

  • access controls (role-based permissions)

  • staff training and confidentiality requirements

  • cybersecurity controls and regular reviews

  • vendor due diligence and contracts for third-party processors

Clinical systems

We use clinical platforms such as PatientNotes, registered as a UK Class I Medical Device. This supports robust clinical record-keeping and secure handling of patient information. We remain responsible for ensuring lawful processing and appropriate security.

Data breaches

If a personal data breach occurs, we assess it promptly, record it, and take steps to contain it and reduce the risk to the individuals affected. Where the breach is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; where the risk is high, we will also inform the affected individuals directly, in line with UK GDPR rules.


9. International transfers

Some suppliers (e.g. analytics, advertising, and communications providers) may process data outside the UK/EEA. Where international transfers occur, we use appropriate safeguards such as:

  • the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses

  • vendor contracts and security measures

  • additional protections where required


10. Complaints and the ICO

If you have a data protection concern, you can complain to the UK regulator:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
https://ico.org.uk/concerns/


11. Transparency around AI

We do not use AI to make automated clinical or customer decisions that produce legal or similarly significant effects. If this changes, we will update our policies and ensure appropriate safeguards and human oversight.