Privacy Policy (One Body LDN Ltd)
Last Updated: February 2026
One Body LDN Ltd (“One Body LDN”, “we”, “our”, “us”) is committed to protecting the privacy of our clients, patients, website visitors, and anyone who engages with our services. This Privacy Policy explains how we collect, use, store, share, and protect personal data in line with the UK GDPR, the Data Protection Act 2018, and PECR (privacy rules for electronic communications and marketing).
Plain English Summary
- We collect the information we need to book appointments, deliver healthcare safely, and run the clinic (including billing and insurance).
- When you become a patient, we keep clinical records as required for safe care and regulatory reasons.
- We may use cookies/analytics to improve the website and measure marketing performance (you can control this via our cookie banner).
- We do not sell your personal data.
- You have rights over your data (access, correction, objection, etc.) and you can contact us at any time.
1. Who We Are (Data Controller)
Company: One Body LDN Ltd
Registered Office: The Retreat, 406 Roding Lane South, Woodford Green, Essex, England, IG8 8EY
Website: https://onebodyldn.com
ICO Registration: ZA789544
2. Scope of This Privacy Policy
This policy applies to:
- Visitors to our website
- Clients/patients using our services (including physiotherapy, sports massage, osteopathy, acupuncture)
- People who contact us by phone, email, forms, or other channels
- Email subscribers and marketing recipients
- Parents/guardians where we treat a child (see Children’s Privacy)
If you are a patient, the sections on Healthcare Data and Retention are particularly relevant.
3. Our Clinical Systems and Data Security
We use clinical software (including PatientNotes) to manage clinical records and patient administration. PatientNotes is registered as a UK Class I Medical Device. This supports robust clinical governance and secure record-keeping aligned with healthcare and data protection expectations.
(For clarity: no software “certification” replaces our own duties as a healthcare provider. We remain responsible for ensuring appropriate security, access controls, retention, and lawful processing.)
4. Definitions
- Personal Data: Information that identifies you directly or indirectly (e.g. name, email, phone number, IP address).
- Special Category Data: Sensitive information such as health/medical data.
- Data Controller: One Body LDN Ltd — we decide how and why personal data is processed.
- Processor: A third party that processes personal data on our behalf (e.g. booking, email, analytics, payment providers).
5. What Data We Collect
A) Standard personal data
- Name, email address, phone number
- Address (home/billing, if needed)
- Appointment/booking details
- Communications with us (emails, messages, call notes)
B) Payment data
- Payment status and transaction references
- We do not store full card details. Card payments are handled by third-party payment providers.
C) Healthcare data (special category)
- Medical history and relevant health information
- Clinical assessments and treatment notes
- Relevant imaging/diagnostic information (if provided)
- Correspondence from other healthcare professionals (where relevant)
D) Website and device data
- IP address, device type, browser type
- Pages visited, time spent, clicks, referral source
- Cookie and tracking identifiers (depending on your preferences)
E) Children’s data (where applicable)
- Child’s first name and age/date of birth
- Parent/guardian contact details
- Relevant clinical information needed for care
6. How We Collect Your Data
We collect information:
- Through online forms (booking forms, contact forms, insurance forms)
- During consultations, treatment sessions, and follow-up communications
- Via phone, email, and written correspondence
- From referrals (e.g. insurers, healthcare partners, or other professionals) where appropriate
- Automatically via cookies and similar technologies on our website (subject to your cookie choices)
If you provide someone else’s personal data (e.g. your child), you confirm you have the right and authority to share it with us.
7. How We Use Your Data (Purposes and Lawful Bases)
UK GDPR requires a lawful basis under Article 6 for personal data, and an additional condition under Article 9 for special category health data.
A) Appointment management and service delivery
Purpose: bookings, reminders, scheduling, admin communications, customer support
- Article 6(1)(b) Contract (to provide services you request)
- Article 6(1)(f) Legitimate interests (running a safe and efficient clinic)
B) Providing healthcare and maintaining clinical records
Purpose: assessment, diagnosis, treatment, clinical documentation, safety and continuity of care
- Article 6(1)(b) Contract and/or Article 6(1)(c) Legal obligation (where applicable)
- Article 9(2)(h) Health or social care (medical diagnosis and treatment)
C) Insurance processing and clinical coordination (where relevant)
Purpose: liaising with your insurer/benefit provider, obtaining authorisations, invoicing, and clinical coordination where appropriate
- Article 6(1)(b) Contract and/or Article 6(1)(f) Legitimate interests
- Article 9(2)(h) Health or social care (where health information is involved)
D) Compliance and regulation
Purpose: meeting legal, regulatory, and professional obligations (e.g. record keeping, audits, responding to regulators)
- Article 6(1)(c) Legal obligation
- Article 9(2)(h) (where health data is involved)
E) Marketing (where you opt in)
Purpose: newsletters, offers, updates
- Article 6(1)(a) Consent (and PECR rules apply)
You can unsubscribe at any time using the link in emails or by contacting us.
8. Service Communications (Annual MOT, Insurance Entitlements & Loyalty Programme)
Service communications are not marketing. If you become a client or patient of One Body LDN, we may contact you by email or other direct means where necessary to deliver the services and benefits available to you.
These service communications may include:
- Reminders about your complimentary annual Body MOT, including invitations to book and related service information
- Notifications about unused or remaining private health insurance sessions, where you may be entitled to further treatment under your policy
- Administrative or eligibility updates relating to insurance-funded care
- Information relating to our client loyalty programme, which eligible clients are enrolled into automatically as part of their ongoing relationship with One Body LDN
These communications are designed to help you fully utilise benefits you already have, avoid missed entitlements, and support continuity of care. They are not promotional in nature and do not constitute marketing communications.
Lawful basis: Article 6(1)(b) UK GDPR — performance of a contract (delivery and optimisation of services and benefits available to you).
If you prefer not to receive service communications of this type, you may contact us to opt out. Please note that opting out may result in missed reminders, unused benefits, or loss of eligibility for certain service-based programmes, including the complimentary annual Body MOT.
9. Healthcare Data (Special Category Data)
As a healthcare provider, we process health data under Article 9(2)(h) UK GDPR for medical diagnosis and treatment. We aim to keep clinical records accurate, secure, and accessible only to authorised staff.
Where relevant, we follow professional and regulatory expectations for documentation and confidentiality (including HCPC-related standards where applicable to our clinicians and best practice guidance for clinical record-keeping).
10. Cookies, Analytics, and Advertising
We use cookies and similar technologies to:
- make the website work (necessary cookies)
- understand website use (analytics)
- measure and improve advertising (marketing cookies, where permitted)
You can manage your preferences at any time via our cookie banner (consent management tool) and/or your browser settings.
Microsoft Clarity and Microsoft Advertising
We partner with Microsoft Clarity and Microsoft Advertising to understand how visitors use our website through behavioural metrics, heatmaps, and session replay to improve user experience and measure advertising effectiveness. Data may be captured using first- and third-party cookies and similar technologies (subject to your cookie choices). For more information, please refer to the Microsoft Privacy Statement.
11. Third-Party Services (Processors)
We use trusted third parties to help us operate our website and services. Where a supplier acts as our processor, we put appropriate data processing agreements in place.
Examples may include:
- Website analytics tools (e.g. Google Analytics)
- Email marketing platforms (e.g. ActiveCampaign)
- Payment processors (e.g. Stripe, PayPal, Elavon)
- Website optimisation/advertising tools (e.g. Microsoft Clarity, Google Ads, Meta/Facebook Ads)
Payment processing is handled by third parties and we do not store full card details on our systems.
12. When We Share Your Data
We only share personal data where necessary and appropriate, such as:
- For your care: with your GP, consultant, or other treating professional (where relevant and appropriate)
- For insurance: with your insurer/benefit provider for authorisation and billing (where you are using insurance)
- For legal/regulatory reasons: if required by law or requested by a regulator or authority
- With service providers: who support our operations (under contractual safeguards)
We do not sell your personal data.
13. International Transfers
Some suppliers may process data outside the UK/EEA. Where international transfers occur, we use appropriate safeguards such as:
- the UK International Data Transfer Agreement (IDTA) and/or
- Standard Contractual Clauses, plus additional measures where required.
14. Data Retention
We keep personal data only as long as necessary for the purposes we collected it, including legal and clinical obligations.
Typical retention periods:
- Clinical/health records: generally 8 years (depending on circumstances and applicable guidance)
- Booking/contact details: typically up to 6 years after last interaction (e.g. for audit, accounting, or dispute handling)
- Marketing preferences: until you withdraw consent or unsubscribe
- Payment data: card details are not stored by us; transaction records may be retained for accounting/audit as required
15. Security Measures
We use appropriate organisational and technical measures to protect personal data, which may include:
- access controls and role-based permissions
- staff training and confidentiality requirements
- encryption and secure storage where appropriate
- multi-factor authentication where available
- secure clinical systems and periodic reviews of security practices
16. Your Rights (UK GDPR)
You have rights over your personal data, including:
- Access (request a copy of your data)
- Rectification (correct inaccurate or incomplete data)
- Erasure (request deletion where lawful)
- Restriction (limit processing in certain situations)
- Objection (especially to legitimate interests processing or marketing)
- Portability (in limited circumstances)
- Withdraw consent (for marketing at any time)
17. Children’s Privacy
We do not knowingly collect data from children under 13 via the website without parental/guardian involvement. If we treat a child, a parent/guardian will usually manage communications and consent where required.
Parents/guardians can contact us to:
- review or update a child’s data
- withdraw consent (where applicable)
- request erasure (where lawful)
18. Automated Decision-Making
We do not use automated decision-making (including profiling) that produces legal or similarly significant effects.
19. Data Breaches
If a personal data breach occurs, we assess it promptly and take appropriate steps to limit harm. Where required, we will:
- notify the ICO within applicable timeframes, and
- notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
20. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version will always be available at:
https://onebodyldn.com/privacy-policy
Where changes are significant, we may also notify you by email and/or via the website.
21. Complaints
If you wish to exercise your rights, you can contact us at any time. You also have the right to complain to the UK regulator:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
https://ico.org.uk/
Helpline: 0303 123 1113