1. about this policy

Newcastle Physiotherapy Ltd ("we", "us", "our") operates two clinics in Newcastle upon Tyne and the website at newcastlephysioclinic.com. This policy explains what personal data we collect, how we use it, and the rights you have under UK GDPR and the Data Protection Act 2018.

If you have questions about this policy or how we handle your data, contact our data protection lead at privacy@newcastlephysioclinic.com or call 0191 217 1929.

2. who we are

Controller: Newcastle Physiotherapy Ltd, registered in England & Wales. Registered address: Drake House, Burdon Terrace, Jesmond, Newcastle upon Tyne NE2 3AE. ICO registration number: available on request.

3. information we collect

We collect information you give us directly when you book an appointment, complete a form, or attend clinic; information generated during treatment (clinical assessments, treatment notes, images where relevant); and limited technical information when you use the website.

personal details

  • name, date of birth, gender
  • contact details (phone, email, address)
  • next-of-kin / emergency contact where relevant
  • GP details where relevant
  • insurance policy details (Bupa, Aviva, Vitality, WPA, AXA, etc.)

clinical information

  • presenting complaint and symptoms
  • medical history, medication, past injuries or surgeries
  • assessment findings and treatment notes
  • measurements, images or video captured with your consent for assessment or outcome tracking
  • correspondence with your GP, insurer, or other clinicians (with your consent)

website and technical data

  • pages viewed and device / browser information via privacy-respecting analytics
  • information submitted via our enquiry form
  • cookies and similar technologies — see our cookie policy

4. how we use your data

We process your data for the following purposes and lawful bases:

  • providing care (lawful basis: contract with you; and for clinical data, provision of health or social care under Article 9(2)(h) UK GDPR)
  • managing appointments and billing (lawful basis: contract)
  • communicating with insurers, GPs or other clinicians with your explicit consent (Article 9(2)(a))
  • clinical audit and service improvement using anonymised data (legitimate interest)
  • meeting our legal obligations, including record-keeping requirements set by the HCPC and CSP (legal obligation)
  • marketing (only where you have opted in)

5. how long we keep your data

Clinical records are retained for the minimum period required by UK healthcare record-keeping standards — usually 8 years from the date of last treatment for adults, and until the patient's 25th birthday for records relating to minors. Financial records are retained for 6 years. Marketing data is retained for as long as you remain subscribed.

6. who we share your data with

We only share your data where necessary and lawful. Recipients may include:

  • your GP, consultant, or other treating clinicians, with your consent
  • your private medical insurer, for invoice processing and authorisation
  • our secure clinic software providers (booking, records, payments) — under contract with data-processing agreements in place
  • HM Revenue & Customs, regulators (HCPC), or law enforcement where we are legally obliged

We never sell your data. We never share clinical data for marketing.

7. where your data is stored

Your data is stored on secure servers within the UK and EEA. Where a supplier processes data outside the UK/EEA we ensure adequate safeguards are in place (UK adequacy regulations, standard contractual clauses, or equivalent).

8. how we protect your data

We use encryption in transit and at rest, role-based access controls, two-factor authentication, audited backups, and continuous monitoring on our booking and records systems. All staff are trained on data protection annually.

9. your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, object to, or port your personal data, and to withdraw consent where processing is consent-based. To exercise any of these rights, contact privacy@newcastlephysioclinic.com. We will respond within one month.

You have the right to complain to the Information Commissioner's Office if you believe we have mishandled your data.

10. changes to this policy

We review this policy annually. Material changes will be posted on this page with a revised "last updated" date and — where changes affect the processing of your data — communicated by email or at your next appointment.