Privacy Policy – Joint Pain Clinics
Effective Date: 28/04/2024
This Privacy Policy explains how we collect, use, and share your personal information when you attend an appointment at our clinics, purchase a product, contact us, or otherwise engage with our services. It is designed to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Data Protection Act (DPA) 2018.
Information We Collect
To provide healthcare services and manage your treatment effectively, we collect the following personal information:
Name
Date of Birth
Email address
Postal address
Medical history and treatment information
Payment details
Your information is securely stored in an encrypted, password-protected electronic patient record and diary system.
Legal Bases for Processing Your Information
Under GDPR, we rely on the following lawful bases to process your information:
Provision of Healthcare Services: Processing your data is necessary for the purpose of providing healthcare and treatment.
Consent: Where you have given clear consent, such as subscribing to marketing communications. You can withdraw consent at any time.
Legal Obligations: Compliance with legal requirements (e.g., tax laws or regulatory obligations).
Legitimate Interests: When necessary to protect vital interests, manage our business operations, or improve our services.
Marketing Communications
We may occasionally send you marketing communications, including updates about services and special offers. You can choose your preferred contact methods:
☐ Mail ☐ Email ☐ Text ☐ Phone ☐ No Marketing
You may withdraw your consent for marketing at any time by contacting us.
Information Sharing and Disclosure
We only share your information when necessary and in accordance with GDPR:
Medical Professionals: With your consent, we may share information with your GP, consultants, or other healthcare providers to ensure continuity of care.
Service Providers: Trusted third-party service providers (such as reception and administrative support services) may have limited access to your information solely to perform services on our behalf.
Data Storage Providers: We use GDPR-compliant providers such as Cliniko, Physitrack, Best Reception, and Mailchimp. Each provider has its own privacy policies and data protection measures.
Business Transfers: If we sell or merge our business, your data may be shared as part of that transaction under strict confidentiality and GDPR guidelines.
Compliance with Laws: We may disclose your data where required to comply with legal or regulatory obligations.
We never sell your personal information to third parties.
Data Retention
We retain your personal information only as long as necessary:
Patient records: Minimum of 8 years from the date of last treatment (in line with medical record-keeping requirements).
Customer purchase data (non-patient): Minimum of 6 years for tax purposes.
After this period, your data will be securely deleted or anonymised.
Transfers of Personal Data Outside the UK/EU
Some of our service providers may store data outside the UK/EU (e.g., in the United States). When we transfer your data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or reliance on providers who are Privacy Shield certified (where applicable).
Your Rights
You have rights under GDPR regarding your personal information:
Access: You can request a copy of the information we hold about you.
Rectification: You can request correction of inaccurate or incomplete data.
Erasure: You can request deletion of your data in certain circumstances (please note medical records may be exempt from deletion requests).
Restriction: You can request restriction of data processing.
Data Portability: You can request to receive your data in a structured, commonly used format.
Objection: You can object to processing based on legitimate interests or for direct marketing purposes.
Complaint: You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.
Contact Details
Data Controller:
Joint Pain Clinics – Aamir Safdar-Khan
Email: admin@jointpainclinics.co.uk
Postal Address:
Joint Pain Clinics
15 High Street, Harborne
Birmingham, B17 9NT