
Privacy Policy

Copyright notice

Please see the Copyright section at the end of this document.

Information about The Fernandes Clinic Ltd

Company Name: The Fernandes Clinic Ltd

Place of registration: England and Wales

Companies House Number: 16747901

Registered Office: 

9 BARN CLOSE
PEASE POTTAGE
CRAWLEY
RH11 9AN

Principal activities: Healthcare services as defined below.

Professional regulation: Practitioners are regulated by the Health and Care Professions Council (HCPC) and adhere to the standards of the Chartered Society of Physiotherapy (CSP) and The Royal College of Occupational Therapists (RCOT). Additionally, there may be non-medical professionals working within the clinic that may adhere to CASES, UKSCA and BASRaT.

About our Privacy Notice

The Fernandes Clinic Limited is committed to protecting your privacy and legal rights when dealing with your personal information. This Privacy Notice intends to provide clear and understandable details about the information we collect about you (or anyone you have provided us with information about, e.g. your child), and how we use and protect it. It also provides information about your rights that relate to the data we process.

If you have any queries about this Privacy Notice, if you are not sure what something means, or if you wish to contact us about personal information we hold, please email us at:

info@thefernandesclinic.com

The Fernandes Clinic Limited is registered with the Information Commissioner’s Office, registration number ZA038723.

The right to object

You have the right to object to processing of your data, if processing of your data is based on legitimate interests, or if processing is being used for direct marketing. The definition of ‘legitimate interests’ is discussed within this Privacy Notice. Please contact us in the first instance if you wish to object.

Definitions of terms within this Privacy Notice

‘we’, ‘our’, ‘us’, ‘Company’ are direct references to The Fernandes Clinic.

‘services’ means health care related services provided by us, as defined in ‘Scope of healthcare services’.

GDPR means the EU General Data Protection Regulation, which came into force on May 25th 2018.

ICO means the Information Commissioner’s Office and will also refer to any successor to it as the UK data protection authority.

Data Protection Laws means the Act, GDPR, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the ICO or any other supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction.

Data Controller, Data Processor, Data Subject and Personal Data all have the meaning given to them in the Act and GDPR.

Website or site means the Company’s website at https://www.thefernandesclinic.com.

‘patient’ or ‘patients’ means people who attend our clinic or intend to use our services.

‘patient or patient’s data’ means either Personal Data or Special Category data, as defined by the GDPR.

‘personal information’ means either Personal Data or Special Category data, as defined by the GDPR.

Privacy Notice scope

This Privacy Notice will apply to any person (also known as a ‘data subject’) who enquires about, uses or purchases our services. Please see the section ‘Scope of Health Care Services’ for more information.

It also applies if you communicate with us in any manner, for the purpose of discussing current or past use of our services.

You may be reading a printed version of our Privacy Notice, which may not be the latest version. Please view the current Privacy Notice on our website, or contact us using the contact details at the beginning of this Privacy Notice to request a copy of the Privacy Notice via email, in Adobe PDF format.

Scope of Health Care Services

The Fernandes Clinic Limited provides the following health care services.

  • Physiotherapy

  • Occupational 

Securing your personal information

Data protection laws require appropriate technical and organisational measures to be taken to prevent unlawful access to or processing of personal information. We, as the Data Controller for The Fernandes Clinic, are responsible for implementing these measures.

The level of technical safeguarding of data should be appropriate to the nature of information in question, and the harm that might result from its improper use, or from its accidental deletion or destruction.

The following list shows some of the technical and organisational measures we put in place to ensure the safety and integrity of your data.

  • Our clinicians and administrative staff are trained in the appropriate handling of personal information and how to respond to a data breach

  • We practise common-sense cybersecurity requirements, such as locking screens when away from them and ensuring Windows / Mac OS updates are installed on release

  • Where possible, we use two factor authentication for key systems

  • We ensure passwords are changed regularly on our systems

  • We don’t use systems aimed purely at consumers, such as Gmail personal, Dropbox personal and Hotmail

  • Where we consider appropriate, we ensure we encrypt our hardware that will store personal information, using industry standard encryption methods

  • Cliniko (electronic health record and practice management). Cliniko hosts clinical notes, appointment data, and related patient information within its platform.

  • Wix Studio (website and forms) and its integrated payment gateway for online booking, enquiries, and payments. 

  • Our third party providers of systems used to process your personal data are compliant with data protection laws and requirements, and also have effective data restore capabilities to ensure your data can be recovered

Encryption and transmission

  • Encryption in transit using HTTPS/TLS for our website and supported portals.

  • Encryption at rest is provided by our processors for data stored within their platforms.

Training and awareness

  • Induction and periodic training for staff on confidentiality, data protection, phishing awareness, and incident reporting.

  • Acceptable use requirements covering email, messaging, and social media.

Business continuity and backup

  • Reliance on our processors’ resilience and backup facilities for hosted systems.

  • Local contingency procedures for continuity of care if hosted services become temporarily unavailable.

Monitoring and review

  • Periodic review of access permissions, processor assurances, and policy effectiveness.

  • Supplier due diligence for processors and sub-processors.

Important accountability statement

The Fernandes Clinic Ltd is the data controller. We select processors that provide appropriate guarantees and enter into Article 28 UK GDPR terms with them. Cliniko and Wix operate as data processors for the services they provide and are responsible for implementing and maintaining security within their platforms. While processors have direct security obligations, The Fernandes Clinic remains accountable under UK GDPR for its own compliance and for choosing processors with appropriate safeguards. 

How we collect personal information from you

The Fernandes Clinic Ltd obtains personal and clinical information only in ways that are fair, lawful, and transparent. We collect data directly from you and, where appropriate, from trusted third parties who are already involved in your healthcare or act on your behalf. Each collection route has an identified lawful basis under the UK GDPR.

If you provide us with personal information about other people, please ensure that they have seen this Privacy Notice and understand it, before you provide this information to us.

We will collect Standard and Special Category personal information from you, or other third parties. We will collect the information from the following sources:

  • Your parent or guardian, if you are under 18 years of age

  • A family member, or someone else acting on your behalf

  • Your interpreter, acting on your behalf

  • From yourself, either in face to face consultations, or via electronic communications such as email, via the telephone, or via postal communications

  • When you have given explicit consent to subscribe to educational or marketing email correspondence

  • Manually, when you fill in referral, assessment, registration and other forms

  • Via electronic or postal communications, or records completed by clinicians involved in your care, and their administrators

  • When given directly by social services, carers, relatives and friends – over the phone or in person

  • From providers of medical imaging and diagnostic testing involved in your care

  • From your private medical insurance provider or referring Embassy

  • In emergency situations by the social services, police or ambulance service staff

Information generated during treatment

During consultation and treatment, our clinicians will create and maintain clinical notes, assessments, exercise plans, and progress reports. This information constitutes special category data relating to your physical and mental health and is stored within Cliniko. These records are necessary for safe and effective care, regulatory compliance, and continuity between sessions.

Information obtained automatically through our website

When you visit thefernandesclinic.com, technical information such as IP address, browser type, and interaction data may be automatically logged by Wix Studio for security and analytics. These data are anonymised and used solely to maintain website functionality and detect technical faults. They are not combined with clinical or identifiable information.

Information for marketing purposes

We collect limited contact information, typically your name and email address, when you explicitly consent to receive updates via email, Instagram, or TikTok. You may withdraw this consent at any time by using the unsubscribe link in our emails or by contacting info@thefernandesclinic.com. We never buy, sell, or trade marketing lists.

Information received from insurers or referring organisations

If your sessions are funded or referred by a private medical-insurance company, sports organisation, or employer, we may receive authorisation codes, claim numbers, and administrative correspondence. Only the minimum data required to process treatment and invoices are recorded. Financial data are handled in accordance with HMRC record-keeping rules.

Lawful basis for collection

Depending on the context, our lawful bases under Articles 6 and 9 of the UK GDPR include:

  • Legal obligation – for maintaining accurate medical records and fulfilling professional-regulatory duties.

  • Contract – for delivering the healthcare services you request.

  • Legitimate interest – for managing clinic operations, appointment reminders, and debt recovery.

  • Consent – for marketing and optional communications.

  • Vital interests – for sharing information in a medical emergency.

Categories of personal information that we process
Standard personal information

This can include (but is not limited to):

  • name

  • address(es)

  • email address(es)

  • telephone number(s)

  • occupation

  • date of birth

  • next of kin or similar contact details

  • details of any complaints or grievances raised that relate to the provision of our services

  • financial details that relate to payments for our services (note we do not store card details)

  • account details relating to your private medical insurance provider

  • Limited technical data collected by our website host (e.g., IP address, browser type, session timestamps).

Special Category personal information

This is personal information specifically relating to your:

  • health, both physical and mental

  • sex life

  • clinical notes, assessment findings, and treatment plans;

  • medical history, diagnoses, and surgical history;

  • test results, imaging reports, or diagnostic referrals;

  • medication information and known allergies;

  • pain levels, injury mechanisms, rehabilitation progress, and outcome measures;

  • information relating to mental-health status if relevant to treatment;

  • data concerning reproductive or musculoskeletal health where clinically required; and

  • correspondence received from other healthcare professionals directly involved in your care.

Special Category personal information relating to health can include (but is not limited to) clinical notes, examination findings, medical imaging data related to your care, diagnostic test results, correspondence and communications from other clinical professionals which relates to your current or past clinical care. We collect the minimum information necessary for safe and effective care and to meet legal and regulatory requirements.

Financial information

For patients paying directly, we collect transaction data to confirm payments and issue receipts. All online payments are processed through Wix Payments, which complies with the Payment Card Industry Data Security Standard (PCI DSS). The Fernandes Clinic Ltd does not retain or access your full card details. Where payments are made via insurance or employer schemes, only claim reference numbers and authorisation codes are stored.

Marketing and communication preferences

Where you have opted in to receive educational or promotional material, we retain your name, contact details, and communication-preference record. These data are stored separately from clinical records and processed solely on the basis of your explicit consent. You may withdraw consent at any time without affecting your clinical care.

What we use your personal information for

We will process your personal information for reasons set out in this Privacy Notice. By law, we need to have a lawful basis or bases for processing your Standard personal information and a lawful basis or bases for processing your Special Category personal information. Additionally, for Special Category personal information, we are required to identify a condition or conditions for processing this data (as well as a lawful basis or bases).

These two types of personal information are discussed above in the section “Categories of personal information that we process”.

For ‘Standard’ personal information:

We process Standard personal information about you if it is determined:

  • It is in our Legitimate Interests. Details of what constitutes Legitimate Interests are detailed below.

  • It is our Legal Obligation – this means we are required to process your Standard personal information in order for us to comply with the law. Details of the Legal Obligation are detailed below.

  • We have your Explicit Consent – this only applies when you’ve subscribed and opted in to receive our email newsletters, blogs and marketing offers, or you’ve provided consent to receive email newsletters, blog and marketing offers via our marketing consent form via an opt-in checkbox.

Standard personal information – Legitimate Interests

The law requires us to balance the processing of your Standard personal information against your interests, rights and freedoms. We conduct a legitimate interests assessment to ensure that our processing of your Standard personal information does not override your interests, rights or freedoms that relate to your information.

The Legitimate Interests we have identified that allow us to process your Standard personal information are:

  • To enable us to take sufficient information in order to record who you are when booking appointments

  • To ensure we can email you with basic information about your appointments

  • To manage our personal relationship with you, with respect to discussing invoices and requesting insurer authorisation codes

  • To communicate with you if we need to cancel or rearrange appointments

If you book into our clinic as a potential patient and we hold no previous clinical records that relate to your direct care, and then you cancel the booking, we will no longer have a legitimate interest in processing your data. In most instances, we would delete any personal information that was used to make the booking.

Please note that if you are a patient currently undergoing treatment or have appointments booked, we will use your email address to inform you of any changes that relate to our clinic. Examples include changes to fees and change of clinic address. Even if you ask us not to send you marketing or educational emails, we will still use your email address to communicate with you regarding this clinic-related information.

Standard personal information – Legal Obligation

We process Standard personal information to fulfil our Legal Obligation, which requires us to maintain complete records relating to the health care services we supply to you. The records that we maintain require that we process a subset of your Standard personal information, with the lawful basis being a Legal Obligation. The Standard personal information we will then process under a Legal Obligation is your:

Full name;

address;

date of birth;

gender;

contact details (such as an email address or telephone number);

your parent(s) or legal guardian details if you are a minor.

Please note that whilst we initially use Legitimate Interests as a lawful basis for processing your data, once you attend clinic and we take any notes relating to your clinical care, we will then process your Standard personal information on the lawful basis of our Legal Obligation.

For ‘Special Category’ personal information

As we are a provider of health care services to you, we have several reasons for processing your Special Category personal information. We would not be able to provide health care services to you unless we can process this information.

We undertake to process this information in line with Data Protection Laws as defined in the section “Definitions of terms within this Privacy Notice” within this document.

We process Special Category personal information about you if it is determined:

  • It is our Legal Obligation – this means we are required to process your Standard personal information in order for us to comply with the law. Details of the Legal Obligation are detailed below. We also are required to define an additional condition or conditions to process your Special Category personal information.

The conditions under which we need to process your Special Category personal information are:

  • Processing is necessary for the purposes of preventive or occupational medicine, for medical diagnosis or the provision of health care or treatment, on the basis of Union or Member State law or pursuant to contract with a health professional

  • Processing is necessary for the establishment, exercise or defence of legal claims (for example, to process a legal claim against us, including your personal information provided to our regulatory body if lawfully requested)

Special Category information – provision of health care or treatment on the basis of UK law (lawful basis is Legal Obligation)

People directly involved in your healthcare who are designated as being regulated by the regulatory bodies listed in the Medical Act 1983 or the Health Professionals Order 2001 are legally required to record information about you that relates to preventive or occupational medicine, medical diagnosis, or the provision of health care or treatment.

We are required to demonstrate we follow the legal requirements as listed in:

The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014

Which includes:

PART 3, Section 2, Regulation 17 (c)

Which states:

(c) maintain securely an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided;

Note, you as the patient are the “service user”.

We are also required by our Regulatory body, the Health & Care Professions Council (the HCPC) to take and process medical records, which are required to support safe and effective care. As our regulatory body is covered by UK law, this also demonstrates a legal requirement to record and maintain clinical records that relate to your clinical care.

Additional safeguards for Special Category Data

  • Encryption and storage – All clinical notes and documents are stored exclusively within Cliniko, whose servers employ AES-256 encryption, secure authentication, and audited access logs. Data in transit are protected using TLS 1.2 or higher.

  • Access limitation – Only authorised clinicians and administrative staff who require access to perform their duties may view Special Category Data. Access rights are reviewed quarterly and revoked immediately when staff leave.

  • Separation of records – Special Category Data are stored separately from marketing or financial systems. Anonymised or pseudonymised datasets are used whenever possible for quality-improvement analysis.

  • Confidentiality training – All staff receive training in data protection, record keeping, and confidentiality before being granted access to clinical systems.

  • Audit trail – Cliniko automatically logs every user access and amendment, enabling retrospective audit if a data-integrity concern arises.

  • Data minimisation and retention – Only information strictly necessary for care is collected, and records are retained for eight years after the final treatment (or until the patient’s 25th or 26th birthday for minors) unless extended for legal-defence purposes.

  • Independent processors – Where Cliniko or Wix Studio perform data-processing tasks, they do so under contract as independent processors, each with their own security and breach-notification obligations. The Fernandes Clinic Ltd is not responsible for security failures arising solely from those platforms’ infrastructure.

Sharing Special Category Data

Special Category Data are shared only:

  • with healthcare professionals directly involved in your treatment and bound by professional confidentiality;

  • with insurers, legal representatives, or employers when you have provided explicit written consent or when necessary to administer authorised treatment;

  • with regulators or statutory bodies if required by law; or

  • in rare circumstances, to protect life or prevent serious harm, consistent with professional-practice guidance.

All sharing is documented, and disclosures are limited to the minimum information necessary.

Provision of assessment, diagnosis, and treatment

We use your information to conduct initial assessments, establish and review treatment plans, deliver physiotherapy, sports rehabilitation, sports-massage, or acupuncture services, and monitor progress. These activities rely on the lawful bases of Contract and Legal Obligation, and on the special-category condition of provision of health care or treatment by a regulated professional.

Continuity and coordination of care

Your data may be used to liaise with referring practitioners, consultants, or insurers so that all professionals involved in your care have accurate, up-to-date information. Disclosures for this purpose are limited to what is clinically relevant and rely on the lawful bases of Legitimate Interest and Legal Obligation.

Appointment management and communications

We process your contact details to send appointment confirmations, reminders, and administrative updates. Automated notifications generated by Cliniko or Wix are delivered via secure servers. This processing is necessary for the performance of your treatment contract and for our legitimate business interest in reducing missed appointments.

Billing and financial administration

Names, contact details, and payment references are used to raise invoices, process payments, reconcile accounts, and meet HMRC record-keeping requirements. The lawful bases are Legal Obligation and Legitimate Interest.

Regulatory compliance and record keeping

As a regulated healthcare provider, we must create and maintain contemporaneous clinical records to evidence safe and effective practice, support audits, and meet obligations under the HCPC Standards of Conduct, Performance and Ethics and the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. Processing for this purpose is a Legal Obligation.

Quality assurance, training, and service improvement

We may review anonymised or pseudonymised data to monitor clinical outcomes, improve protocols, and ensure consistent quality of care. Where used for staff training or research, data are fully anonymised so that individuals cannot be identified. The lawful basis is Legitimate Interest.

Marketing and communications (opt-in only)

Where you have explicitly opted in, we may use your contact information to send educational material, updates, or promotional offers relating to The Fernandes Clinic via email, Instagram, or TikTok. This processing relies on your consent, which you may withdraw at any time by emailing info@thefernandesclinic.com or using the unsubscribe option provided.

Legal claims and defence

We retain and may process data as necessary to establish, exercise, or defend legal claims or regulatory investigations. The lawful bases are Legitimate Interest and Legal Obligation, and the special-category condition is processing necessary for the establishment, exercise or defence of legal claims. Records may therefore be held beyond normal retention limits where an active or potential claim exists.

Business management and auditing

Aggregate and non-identifiable information may be used to analyse business performance, ensure financial integrity, and comply with statutory audit requirements. Individual identities are not used for profiling or automated decision-making.

Sharing your personal information

We sometimes need to share your information with other people or organisations for the purposes set out in this Privacy Notice. We will, where required, share the minimal amount of your personal data as appropriate with the other people or organisations we are communicating with:

  • Doctors, surgeons, clinicians and other health-care professionals, hospitals, clinics and other health-care providers;

  • Their administrative staff such as secretaries;

  • People or organisations that we are required by law or our regulatory body to share your personal information with;

  • The police or other law enforcement agencies, where we are either required by law or a court order;

  • A parent or legal guardian if you are a minor;

  • Any person that you have authorised us to share information with

Internal sharing

Access to your data within the clinic is restricted to personnel who require it to fulfil their duties. Clinicians, administrative staff, and authorised contractors may view or update records only for tasks relevant to your care or the day-to-day running of the clinic. Each individual is bound by a confidentiality clause and receives annual data-protection training.

Sharing with other healthcare professionals

Your information may be shared with GPs, consultants, imaging providers, or allied-health professionals involved in your treatment plan. The lawful bases are Contract, Legal Obligation, and Legitimate Interest. Only data necessary for continuity of care are disclosed. Correspondence is transmitted through secure encrypted channels or uploaded directly into Cliniko’s secure messaging environment.

Insurance companies, legal representatives, and employers

If your treatment is arranged or funded through an insurer, solicitor, sports organisation, or employer, limited personal and clinical data will be provided to them for authorisation, invoicing, or outcome reporting. This sharing occurs only where you have provided explicit consent or where the contract with the funder requires disclosure. We remind all third parties of their independent data-controller responsibilities.

Regulatory bodies and statutory disclosures

We may share information when legally obliged to do so, for example, with the Health and Care Professions Council (HCPC), Chartered Society of Physiotherapy (CSP), HMRC, courts, or law-enforcement agencies. In such cases, disclosure will be the minimum required to comply with the law.

Technology and service providers

We use reputable third-party service providers to host, process, and store data securely. These include:

  • Cliniko – patient-management system and electronic health-record storage;

  • Wix Studio – website hosting, contact forms, and payment gateway;

  • Email and cloud-storage providers – used solely for business communication and file backup.

Each processor has provided written assurances of compliance with UK GDPR Article 28 and maintains its own data-security certifications. They act on our documented instructions and are contractually prohibited from using your information for any purpose other than the service they supply.

Transfers outside the UK or EEA

We do not routinely transfer data outside the United Kingdom or European Economic Area. Should a processor use sub-processors based abroad, they must do so under the UK Government’s approved International Data-Transfer Agreements or equivalent safeguards ensuring adequate protection.

Business transfers and continuity

In the unlikely event that The Fernandes Clinic Ltd undergoes a business sale, merger, or restructuring, anonymised or pseudonymised data may be shared with prospective parties for due-diligence purposes. Identifiable data will only be transferred once appropriate confidentiality and data-processing agreements are in place, and you will be notified where practicable.

Limitation of liability and independent responsibilities

While The Fernandes Clinic Ltd selects and contracts only processors that demonstrate strong data-protection compliance, each processor retains independent control over its own infrastructure. The clinic cannot be held responsible for any unauthorised access, system outage, or loss of data that arises solely from a processor’s platform or negligence. Our responsibility is limited to ensuring that processors are properly vetted, bound by contract, and monitored for compliance.

Transferring information outside the boundaries of the EEA (European Economic Area)

Generally, we store your personal information on secure systems that reside within the EEA. Where we store your personal information on systems that are outside of the EEA, we will ensure that there are suitable contractual or other safeguards in place to protect your data.

These measures may include contracts between the data controller (us) and data processors whom we have checked for the required data protection law compliance, or ensuring your data is transmitted from the EEA to other global areas in a highly encrypted format and then stored on secure systems using “zero knowledge” encryption. This means your data cannot be decrypted by a data processor.

Legal frameworks for international transfers

When personal information must leave the UK or EEA, The Fernandes Clinic Ltd ensures that one of the following conditions is satisfied:

  1. Adequacy regulations: the destination country has been formally recognised by the UK Government as providing an adequate level of data protection;

  2. Standard Contractual Clauses (SCCs) / International Data-Transfer Agreement (IDTA): our processors are bound by contractual terms approved by the UK Government or the European Commission that guarantee equivalent protections; or

  3. Explicit consent: where you have been informed of the transfer and have provided clear consent for it.
     

Under no circumstances will identifiable patient data be transferred internationally without these safeguards in place.

Encryption and security during transfer

If data are transmitted outside the UK or EEA, all transmissions are encrypted using Transport Layer Security (TLS 1.2 or higher). Remote connections to clinical systems use secure, authenticated channels. Access is restricted to authorised users, and all devices must comply with our encryption and password-protection standards.

Processor obligations

Each data processor engaged by The Fernandes Clinic Ltd, currently Cliniko and Wix Studio, has provided written assurance that any international transfers undertaken by them meet the requirements of the UK GDPR, including the use of approved safeguards and sub-processor vetting. These processors act on our instructions only and are independently responsible for maintaining appropriate technical and organisational measures.

Responsibility and limitation of liability

While The Fernandes Clinic Ltd ensures that contracts and due-diligence reviews are in place, operational control of foreign servers or sub-processors lies with the relevant processor. The clinic cannot accept liability for any unauthorised access or data loss arising solely from the processor’s infrastructure or international-transfer mechanism. Our duty is to ensure that such processors are demonstrably compliant with the UK GDPR and that transfers occur only where adequate safeguards exist.

How long do we keep your personal information for

As we are processing your personal data for provision of health care services using a lawful basis of Legal Obligation, we also have a legal obligation to retain this data.

There are also industry standard guidelines for retention of records (set by the UK National Health Service) that we follow, in accordance with our regulatory body requirement.

Normally we will process or store your personal information for eight (8) years for adults and until their 25th or 26th birthday if a child, but this can increase if there are specific circumstances. If you have any queries about how long we are processing your data for, please contact us.

We will also store information to ensure we can deal with any legal claims that arise from you using our services, and the data will be stored for as long as is required and advised by our legal counsel.

Your rights on us processing your personal information versus us storing your personal information are discussed in the section ‘Your rights’, below.

Any personal information that is used for marketing purposes, that has been provided using explicit consent, will be erased in accordance with your rights if requested.

Clinical records
  • Adults: kept for eight (8) years after the date of the last treatment or discharge from care.

  • Children and young people: kept until their 25th or 26th birthday, whichever occurs later.

  • Maternity records: retained for 25 years following the birth of the last child where applicable.

These periods reflect the standards set by the Chartered Society of Physiotherapy (CSP) and HCPC for safe record keeping and align with NHS best practice.

If a claim, complaint, or regulatory investigation is anticipated, records may be held longer until resolution, after which they will be securely destroyed.

Financial and transactional data

Invoices, payment records, and other financial documents are retained for seven (7) years to comply with HMRC accounting and tax requirements. After this period, records are anonymised or securely deleted.

Marketing and communication data

Contact details collected for newsletters, email campaigns, or social-media outreach are held only while valid consent exists. Withdrawal of consent triggers immediate suppression from marketing systems, ensuring no further contact for promotional purposes. Minimal records are maintained to evidence that the request was fulfilled.

Employment and contractor data

If applicable, employment-related or self-employed-contractor information is stored for up to six (6) years following the end of engagement, in line with UK employment-law limitation periods.

Backup and archived data

Electronic backups within Cliniko and Wix Studio are automatically cycled and overwritten according to each provider’s retention and disaster-recovery policy. Data stored solely for backup purposes are accessible only to system administrators and are permanently deleted at the end of the retention cycle.

Secure disposal

When the retention period expires and no legal reason exists to keep the data, the following destruction methods are applied:

  • Digital records: permanently deleted using data-wiping software conforming to NIST 800-88 or equivalent standards.

  • Paper records: cross-shredded or destroyed by a certified confidential-waste contractor.
    Certificates of destruction are retained for audit.

Responsibility and verification

The Data Protection Lead monitors compliance with retention rules through annual audits. Cliniko automatically timestamps all record modifications and deletions, providing a full audit trail. Any premature deletion must be approved in writing by the Data Protection Lead.

Your rights

You have the following rights; however, please note that the rights are not absolute. The only absolute right you have is to request that we do not use your personal information for direct marketing.

Please do contact us if you are unsure about your rights as detailed below. We will always endeavour to help explain how your rights apply to the personal information we process, for our specified lawful reasons.

The right to be informed

We need to inform you of the name and contact details of our organisation, which is at the top of this document.

You have the right to be informed about how we collect and use your personal data. We are obliged to provide this right to be informed in a clear and concise manner.

This Privacy Notice you are reading is designed to inform you how we collect and use your personal data.

The right of access

You have the right to confirmation that your data is being processed and to view this information. This is known as a Subject Access Request or ‘SAR’, but you do not have to specify this term when requesting your personal information from us. You also have the right to request a copy of your personal data that we process.

We will need to identify you using reasonable means before we will start the process of collating your personal information.

Once we have identified you, we will reply to any requests for your personal information (SARs) within 30 days, unless we deem the request to be complex or repetitive, in which case we will notify you that we may take an additional two months to provide your personal information.

We will not charge you to request information from us. However, we will charge a reasonable fee if the request for information is repetitive. If we’ve provided information to you and you wish to request it again, we ask that you contact us beforehand to discuss what our reasonable fee is.

If the request is manifestly unfounded or excessive, particularly if the request becomes repetitive, we might decide to:

  • charge a reasonable fee taking into account the administrative costs of providing the information; or

  • refuse to respond.

 

When we refuse to respond to a request, we will explain why to you, informing you of your right to complain to the ICO without undue delay and at the latest within one month of our refusal.

The right to rectification

You have the right to request rectification of your personal information. However, we only consider requests to correct factual information. Any clinical opinions will remain valid, as they were the opinion at the time of being recorded. If a clinical opinion or diagnosis is later found to have changed, we will update your personal information to reflect this, but we will not change or remove the original clinical opinion.

The right to erasure

You have the right to request erasure of personal information.

If you have subscribed to any of our email educational or marketing correspondence, you have the right to request erasure from our email list, or you can click on the ‘unsubscribe’ link that appears in all emails we send. We will only use your personal information to send you marketing or educational material if you have given us your explicit permission.

We will consider all requests in conjunction with our legal obligation to retain information relating to the health care we have provided to you, as well as data protection law, which clearly states when the right to erasure does not apply. Normally, this means we will not erase any information unless it is not required for legal reasons.

If we determine we cannot delete data, you still have the right to ask us to restrict processing of your personal data.

The right to restrict processing

You can request that we restrict processing of personal information. This means that we will stop actively processing it, and it will just be stored. Stopping processing will mean that we will not add any additional information to your existing information.

The right to data portability

As we do not process personal information using a lawful basis of either a) consent or b) for the performance of a contract, the right to data portability is not applicable. You still have the right to request this, however.

The right to object

You have the right to object if processing is based on legitimate interests, or if processing is being used for direct marketing.

 

Rights in relation to automated decision making and profiling

We do not make any kinds of automated decisions or perform any profiling with your personal information.

The right to lodge a complaint with a supervisory authority

We ask that you first contact us if you feel you wish to make a complaint.  Please see the template letter and guidelines listed on the ICO website.

https://ico.org.uk/for-the-public/raising-concerns/

 

You can also contact the ICO directly:

https://ico.org.uk/concerns/

 

They can also be contacted at the following address:

Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Copyright notice

This Privacy Notice has been created for Complete Physio Limited by The Fernandes Clinic Limited.

The Fernandes Clinic Limited has the right to edit the text contained within this notice as they require, as long as it remains solely for the use of The Fernandes Clinic Limited.

Any redistribution or reproduction of part or all of the contents in any form is prohibited, including by The Fernandes Clinic Limited, to whom limited use of this Privacy Notice is licensed.

The Fernandes Clinic Limited may, however, publish a copy on their website, which is currently https://www.thefernandesclinic.com.

Licensed use and derivative works

The Fernandes Clinic Ltd grants a limited, non-transferable licence to its clinicians, administrative staff, and legal advisors to reproduce or distribute this policy internally for legitimate clinic operations only. No part of this policy may be published externally, copied for use by another healthcare provider, or integrated into any commercial template, privacy-management software, or consultancy service without written approval from The Fernandes Clinic Ltd.

Any unauthorised reproduction, distribution, or adaptation of this policy, including minor edits or rebranding, constitutes a breach of copyright and may result in legal action and/or financial damages.

Enforcement and penalties

The Fernandes Clinic Ltd reserves all rights to enforce copyright ownership through legal means if this document or its contents are used without permission. This includes pursuing damages for unauthorised use, distribution, or misrepresentation. Any breach of these terms will be interpreted as deliberate infringement under UK intellectual property law.

Disclaimer

You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system. This Privacy Policy is designed specifically for The Fernandes Clinic Ltd and reflects its internal systems, data processors, and governance structure. It must not be construed as a general-purpose policy for other clinics, healthcare providers, or commercial entities. The Fernandes Clinic Ltd assumes no liability for loss or damages arising from the unauthorised or inappropriate use of this document by third parties.
