Privacy Policy
Last updated: April 2026
Introduction
Growing Together Physiotherapy ("we", "us", or "our") is committed to protecting your privacy and handling your personal data responsibly.
This policy explains how we collect, use, and protect your data when you use our website, booking system, or services.
Information we collect
We may collect:
- Name, email, phone number
- Appointment and booking details
- Account/login details (if applicable)
- Clinical and health information
- Communications (emails/messages)
- Technical data (IP, browser, usage)
We only collect information necessary to provide safe and effective care.
Children's data
Our services are provided to children and young people.
Personal data relating to children is provided by a parent or legal guardian, who is responsible for ensuring accuracy.
We take additional care to protect children's data due to its sensitive nature.
How we use your information
We use your data to:
- Provide physiotherapy services
- Manage bookings and appointments
- Communicate (including reminders via email/SMS)
- Process payments securely
- Improve our website and services
- Meet legal and clinical obligations
We do not sell your data.
Lawful basis for processing
We process data under UK GDPR based on:
- Contract: to deliver booked services
- Legal obligation: clinical/legal record keeping
- Legitimate interests: running and improving our services
Where we process health data (special category data), this is for the provision of healthcare under UK GDPR Article 9.
Data processors and third-party services
To operate our services, we use the following trusted third-party data processors:
- Supabase (database and file storage) — hosted in the European Union (EU). All patient records, clinical notes, and uploaded documents are stored within EU data centres, ensuring compliance with UK GDPR data residency requirements.
- Stripe (payment processing) — handles all payment card transactions. Stripe is PCI DSS Level 1 certified. We do not store full card details on our systems. Stripe's privacy policy is available at stripe.com/gb/privacy.
- Resend (transactional email) — used to send booking confirmations, appointment reminders, and other service-related communications. Email content may include your name and appointment details.
- Twilio (SMS messaging) — used to send appointment reminders and service-related notifications via text message. SMS content may include your name, appointment time, and clinic details.
All third-party processors are contractually required to handle your data securely and in accordance with applicable data protection legislation.
Payments
Payments are processed securely via Stripe, a PCI DSS Level 1 certified payment provider.
When you make a payment, your card details are transmitted directly to Stripe via their secure, encrypted connection. We do not store, process, or have access to your full card number.
Stripe may process personal and payment data in accordance with their own privacy policy.
Data hosting and security
Your data is stored securely using Supabase, hosted within the European Union.
We implement appropriate technical and organisational security measures, including:
- Encryption in transit (HTTPS/TLS) and at rest
- Role-based access controls for authorised users
- Two-factor authentication (2FA) for staff access
- Strong password policies and authentication controls
- Regular automated backups with recovery capability
- Audit logging of administrative and system activity
All data is stored within the UK/EU. No personal data is transferred outside these jurisdictions.
Data retention
We retain data only as long as necessary:
- Clinical records for children are typically retained until the child reaches 25 years of age, in line with NHS and professional body guidance
- Booking and contact data is retained for the duration of the care relationship plus any legally required retention period
- Account data is deleted upon request or when no longer needed
Data is securely deleted or anonymised when no longer required. Automated retention checks ensure records are not held beyond their required period.
Sharing your data
We may share data with:
- Our data processors (Supabase, Stripe, Resend, Twilio) as described above
- Other healthcare professionals involved in the child's care (with consent)
- Legal or regulatory authorities (if required by law)
We will never sell your data or share it for marketing purposes.
Your rights
Under UK GDPR, you have the right to:
- Access your data (Subject Access Request)
- Correct inaccurate data
- Request deletion (where applicable and not overridden by legal retention requirements)
- Restrict or object to processing
- Data portability (receive a copy of your data in a structured format)
- Withdraw consent at any time (where processing is based on consent)
To exercise these rights, please contact us using the details below. We will respond within one month.
Complaints
If you are not satisfied with how we handle your data, please contact us first so we can try to resolve the issue.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): www.ico.org.uk
Cookies and analytics
We use essential cookies required for the website to function. We may also use analytics cookies (such as Google Analytics) to understand how visitors use our website.
Analytics cookies are only activated with your explicit consent, which you can manage via the cookie settings in the website footer.
Changes to this policy
We may update this policy from time to time. The latest version will always be available on our website. Where changes are significant, we will take reasonable steps to notify you.
Contact us
Growing Together Physiotherapy
30 Bickerdikes Gardens
Sandy, SG19 1UX
Email: info@growingtogetherphysio.co.uk
Phone: 07481899242