Privacy Policy
Updated October 2025
Guildford and Godalming Physiotherapy (“we”, “us”, “our”) are committed to protecting your privacy and handling your personal data responsibly and in compliance with UK data protection law (UK GDPR and the Data Protection Act 2018). This Privacy Policy explains how we collect, use, store, share, and protect your personal information, and your rights in relation to that data.
1. Data We Collect
We may collect personal information about you when you contact us, book an appointment, use our services, or visit our website. This may include:
- Personal identifiers – name, address, phone number, email, date of birth.
- Health information – medical history, assessment findings, treatment notes, and progress records.
- Administrative information – appointment history, payments, insurance details.
- Website and technical data – IP address, cookies, analytics data.
- Marketing preferences – information provided when you subscribe to our newsletter or opt into communications.
2. Lawful Basis for Processing
We process your personal data under the following lawful bases as defined by UK GDPR:
- Contractual necessity – to provide physiotherapy and related services.
- Legal obligation – to meet regulatory, tax, or clinical record-keeping requirements.
- Legitimate interest – to improve our services and communicate relevant updates.
- Consent – for marketing, cookies, and the use of AI transcription tools (see Section 6).
3. How We Use Your Information
We use your information to:
- Deliver physiotherapy and wellness services.
- Maintain accurate treatment and billing records.
- Communicate appointment details, changes, and follow-ups.
- Improve our clinical processes and website experience.
- Send marketing emails (only where you have opted in).
4. Storage and Security
Your data is stored securely in Cliniko, our electronic clinical notes system, which complies with UK GDPR. Access is restricted to authorised clinicians and administrative staff. Physical and digital safeguards protect your data from loss, misuse, or unauthorised access.
We take appropriate technical and organisational measures to protect your personal data. However, please note that the transmission of information over the internet is never completely secure, and any electronic communication is at your own risk.
5. Data Retention
We retain your health records for at least seven years after your last appointment (or until your 25th birthday if treated as a child), in line with professional and legal standards. After this period, records are securely deleted or anonymised.
6. Use of AI-Assisted Medical Transcription (Ask Heidi)
We use Ask Heidi (operated by Heidi Health) to assist with clinical note transcription. This tool processes audio in real time during your consultation to generate a written summary.
Key facts about Ask Heidi:
- Audio is processed in real time and not permanently stored.
- Transcripts are automatically deleted after 30 days.
- Only your treating clinician can view your transcript before it is saved into your clinical record.
- Heidi Health does not use your data to train its AI models.
- Heidi Health complies with UK GDPR and data security standards (see https://www.heidihealth.com/compliance/uk and https://trust.heidihealth.com).
Before each session, we will ask whether you consent to using Ask Heidi. You may refuse without any impact on your care. You may also review the transcript before it becomes part of your medical record.
7. Data Sharing
We will never sell your personal data to any third party. We may disclose information when required by law, regulation, or court order, or to comply with lawful requests from regulatory bodies. Such disclosures will always be limited to what is strictly necessary.
We may share information with:
- Healthcare providers or insurers involved in your care.
- Service providers (e.g. Cliniko, Ask Heidi, Mailchimp) who act as data processors.
- Legal or regulatory bodies when required by law.
All third parties are bound by confidentiality and data protection agreements.
8. Marketing and Communications
We use Mailchimp to manage our email communications. We operate a double opt-in process, and you can unsubscribe at any time by using the link in our emails or contacting us directly. We do not share your details with third parties for marketing purposes.
9. Website Cookies and Analytics
Our website (www.guildfordgodalmingphysio.co.uk) uses cookies for essential functionality, Google Analytics, and Google Ads. Non-essential cookies are only used with your consent via our cookie banner. You can withdraw consent or disable cookies in your browser at any time, though some features may not function properly.
Blocking cookies:
Most browsers allow you to refuse or delete cookies.
- In Internet Explorer: click “Tools” → “Internet Options” → “Privacy” and choose “Block all cookies.”
- In Firefox: click “Tools” → “Options” → “Privacy & Security” and uncheck “Accept cookies from sites.”
- In Chrome: click “Settings” → “Privacy and security” → “Cookies and other site data” and select “Block all cookies.”
Blocking cookies may affect website functionality.
10. Your Rights
Under UK GDPR, you have the right to:
- Access your data.
- Rectify inaccurate or incomplete data.
- Request erasure (“right to be forgotten”) where applicable.
- Restrict or object to processing.
- Withdraw consent for processing based on consent.
- Request data portability.
To exercise these rights, contact us using the details below.
11. Contact and Questions
If you have any questions, concerns, or complaints about how we handle your data, please contact us using the details below. We welcome the opportunity to resolve any concerns directly. You also have the right to contact the Information Commissioner’s Office (ICO) if you are unhappy with our response.
Guildford and Godalming Physiotherapy
Surrey Holistic, The Barn, Wiggins Yard, Bridge Street,
Godalming, GU7 1HL
Email: naomi@ggphysio.co.uk