Clinicall: Physio and Diagnostics
Banbury, Oxfordshire
Version 1.0 | Effective Date: June 2025 | Review Date: June 2026
1. Introduction and Who We Are
Clinicall: Physio and Diagnostics (“we”, “us”, “our”) is a private physiotherapy and diagnostic clinic
located in Banbury, Oxfordshire. We are committed to protecting the privacy and confidentiality of all
personal and clinical data we collect from our patients and service users.
This Privacy Policy explains how we collect, use, store, share, and protect your personal and health
information in accordance with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018
- The Access to Health Records Act 1990
- NHS Codes of Practice on Confidentiality (where applicable)
- The common law duty of confidentiality
We act as the Data Controller for all personal data processed in connection with your care at our
clinic.
2. Personal and Clinical Data We Collect
We collect and process the following categories of data:
2.1 Personal Identification Data
- Full name, date of birth, gender
- Contact details: address, telephone number, email address
- GP and emergency contact details
- Insurance or self-pay billing information
2.2 Special Category (Health) Data
- Medical history, diagnoses, and clinical presenting complaints
- Clinical assessment notes and treatment records
- Physiotherapy treatment plans and progress notes
- Diagnostic results, including ultrasound imaging
- Medications and relevant surgical or medical history
- Referral letters and correspondence with other healthcare providers
Health data is classified as ‘special category’ data under UK GDPR and is subject to additional
safeguards.
3. How We Collect Your Data
We collect your personal and clinical data through:
- Referrals from GPs, consultants, and other healthcare professionals
- New patient registration forms (paper and digital)
- Clinical consultations, assessments, and treatments
- Diagnostic imaging sessions
- Communications via telephone, email, or online booking systems
4. Legal Basis for Processing Your Data
We process your data under the following legal bases:
- Article 6(1)(b) UK GDPR – Processing necessary for the performance of a contract (your care and treatment)
- Article 6(1)(c) UK GDPR – Processing necessary to comply with a legal obligation
- Article 9(2)(h) UK GDPR – Processing of special category health data for the purposes of preventive or occupational medicine, medical diagnosis, and the provision of health care or treatment
- Article 6(1)(a) / Article 9(2)(a) UK GDPR – Your explicit consent where required (e.g. for sharing with third parties beyond your direct care team)
5. Technology Platforms and Data Processors
We use a number of carefully selected, secure third-party platforms to manage your clinical and
administrative data. Each platform is appointed as a Data Processor under UK GDPR and is bound
by contractual obligations to process data only on our instructions.
5.1 Hedi AI – Clinical Note-Taking
We use Hedi AI, an AI-powered clinical note-taking tool, to support our clinicians in generating
accurate and efficient consultation records. Hedi AI processes voice or text input during or following
consultations to produce structured clinical notes.
- Data processed: verbal consultation content, clinical assessments, patient-reported history
- Purpose: to produce accurate clinical notes efficiently and reduce administrative burden on clinicians
- Data minimisation: only the minimum data necessary to produce a clinical record is processed
- All notes generated by Hedi AI are reviewed and approved by your treating clinician before being added to your record
- Hedi AI operates under a Data Processing Agreement (DPA) with Clinicall
You have the right to request that your notes are not created using AI-assisted tools. Please inform
your clinician or our administrative team if you wish to opt out.
5.2 Zanda – Clinical Practice Management
Your clinical records, appointment information, and administrative data are stored and managed
within Zanda, a healthcare practice management platform. Zanda provides an encrypted, cloud-
based environment for storing patient records.
- Encryption: all data is encrypted at rest and in transit using industry-standard AES-256 encryption and TLS protocols
- Access controls: only authorised Clinicall staff are granted access to your records, based on role and clinical need
- Data hosting: Zanda is hosted on secure cloud infrastructure; data residency is maintained within approved jurisdictions
- Zanda operates under a Data Processing Agreement with Clinicall in compliance with UK GDPR
- Audit trails: all access to patient records is logged for security and governance purposes
5.3 PostDICOM – Ultrasound Image Storage
All ultrasound diagnostic images produced during your assessment or treatment are stored using
PostDICOM, a DICOM-compliant medical imaging cloud platform.
- Data processed: ultrasound images, associated DICOM metadata, and patient identifiers linked to each study
- Retention period: ultrasound images are retained for a minimum of 10 years in accordance with clinical best practice and NHS Records Management guidance
- Security: PostDICOM provides end-to-end encryption and DICOM-standard access controls
- Access: images are accessible only to authorised clinicians at Clinicall and, where applicable, to referring clinicians with your consent
- PostDICOM operates under a Data Processing Agreement with Clinicall in compliance with UK GDPR
If you require copies of your ultrasound images, please submit a Subject Access Request (see
Section 9 below). Images can be provided in DICOM or standard image format upon request.
6. How We Use Your Data
We use your personal and clinical data to:
- Provide, manage, and coordinate your physiotherapy and diagnostic care
- Maintain accurate and comprehensive clinical records
- Communicate with you regarding appointments, treatment plans, and follow-up
- Process invoicing, insurance claims, and payment administration
- Liaise with your GP, consultant, or other healthcare professionals involved in your care (with your knowledge)
- Comply with our legal and regulatory obligations
- Improve our clinical services and internal audit (using anonymised or aggregated data only)
We will never use your personal data for marketing purposes without your explicit and separate
consent.
7. Sharing Your Data
We will not share your personal or health data with any third party except in the following
circumstances:
- Your direct care: sharing with other healthcare professionals involved in your treatment (e.g. your GP, referring consultant, or specialist), always with your knowledge
- Your explicit consent: where you have asked us to share information with a specific party
- Legal obligation: where we are required to disclose information by law, court order, or a statutory body such as the Care Quality Commission (CQC)
- Safeguarding: where disclosure is necessary to protect the safety of you or another person, in accordance with our safeguarding obligations
- Insurance and billing: with your insurer or their authorised representatives, for the purposes of processing your claim
We do not sell, rent, or trade your personal data to any third party.
8. Data Retention
We retain your personal and clinical data in accordance with applicable legislation and professional
guidance:
- Adult clinical records: retained for a minimum of 8 years from the date of last treatment, or until age 25 if the patient was a minor at the time of treatment
- Children’s records: retained until the patient’s 25th birthday, or 26th birthday if the young person was 17 at the conclusion of treatment
- Ultrasound images (PostDICOM): retained for a minimum of 10 years from the date of the study
- Financial and billing records: retained for 6 years in accordance with HMRC requirements
After the relevant retention period, data is securely and irreversibly deleted or destroyed in
accordance with our data disposal policy.
9. Your Rights Under UK GDPR
Under UK data protection law, you have the following rights:
Right of Access (Subject Access Request)
You may request a copy of all personal data we hold about you. We will respond within one calendar
month of receipt of your request. There is no charge for a standard request.
Right to Rectification
You may request that we correct inaccurate or incomplete personal data we hold about you.
Right to Erasure (‘Right to be Forgotten’)
You may request that we delete your personal data where it is no longer necessary for the purpose
for which it was collected. Note that this right is subject to limitations where we are required to retain
data by law (e.g. clinical records retention requirements).
Right to Restriction of Processing
You may request that we restrict the processing of your data in certain circumstances, for example
while the accuracy of data is disputed.
Right to Data Portability
Where processing is based on your consent or a contract, you may request that we provide your
data in a structured, commonly used, and machine-readable format.
Right to Object
You may object to the processing of your data where processing is based on legitimate interests.
Rights Relating to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including
profiling, that produce significant effects concerning you. Where AI tools are used (such as Hedi AI),
all clinical decisions are made by a qualified clinician.
To exercise any of these rights, please contact us using
10. Data Security
We take the security of your personal and health data seriously and have implemented appropriate
technical and organisational measures to protect against unauthorised access, accidental loss,
destruction, or disclosure. These include:
- Encrypted data storage (Zanda) and encrypted image storage (PostDICOM)
- Role-based access controls limiting data access to authorised staff only
- Regular staff training on data protection and information governance
- Secure, password-protected devices and systems
- Regular review of third-party supplier security practices
- Incident response procedures in the event of a data breach
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and
freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming
aware of it and, where the breach is likely to result in a high risk to you, notify you directly without
undue delay.
11. Contact Us and Complaints
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a
concern about how we have handled your data, please contact us:
Clinicall: Physio and Diagnostics
Banbury, Oxfordshire
Email: hello@clinicallphysio.com
Telephone: 01295 981208
If you are not satisfied with our response, you have the right to lodge a complaint with the Information
Commissioner’s Office (ICO):
Information Commissioner’s Office
Website: www.ico.org.uk
Helpline: 0303 123 1113
12. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology,
legal requirements, or other factors. Where changes are material, we will notify you via email or a
prominent notice on our website. The effective date at the top of this document will always reflect the
most recent revision.
We encourage you to review this policy periodically. Continued use of our services following any
updates constitutes your acknowledgement of the revised policy.