Privacy Policy
OPTIMAL PHYSIO LTD
Version Date: April 2026 | ICO Registration: ZB309629 | Company No. SC543302
This policy applies to: optimalphysio.co.uk and all clinical services provided by Optimal Physio Ltd
1. Who We Are
Optimal Physio Ltd (“Optimal Physio”, “we”, “us”, “our”) is a private musculoskeletal physiotherapy company registered in Scotland (Company No. SC543302), operating clinics in Clarkston (East Renfrewshire) and Largs (North Ayrshire).
We are registered as a Data Controller with the Information Commissioner’s Office (ICO). Our ICO registration number is ZB309629.
We are committed to protecting your personal data and processing it in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as our professional obligations under the standards of the Health and Care Professions Council (HCPC) and the Chartered Society of Physiotherapy (CSP).
For any questions about this policy or how we use your data, please contact us at:
Email: treatment@optimalphysio.co.uk
Telephone: 0333 301 0205
Post: Optimal Physio Ltd, Clarkston Clinic, 11 Mearns Road, Clarkston, Glasgow, G76 7ER
2. What Personal Data We Collect
2.1 Identity & Contact Data
When you interact with us through our website, by phone, or in clinic, we may collect:
- Full name, date of birth and gender
- Address, email address and telephone number
- Emergency contact details
- GP / referrer details
2.2 Clinical & Health Data
As a healthcare provider, we collect sensitive personal data (special category data under UK GDPR) including:
- Medical history, current medications and allergies
- Details of your presenting complaint, diagnosis and treatment
- Clinical assessment findings and outcome measure scores
- Physiotherapy treatment records and progress notes
- Details of onward referrals
We collect this data only where you have given your explicit informed consent, or where it is necessary for the provision of healthcare or to comply with a legal obligation.
2.3 Technical & Usage Data
When you visit our website, we automatically collect:
- IP address, browser type and device information
- Pages visited, time on site and referral source (via Google Analytics)
- Cookie data (see Section 9 for full details)
2.4 Communications Data
We retain records of communications between us, including:
- Enquiry form submissions and email correspondence
- Call recordings or transcripts where AI-assisted telephony (e.g. Aeva) is in use — you will be informed of this at the start of any such call
- Marketing email engagement data (via Mailchimp)
3. How We Collect Your Data
We collect personal data through the following channels:
- Our website contact and booking forms
- Telephone enquiries and appointment bookings (including via our AI-assisted call answering service, Aeva)
- Direct in-clinic registration and intake forms
- Our online booking platform (Cliniko)
- Email correspondence
- Referral letters from GPs, consultants or other healthcare providers
- Insurance or medico-legal referral documentation
- Marketing communications where you have opted in (via Mailchimp)
4. Our Legal Basis for Processing Your Data
Under UK GDPR, we must have a lawful basis for processing your personal data. The bases we rely upon are:
- Consent — for marketing communications and non-essential cookies, where you have opted in
- Legitimate interests — for business administration, website analytics and general communications
- Contract performance — to deliver the services you have booked and paid for
- Legal obligation — to comply with our regulatory, tax and record-keeping duties
- Vital interests — where your safety or that of another person requires it
For special category data (health information), we rely on:
- Explicit consent — obtained before your assessment and treatment begins
- Provision of health care — where processing is necessary for medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems, and is carried out by or under the responsibility of a professional bound by an obligation of professional secrecy (Article 9(2)(h) and 9(3) UK GDPR, with the corresponding condition in Schedule 1, Part 1 of the Data Protection Act 2018)
You may withdraw your consent for marketing or non-essential processing at any time without affecting the lawfulness of prior processing.
5. How We Use Your Data
We use your personal data for the following purposes:
- Providing physiotherapy, massage, orthotics and other clinical services
- Booking, managing and following up appointments
- Communicating appointment reminders and clinical updates
- Clinical audit and quality improvement (using anonymised data where possible)
- Processing payments and managing accounts
- Liaising with GPs, consultants, insurers or other healthcare providers involved in your care (with your consent)
- Complying with our legal, regulatory and professional obligations
- Sending marketing communications where you have opted in
- Improving our website and digital services through analytics
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
6. Third-Party Data Processors
We use a number of trusted third-party services to operate our business. Where these providers process your personal data on our behalf, we have Data Processing Agreements (DPAs) in place with each of them. Our current key data processors are:
Cliniko
Practice management software used to store and manage clinical records, appointments and patient demographics. Data is stored on secure, encrypted servers. Cliniko is GDPR-compliant and holds appropriate certifications. More: http://www.cliniko.com/privacy
Clinic Coach
Our CRM and marketing automation platform, used to manage enquiry pipelines, lead follow-up, and marketing funnels. Contact data entered through our website forms may be processed within this system. Clinic Coach (GoHighLevel) is GDPR-aware with EU/UK data hosting options. More: http://www.gohighlevel.com/privacy-policy
Aeva (AI-Assisted Call Handling)
We may use an AI-powered telephone answering service (Aeva) to handle inbound calls, triage enquiries and book appointments. Aeva integrates with Cliniko. Where this service is active, callers will be informed at the start of the call that AI is in use and that the call may be recorded or transcribed. No clinical decisions are made solely by AI; all clinical matters are reviewed by a qualified practitioner.
Mailchimp (Intuit)
Email marketing platform used to send newsletters and health information to patients who have opted in. You can unsubscribe at any time via the link in any email. Mailchimp is GDPR-compliant. More: http://www.mailchimp.com/gdpr
Google (Analytics & Ads)
We use Google Analytics to understand website traffic and user behaviour. Data collected is anonymised and does not identify you personally. We may also use Google Ads for remarketing. You can opt out at: tools.google.com/dlpage/gaoptout. More: policies.google.com/privacy
Meta (Facebook / Instagram)
We may use Meta Pixel for website remarketing to users who have previously visited our site. You can manage your ad preferences at: facebook.com/ads/preferences. More: facebook.com/privacy/explanation
We do not sell your personal data to any third party, and we do not share it for third-party marketing purposes without your explicit consent.
7. International Data Transfers
Some of our third-party processors (including Clinic Coach (GoHighLevel) and Mailchimp) operate servers in the United States or other countries outside the UK. Where data is transferred internationally, we ensure that appropriate safeguards are in place, such as:
- The UK International Data Transfer Agreement (IDTA) issued by the ICO
- The EU Standard Contractual Clauses (SCCs) together with the ICO's UK International Data Transfer Addendum
- UK adequacy regulations covering the destination country, or the provider's certification under the UK Extension to the EU-US Data Privacy Framework (the "UK-US data bridge")
You can request details of the safeguards in place for any specific transfer by contacting us.
8. How Long We Keep Your Data
We retain your data only for as long as necessary for the purposes for which it was collected, and in accordance with our legal and regulatory obligations. Our current retention periods are:
- Adult clinical records: 8 years from the date of last treatment (the NHS Scotland records management code sets a minimum of 6 years; we retain for 8 years, in line with professional body guidance, for additional legal protection)
- Children’s records: Retained until the patient’s 26th birthday, or 8 years from last treatment if later
- Deceased patients: 8 years from date of death
- Financial records: 7 years (HMRC requirement)
- Marketing contact data: Until you unsubscribe or withdraw consent, or 3 years of inactivity — whichever is sooner
- Website analytics data: Per the data-retention setting configured in our Google Analytics property (event-level data is kept for a maximum of 14 months on standard Google Analytics 4 properties)
- Call recordings / transcripts (Aeva): Retained for 90 days for quality assurance, then securely deleted
After the applicable retention period, data is securely deleted or anonymised.
9. Cookies
Our website uses cookies — small text files stored on your device — to improve your browsing experience and help us understand how our website is used.
9.1 Types of Cookies We Use
- Essential cookies: Required for the website to function (e.g. booking system sessions). Cannot be disabled.
- Analytics cookies: Google Analytics — anonymised data on page visits and user journeys. No personal identification. Set only after you accept them in our cookie consent tool.
- Marketing/remarketing cookies: Google Ads and Meta Pixel — used to show relevant ads to visitors who have previously visited our site. Set only after you accept them in our cookie consent tool.
- Functionality cookies: Remembering your preferences (e.g. location or language settings).
9.2 Managing Cookies
You can control cookies through your browser settings or by using the cookie consent tool on our website. Disabling certain cookies may affect website functionality.
For full information on managing cookies, visit: http://www.aboutcookies.org or http://www.allaboutcookies.org
10. Your Data Protection Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access — to request a copy of the data we hold about you (a Subject Access Request, or SAR). Free of charge for the first request; a reasonable fee may apply for manifestly unfounded or excessive repeat requests.
- Right to rectification — to ask us to correct inaccurate or incomplete data.
- Right to erasure (‘right to be forgotten’) — to ask us to delete your data where there is no lawful basis for continued processing. Note: we may need to retain clinical records for the periods set out in Section 8 above regardless of this request.
- Right to restrict processing — to ask us to pause processing of your data in certain circumstances.
- Right to data portability — to receive the data you have provided to us in a structured, commonly used, machine-readable format, or to have it transferred to another provider.
- Right to object — to object to processing based on legitimate interests, or to direct marketing at any time.
- Rights related to automated decision-making — to request human review of any automated decision that significantly affects you.
To exercise any of these rights, please contact us using the details in Section 1. We will respond within one calendar month. Where a request is complex or we receive several from you, we may extend this by up to two further months, in which case we will tell you within the first month and explain why.
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
ICO website: http://www.ico.org.uk | ICO helpline: 0303 123 1113
11. How We Protect Your Data
We take the security of your personal and health data seriously. Our technical and organisational measures include:
- Encryption of data at rest and in transit within Cliniko and other key systems
- Access controls ensuring only authorised staff can access clinical records
- Regular staff training on data protection and confidentiality
- Secure password policies and multi-factor authentication where available
- Regular review of third-party processor security standards
- Incident response procedures for data breaches, including notifying the ICO within 72 hours of becoming aware of a breach where it is likely to result in a risk to your rights and freedoms, and notifying you directly where that risk is high
No internet transmission is completely secure, so information you send to us through our website forms or by email is sent at your own risk. Once received, we protect your data using the measures above.
12. Children’s Data
Where we treat patients under the age of 16, we will obtain consent from a parent or guardian before collecting health data. Parental consent is documented in our clinical management system (Cliniko). Children’s records are retained in accordance with the retention periods in Section 8.
Our website is not directed at children under 13 and we do not knowingly collect data from children through our website without parental consent.
13. Marketing Communications
We will only send you marketing communications where you have given your explicit consent. This may include:
- Health tips, clinic news and service updates via email (managed through Mailchimp)
- Follow-up messages and offers via SMS (sent through Cliniko)
Appointment reminders sent by SMS through Cliniko are service messages needed to manage your care. They are sent on the basis of our contract with you and are not marketing.
You can withdraw your consent at any time by:
- Clicking the unsubscribe link in any email
- Texting STOP in response to any SMS
- Contacting us directly at treatment@optimalphysio.co.uk
Withdrawing consent for marketing will not affect the processing of your clinical data, which we are required to retain for the periods described in Section 8.
14. Artificial Intelligence & Automated Processing
We use AI-powered tools to support our operations, specifically:
- Aeva (AI call handling): Used to answer inbound calls, capture enquiry information and book appointments. Callers are informed at the start of calls when AI is in use. Transcripts or call summaries generated by Aeva may be passed into Cliniko as part of your patient record. No clinical decisions are made solely by this system.
We do not use automated decision-making that produces legal or similarly significant effects on you without human review. Any AI-assisted process that touches clinical care is reviewed and confirmed by a qualified HCPC-registered clinician.
As we adopt new AI-assisted tools in the future, this policy will be updated to reflect how they are used and what data they process.
15. Changes to This Privacy Policy
We review this policy regularly. Any material changes will be posted on this page with an updated version date. For significant changes, we will notify active patients by email where we hold a valid address.
Your continued use of our website or services after any changes constitutes acceptance of the updated policy.
16. Contact & Complaints
For any privacy-related query, to exercise a data subject right, or to raise a concern:
Optimal Physio Ltd — Data Controller
Email: treatment@optimalphysio.co.uk
Telephone: 0333 301 0205
Post: Optimal Physio Ltd, Clarkston Clinic, 11 Mearns Road, Clarkston, Glasgow, G76 7ER.
To make a complaint to the ICO:
Website: http://www.ico.org.uk/make-a-complaint
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
This Privacy Policy was last reviewed: April 2026. It supersedes all previous versions including the policy dated 2nd April 2018.
© Optimal Physio Ltd 2026. All rights reserved.