Last Updated:  22 May 2025

Effective Date: 22 May 2025

1. Controller Information

Business Name: Haraka Physio Ltd 

Registered Address: Office 55, Hemel Hempstead Spaces, The Maylands Building, HP27TG, United Kingdom 

Website: https://harakaphysio.uk 

Contact:

  • Email: [email protected]
  • Phone: +44 7789778517
  • Postal: Office 55, Hemel Hempstead Spaces, The Maylands Building, HP27TG, United Kingdom

2. Scope of This Policy

This Privacy Policy applies to all personal data collected when:

  • You use our physiotherapy services (home visits or telehealth).
  • You visit our website ( https://harakaphysio.uk ).
  • You contact us via phone, email, or postal mail.

As a GDPR-compliant healthcare provider, we ensure transparent and lawful processing of your personal and medical data.

3. Types of Personal Data We Collect

A. Directly Provided Data

  • Identity & Contact Information:
  • Full name, date of birth, NHS number (if applicable).
  • Email, phone number, postal address (including ZIP/postal code).
  • Health & Medical Data (Special Category under GDPR Article 9):
  • Medical history, referral details, treatment records, rehabilitation progress.
  • Any relevant conditions (e.g., post-surgical status, chronic pain, mobility limitations).
  • Financial & Transaction Data:
  • Payment details (when using PayPal or local payment methods).

B. Automatically Collected Data

  • Website Analytics (Google Analytics):
  • IP address, browser type, pages visited (anonymized where possible).
  • Cookies (see Section 9 for details).
  • Communication Tracking:
  • Email open rates (if marketing consents are given).

4. How We Use Your Data (Purposes & Legal Bases under GDPR)

Purpose

Legal Basis (GDPR Article 6/9)

Providing physiotherapy services

Contractual necessity (for appointments & treatment plans)

Maintaining medical records

Legal obligation (HCPC & UK healthcare laws)

Processing payments

Contractual necessity

Responding to inquiries

Legitimate interest

Sending service-related emails (e.g., appointment reminders)

Contractual necessity

Sending marketing emails (if opted-in)

Consent (opt-in required)

Compliance with legal/regulatory requirements (e.g., insurance claims)

Legal obligation

5. Data Sharing & Third Parties

We only share data:

  • With Your Consent:
  • Referrals to GPs or NHS specialists.
  • For Legal/Operational Needs:
  • Payment processors (PayPal – GDPR-compliant).
  • IT service providers (must meet UK/EU data protection standards).
  • Legal Compliance:
  • If required by UK law (e.g., safeguarding adults, court orders).

We never sell your data.

6. Data Security & Retention

Security Measures

  • Encryption: All medical records encrypted (AES-256).
  • Access Control: Only HCPC-registered & DBS-checked staff handle sensitive data.
  • Infection Control: Paper records are securely stored/disposed.

Retention Periods

  • Medical records: 8 years (or until age 25 for minors).
  • Financial data: 7 years (HMRC compliance).

7. Your Rights (GDPR & UK DPA 2018)

  • Access: Request a copy of your data.
  • Rectification: Correct inaccurate data.
  • Erasure: Request deletion (unless legal exceptions apply).
  • Restriction: Limit processing (e.g., pause marketing emails).
  • Portability: Receive your data in a structured format.
  • Object: Object to processing (e.g., opt out of analytics).

To exercise rights, contact us via:

  • Email: [email protected]
  • Phone: +44 7789778517
  • Post: Office 55, Hemel Hempstead Spaces, The Maylands Building, HP27TG, UK.

We respond within 30 days.

8. Cookies & Tracking Technologies

We use:

  • Essential Cookies: For booking functionality.
  • Google Analytics: Anonymized usage data. Opt out via: Google’s tool .

9. Updates to This Policy

We review this policy annually. Changes will be posted on our website with an updated “Last Revised” date.

10. Questions?

For privacy concerns, contact our Data Protection Officer at [email protected] or via our Contact Form.