Business: Brightside Physio Ltd
Company number: 12878646
Clinic address: 4 Mitchells Corner, Boscawen Road, Perranporth, Cornwall TR6 0EW
Contact: paula@brightsidephysio.co.uk / 07757 219910
Policy owner: Paula Bright, Director / Physiotherapist
Applies to: Patients booking or receiving Brightside Physio services
Version: V1.2
Last updated: March 2026
1. Purpose
This Privacy and Data Protection Policy explains how Brightside Physio collects, uses, stores, protects and shares personal information. Brightside Physio is a sole director, 0-worker physiotherapy and rehabilitation micro business. Paula Bright is responsible for data protection, confidentiality and record-keeping within the business. Because Brightside provides physiotherapy services, some information collected is health information. This is treated as special category data under UK GDPR and managed with extra care.
This policy is intended to be publicly available so that patients, prospective patients and website users can understand:
- what data Brightside collects;
- how the data is used;
- how long it is kept;
- whether and when it may be shared with other parties;
- what choices and rights people have about their data.
This policy is guided by UK GDPR, the Data Protection Act 2018, confidentiality duties, the Equality Act 2010, safeguarding and duty of care expectations, the HCPC Standards of Conduct, Performance and Ethics, the HCPC Standards of Proficiency for Physiotherapists, and the CSP Code of Members’ Professional Values and Behaviour. It also supports Brightside’s B Corp impact commitment to balancing people, planet and profit in a practical and proportionate way.
This policy also supports Brightside’s customer stewardship approach by explaining how client information is managed securely, confidentially and proportionately as part of safe physiotherapy care, outcome review, feedback, complaints handling, service improvement and ethical public communication.
2. What Data Brightside Collects
Brightside may collect and store the following information where relevant:
- contact details, including name, title, address, email address and phone number;
- gender identity and pronouns;
- date of birth and emergency contact information;
- GP, consultant or other healthcare contact details where needed;
- health data, including medical history, symptoms, medication, diagnosis, injury history, lifestyle factors and relevant clinical information;
- clinical notes, including assessment findings, treatment notes, rehabilitation plans, clinical reasoning, consent records, progress notes and discharge information;
- referrals, reports, letters or communications with other healthcare professionals;
- appointment information, attendance, payments and invoices;
- emails, texts, forms, phone notes and other communications;
- feedback, outcome information, satisfaction information, testimonials or reviews where provided;
- complaints, concerns, incident or service improvement records where relevant;
- accessibility or reasonable adjustment information where relevant to safe and appropriate care;
- marketing preferences and consent records where a person has opted in;
- testimonial, case example, image, video or media consent records where relevant;
- website contact form information;
- limited website analytics information.
Brightside will only collect information that is relevant and proportionate for providing physiotherapy care, managing appointments, running the business safely, meeting legal or professional duties, improving services, and communicating with patients or contacts.
3. How Brightside Uses Information
Brightside may use personal information to:
- assess, treat and support patients safely;
- provide physiotherapy, rehabilitation, education and self-management support;
- make clinical decisions and keep accurate patient records;
- manage appointments, reminders, cancellations, payments and invoices;
- communicate about care, referrals, reports, feedback or service information;
- support safeguarding, duty of care, complaints, incidents or insurance matters;
- review service quality, client satisfaction and client outcomes;
- manage feedback, concerns, complaints and service improvement;
- meet legal, tax, accounting, regulatory, professional and insurance duties;
- manage website enquiries and business administration;
- send email marketing only where consent has been given or where otherwise lawful;
- manage consent for testimonials, case examples, photography, video or other identifiable client content;
- improve the website and understand general website use;
- support summary-level impact reporting where individual clients are not identified.
Brightside does not sell personal information.
4. Legal Basis for Using Data
Brightside will only use personal information where there is a lawful reason under UK GDPR Article 6.
Depending on the situation, Brightside may rely on:
- contract - to provide appointments and physiotherapy services;
- legal obligation - to meet legal, tax, accounting, safeguarding or regulatory duties;
- legitimate interests - to manage appointments, records, enquiries, service quality, feedback, complaints and business administration;
- vital interests - where information is needed to protect someone’s life or safety;
- consent - for optional uses, such as email marketing, testimonials, case examples, photography, video or other identifiable client content.
Because health data is special category data, Brightside must also identify a condition under UK GDPR Article 9. Where relevant, Brightside may rely on:
- health or social care purposes - to provide physiotherapy assessment, treatment, rehabilitation and care;
- legal claims or insurance purposes - where records are needed for legal, professional or insurance matters;
- explicit consent - where required for specific optional uses;
- vital interests - where there is serious risk and the person cannot give consent.
5. Clinical Records and Confidentiality
Brightside will keep clinical records that are accurate, relevant, secure and proportionate.
Patient records may include health history, clinical notes, assessment findings, treatment plans, rehabilitation advice, consent records, referrals, correspondence and outcome information.
Brightside will treat patient information as confidential. Information will only be shared where there is a lawful, professional, safeguarding, insurance, legal or patient safety reason to do so.
Where possible and appropriate, Brightside will discuss information sharing with the patient first. In serious risk, safeguarding or legal situations, information may need to be shared without consent.
6. How Data Is Stored
Brightside stores personal and clinical information using secure systems that are appropriate for a sole director physiotherapy business.
This may include:
- Cliniko, Brightside’s secure cloud-based practice management system, used for patient records, appointments, clinical notes, outcome feedback and safe client record management where relevant;
- secure email and cloud-based business systems;
- accounting or payment systems;
- website enquiry systems;
- Mailchimp for email marketing where someone has opted in;
- Google Analytics for website usage information;
- secure folders or business records where needed;
- email communications via Google Workspace / Gmail;
- files, photos and videos held in Brightside’s iCloud account.
Brightside will use reasonable measures to protect information from unauthorised access, loss, misuse or disclosure. As a sole director business with 0 workers, access to patient records is limited to Paula and essential service providers who support the secure running of Brightside’s systems. Brightside will keep proportionate evidence of Cliniko’s privacy, security and UK GDPR support, such as a saved screenshot, downloaded information, privacy policy link or security statement. This supports Brightside’s evidence trail for secure clinical record handling.
7. Website Analytics and Email Marketing
Brightside may use Google Analytics to understand how visitors use the website. This helps Brightside understand website use and improve information for patients and prospective clients. Brightside does not use Google Analytics for the purpose of identifying individual visitors.
Brightside may use Mailchimp for email marketing where someone has actively opted in. Mailchimp may store email addresses and email campaign interaction data.
Brightside will manage email marketing and email list building in line with UK GDPR and relevant PECR expectations where applicable.
Brightside will not use pre-ticked boxes for email marketing consent. Marketing consent must be freely given, and people can unsubscribe or opt out of marketing communications at any time.
8. Data Sharing
Brightside does not share personal information unnecessarily.
Brightside may share information where relevant with:
- a GP, consultant or other healthcare professional, usually with patient consent;
- safeguarding services or statutory agencies where required or justified;
- professional advisers, insurers or regulators where needed;
- accounting, payment, booking, cloud, website, email marketing or clinical software providers;
- legal or regulatory bodies where required by law;
- emergency services where needed to protect health or safety.
Where Brightside uses cloud software or third-party service providers, Brightside will take reasonable steps to check that appropriate security and data protection measures are in place.
Aggregate website, outcome, satisfaction or impact information may be used for service review or public reporting, but it will not identify individual patients.
9. International Data Transfers
Some digital service providers, such as cloud software, analytics or email marketing platforms, may store or process data outside the UK. Where this happens, Brightside aims to use providers that have appropriate data protection safeguards in place, such as contractual protections, privacy terms, security controls or recognised transfer safeguards where required.
10. Retention Period
Brightside will keep information only for as long as needed for clinical, legal, professional, insurance, tax, accounting or business reasons.
Clinical records will normally be retained in line with physiotherapy and healthcare record-keeping expectations:
- adult patient records: usually kept for 8 years after the last appointment;
- children’s records: usually kept until the patient turns 25 years old, or longer where required;
- records may be kept longer where needed for legal, insurance, safeguarding or professional reasons.
Marketing data will usually be kept until a person unsubscribes, withdraws consent, or the information is no longer needed.
Business, tax and accounting records will be kept in line with legal and accounting requirements. Because clinical records must be retained for legal, professional and insurance reasons, Brightside may not be able to delete patient records immediately if a person requests deletion.
11. Data Security
Brightside will take reasonable steps to keep personal information safe.
This may include:
- secure clinical record systems;
- password protection and access controls;
- secure cloud storage where used;
- limiting access to personal information;
- secure handling of emails and documents;
- regular review of systems and records;
- secure disposal or deletion when records no longer need to be kept.
As a regulated physiotherapy business, Brightside will keep client records accurate, relevant, timely and protected from inappropriate access. Brightside will not use patient-identifiable information for public impact reporting, website content, case examples, marketing, testimonials, images or videos unless there is an appropriate lawful basis and consent where required.
12. Data Breaches
If a data breach occurs, Brightside will review what has happened and take appropriate action. Where required under UK GDPR, Brightside will report a notifiable breach to the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to create a high risk to a person’s rights, privacy or safety, Brightside will inform the affected person where required.
13. Patient and Individual Rights
You have rights under UK GDPR, including the right to:
- ask what personal information Brightside holds about you;
- request access to your information;
- request a copy of your information;
- ask for inaccurate information to be corrected;
- ask for information to be deleted where legally possible;
- object to certain uses of your information;
- ask Brightside to restrict how your information is used in some circumstances;
- request data portability where applicable;
- withdraw consent where processing is based on consent;
- opt out of marketing communications at any time;
- complain to the Information Commissioner’s Office.
Clients can decide how their data is used where Brightside relies on consent, for example email marketing, testimonials, photographs, videos, case examples or other optional public-facing use of identifiable information. Brightside will not use pre-ticked boxes for marketing consent or other optional consent-based uses of client information.
Some rights may be limited where Brightside has a legal, clinical, professional, safeguarding or insurance duty to keep or use the information. For example, clinical records may need to be retained even where a deletion request is made.
To make a request, withdraw consent, request deletion, restrict processing, or ask a question about data use, email: paula@brightsidephysio.co.uk.
14. Safeguarding, Duty of Care and Legal Exceptions
Brightside will respect confidentiality, but confidentiality is not absolute.
Brightside may use or share information without consent where this is required or justified by law, safeguarding, public interest, professional duty, insurance requirements, or the need to protect a person from serious harm.
This may include concerns about children, vulnerable adults, serious risk, abuse, neglect, fraud, legal claims, regulatory matters or urgent health and safety situations.
15. Testimonials, Case Examples, Media and Public Reporting
Brightside may use testimonials, reviews, case examples, photographs, videos or client stories only where this is lawful, appropriate and not misleading.
Brightside will seek appropriate consent before using identifiable testimonials, images, names, case examples, photographs, videos or client stories.
Brightside will avoid using testimonials, case examples, feedback scores or outcome summaries in a way that implies guaranteed clinical results.
Where Brightside uses outcome, satisfaction or impact data for public reporting, this will be presented at summary level where possible and will not identify individual clients unless appropriate consent has been given.
Clients can withdraw marketing or optional consent where applicable, although this may not affect lawful processing that has already taken place.
16. B Corp Impact Commitment and Ethical Use of Data
Brightside’s wider business approach is guided by its B Corp impact commitment to balancing people, planet and profit.
For privacy and data protection, this means Brightside will:
- collect only information that is needed;
- keep patient information secure and confidential;
- use data honestly and proportionately;
- avoid unnecessary data sharing;
- not sell personal information or client data to third parties;
- not share client data with third parties for their own marketing;
- keep public impact and outcome reporting at summary level where possible;
- use outcome, feedback, satisfaction and service improvement data responsibly, and only publish or report it in a way that avoids identifying individual clients unless appropriate consent has been given;
- avoid using patient-identifiable information in marketing or public reporting without appropriate consent;
- review data practices periodically as part of wider governance and impact commitments.
Where relevant, Brightside aims to consider ILO framework principles, including dignity, non-discrimination and safe working conditions, in future worker, contractor, supplier or business relationships.
17. ICO Complaint Process
If you have questions or concerns about how Brightside uses your information, contact:
Paula Bright
Email: paula@brightsidephysio.co.uk
Phone: 07757 219910
You can also complain to the Information Commissioner’s Office if you are unhappy with how your information is handled.
18. Updates to This Policy
Brightside may update this policy from time to time if services, systems, legal requirements, professional duties or business needs change.
The most recent version will apply from the date shown below.
Date of last update: April 2026
Next review due: April 2027
19. Evidence
Supporting evidence may include:
- this publicly available Privacy Notice & Data Protection Policy;
- evidence that the policy explains what data is collected, how it is used, how long it is kept, and when it may be shared;
- Cliniko privacy, security or UK GDPR support evidence;
- a saved screenshot, download or policy link showing Cliniko’s secure cloud-based record system;
- evidence that clinical records, client information, outcome feedback and satisfaction data are stored securely;
- ICO registration evidence where applicable;
- marketing opt-in and unsubscribe evidence where relevant;
- confirmation that marketing consent is not collected using pre-ticked boxes;
- testimonial, media or case example consent records where relevant;
- relevant data handling, consent, client rights, complaints or customer stewardship records where appropriate.
This helps show that Brightside has a clear privacy policy, secure clinical record system, proportionate data handling approach, client choice process, client rights process, GDPR-compliant marketing approach, and evidence trail for privacy and security of client data.
20. Contact Details
Brightside Physio Ltd
4 Mitchells Corner, Boscawen Road, Perranporth, Cornwall TR6 0EW
Email: paula@brightsidephysio.co.uk
Phone: 07757 219910
Company number: 12878646
21. Version Control
Version 1.0
Approved by: Paula Bright (Founder)
March 2025
Policy adopted and active. Documents Brightside Physio’s existing approach to privacy, confidentiality, data protection and responsible handling of client, clinical and business information.
Version 1.2
Approved by: Paula Bright (Founder)
April 2026
Annual review completed. Minor updates made to reflect current business practice, privacy responsibilities, data protection processes and how the policy is applied in practice.