Last updated: 18 September 2025
Data Controller: Rehalign Ltd
Trading as: Rehalign Ltd
Company Number: 16649377
Registered Address: 133 Franchise Street, Wednesbury, WS10 9RH, England
Contact Email: contact@rehalign.com
This privacy policy applies to our physiotherapy clients and their families/carers, website visitors and users, individuals who contact us for inquiries or appointments, and healthcare professionals who refer patients to us.
This policy covers data processing through our website, email communications, appointment booking systems, and physiotherapy services, including domiciliary care and clinic-based treatments.
We collect the following categories of personal data:
Identification & Contact Data: Name, address, phone number, email address, date of birth, NHS number (where applicable)
Appointment & Billing Data: Appointment history, treatment plans, billing information, payment records
Special Category Health Data: Medical history, assessment results, treatment notes, progress reports, rehabilitation goals, functional assessments, and other health information relevant to neurological rehabilitation. Health data is classified as "special category personal data" under UK GDPR Article 9.
Device & Usage Data: IP address, browser type, device information, website usage patterns, cookies
Communications: Email correspondence, phone call records, feedback, complaints
We process personal data for the following purposes and lawful bases:
Provide assessment & treatment: Contract (Art. 6(1)(b)) + Health (Art. 9(2)(h))
Clinical record-keeping & safety: Legal obligation + Health (Art. 9(2)(h))
Payment processing: Contract (Art. 6(1)(b))
Communications & reminders: Legitimate interests (Art. 6(1)(f)) - with opt-out
Marketing newsletters: Consent (Art. 6(1)(a))
Safeguarding / vital interests: Vital interests (Art. 6(1)(d), Art. 9(2)(c))
Analytics & site improvement: Legitimate interests (Art. 6(1)(f)) or Consent
We process special category health data only when necessary for providing physiotherapy assessment and treatment, maintaining clinical records as required by professional standards, ensuring patient safety and continuity of care, communicating with other healthcare professionals (with your consent), and complying with legal obligations under healthcare regulations.
All health data is kept strictly confidential and is only accessed by registered physiotherapists involved in your care, administrative staff on a need-to-know basis, and authorized personnel for technical support (with appropriate safeguards).
Our processing complies with professional standards set by the Chartered Society of Physiotherapy (CSP) and Health and Care Professions Council (HCPC) requirements.
We collect personal data from the following sources: directly from you during consultations, through our website forms, email communications, and phone calls; from your referrer (GP, consultant, or other healthcare professional with your consent); from your GP/consultant medical history and referral information (with your explicit consent); from devices and our website automatically collected technical data and usage information; and from family members/carers with your consent for appointment coordination and care planning.
We use the following third-party processors to provide our services: Stripe for payment processing (billing information, payment details encrypted), Postmark for email delivery (contact information, appointment reminders), and Vercel Analytics for website analytics (anonymized usage data, no personal identifiers).
We may also share data with healthcare professionals (your GP, consultant, or other specialists with your explicit consent), professional advisers (legal, accounting, or insurance professionals under confidentiality agreements), regulators (HCPC, CSP, or other professional bodies as required for compliance), emergency services (where necessary to protect vital interests), and legal authorities (when required by law or court order).
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
Some of our data processors may process personal data outside the UK/EEA. When this occurs, we ensure appropriate safeguards are in place including adequacy decisions (where the country has been deemed adequate by the UK government), Standard Contractual Clauses (SCCs) with approved contractual terms ensuring adequate protection, Binding Corporate Rules for internal data protection policies for multinational companies, and certification schemes demonstrating compliance with UK GDPR.
For more information about specific international transfers, please contact us at contact@rehalign.com.
Clinical Records: Adult records are retained for 8 years after last contact or treatment; children's records are retained until their 25th birthday (whichever is longer).
Financial Records: Retained for 6 years as required by UK tax law.
Marketing Data: Retained until consent is withdrawn or 3 years of inactivity.
Website Analytics: Anonymized data retained for up to 2 years.
Communication Records: Retained for 3 years unless part of clinical records.
Under UK GDPR, you have the following rights: Right of Access (Art. 15) to request copies of your personal data and information about how it's processed; Right to Rectification (Art. 16) to correct inaccurate or incomplete personal data; Right to Erasure (Art. 17) to request deletion of your personal data in certain circumstances; Right to Restriction (Art. 18) to limit how we process your personal data; Right to Data Portability (Art. 20) to receive your data in a structured, machine-readable format; Right to Object (Art. 21) to object to processing based on legitimate interests or for direct marketing; and Rights related to Automated Decision-Making (Art. 22) - we do not use automated decision-making that significantly affects you.
To make a request, contact us at contact@rehalign.com. We will respond within 1 month of receiving your request. We may need to verify your identity before processing.
We use cookies on our website to improve your browsing experience and analyze website usage. We use privacy-focused analytics that do not use personal identifiers, do not track users across websites, provide anonymous aggregated statistics, and comply with GDPR without requiring consent.
We implement appropriate technical and organizational measures to protect your personal data, including encryption (data encrypted in transit with TLS 1.3 and at rest with AES-256), access controls (role-based access with multi-factor authentication), audit logs (comprehensive logging of data access and modifications), least privilege (staff access only the data necessary for their role), regular updates (security patches applied promptly), staff training (regular data protection and security awareness training), incident response (documented procedures for security incidents), and backup security (encrypted backups with secure off-site storage).
In the unlikely event of a personal data breach, we will assess the breach and determine if it poses a risk to individuals' rights and freedoms, notify the Information Commissioner's Office (ICO) within 72 hours where required, inform affected individuals without undue delay if the breach poses a high risk, document all breaches and our response actions, and take immediate steps to contain and mitigate any ongoing risks.
If you become aware of a potential data breach, please contact us immediately at contact@rehalign.com.
We provide physiotherapy services to children and young people. For individuals under 16: we require explicit consent from a parent or guardian before processing personal data; clinical records are retained until their 25th birthday (whichever is longer); we ensure age-appropriate communication and involve parents/guardians in decision-making; and special care is taken to protect the privacy of young people while maintaining necessary clinical records.
If you are under 16 and wish to contact us, please ask a parent or guardian to do so on your behalf.
Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of these external sites. We encourage you to read the privacy policies of any third-party websites you visit.
If you have concerns about how we process your personal data, please contact us first at contact@rehalign.com with the subject "Data Protection Complaint".
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint/. ICO Helpline: 0303 123 1113 | Website: ico.org.uk
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any significant changes by posting the updated policy on our website, sending an email notification to registered users, and displaying a prominent notice on our website.
The "Last updated" date at the top of this policy indicates when it was last revised.
Privacy Policy Version: 18 September 2025
Rehalign Ltd
This policy has been approved by the Data Protection Lead and is effective as of 18 September 2025.