Privacy Policy

This Privacy Policy sets out how we, PhysioSpace Cardiff, collect, store and use information about you when you (the ‘data subject’) use or interact with our website ( and where we otherwise obtain or collect information about you when using or purchasing our services. This Privacy Policy is effective from 01/01/2018.

1) Our Details

The data controller is PhysioSpace Cardiff. You can contact the data controller by emailing We have appointed a data protection officer who is responsible for overseeing questions in relation to this privacy policy who is Edward Doe, Director of PhysioSpace Cardiff. Email:

2) What information do we collect about you?

We use different methods to collect data from and about you including;

Direct interactions:

– Calling us or using our online booking service. When calling and booking you will be asked for your name, date of birth, telephone number and email address in order to confirm the booking.

– When you attend an appointment for physiotherapy or massage therapy where the therapist will collect personal data as well as special categories of personal data relating to health – see below for further information.

– Communications received (phone or letter) from other multidisciplinary professionals involved in your care e.g. referral letters or treatment updates

Automated technologies

– When you enquire about services or appointments via the ‘contact us’ page of the website

– Provide testimonials via the website, Google reviews or email

– As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies. Our website is hosted by Wix.

3) Personal Data collected

This can include (but is not limited to) :

– name

– address(es)

– email address(es)

– date of birth

– next of kin or similar contact details (if required)

– financial details that relate to payments for our services

– account details relating to your private medical insurance provider

3ii) Legal basis for processing any personal data

Where we process any personal data relating to you we need to have a legal basis to do so. The legal basis for processing of personal data relating to you will be (in descending order of use) that the processing:

1. is necessary to perform a contract with you, for example to provide treatment to you and to invoice you (‘Contract’),

2. is necessary to comply with our legal obligations, for example to retain personal data for a specified period (‘Legal Obligation’),

3. is necessary for our legitimate interests in carrying out our business, including to maintain, improve and market our products and services, provided those interests are not outweighed by your rights and interests (‘Legitimate Interests’),

4. is based on your consent (‘Consent’), in which case we will identify the processing purposes and provide you with relevant information to make the processing fair and transparent, or

5. is necessary to protect your or another person’s vital interests (‘Vital Interests’).

4) Special Category Data Collected:

Due to the nature of our business, patient sensitive personal data is collected with relation to health matters, and if relevant sex life and sexual orientation pertinent to the provision of our services. Such data is provided with explicit consent of the patient, by themselves or their representatives

4ii) Legal basis for processing special categories of personal data

Where that personal data is in a ‘special category of personal data’ such as your health data, we will also need a separate legal basis for that processing. In descending order of use, that legal basis will be that the processing:

1. is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of you as an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or UK law or pursuant to contract with us as health professionals (‘Healthcare’),

2. is based on your explicit consent (‘Explicit Consent’) in which case we will identify the processing purposes and provide you with relevant information to make the processing fair and transparent, or

3. is necessary to protect your or another person’s vital interests where you are physically or legally incapable of giving consent (‘SC Vital interests’).

5) How do we use personal data?

We use personal data in the normal course of our business, for example:

– to respond to enquiries about our Services. Lawful basis: Legitimate Interests.

– to provide our Services, including to treat patients and to provide advice and support. Lawful basis: Contract and Healthcare.

– to analyse and improve the Website and the Services, for example to improve the visitor or patient experience. Lawful basis: Legitimate Interests, however where for example applicable law requires your consent to use certain cookies, we will ask for your Consent having provided you with relevant information.

– to market our Services, for example to GP practices – if we do so, we will provide you with an easy and free way to opt-out of receiving such communications in the future. Lawful basis: Legitimate Interests (or Consent as above).

– in certain circumstances, to share it with a limited number of third parties as described in this policy, for example for operational requirements and business continuity purposes. The legal bases are discussed below.

6) Sharing Data & International Transfers

We will not give, sell or rent your personal data to third parties so they can market their services to you. Nor do we accept advertising from third parties on the Website. We may share personal data in the following limited circumstances. In each case, we share the minimum personal data necessary.

– For purposes of your treatment and direct care, we may share your personal data and discuss our treatment of you as our patient with the healthcare professional who referred you to our practice. Legal basis: Contract and Healthcare.

– For purposes of your treatment and direct care, we may recommend that we refer you to a third-party practitioner or practice as their patient. We will only share your personal data in this situation with your prior explicit consent. Legal basis: Explicit Consent.

– To protect your or another person’s vital interests. Legal basis: Vital Interests or SC Vital Interests.

– Your employer, insurance company or solicitor may request access to your personal data, which we will only allow on your explicit consent. Legal basis: Explicit Consent.

– We may be obliged to disclose your personal data to comply with a law, order or request of a court, government authority, other competent legal or regulatory authority or any applicable code of practice or guideline. Legal basis: Legal Obligation.

We may also share your personal data for the following purposes:

– For provision of the Services, and for our own disaster recovery and business continuity purposes, we may store or transmit personal data to or through third party providers, such as with our contractors and advisors to help us operate, secure and analyse our business. Legal basis: Legitimate Interests or Contract.

– If we enter negotiations with a third party for the sale or purchase of all or part of our business, we will only disclose personal data to that third party to the extent it relates to that business and only under conditions of confidentiality requiring the third party to be bound by the privacy policy that applies to that data. Legal basis: Legitimate Interests.

7) 3rd Parties

– For the day to day running of the business we use TM3 as a practice management system. TM3 acts as a data processor. For more information on their privacy policy please see A full Data Protection Agreement (DPA) has been signed by all parties in accordance with GDPR rules.

– We provide personalised exercise programmes for each patient.

– Google collects information through our use of Google Analytics on our website. Google uses this information, including IP addresses and information from cookies, for a number of purposes, such as improving its Google Analytics service. Information is shared with Google on an aggregated and anonymised basis. To find out more about what information Google collects, how it uses this information and how to control the information sent to Google, please see the following page:

– You can opt out of Google Analytics by installing the browser plugin here:

8) Your rights

You have certain rights concerning the information we hold about you, as defined under the General Data Protection Regulation. If you wish to exercise these rights, please contact us, with your name and email address.

– Requesting a copy of your information – You may request a copy of any data we hold about you. Upon request, we will provide a CSV file containing the personal data we hold on record about you.

– Updating or correcting your information – It is important that the information we hold about you is accurate. If you change email address, or any of the other information we hold is inaccurate or out of date, please contact us so that we can correct our records.

– Deleting your information – You have the right to request erasure of your personal information. However, Physiotherapists have a legal obligation to hold your health records for 8 years from the date of your last treatment

– Automated decision making – We do not use any personal information for automated decision making or profiling; your data is not subject to automated decision making or profiling.

9) Security

PhysioSpace Cardiff takes your data security very seriously and have put in place physical, electronic and managerial procedures to safeguard and secure your information these include

– The use of an email encryption service for sending and receiving letters and referrals

– Password best practice including two factor identification where applicable

– Online security best practice including staff training on such matters

– Staff training and accountability on data protection

10) Cookies

We use cookies and similar technologies on our website. You can reject some or all of the cookies we use on or via our website by changing your browser settings but doing so can impair your ability to use our website or some or all of its features. For further information about cookies, including how to change your browser settings, please visit or see our cookies policy.

If you have any questions about this privacy policy please contact us.