
Privacy Policy
Last updated: 15/06/2026
Introduction
Physio Fundamentals / Ann Ferguson (“I”, “me”, “my”) is committed to protecting your privacy and handling your personal information in a transparent and secure manner.
This Privacy Policy explains how I collect, use, store, and protect your personal data when you contact me, enquire about services, or receive therapy from me.
I am the data controller for the personal information processed in connection with my therapy practice.
Contact details
Physio Fundamentals (Ann Ferguson CSP and HCPC registered)
Sunside Studio, Chaloners Road, Braunton, EX33 2ES
Email: info@physiofundamentals.net
Telephone: 07423 663054
What Information I Collect
Depending on the services provided, I may collect:
- Your name, address, telephone number and email address
- Date of birth
- Emergency contact details
- GP details (where relevant)
- Information relating to your health, wellbeing, personal circumstances and therapy needs
- Session notes and records
- Payment and invoicing information
- Correspondence between us
How I Collect Your Information
I collect personal information when:
- You contact me by phone, email, website form or social media
- You complete intake or consent forms
- You attend therapy sessions
- You make payments for services
- You otherwise communicate with me
Lawful Basis for Processing
Under UK data protection law, I process personal data on the following legal bases:
- Contract – to provide therapy services requested by you
- Legitimate Interests – to manage and operate my practice effectively
- Legal Obligation – where I am required to comply with legal or regulatory requirements
- Explicit Consent – where special category data, such as health information, is processed and consent is appropriate
How Your Information Is Used
I use your information to:
- Respond to enquiries
- Arrange and provide therapy sessions
- Maintain clinical records
- Manage appointments and communications
- Process payments and maintain accounts
- Comply with legal, ethical and professional obligations
- Protect the safety and wellbeing of clients and others where necessary
Confidentiality
Information shared during therapy is treated as confidential.
However, confidentiality may be broken where:
- There is a serious risk of harm to you or another person
- There is a legal obligation to disclose information
- Disclosure is required by a court order
- Safeguarding concerns arise involving children or vulnerable adults
Where possible, I will discuss any necessary disclosure with you first.
How Your Information Is Stored
I take appropriate technical and organisational measures to protect personal information from unauthorised access, loss, misuse or disclosure.
Records may be stored securely in electronic and/or paper format. Access is restricted to the therapist and authorised service providers where necessary.
Data Retention
Client records are retained only for as long as necessary to fulfil their purpose and meet legal, insurance, professional, and regulatory requirements.
Typically, therapy records are retained for up to 7 years after the end of therapy, although retention periods may vary depending on circumstances and professional guidance.
After this period, records will be securely deleted or destroyed.
Sharing Information
Your personal information will not be sold or shared for marketing purposes.
Information may be shared with:
- Professional advisers, supervisors, or insurers where appropriate and subject to confidentiality obligations
- Technology providers used to operate the practice, in this case Cliniko.
- Legal or regulatory authorities where required by law
Only the minimum necessary information will be shared.
Your Rights
Under UK data protection law, you have the right to:
- Access your personal information
- Request correction of inaccurate information
- Request erasure of information in certain circumstances
- Restrict or object to processing in certain circumstances
- Request transfer of your data where applicable
- Withdraw consent where processing is based on consent
To exercise any of these rights, please contact me using the details above.
Complaints
If you have concerns about how your personal information is handled, please contact me first so that I can try to resolve the issue.
You also have the right to complain to the UK’s data protection regulator:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Website and Cookies
If this website uses cookies, basic information about your use of the website may be collected. Any non-essential cookies will only be used with your consent.
Further information can be found in the website’s Cookie Policy.
Changes to This Policy
This Privacy Policy may be updated from time to time. The latest version will always be available on request and on the website where applicable.
Data Protection Complaints Procedure
Required under the Data (Use and Access) Act 2025 | In force from 19 June 2026
Business name: Physio Fundamentals
Document owner: Ann Ferguson
Date adopted: 15/06/2026
Review date: 15/06/2027
Version 1.0
1. Purpose
This procedure sets out how Physio Fundamentals handles complaints from individuals about the way we process their personal data. It meets the legal requirement introduced by the Data (Use and Access) Act 2025, which requires all organisations to have a complaints process in place from 19 June 2026.
We are committed to handling complaints fairly, consistently, and transparently.
2. Scope
This procedure applies to all data protection complaints received from:
- Customers and clients
- Website visitors
- Suppliers and contractors
- Any other individual whose personal data we process
A data protection complaint may relate to any aspect of how we collect, store, use, share, or delete personal data, including but not limited to:
- A refusal to provide information in response to a subject access request (SAR)
- Concern about how we use personal data for marketing
- Belief that their data has been lost, stolen, or shared without authorisation
- Objection to how long we retain their data
- Any other alleged breach of UK GDPR or the Data Protection Act 2018
3. Who Is Responsible
The following person is appointed as our Data Protection Complaints Owner:
Complaints Owner: Ann Ferguson
Job title: Physiotherapist
Email address:
Phone: 07423 663054
4. How to Make a Complaint
We make it easy for individuals to raise a data protection complaint. Any of the following methods are accepted:
- Email: info@physiofundamentals.net
- Post: Sunside Studio, Chaloners Road, Braunton, EX33 2ES
- In person: during business hours to Ann Ferguson, at: Physio Fundamentals, Sunside Studio, Chaloners Road, Braunton, EX33 2ES
Complaints do not need to be in a specific format. We will accept them verbally or in writing. Where a complaint is made verbally, we will make a written record of it.
5. The Complaints Process
The table below sets out each stage of our process, who is responsible, and the expected timeframe.
Stage 1. Receipt
Receive complaint (email, letter, in person)
Responsible: Ann Ferguson
Timeframe: Day 0
Stage 2. Acknowledgement
Send written acknowledgement to complainant
Responsible: Ann Ferguson
Timeframe: Within 30 days
Stage 3. Log
Record in Complaints Log with reference number
Responsible: Ann Ferguson
Timeframe: Within 2 working days
Stage 4. Investigation
Review the complaint; gather relevant records
Responsible: Ann Ferguson
Timeframe: Within 30 days of acknowledgement
Stage 5. Update
Keep complainant informed of progress
Responsible: Ann Ferguson
Timeframe: As needed
Stage 6. Decision
Reach outcome; prepare written response
Responsible: Ann Ferguson
Timeframe: Without undue delay
Stage 7. Response
Inform complainant of outcome and next steps
Responsible: Ann Ferguson
Timeframe: Without undue delay
Stage 8. Escalation
If unresolved, signpost ICO (ico.org.uk/concerns)
Responsible: Ann Ferguson
Timeframe: At closure
Stage 9. Closure
Close complaint; update log with outcome
Responsible: Ann Ferguson
Timeframe: After response sent
6. Timescales
The following timescales apply:
- Acknowledgement: 30 days from receipt.
- Investigation and response: Without undue delay after acknowledgement. In most straightforward cases this will be within 30 days. For complex cases we may take longer; if so, we will inform the complainant and explain why.
- Stop-the-clock: If we need to request further information from the complainant to investigate, the clock may be paused while we await their response.
7. Acknowledgement
Within 30 days of receiving a complaint, we will send the complainant a written acknowledgement that includes:
- Confirmation that we have received their complaint
- The reference number assigned to their complaint
- The name and contact details of the person handling it
- An outline of the next steps and expected timeframe
8. Investigation
The complaints owner will investigate the complaint by:
- Reviewing the complaint in full
- Gathering relevant records, documents, or data
- Consulting peers or systems involved where appropriate
- Assessing whether a breach of data protection law has occurred
- Identifying any remedial action required
We will keep the complainant informed of progress throughout the investigation, particularly if there are any delays.
9. Outcome and Response
On completing our investigation, we will send the complainant a written response that includes:
- A clear statement of our findings
- Whether we uphold, partially uphold, or reject the complaint, and why
- Any action we have taken or will take as a result
- Information about their right to escalate to the ICO if they remain dissatisfied
If we uphold the complaint, we will take prompt corrective action — for example, correcting inaccurate data, deleting data, or updating our practices.
10. Escalation to the ICO
If a complainant remains unhappy with our response, or if we fail to respond within a reasonable time, they have the right to complain to the Information Commissioner's Office (ICO):
ICO website:
ICO helpline: 0303 123 1113
We will always include ICO escalation information in our final response letter.
11. Record Keeping
We maintain a Complaints Log to record all data protection complaints received. The log is kept confidentially and reviewed by the complaints owner. It records:
- A unique reference number
- The date the complaint was received
- The name of the complainant
- A brief description of the complaint
- The date of acknowledgement
- The outcome and date of closure
Records are retained for 3 years after the complaint is closed, in line with our Data Retention Policy.
12. Complaints Log Template
Use the table below (or a separate spreadsheet) to record each complaint:
Ref No. | Date Received | Complainant Name | Nature of Complaint | Date Acknowledged | Outcome | Date Closed
This log should be stored securely and access limited to authorised staff only.
13. Learning and Improvement
We treat complaints as an opportunity to improve. The complaints owner will:
- Review complaints periodically (at least annually) to identify any patterns or recurring issues
- Report significant complaints to senior management
- Update our data protection practices where complaints reveal gaps or weaknesses
- Review this procedure at least annually, or following any significant change in the law or our business
14. Related Documents
- Privacy Notice
- Data Protection Policy
- Subject Access Request Procedure
- Data Retention Policy
- Data Breach Response Procedure
15. Review and Sign-Off
Approved by: Ann Ferguson
Date approved: 15/06/2026
Next review date: 15/06/2027