Privacy notice
Pivot Point Ltd
Last updated 11 May 2026
This Privacy Notice explains how Pivot Point Physio Ltd collects, uses, stores and shares personal information about patients, prospective patients, parents or guardians, emergency contacts, website visitors, people who contact us, referrers and other professional contacts.
We may update this Privacy Notice from time to time. The latest version will be published on our website with the date it was last updated.
1. Who we are
Pivot Point Physio Ltd is the data controller for the personal information described in this Privacy Notice.
Registered address: Studio 4 Hove Gardens Studios, Foundry Hove, 3 Ellen Street, Hove, BN3 3LN.
Company number: 16740574
Website: https://pivotpoint.physio
Queries about this Privacy Notice can be sent to: privacy@pivotpoint.physio
2. What personal data we collect
We collect personal data that is relevant and necessary for providing physiotherapy services, responding to enquiries, operating the clinic, managing our website and meeting our legal, professional and business obligations. We aim to collect only the information we reasonably need for the relevant purpose. We ask patients not to provide information that is not relevant to their care or enquiry.
The information we collect may include the following:
a) Personal and contact information
Name
Address
Email address
Telephone number
Date of birth
Sex
Gender (where relevant to your care, preferences or communication with us)
Emergency contact details
Parent/guardian details
Accessibility or communication needs
b) Health and treatment information
Medical history and relevant health information
Assessment findings and clinical notes
Treatment plans and progress records
Exercise prescriptions and rehabilitation programmes
Communications with referrers such as GPs or consultants
Medical imaging and related reports from third-party providers
Consent forms
GP details
Safeguarding information (where relevant)
c) Administrative and financial information
Correspondence, including complaints
Appointment bookings and attendance records
Type of appointment or service booked
Invoices, receipts, and payment records
We do not store or have access to full payment card details. In-person card payments are processed securely via Square using a Square Terminal. Square processes payment card information directly and provides us only with confirmation of payment and transaction records for accounting purposes.
d) Marketing preferences, referral source and website interaction
Referral source
Records of whether you have opted in or out of receiving marketing communications
IP address, device/browser information and cookie data (subject to your cookie preferences)
Information submitted through website forms
e) CCTV
CCTV in communal areas of the building, including the waiting area, is operated by the building management and not by Pivot Point Physio Ltd. We do not control those systems or decide how footage is used. For information about the building’s CCTV, please contact Foundry Hove on 01273 442 956.
3. Children and young people
Where a parent or guardian provides information on behalf of a child, we may use that information to arrange and provide care. As children mature, they may have their own confidentiality and data protection rights. We will consider the child’s age, understanding and best interests when deciding what information can be shared with parents or guardians.
We may share information without consent where this is necessary to protect a child or another person from serious harm, to meet safeguarding duties, or where required by law.
Further details about consent, parental responsibility, and attendance requirements for children and young people are set out in our Terms and Conditions.
4. How we collect your data
We collect personal information when:
You book an appointment online or in person
You use our online booking system or complete an online form
You respond to an appointment reminder, booking confirmation, or other service-related message
You contact us by phone, email, or via our website
You attend appointments and provide information verbally or in writing
A third-party healthcare provider shares relevant information with us
You make payments for services
You opt in to receive marketing communications
We may receive personal information about you from third parties, including GPs, consultants, other healthcare professionals, insurers, parents or guardians, referrers, or people making enquiries on your behalf. Where we receive information about you from someone else, we will provide you with privacy information where required by law, unless an exemption applies.
5. Why we use your data and our lawful bases
We use personal information only where we have a lawful basis under UK GDPR. Where we use health information or other special category data, we also rely on a special category condition because this information receives additional legal protection.
We may contact you by email, telephone, SMS or booking-system message about appointments, reminders, cancellations, treatment administration and service-related matters.
We do not use your personal data to make decisions based solely on automated processing that have legal or similarly significant effects on you.
We do not use all categories of personal data for all purposes. The examples below explain the main types of information we use for each purpose.
a) Providing physiotherapy assessment and treatment
We use your personal, contact, health and treatment information to assess your condition, provide physiotherapy treatment, prepare treatment plans, prescribe exercises, monitor progress, communicate with you about your care, and liaise with other healthcare professionals involved in your care where appropriate.
Examples of data used: name, contact details, date of birth, relevant medical history, symptoms, assessment findings, clinical notes, treatment plans, consent records, imaging reports, GP or consultant details, accessibility or communication needs, and relevant correspondence about your care.
Lawful basis: Contract, because we need to process this information to provide physiotherapy services requested by you.
Special category condition: Article 9(2)(h): provision of health care or treatment.
b) Managing appointments, reminders and clinic administration
We use personal information to arrange appointments, manage bookings, send service-related communications, deal with cancellations or missed appointments, maintain patient administration records, and operate the clinic safely and efficiently.
Examples of data used: name, contact details, appointment history, attendance records, booking notes, service-related correspondence, parent or guardian details where relevant, accessibility or communication needs, and limited health information where needed for safe attendance or appropriate appointment management.
Lawful basis: Contract, where the processing is needed to provide services requested by you; and legitimate interests, where processing is needed for effective clinic administration.
Special category condition: Article 9(2)(h): provision of health care or treatment, where health information is involved.
c) Maintaining clinical records
We keep clinical records to support safe and continuous care, professional accountability, clinical audit, complaints handling, insurance, and legal or regulatory requirements.
Examples of data used: assessment findings, clinical notes, medical history, treatment plans, progress records, exercise prescriptions, consent records, correspondence with you or other healthcare professionals, imaging reports, safeguarding information where relevant, and records of relevant clinical decisions.
Lawful basis: Contract, legitimate interests, and legal obligation where applicable. We keep clinical records to provide safe ongoing care, meet professional record-keeping expectations, respond to complaints or claims, and comply with legal, regulatory and insurance obligations.
Special category condition: Article 9(2)(h): provision of health care or treatment; and Article 9(2)(f): establishment, exercise or defence of legal claims, where relevant.
d) Safeguarding and serious risk
We may use or share relevant information where necessary to protect a child, an adult at risk or another person from harm, to meet safeguarding responsibilities, to protect someone’s vital interests, or where required by law.
Examples of data used: relevant identity and contact details, parent or guardian details, emergency contact details, health and treatment information, attendance records, safeguarding concerns, communications with relevant authorities, and other information necessary to assess or respond to risk.
Lawful basis: Legal obligation, vital interests or legitimate interests, depending on the circumstances.
Special category condition: Article 9(2)(h), Article 9(2)(c), Article 9(2)(f), and where applicable Article 9(2)(g).
e) Payments and accounting
We use personal information to issue invoices, process payments, manage receipts, deal with payment queries, process refunds where applicable, maintain accounting records, and comply with tax and financial obligations.
Examples of data used: name, contact details, appointment or service details, invoice details, receipt details, payment status, transaction references, refund information and accounting records.
Payment card information is processed directly by our payment provider as described above.
Lawful basis: Contract, because payment processing is part of providing services requested by you; and legal obligation, where we need to keep accounting and tax records.
f) Complaints, incidents, insurance and legal claims
We may use personal information to respond to complaints, investigate incidents, obtain professional advice, notify or liaise with insurers, deal with legal claims, respond to regulatory or professional enquiries, and protect our legal position.
Examples of data used: name, contact details, appointment history, relevant health and treatment information, clinical notes, correspondence, complaint records, incident records, payment records where relevant, and records of communications with insurers, advisers, regulators or other relevant bodies.
Lawful basis: Legitimate interests, legal obligation, and where applicable the establishment, exercise or defence of legal claims.
Special category condition: Article 9(2)(h): provision of health care or treatment; and/or Article 9(2)(f): establishment, exercise or defence of legal claims, where health information is involved.
g) Marketing communications
We use personal information to send marketing communications only where you have actively consented to receive them. You can opt out at any time by using the unsubscribe link in our emails or by contacting us. Withdrawing consent will not affect the lawfulness of any marketing sent before you withdrew consent.
We do not use your clinical notes or detailed health information for marketing without your explicit consent.
Examples of data used: name, email address, marketing preferences, records of consent or unsubscribe requests, how you heard about us, the type of service you enquired about, and limited booking or attendance information where relevant to ensuring that communications are appropriate.
Lawful basis: Consent, where you actively opt in to receive marketing communications.
h) Understanding and improving our services
We may use limited information to understand how people find out about us, which services are being requested, how the clinic is used, and how we can improve our services, communications and website.
Examples of data used: referral source, enquiry type, appointment type, attendance information, general service usage information, feedback, complaints themes, website analytics information and cookie data, subject to your cookie preferences.
Where possible, we use this information in an aggregated or non-identifiable form.
Lawful basis: Legitimate interests, namely understanding and improving our services, managing demand, reviewing the effectiveness of our communications, and operating our business responsibly.
Special category condition: Article 9(2)(h), where health-related information is involved in service review connected to healthcare provision. Where possible, this information will be anonymised or aggregated.
i) Website and online forms
We use website information to operate our website, maintain security, respond to online enquiries, and understand basic website operation.
Examples of data used: IP address, device and browser information, pages visited, time and date of visits, analytics data, and information you submit through website forms.
Lawful basis: Legitimate interests for essential website operation, security and responding to online enquiries.
At the date this Privacy Notice was last updated, our website does not use cookies or similar technologies. If we introduce non-essential cookies or similar technologies in future, we will ask for consent where required by law.
What happens if you do not provide data
If you do not provide information that we reasonably need for assessment, treatment, booking, payment or clinical record keeping, we may be unable to provide physiotherapy services safely or at all.
6. How we store and protect your data
All records are stored electronically. We do not maintain paper clinical records. Access to personal information is restricted to people who need it for their role. Staff and clinicians are required to keep patient information confidential and to follow appropriate information security procedures.
We use reputable third-party service providers to support our clinic systems, including booking, clinical records, exercise prescription, email, payments and accounting. Where those providers process personal data on our behalf, we require appropriate contractual, confidentiality and security safeguards.
Some providers act as our processors, meaning they process personal data only on our instructions. Some providers, such as payment providers, may also act as independent controllers for certain activities, for example fraud prevention, payment security and legal compliance.
We try to limit the amount of health information sent by email. Where clinical information is sent by email, we take reasonable steps to ensure it is sent securely and to the correct recipient. Please be aware that ordinary email may not always be fully secure, and you should avoid sending highly sensitive information by email.
7. Sharing your information
We do not sell or trade your personal data. We will usually seek your agreement before sharing information with another healthcare professional involved in your care. In some circumstances, we may share relevant information without your agreement where this is necessary for your care, required by law, needed for safeguarding, or necessary to protect someone from serious harm.
We may share personal information where necessary and lawful with:
Healthcare professionals involved in your care, such as your GP, consultant or referrer
Parents, guardians or carers, where appropriate and lawful
Emergency contacts, where necessary
Safeguarding authorities, where required or necessary to protect a child or adult at risk, or to protect someone’s vital interests. This may include emergency services or other appropriate bodies.
Our professional advisers, insurers and legal representatives
Providers of IT systems for clinic management, booking, payment processing and accounting
HMRC, professional or healthcare regulators, courts, law enforcement bodies or other authorities where required or permitted by law.
8. Data retention
We retain records in accordance with professional guidance and legal requirements.
Adult clinical records: normally retained for eight years from the date of the last appointment.
Children and young people’s clinical records: normally retained until the patient’s 25th birthday, or for eight years after the last appointment if this is later.
Financial records: normally retained for six years from the end of the relevant financial year, unless a longer period is required.
We may retain records for longer where this is necessary for legal, regulatory, insurance, safeguarding or dispute-related reasons. When information is no longer required, we will securely delete it, anonymise it, or otherwise dispose of it securely.
9. Your rights
You have rights under UK GDPR, including:
The right to access your personal data
The right to request correction of inaccurate data
The right to request deletion of data in certain circumstances
The right to restrict processing
The right to object to certain processing activities
The right to data portability where applicable
The right to withdraw consent where consent has been given
These rights are not absolute and may not apply in every situation. For example, we may need to retain clinical records where this is required for professional, legal, insurance or regulatory reasons. The right to data portability applies only in certain circumstances, for example where processing is based on consent or contract and carried out by automated means.
Your right to object
You have the right to object to processing based on our legitimate interests. If you object, we will consider your request and stop the processing unless we have compelling legitimate grounds to continue or need the information for legal claims.
To exercise these rights, please contact privacy@pivotpoint.physio.
You have the right to complain to the Information Commissioner’s Office, the UK regulator for data protection. You can contact the ICO at www.ico.org.uk or by calling 0303 123 1113. We would appreciate the opportunity to deal with your concern first, but you are not required to contact us before contacting the ICO.
10. Data security and breaches
We take appropriate technical and organisational measures to protect personal data.
If we become aware of a personal data breach, we will assess the risk and take appropriate steps to contain and investigate it. Where required, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay.
11. International data transfers
Some of our service providers may process or store personal data outside the UK. Where this involves a restricted transfer under UK data protection law, we will ensure that an appropriate safeguard is in place, such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.
12. Cookies and website use
At the date this Privacy Notice was last updated, our website does not use cookies or similar technologies.
Our website may still process limited technical information when you visit it, such as information needed to deliver webpages to your device, maintain website security, or diagnose technical issues. This does not currently involve placing cookies on your device.
If we introduce cookies or similar technologies in future, we will update our Cookie Policy and provide appropriate information and controls. Where required by law, we will ask for your consent before using non-essential cookies or similar technologies.