Take part in our Wellness Hub Prize Draw!

GDPR & Data Protection Policy

The Wellness Hub Ltd
(Including Physiotherapy, Wellness Services & Counselling Services)
Policy Version: 1.0
Effective Date: May 2026
Review Date: May 2027

1. Introduction

The Wellness Hub Ltd is committed to protecting the privacy, confidentiality and security of all personal information held by the clinic. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and all relevant professional confidentiality obligations.

This policy applies to all staff, practitioners, contractors, counsellors, associates and third parties working on behalf of The Wellness Hub Ltd.

The purpose of this policy is to ensure that all personal data is processed lawfully, fairly,
transparently and securely.

2. About The Wellness Hub Ltd

The Wellness Hub Ltd provides healthcare, wellness and counselling services including but not limited to:

  • Physiotherapy
  • Sports Therapy
  • Massage Therapy
  • Acupuncture
  • Women’s Health Services
  • Hyperbaric Oxygen Therapy
  • Whole Body Cryotherapy
  • Red Light Therapy
  • Rehabilitation Services
  • Counselling & Talking Therapy
  • Wellness & Recovery Services

As a healthcare provider, we process sensitive personal data (special category data) relating to health and wellbeing.

3. Data Controller

The Wellness Hub Ltd acts as the Data Controller for personal information collected and
processed within the clinic.

Contact Details:
The Wellness Hub Ltd
Website: www.the-wellness-hub.co.uk
Email: reception@the-wellness-hub.co.uk
Telephone: 01442 870686

4. Types of Personal Data We Collect

We may collect and process the following information:

Personal Information

Name
Date of birth
Address
Email address
Telephone number
Emergency contact details

Health & Clinical Information

  • Medical history
  • GP and consultant details
  • Treatment records and clinical notes
  • Assessment findings
  • Medication information
  • Mental health information where relevant
  • Counselling session notes
  • Safeguarding information where applicable

Financial Information

  • Payment records
  • Invoices
  • Insurance information

Website & Marketing Data

  • IP addresses
  • Website analytics
  • Social media engagement
  • Marketing preferences

5. Lawful Basis for Processing

The Wellness Hub Ltd processes personal data under the following lawful bases:
Healthcare Provision
Processing is necessary for:

  • The provision of healthcare and treatment
  • Medical diagnosis
  • Preventative healthcare
  • Health management

(Article 6(1)(e) and Article 9(2)(h) UK GDPR)

Contractual Obligations
Processing necessary to fulfil appointments, bookings and services.

Legitimate Interests
For clinic administration, service improvement and operational management.

Consent
Where required, we will obtain explicit consent for:

  • Marketing communications
  • Use of testimonials/images
  • Certain counselling disclosures

Clients may withdraw consent at any time.

6. Confidentiality & Counselling Services

Counselling and talking therapy services are strictly confidential.
Counsellors and therapists working within The Wellness Hub Ltd adhere to:

  • UK GDPR
  • Data Protection Act 2018
  • Professional ethical frameworks (such as BACP where applicable)
  • Safeguarding responsibilities

Counselling Notes
Counselling notes are:

  • Stored securely
  • Accessed only by authorised therapists
  • Kept separate where appropriate
  • Retained in line with legal and professional requirements

Limits of Confidentiality
Confidentiality may only be broken where:

  • There is a serious risk of harm to the client or another person
  • Safeguarding concerns arise
  • Disclosure is required by law or court order
  • There is a risk involving terrorism, serious crime or public protection

Where possible, the client will be informed before disclosure.

7. How We Store Information

We implement appropriate technical and organisational measures to protect personal data.

This includes:

  • Password protected systems
  • Secure practice management software
  • Locked filing cabinets for paper records
  • Restricted staff access
  • Encrypted devices where possible
  • Secure email systems
  • Regular software updates and cyber security measures

All staff receive appropriate confidentiality and GDPR awareness training.

8. Data Retention

Records are retained only as long as necessary and in accordance with professional guidance and legal requirements.

Typical retention periods may include:

  • Personal data (names, emails, account details)
  • Financial records (payments, invoices)
  • Communications (emails, chats, calls)
  • System logs and security data
  • Employee and legal records
  • Analytics, backups, and archived data