Privacy Policy

Effective date: 12 January 2026
Last updated: 12 January 2026

This notice explains how Revival Physiotherapy (“we”, “us”, “our”) collects, uses, shares and protects your personal data when you visit revival.physio, contact us, book appointments (online or in‑clinic), receive care, or otherwise interact with our services.

It is written to meet the requirements of the UK GDPR and the Data Protection Act 2018 for services provided in the United Kingdom, and the Digital Personal Data Protection Act, 2023 (India) for services provided in India. Where laws differ, we apply the rules relevant to the location where the service is delivered and where the individual is located.

1) Who we are (The Data Controller)

Depending on where you receive services, the relevant data controller is:

United Kingdom:

  • Entity: Revival Neuro Physio – Cambridge (UK)
  • Email: [email protected]
  • Phone: +44-07777793832
  • UK Data Protection Lead: Rishee Patel

India:

  • Entity: Revival Physiotherapy – Anand, Vadodara & Nadiad
  • Address: 103, Maruti Samvid, Sardar Patel Road, Near APC Circle, Off Anand Vidhyanagar Road, Anand, Gujarat 388001, India
  • Email: [email protected]
  • Phone: +91 81609 57753
  • Grievance Officer (India): Dr. Keyur Patel

We accept data rights requests via email only.

2) Scope

This notice covers:

  • Our public website revival.physio (including contact, booking and enquiry forms).
  • In‑clinic and home-visit services, telehealth, workshops, and events.
  • Communications (email, SMS, WhatsApp, phone) and marketing where permitted.
  • CCTV on premises (if and where installed).

This notice does not cover third‑party websites or services we link to (see §14).

3) Personal data we collect

We collect the following categories of data, depending on your interactions with us:

  • Identity & contact: Name, date of birth, age, gender (if you choose to provide), postal address, email, phone, emergency contact.
  • Care & clinical (Special Category Data): Medical history, referral letters, assessment notes, treatment plans, exercise prescriptions, imaging and lab results you share, outcome measures, medication/allergy information, GP/consultant details, health insurance member ID, and information relevant to neurorehabilitation or musculoskeletal care.
  • Administrative & billing: Invoices, payment status, insurance authorisations, UTR/GST/VAT details where applicable.
  • Appointment & engagement: Booking history, cancellations, telehealth session metadata (date/time, duration), preferences.
  • Device & usage: Device/browser type, pages viewed, approximate location derived from IP, cookies and similar technologies (see §11).
  • Media: Photos or videos used for clinical posture/gait analysis (only with your consent), testimonials (with your consent), and CCTV footage (if applicable).
  • Recruitment: CVs, references and interview notes if you apply for a role.

We do not knowingly collect information about criminal convictions or offences unless required for safeguarding or legal reasons.

4) How we collect data

  • Directly from you: Web forms, emails, messaging apps, calls, in‑clinic registration, consent forms, assessments, exercise programmes.
  • From third parties: (With your permission or where lawful) GP/consultant referrals, insurers, case managers, other clinicians, family or carers.
  • Automatically: Via cookies/analytics when you use our website or telehealth tools (see §11).

5) Lawful bases for processing

For United Kingdom / EU (UK GDPR): We rely on one or more of the following lawful bases:

  • Consent: E.g., for certain communications, cookies, testimonials, or photographs.
  • Contract: To provide appointments, care, and related services at your request.
  • Legal obligation: Tax/VAT records, clinical record‑keeping, safeguarding.
  • Vital interests: To protect life/health in emergencies.
  • Legitimate interests: To run and improve our clinic and website, secure our systems, and handle queries (balanced against your rights).
  • Special category data: Processed primarily under Article 9(2)(h) (health care and management) and, where applicable, Article 9(2)(a) (explicit consent).

For India (DPDP Act): We process your personal data based on your Consent and for Legitimate Uses, such as providing requested healthcare services, complying with law, responding to medical emergencies, or for reasonable purposes notified to you.

6) How we use your data

  • Provide assessment, treatment, and follow‑up care, including telehealth.
  • Communicate about appointments, exercises, test results you share, and care updates.
  • Coordinate with your GP/consultant, insurers, or other clinicians (with your knowledge/consent unless law allows otherwise).
  • Manage billing, payments, claims, and accounting.
  • Quality assurance, clinical audit, training, and service improvement (data minimised and pseudonymised where possible).
  • Respond to enquiries, feedback, and complaints.
  • Protect our website, IT systems, and premises.
  • Comply with legal and regulatory requirements.

We do not use your clinical data for automated decision‑making that produces legal or similarly significant effects. We do not use data collected via the website for third-party marketing.

7) Sharing your data

We share personal data only as necessary and with safeguards:

  • Healthcare partners: Your GP/consultant, laboratories, imaging centres, other clinicians involved in your care.
  • Insurers/case managers: To obtain approvals and process claims.
  • Service providers (Processors): Web hosting, electronic health record (EHR) platforms, booking tools, secure messaging, analytics, payment processors, and IT support.
  • Legal & regulatory: Auditors, advisers, regulators, or law enforcement when required.
  • Business transfers: If we reorganise or merge, your data may transfer under equivalent protections.

We do not sell your personal data.

8) International data transfers

We operate clinics in the UK and India and may transfer data between these locations and to service providers in other countries (e.g., for web hosting or telehealth).

  • UK/EEA transfers: Where data leaves the UK/EEA, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs), plus technical and organisational measures.
  • India transfers: Cross‑border transfers occur as permitted by the DPDP Act and any applicable government notifications.

9) Data retention

We keep data only for as long as necessary. Typical retention periods are:

  • Adult clinical records: At least 8 years from the date of last treatment/entry.
  • Children/young people: Until the 25th birthday (or 26th if aged 17 at last treatment), or longer if required for ongoing care or legal reasons.
  • Financial records: 6–10 years (depending on jurisdiction and tax rules).
  • CCTV: Normally 30–90 days, unless needed for investigation.
  • Marketing preferences: Until you opt out or consent is withdrawn.

10) Your privacy rights

UK/EU (UK GDPR): You have the right of access, rectification, erasure, restriction, data portability, and to object to processing. You may withdraw consent at any time. You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) (ico.org.uk).

India (DPDP Act): You have the right to access, correction, erasure, and grievance redressal (Contact: Dr. Keyur Patel). You may also nominate another person to exercise rights in the event of incapacity or death.

To exercise these rights: Email us at [email protected]. We may need to verify your identity before acting on a request.

11) Cookies, analytics & similar technologies

We use essential cookies for security and to make the site work. With your consent, we may use optional cookies for analytics.

  • Controls: A cookie consent banner will allow you to manage preferences. Only essential cookies run by default.
  • Analytics: Google Analytics 4 (IP anonymisation enabled).
  • See Appendix B for details.

12) Telehealth and digital tools

If you choose telehealth, we use secure platforms. We do not record sessions without explicit notice and consent. Platform metadata (date/time) may be stored.

  • Note regarding Messaging: While we may use apps like WhatsApp for scheduling, we advise against sharing sensitive clinical documents via standard messaging apps unless end-to-end encryption is verified and agreed upon.

13) CCTV on premises

We currently do not use CCTV at our premises. If this changes for security purposes, we will update this notice and display clear signage at the location.

14) Third‑party links

Our website may include links to third‑party sites. We are not responsible for their privacy practices.

15) Security

We apply administrative, technical, and physical safeguards appropriate to the sensitivity of the data, including access controls, encryption in transit, secure storage, and staff training. No system is completely secure, but we work to prevent, detect, and respond to risks.

16) Marketing

We only send marketing by email or WhatsApp with your opt‑in consent. You can opt out at any time by using the unsubscribe link or contacting us. Service messages (e.g., appointment reminders) are not marketing.

17) Children

We obtain consent from a parent/guardian when required by law and act in the best interests of the child.

18) Changes to this notice

The latest version will always be available at revival.physio/privacy-policy.

19) Contact us

Privacy Team:

Regulatory Complaints:

  • UK: Information Commissioner’s Office (ICO) at ico.org.uk.
  • India: Data Protection Board of India (once established).

Appendix A – Key Service Providers

  • Website hosting & email: Bluehost (hosting), Cloudflare (CDN), Zoho Mail.
  • Practice Management/EHR: In‑house custom EHR system; RehabGuru (exercise programming).
  • Online booking & telehealth: Cliniko and/or RehabGuru.
  • Payments: Stripe.
  • Analytics: Google Analytics 4.
  • Forms: Typeform / Google Forms (where applicable).

Appendix B – Cookie Notice (Summary)

  • Strictly necessary: Session ID, security tokens (Expires: End of session).
  • Functional: Language/Location preferences (Expires: 6–12 months).
  • Analytics: GA4 cookies (e.g., _ga, _gid).
  • Advertising: We do not use advertising cookies.

 
