Skip to main content

Privacy Policy for Cheam Osteopaths


Last Updated: May 2026

       

1. Introduction

           

Cheam Osteopaths is committed to protecting the privacy and security of your personal information. This privacy policy describes how we collect and use personal information about you during and after your treatment with us, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.


2. Data Controller and Contact Details

Cheam Osteopaths is the "Data Controller" for the purposes of your personal data. This means we are responsible for deciding how we hold and use personal information about you.

  • Practice Name: Cheam Osteopaths
  • Address: 143 Cheam Road, Cheam, Sutton, Surrey, SM1 2BP
  • Email: petermidgley@gmail.com
  • Telephone: 020 8643 3990


3. The Categories of Data We Collect

We collect, store, and use the following categories of personal information about you:

  • Personal Identifiers: Full name, title, date of birth, and gender.
  • Contact Information: Home address, telephone numbers, and personal email addresses.
  • Special Category Data (Health Records): As an osteopathic practice, we collect highly sensitive data including your medical history, current symptoms, lifestyle factors (such as physical activity and occupation), clinical examination results, treatment plans, and progress notes.
  • Financial Information: Payment card details and transaction history for services provided.
  • Website & Technical Data: IP addresses, browser types, and usage patterns collected via Matomo Analytics.


4. How Your Personal Information is Collected

We collect personal information through the following channels:

  • Direct Interaction: Information you provide by filling in intake forms, during physical consultations, or by corresponding with us by post, phone, or email.
  • Automated Technologies: As you interact with our website, we may automatically collect Technical Data via Matomo.
  • Third Parties: Occasionally, we may receive information from other healthcare professionals, such as your GP or consultant, provided you have consented to such sharing.


5. Lawful Basis for Processing

We will only use your personal information when the law allows us to. Most commonly, we use it under the following circumstances:

  • Contractual Necessity: Where we need to perform the contract we have entered into with you to provide healthcare services.
  • Legal Obligation: Where we need to comply with a legal or regulatory obligation, such as the mandatory retention of medical records.
  • Legitimate Interests: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Special Category Data: We process your health data under Article 9(2)(h) of the UK GDPR: "processing is necessary for the purposes of preventive or occupational medicine... [and] the provision of health or social care or treatment."


6. Website Analytics (Matomo)

Our website uses Matomo Analytics to monitor site performance. Unlike other providers, Matomo is configured with a privacy-first approach:

  • Anonymisation: All IP addresses are masked to ensure visitors cannot be personally identified.
  • No Data Sharing: Data is used exclusively by Cheam Osteopaths and is not shared with third parties for marketing or advertising purposes.
  • Opt-Out: You can choose to disable tracking via our website's cookie settings or your browser's "Do Not Track" feature.


7. Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Access to your medical records is strictly limited to clinical staff and authorised personnel who have a business need to know.


8. Data Retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Adult Patients: Clinical records are retained for a minimum of 8 years after the conclusion of the last treatment.
  • Minor Patients: Records for children must be retained until the patient reaches the age of 25 (or 26 if they were 17 at the conclusion of treatment).


9. Data Sharing

We do not sell your data. We only share your information with:

  • Healthcare Professionals: Your GP, consultant, or other specialists, but only with your explicit consent.
  • Service Providers: Third-party providers who provide IT and administration services, provided they comply with UK GDPR.
  • Legal Authorities: If required by law, we may share information with regulatory bodies (such as the GOsC) or law enforcement.


10. Your Legal Rights

Under certain circumstances, you have the right by law to:

  • Request Access: Request a copy of the personal information we hold about you (a "Subject Access Request").
  • Request Correction: Ask us to correct any incomplete or inaccurate information we hold about you.
  • Request Erasure: Ask us to delete personal information where there is no good reason for us continuing to process it (noting that medical retention laws may override this).
  • Object to Processing: Object to the processing of your personal information where we are relying on a legitimate interest.


11. Complaints

If you have any questions about this privacy policy or how we handle your personal information, please contact us. You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO).


ICO Contact Details:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113 | Website: https://www.ico.org.uk