Privacy policy
Last updated: 21 June 2026
Milton Keynes Sports Therapy Limited (“we”, “us”) takes your privacy seriously. This page explains what personal data we collect when you use this website or book a treatment, what we do with it, and what choices you have. We’re the data controller for everything described here.
What we collect
When you book or contact us, we collect:
- Contact details — your name, email, and (optionally) phone number, so we can confirm your appointment and reach you about it.
- Booking details — the treatment, the therapist, the date and time, and the price you paid.
- Payment data — handled by Stripe. We never see or store your card number; Stripe sends us a confirmation that payment cleared.
- Clinical notes — only if you tick the consent box on the booking form. Notes are written by the therapist after your appointment to help with continuity of care. They are encrypted before they touch the database.
- Site usage — anonymised page-view and funnel data via PostHog. No cookies are set; we cannot identify you from this data.
Lawful basis
We rely on:
- Contract — to provide the treatment you booked and process payment.
- Legal obligation — to keep booking and financial records as required by HMRC.
- Legitimate interest — to send transactional emails (confirmation, reminder, cancellation), and to run anonymised analytics so we can improve the site.
- Explicit consent — to record clinical treatment notes. You can decline at booking time and you can withdraw consent later (see below).
Who else sees your data
We share the minimum necessary with a small set of UK/EU/US processors:
- Stripe (payments) — your name, email, and the booking total. Stripe is the card-data controller.
- Clerk (staff sign-in) — staff identity only. Customers are not in Clerk.
- Amazon Web Services (hosting, EU regions) — the database and app servers.
- PostHog (analytics) — anonymised usage events; no cookies, no identifiers.
- Email provider (transactional) — sends booking confirmations, reminders, and cancellation messages.
We do not sell or rent your data. We do not use it for marketing without separate consent.
How long we keep it
We hold data only as long as we need it. Our retention rules differ by category to match the UK regulatory floors that apply to each:
- Clinical treatment notes — 8 years from the date of your last treatment, in line with Chartered Society of Physiotherapy and professional-indemnity guidance. For minors, records are kept until the patient’s 25th birthday.
- Financial and booking records — 6 years, as required by HMRC for accounting purposes.
- Contact details and other personal data — 2 years from your last booking, after which we delete or anonymise it.
Treatment notes consent
Clinical notes are only created if you tick the consent box at booking. We store the timestamp and IP address of your consent for audit purposes. You can withdraw consent at any time by emailing swond03@googlemail.com. On withdrawal we stop adding new notes; existing notes are retained for the professional retention period above unless you also ask us to delete them.
Your rights
Under UK GDPR you can ask us to:
- tell you what data we hold about you (subject access);
- correct anything that’s wrong;
- delete your data, where we’re not required to keep it by law (we can’t delete financial records inside the HMRC window, for example);
- port your data to another provider in a machine-readable format;
- object to a particular use, or restrict how we use it.
Email swond03@googlemail.com to exercise any of these. We aim to respond within 30 days.
Security
The site runs over HTTPS. Clinical notes are encrypted with AES-256-GCM before being written to the database; the encryption key is held outside the database. Payments are handled entirely by Stripe’s PCI-compliant infrastructure. We log access to identifiable data and review it periodically.
Cookies
We don’t set marketing or tracking cookies. The site uses a small number of strictly necessary cookies that keep you signed in (staff only) and remember your booking session while you’re mid-flow. No cookie consent banner is needed because no consent-bearing cookies are set.
Complaints
If you’re unhappy with how we handle your data, please contact us first at swond03@googlemail.com and we’ll do our best to put it right. If you’re still unsatisfied, you have the right to complain to the UK Information Commissioner’s Office at ico.org.uk.
Changes
We may update this policy from time to time — material changes will be flagged on the booking form or by email. The current version is dated at the top of this page. See also our terms and cancellation policy.