PRIVACY POLICY

Riverside Physiotherapy is committed to protecting your personal data. This notice explains what information we collect, why we collect it, how we use it, how long we keep it, and your rights under UK data protection law.

1. What information we collect and why

We are required by law to collect and use personal information so we can provide safe, effective physiotherapy care and manage your appointments and treatment episodes.

Personal information we may collect:

  • Name, address and contact details

  • Date of birth

  • Gender

  • Emergency contact or next of kin details

  • Insurance policy details (if relevant)

  • Payment information (if required for billing)

Sensitive information we collect:

  • Health information relevant to your physiotherapy care (medical history, clinical notes, injuries, imaging reports, medications, allergies, and other clinical details)

This information is required for:

  • Physiotherapy assessment, diagnosis, and treatment

  • Appointment management

  • Meeting legal and professional obligations under the HCPC and GDPR

  • Quality assurance and safe clinical governance

  • Communicating with your GP, consultant, or insurer when appropriate and with consent

2. How we collect personal information

We collect information:

  • Directly from you

  • From referring GPs, consultants, or other healthcare professionals

  • From parents or caregivers for children

  • From insurers, case managers or other relevant third parties involved in your care

3. Use of Heidi AI during consultations

Some physiotherapists at Riverside Physiotherapy use Heidi AI, a clinical-grade digital note-taking tool, to help produce accurate and timely clinical records.

  • Your consent will be requested before Heidi AI is used in your consultation.

  • No audio is ever recorded or stored. It is transcribed and immediately deleted after the note is generated. Text-based records are copied into our clinical notes and then deleted from Heidi Health.

  • You have the right to decline use of the tool at any time. Your physiotherapist will take notes manually and your care will not be affected.

How Heidi AI processes your data:

  • Heidi AI records and transcribes relevant clinical information during the consultation for note-taking purposes only.

  • Data is processed and stored securely within Heidi AI's encrypted, GDPR-compliant systems.

  • Only authorised clinicians involved in your care have access to notes produced via Heidi AI.

  • Data is not used for marketing, sold, or shared with external third parties.

If you would like more information about Heidi AI, please contact the Data Controller.

4. How we use and share your information

Riverside Physiotherapy will never sell your information or share it for marketing purposes.

We may share your information with:

  • Your GP or consultant, for example via a discharge letter at the end of your treatment

  • Your health insurance provider, if applicable

  • Other healthcare providers involved in your clinical care

  • Legal bodies when required (e.g., court orders or safeguarding duties)

We adhere to the common-law duty of confidentiality. Information is only shared when:

  • You have given consent, or

  • There is a legal requirement, or

  • There is an overriding public interest (e.g., serious crime or safety concerns), assessed case by case.

5. Lawful bases for processing your data

Under UK GDPR, we rely on the following lawful bases:

For physiotherapy treatment

  • Legitimate interests: Processing is necessary to assess and treat you safely and to meet professional HCPC requirements.

  • Consent: When sharing information with insurers or third parties beyond direct care.

For legal and regulatory obligations

  • Legal obligation: We must retain and manage clinical records according to statutory and professional rules.

6. How long we keep your information

We retain information in line with clinical and legal requirements:

  • Adult records: retained for 8 years after your last appointment

  • Children’s records: retained until age 25, or 8 years after discharge, whichever is later

  • Records older than 2 years may be securely archived

  • Disposal is carried out by authorised personnel following strict confidentiality protocols

All clinical records are stored securely on our encrypted, cloud-based patient management system, accessible only to authorised clinicians and administrative staff.

7. Your data protection rights

You have the right to:

  • Access the personal data we hold about you.

  • Request correction of inaccurate or incomplete personal data. Factual errors will be amended promptly, and where a clinical opinion is disputed, a supplementary note may be added without altering the original record.

  • Request erasure of your personal data in certain circumstances. However, we are required to retain clinical records to meet our legal, regulatory and professional obligations. Where erasure is not possible, we will explain the reasons to you.

  • Request restriction of processing in certain circumstances; where applicable, we will limit how your data is used while retaining it in line with our legal, regulatory, and professional obligations. Please note that we may be required to continue processing your information where it is necessary for your clinical care or to comply with legal and regulatory obligations.

  • Request we provide your personal data in an electronic format or transfer it to another healthcare provider where applicable.

We will respond to all rights requests within one month.

8. Contact us

For questions about this Privacy Notice or to make a data protection rights request, please contact:

Data Controller:
Tracie Bolger, Practice Principal
info@riversidephysio.com