Privacy & Security Policy

Data Protection

We are committed to protecting your privacy. We will only use the information that we collect about you lawfully (in accordance with the data protection act 1998) and according to which web trader code of conduct. We are registered and compliant with ICO (Information Commissioner’s Office).

We are fully compliant with the GDPR guidelines which are being introduced 25th May 2018.

Sunderland Physiotherapy Clinic is a data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: TT Therapy Services Ltd, Trading as Sunderland Physiotherapy Clinic, 37 Mere Knolls Road, Sunderland, SR69LG.

For all data matters contact Michelle Scott or Lindsey Graham (Data Protection officers/ controllers) on 01915483388 or email

This includes any disputes or requests you may have about your data.All other staff/ associates/ contractors that are based at Sunderland Physiotherapy Clinic (see team page for names) are Data Processors.

If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England, UK.


GDPR- Data collection and processing

Booking an appointment

We collect information (your name and telephone number) at the time of you booking your appointment. This information is stored in paper format, which is locked away in a filing cabinet and only accessed by business admin and relevant clinical staff. Your details are also stored at this stage on our online system Cliniko, which is also fully GDPR compliant. 

You may also choose to book your own appointment via our online diary system on Cliniko. You are required at this point to enter your full name, DOB, address, email and contact telephone number. A member of staff will use these details to confirm the appointment with you and process your deposit.  

The lawful basis and legitimate reasons for processing- Your first appointment

At the time of your first appointment you will be asked to complete a registration form which asks for further detailed information such as your DOB, address, GP and further contact numbers. The therapist you see will then undertake a medical history as part of your initial appointment. This is a legal requirement and is classed as sensitive data and we therefore have a lawful obligation to process and retain this information in accordance with Article 6 of the GDPR guidelines. 

All of this information is secured stored in paper format before being transferred to our online system for storage and updates (Cliniko). Any duplicate paper records are then securely destroyed. As therapists we are required by law and our own professional standards to retain these details for at least 8 years (following your last visit to the clinic). All clients details from 2016 onwards are stored on Cliniko. Prior to this all notes and diaries are stored in a locked filing cabinet and only accessed by appropriate admin / clinical staff. The length of time we securely hold information for is different if clients are under 16 years when they first visited us or if they have have come to us with a Women’s Health complaint. We audit/ review the sensitive and lawful data we store at the end of each calendar year, meaning no data is kept beyond its necessary time frame. 

If you have been referred to us by a third party, such as insurance company, employer, solicitor we will be sent additional information about you at the point of referral. Again this information is stored and accessed safely and held appropriately along with your medical records. We may be required to send information back to your referrer. This will only be done with your consent and will be fully compliant with the GDPR guidelines. The referral company will also have their own GDPR privacy policy including the safe transference of information.

Deposits- Paying by card

If you pay for your treatment we do ask for a 50% deposit at the time of booking. This can be done in person (card or cash) or over the phone. Should you choose to pay by card over the phone your details will be immediately put into the card machine and no information is recorded or stored separately. The details will not be repeated or read out loud. 

The machine prints off 2 copies of the receipt, one for you and one for us. We keep your copy (again this is stored in a locked drawer) and pass that onto you at your first appointment. We retain our copy (again in a locked drawer). This copy is then held for at least 18 months and is kept securely before being destroyed. 

You may also wish to come into the clinic to pay your deposit by card. 

If you pay for a treatment in person by card. You will only be required to check the amount to be processed, put your card in the machine and enter your PIN information / or pay by contactless. You will be given your copy of the receipt immediately and again our copy is stored securely as mentioned above. Should you wish to use contactless we will still give you the option should you like a copy of your receipt.

If you order a gift voucher from us (over the phone) we will ask for full payment in order to process the voucher. If you choose to pay this by card your details will be immediately put into the card machine and no information is recorded or stored separately. The details will not be repeated or read out loud.

The machine prints off 2 copies of the receipt, one for you and one for us. We keep your copy (again this is stored in a locked drawer) and we will ask you what you would like us to do with your copy of the receipt, You can choose to come and collect the receipt in person (with the relevant ID to prove you are the card holder). You have the option for us to securely destroy your copy should you not wish to collect it. We retain our copy (again in a locked drawer). This copy is then held for at least 18 months and is kept securely before being destroyed.

Buying a gift voucher and storing information

We are required to take your name and contact number (for future reference) as well as the recipients name and number where possible. We will hold all these details for up to 1 year (at expiry of gift voucher). Once the recipient attends the clinic we no longer require the buyers details (unless you are a current customer) and they are then securely destroyed.

Paying by Paypal

If you order a gift voucher from us in person your order and payment details are processed securely by the 3rd party PayPal. They have their own GDPR policy and this can be viewed on their website. We will then process the gift voucher and retain only you name/ contact information and the recipients details you provide us up until the point they redeem their voucher or up to 12 months (whichever is sooner). Any duplicate information will then be destroyed securely.

GDPR- Marketing

If you are an existing customer we will have asked you to fill in a registration form. Part of this form contains a tick box with regards to you consenting to receive marketing information, mews and offers from us via email. If you did tick the box and therefore consent, we will have added you to our marketing list, which is held on Mailchimp. Mailchimp is a 3rd party and has its own GDPR privacy policy which can be found here. We also have a ‘sign up to our newsletter’ option on our website, where by you can add your own details to our Mailchimp mail list. We send out occasional emails via Mailchimp to inform clients (that have consented/ signed up) of news and any offers/ discounts. Our newsletters always contain an unsubscribe button should you wish to do this at any point and stop receiving information. You can also unsubscribe here or email us at We will remove you from the mailing list at this point but you will remain on our customer list for the allocated amount of time as previously stated above. 

We confirm that we will not pass on any of your information to any other company. Any information collected with consent by us will only be used to send further offers or promotional items to you by Sunderland Physiotherapy Clinic solely. Only authorised employees, agents and contractors (who have agreed to keep information secure and confidential) have access to this information.

Legal rights

 Right of access (Article 15)

Individuals have a right to access their personal information/ data. This is referred to as subject access. This request can be done in writing but it must be accompanied by proof of identification. We will respond to the request within 1 month and we do not have a right to charge you.

However, where the request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request.

We can also charge a reasonable fee if an individual requests further copies of their data following a request, based on the administrative costs of providing further copies.

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

Other legal rights

  • The right to request that we correct any personal data if it is found to be inaccurate or out of date; We can’t amend any medical information we hold about you once it has been written, but we can write an additional entry that is logged at the end of your medical records of any requests to amend information. We can of course amend any contact details that are no longer correct 
  • The right to request your personal data is erased where it is no longer necessary to retain such data; In this instance this can only be done with your marketing information, as we have a legal obligation to retain your sensitive data for a specific time frame (listed above). 
  • The right to withdraw your consent to the processing at any time. We would still need to store the information and data collected up to this point. 
  • The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means);
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data, (where applicable i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics).

Security breaches

All of our staff and associates have been trained in Data processing and have specific instructions on how to handle and process data. Should we feel any data has been breached or mishandled or a data breach is reported to us, we have strict policies in place to ensure a suitable and timely response plan. These will be dealt with by the Data Controllers Michelle Scott or Lindsey Graham, this includes notifying the ICO of a breach where relevant as well as the individual (s). All breaches are documented accordingly. 

Code of conduct
Our team of Physiotherapists are registered with the Health and Care Professions Council (HCPC), The Chartered Society of Physiotherapy (CSP) and The Acupuncture Association of Chartered Physiotherapists (AACP). We abide by all professional standards of care, code of conduct and data protection. Our associate therapists are all fully registered and insured and abide by their professional regulations, such as the FHT.

Cookie/Tracking Technology
The Site may use cookie and tracking technology depending on the features offered. Cookie and tracking technology are useful for gathering information such as browser type and operating system, tracking the number of visitors to the Site, and understanding how visitors use the Site. Cookies can also help customise the Site for visitors. Personal information cannot be collected via cookies and other tracking technology, however, if you previously provided personally identifiable information, cookies may be tied to such information. Aggregate cookie and tracking information may be shared with third parties. You may wish to disable cookies in your browser by following the instructions on your web browser directly.

Third party links outside of our control

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.

When you leave our website, we encourage you to read the privacy notice of every website you visit.

Distribution of Information We may share information with governmental agencies or other companies assisting us in fraud prevention or investigation. We may do so when: (1) permitted or required by law; or, (2) trying to protect against or prevent actual or potential fraud or unauthorised transactions; or, (3) investigating fraud which has already taken place. The information is not provided to these companies for marketing purposes.