Privacy

This privacy policy outlines how Rameena Naik t/a Sapana Physiotherapy collects, uses, and protects personal data in accordance with the Health and Care Professions Council (HCPC) Standards of Conduct, Performance and Ethics, Chartered Society of Physiotherapy (CSP) guidance, and UK GDPR. This policy applies to all patients, staff, and business partners of the practice.

Compliance with HCPC and CSP Standards

We are committed to maintaining confidentiality and handling personal data in line with the HCPC’s professional and ethical guidelines, particularly:

  • HCPC Standard 10: Duty to protect patient information and maintain accurate records.

  • HCPC Standard 2: Responsible and clear communication regarding data use.

  • CSP Data Protection Guidance: Ensuring best practice in the collection, storage, and sharing of patient information.

What Personal Data We Collect

We collect and store the following personal information:

  • Patient details (name, date of birth, contact details, GP details, next of kin)

  • Medical history, treatment notes, and referrals

  • Payment details (for billing purposes)

  • Communications with patients (emails, letters, and forms)

  • Marketing preferences (where applicable and with consent)

Purpose of Data Collection

Patient data is collected and processed for the following purposes:

  • Providing physiotherapy assessment and treatment

  • Maintaining accurate health records in line with HCPC and CSP guidelines

  • Processing payments and managing billing records

  • Sending appointment reminders and relevant health information

  • Conducting anonymous audits for quality assurance and clinical improvement

  • Contacting you to promote our services and offers if opted in

Data Storage and Security Measures

We use secure systems to store and manage patient data:

  • Patient records are stored digitally using cloud storage software, compliant with UK GDPR.

  • Physical records (if applicable) are stored securely with restricted access.

  • Access to data is limited to treating clinicians and essential administration staff only.

  • All staff handling patient data undergo data protection training to ensure compliance.

Data Retention Period

Patient records are kept in line with HCPC guidelines:

  • Adult patient records: Retained for 8 years after the last appointment.

  • Children’s records: Retained until the patient turns 25 years old.

  • After the retention period, data is securely destroyed in compliance with ICO regulations.

Data Sharing and Third-Party Processors

We do not sell or share personal data with third parties for marketing purposes. However, in order to deliver our services effectively, we use trusted third-party providers who process personal data on our behalf.

Third Party Processors

Stripe

Purpose: Billing

Data shared: Name; Payment Information

Acuity Scheduling

Purpose: Appointment scheduling and note taking

Data shared: Name; DOB; Contact Information; Health Intake Forms and Notes

Google

Purpose: Email service provider

Data shared: Emails you send to the clinic; Correspondence with other healthcare professionals (for example, a referral).

We ensure that all third-party providers we use are compliant with applicable data protection laws and have appropriate safeguards in place to protect personal data.

We may also share personal data in the following circumstances:

  • Where required by law, regulation, or professional obligation

  • Where referral letters are required (e.g., to GPs or consultants), in which case patient consent is obtained beforehand

  • For clinical audits, supervision, or training purposes, in which case all data will be fully anonymised

Marketing and Communications

  • Patients will only receive marketing communications if they have opted in.

  • Every patient has the right to withdraw consent for marketing at any time.

ICO Registration and Compliance

As a data controller, we are registered with the Information Commissioner’s Office (ICO). Patients can contact the ICO if they have concerns about how their data is handled.

Data Breaches and Reporting

In the event of a data breach:

  • We will notify the ICO within 72 hours if required under UK GDPR.

  • Affected individuals will be informed where there is a risk to their rights or privacy.

Patient Rights and How to Contact Us

Patients have the right to:

  • Request access to their data

  • Ask for corrections to inaccurate information

  • Withdraw consent for marketing or data processing

  • Request deletion of personal data where legally permitted

This privacy policy is subject to regular review. When changes are introduced, this policy will be updated accordingly, and the most current version will be published on our website.

Last updated: 21/04/2026

For any queries, data access requests, or concerns, please contact Sapana Physiotherapy at contact@sapanalondon.com.