Context

In the UK there are relevant Data Protection Obligations. Data Protection Legislation means all applicable legislation in force from time to time in the United Kingdom applicable to data protection and privacy including, but not limited to, the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder); the Data (Use and Access) Act 2025; and the Privacy and Electronic Communications Regulations 2003 as amended.

We have put together this privacy statement to give our clients more information about what we do with your personal data and the rights you have as an individual in relation to the data that we hold for you.

This policy will explain what data we hold, how we use your data, and how we take measures to ensure the data held is kept securely and safely.

Your Rights

Balanced Bodies will ensure that it treats personal information lawfully and correctly. To this end, we fully endorse and adhere to the principles and your rights as set out in the UK GDPR as outlined below:

  • Your personal data shall be processed fairly and lawfully and shall not be processed unless specific conditions are met.
  • Your personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data collected shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes (see Retention Periods later in this statement for details).
  • Personal data shall be processed in accordance with the rights of data subjects under UK GDPR, GDPR and the Data Protection Act 2018.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside of the UK unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data or contractual clauses are in place to ensure that data is stored with a level of protection at least equal to that provided under UK GDPR.

Furthermore, under the UK General Data Protection Regulations (UK GDPR) you have the right to:

  1. The right to be informed about what data is being held about you and how it is processed and managed which has been clearly outlined within this privacy statement.
  2. You have the right to request a copy of any of your Personal Data that We hold (where such data is held). Under the Data Protection Legislation, no fee is payable, We are required to reply to you within one month, and we will provide any and all information in response to your request free of charge, provided the request is reasonable. If We require clarification to help Us locate the information you are seeking, We may pause the one-month response period until We receive that clarification. We will also carry out a search that is reasonable and proportionate based on the scope and nature of your request. 
  3. The right to rectification if the data that is held about you is inaccurate or incomplete and you can request this to be undertaken by contacting us.
  4. The right to request the erasure of the data we hold for you, which is also known as the right to be forgotten. To request the right of erasure please contact us. If there are legal or professional reasons why data needs to be retained, it may not be possible for us to erase your data. If this is the case, we will write to you to let you know.
  5. The right to restrict the processing of the data we hold upon you. This means not deleting the data we hold upon you but placing certain restrictions or total restrictions on how we process it. To request the restriction of processing please contact us.
  6. The right to data portability to receive the data we hold on you in an open-source format such as in a CSV format. To request the data we hold in such a format, please contact us 
  7. The right to object to the way your data is being held, processed or managed and you can do so by contacting us.
  8. Rights in relation to automated decision making and profiling to be outlined to you. Currently, Balanced Bodies does not undertake any form of automated decision making.

What Data Is Held

Balanced Bodies holds the following data for legitimate client communication regarding booking initial / follow up appointments and to comply with the current legislation.

  • First name
  • Last Name
  • Email address and/or telephone number
  • Address where applicable
  • Date of Birth
  • Medical History / Medical Records as shared by you the client.

Balanced Bodies holds the following data for invoicing purposes:

  • First name
  • Last Name
  • Email address and/or telephone number
  • Address where applicable.

Data Storage and Data Sharing

Balanced Bodies takes the security of your information seriously. Only your Therapist and / or instructor will have access to your data for the purposes specified in this privacy statement. Your data may sometimes be shared with third parties such as other health care professional’s e.g. referrals to a GP or a consultant for further imaging or investigation, which would be always be discussed primarily with you before doing so.

Any data collected will be clearly outlined to clients at the point of data collection and will only be kept in locations for the length of time required to process such information for its intended purpose. Any handwritten notes are stored and used in a confidential manner and confidentially disposed of after the intended purpose.

Balanced Bodies uses the following UK GDPR compliant systems to store and / or process data:

  • Gmail for email correspondence, calendar and contact software.
  • Sports Injury Fix and Cliniko for patient notes storage, calendar and contact software.
  • GymCatch for class participant notes storage, calendar and contact software.
  • Rehab my Patient for client rehabilitation programmes, contact software, email correspondence.
  • Mail Chimp for managing newsletters.
  • Instagram, LinkedIn, Whats App, SMS and Facebook for marketing & communications purposes.
  • Stripe to process online payments. Sum-Up for in clinic card payments.
  • Zoom, Whats App, Face Time and Facebook for video conversations.

Our use of your personal data will always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented to our use of your personal data (e.g. because you have shared sensitive data with us), because it is necessary to fulfil a legal obligation, because it is necessary to protect the vital interests of you or someone else or because it is in our legitimate interests.

Retention Periods

Medical and health records are retained by Balanced Bodies for 7 years following the last appointment in accordance with applicable professional, legal and insurance requirements in force at the time. Handwritten notes are retained and stored securely for a maximum of 12 months.

Data Protection Concerns and Complaints

If you have any concerns or complaints about how your personal information has been collected, stored, used, shared, protected, retained, or deleted, please Contact Us in the first instance. 

We take all data protection concerns seriously and will investigate them fairly and without undue delay. We will acknowledge complaints within 30 days and aim to provide a full response within 30 days where possible. Where a concern is complex or requires additional time to investigate, We will keep you informed of progress.

If you remain dissatisfied following Our response, or if you would prefer not to contact Us first, you have the right to complain to the Information Commissioner’s Office (ICO), the UK’s independent authority for data protection matters:

www.ico.org.uk

We keep this Privacy Policy under regular review and will update it where necessary to reflect changes in legislation or Our data processing activities. This Privacy Policy was last updated on 13 June 2026.