SB Physiotherapy
Professional physiotherapy services in Horley & Reigate

Privacy Policy for Clients


In accordance with the General Data Protection Regulation (GDPR) we have implemented this privacy notice to provide you, our clients, with details of how we collect and process your personal data through your use of our site including any information you may provide through our site. We also include within this policy the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.
We need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and our agreement to provide that care constitutes a contract. You can, of course, refuse to provide the information, but if you were to do that we would not be able to provide treatment
By providing us with your data, you warrant to us that you are over 13 years of age.
SB Physio Ltd  is the data controller and we are responsible for your personal data (referred to as “we”, “us” or “our” in this privacy notice).
We have appointed a Data Protection Officer who is in charge of privacy related matters for us. If you have any questions about this privacy notice, please contact the Data Protection Officer using the details set out below.

Contact Details
Our full details are:
Data Protection Officer: Celia Johnson
Full name of legal entity: SB Physio Ltd
Email address:
Postal address: SB Physiotherapy, The Centre for Health, Caledonian House, Reigate Road, Horley, Surrey, RH6 8PF
Telephone number: 01293 365011
If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues ( We should be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.
It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us at


Personal data means any information capable of identifying an individual. It does not include anonymised data.
We may process certain types of personal data about you as follows:
Identity Data may include your first name, maiden name, last name, marital status, title, date of birth and gender.
Contact Data may include your address, email address and telephone numbers.
Financial Data may include your bank account and payment card details.
Transaction Data may include details about payments between us and other details of purchases made by you.
Profile Data may include your purchases, feedback and survey responses.
Marketing and Communications Data may include your preferences in receiving marketing communications from us and your communication preferences.
External medical records may include records we collect from you, external records from GPs/consultants/procedures. These will always be collected with your consent.
Treatment notes may include notes written during and following your consultations.
Sensitive Data
We collect sensitive data about your health to help us assess and treat you appropriately. We do not collect any other Sensitive Data about you. Sensitive data refers to data that may detail about your race or ethnicity, religious or philosophical beliefs, sex life, and information about your health. We do not collect any information about criminal convictions and offences.


We collect data about you through a variety of different methods including:

  • Direct interactions: You may provide data by filling in forms on our site (or otherwise) or by communicating with us by post, phone, email or otherwise, including when you:
  • Enquire about our services
  • book an appointment with us;
  • buy products from us;
  • subscribe to our publications;
  • request resources or marketing be sent to you;
  • give us feedback;
  • during your consultation/treatment sessions
  • From an external data controller i.e. insurer or intermediary company

Social media: We publish our Facebook and twitter page on our website which is available for general viewing. Personal information is not collated from using social media interactions although third parties may track you. You should refer to the Privacy Policy of the social media channel concerned. By following SB Physiotherapy on any of these channels you recognise that you are visible to others also using these social media platforms. We will never initiate conversations with you over social media, so as not to identify you as a client of the clinic. Should you initiate conversations with SB Physiotherapy over social media, then you are consenting to communication with us, in the public domain. You do this in the full recognition that you are not anonymous in doing so, and that you are identifiable. Should you have any personal queries or queries that relate to your care with us, then we kindly ask you submit this via email or contact us by phone 01293 365011. Please do not submit these via social media

If you send us a direct message via social media, the details may be retained by us only as relevant to any ongoing contract or to further our legitimate business interests or as required for legal purposes. The third party provider (i.e. Facebook/Twitter) may also retain details in accordance with their Privacy Policy.


The law on data protection allows us to process your data for certain reasons only. In the main, we process your data to comply with a legal requirement or in order to manage your treatment/ healthcare.
Generally, we do not rely on consent as a legal ground for processing your personal data, other than in relation to sending marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by emailing us at

Purposes for processing your personal data
Set out below is a description of the ways we intend to use your personal data and the legal grounds on which we will process such data. We have also explained what our legitimate interests are where relevant.

We may process your personal data for more than one lawful ground, depending on the specific purpose for which we are using your data. Please email us at you need details about the specific legal ground we are relying on to process your personal data.

Purpose/Activity Type of Data Lawful basis for Processing
To register you as a new client Identity
Legal obligation
To provide effective physiotherapy treatment using external medical notes and treatment notes Identity
Treatment notes
External medical notes
Legal obligation
To manage our relationship with you which will include: Notifying you about changes to our terms or privacy policy. Asking you to leave a review or take a survey. Identity
Marketing and Communications
Legal obligation
Legitimate Interest
To ensure we receive payment for treatments and products Contact
Legal obligation
Legitimate Interest
To administer and protect our business and our site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). Identity
Legal obligation
Legitimate Interest
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences Technical
Legal obligation
Legitimate Interest

Marketing communications
You may receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have agreed to receiving that marketing.
You can ask us to stop sending you marketing messages at any time by emailing us at at any time.
Where you opt out of receiving our marketing communications, this will not apply to personal data provided to us as a result of a service or product purchase, or other transactions.

Change of purpose
We will only use your personal data for the purposes for which we have collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to find out more about how the processing for the new purpose is compatible with the original purpose, please email us at
If we need to use your personal data for a purpose unrelated to the purpose for which we collected the data, we will notify you and we will explain the legal ground of processing.

We may process your personal data without your knowledge or consent where this is required or permitted by law.


We will never share your data with anyone who does not need access without your written consent. Only the following people/agencies will have access to your data:

  • Your practitioner(s) in order that they can provide you with treatment
  • Our reception staff because they organise our practitioners’ diaries, and coordinate appointments
  • Our electronic diary software support team and accountants (access to contact details only)
  • Where appropriate a summary of medical notes will be written in the Residential and/ or Nursing Home documentation. These notes are locked away in accordance with the care homes privacy policy. Please contact the relevant residential/nursing home for a copy of their Privacy Policy.
  • Where you have been referred via an insurance company/intermediary, they may require reports to be written. By initiating treatment via an insurance company/intermediary you are consenting to this. Should the insurer/intermediary require your medical notes, they must have a copy of an Authority and Request to Release Records, signed by you.
  • We can share information about yourselves with other individuals/companies, e.g family/next of kin/referring clinicians. This will only occur with your explicit consent, and should you wish this information to be shared you must sign a ‘Sharing of information contract’ where you will be able to specify who you wish for your medical data to be discussed with.  

We may have to share your personal data (not medical data) with the parties set out below for the purposes set out in the table in paragraph 4 above:

  • Service providers who provide IT and system administration services.
  • Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
  • HM Revenue & Customs, regulators and other authorities based in the United Kingdom and other relevant jurisdictions who require reporting of processing activities in certain circumstances.
  • Our Accountancy supplier and our online Accountancy package supplier.

We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.

As part of our obligations as primary healthcare practitioners there may be circumstances related to your treatment, on-going care or medical diagnosis that will require the sharing of your medical records with other healthcare practitioners e.g GPs, consultants, surgeons and/or medical insurance companies. Where this is required we will always inform you first unless we are under a legal obligation to comply, for example under The Human Rights Act 1998.


We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
Data is stored

  • On paper, in locked filing cabinets, and the offices are always locked with inside and outside doors out of working hours
  • Electronically on our office computers. These are password protected and the software is also password protected, backed up regularly and the offices are locked out of working hours.
  • Electronically on passcode protected mobile phones/tablets
  • There may be times where paper notes are transported between locations, i.e. between a care home and our offices. These notes are kept on the clinician at all times, and are not left unattended. As soon as it is practically possible they are locked away in our filing cabinets, as per above.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.


We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Treatment notes, External medical notes, Financial and Transaction Data) for seven years after they cease being customers. For children, we keep data for seven years after their 18th birthday or until they are 25 years old.
In some circumstances you can ask us to delete your data: see below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.


Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
  • The right to withdraw consent

 You can see more about these rights at:
If you wish to exercise any of the rights set out above, please email us at
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.


This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.


You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

Scroll to Top