Privacy Policy

Last updated: 28th September 2025

1) Who we are (Data Controller)

  • Practice name: [Dr Marwan / Clinic 360]
  • Website: drmarwan.co.uk
  • Registered address:
    Laurel House,
    Main Street,
    Garforth
    LS25 1HB
  • Contact (privacy): [email protected]

2) What data we collect

We collect information when you browse our site, contact us, or receive care.

  • Identity & contact: name, date of birth, email, phone, address.
  • Clinical information (special category): medical history, symptoms, medications, diagnostic results, referral letters, notes.
  • Appointment & billing: appointment details, invoices, insurance details, payment confirmations (we do not store full card details).
  • Website/technical: IP address, device/browser info, pages viewed, cookies/analytics.
  • Communications: emails, messages, feedback, testimonials (with consent).

3) Sources of data

  • Directly from you (forms, calls, email, consultations).
  • From referrers/other clinicians (with your consent or where permitted by law).
  • From technology providers (e.g., analytics, booking).

4) Why we use your data (purposes) & lawful bases

  • Clinical care and administration (scheduling, referrals, records, follow-up).
    • Lawful bases: Contract (Art.6(1)(b)), Legal obligation (Art.6(1)(c)), Vital interests (Art.6(1)(d)) in limited cases, Public task/Legitimate interests (as applicable).
    • Special category basis: Article 9(2)(h) (health/clinical care), and 9(3) under professional confidentiality.
  • Payments and billing (invoicing, insurance).
    • Lawful bases: Contract, Legal obligation.
  • Practice operations (audit, quality, safety, secure record-keeping).
    • Lawful bases: Legal obligation, Legitimate interests (Art.6(1)(f)).
  • Communications (responding to enquiries, sending appointment info).
    • Lawful bases: Contract, Legitimate interests.
  • Marketing (optional) (news, services).
    • Lawful basis: Consent (you can withdraw anytime).
  • Website analytics & improvement.
    • Lawful bases: Consent (non-essential cookies), Legitimate interests (aggregate analytics if strictly necessary/anonymous).

5) Sharing your data

We share data only when necessary:

  • Healthcare providers (e.g., your GP, physiotherapists, imaging centres) with your consent or where permitted/required.
  • Service providers (secure IT hosting, practice management/booking systems, email/SMS, payment processors).
  • Legal/Regulatory (e.g., HMRC, ICO, professional bodies) where required by law.
  • Insurers (where applicable and authorised).

All processors are under written data processing agreements.

6) International transfers

Where services host data outside the UK (e.g., EEA/US), we use appropriate safeguards (UK Addendum/IDTA, SCCs, or adequacy decisions). Details available on request.

7) How long we keep data (retention)

  • Clinical records: retained in line with professional/medico-legal guidance (typically at least 7–8 years after last contact, and longer for children—until age 25 or 26 if 17 at treatment).
  • Enquiries/booking records: [e.g., 2 years].
  • Billing/finance: 6 years (legal requirement).

We securely delete or anonymise data when no longer required.

8) Your rights

Under UK GDPR you have the right to:

  • Access, rectification, erasure (where applicable), restriction, portability, and to object to processing.
  • Withdraw consent at any time (for consent-based processing).
  • Complain to the Information Commissioner’s Office (ICO): https://ico.org.uk/
    (We’d appreciate the chance to resolve concerns first: [email protected].)

9) Children’s data

Where we provide care to minors, we process data with appropriate parental responsibility and apply enhanced confidentiality and retention rules.

10) Security

We use technical and organisational measures to protect data (encryption in transit, access controls, least-privilege, regular updates). No system is 100% secure, but we take reasonable steps to mitigate risks.

11) Cookies & analytics

See our Cookie Policy for details of cookie categories, providers, and how to manage consent.

12) Changes to this notice

We may update this policy to reflect legal or service changes. We’ll post updates here with a new “Last updated” date.