Privacy Policy

LAST UPDATED: MAY, 2018

At various times during your interaction with David Thunder and colleagues, you will be asked to provide personal information. 

Your privacy and confidentiality are incredibly important to us. We take the security of personal data seriously and are committed to keeping you fully informed of your rights under the General Data Protection Regulation. We aim to act transparently at all times and to provide you with accessible information on how we use your personal data.

We have produced this document to tell you:

  • What information is used and Why.

  • Who can see it and Where we keep it secure.

  • How you can access, amend or erase it.

This policy covers the key points that we need to obtain your explicit consent for in order to offer our services to you and act as a processor and controller of your sensitive data. Through agreeing to this privacy policy you are consenting to us processing your personal data for the purposes outlined. You can withdraw consent at any time by using the details provided at the end of this policy document. 

More information can be read in our full data protection policy document, cookies policy and terms & conditions. If you have any more questions relating to your data and personal information, we’d be happy to answer them. Please send your requests to reception@dthunder.com.

What…and Why…

We request the minimum amount of information possible from you to uniquely identify you and give you the best possible service we can.

  • Medical Notes (this may include: name, date of birth, supplements and medicine details, lifestyle, diet and occupation, presenting complaints, severity, injury history, relevant videos or photos, scans, questionnaires, treatment, diagnosis, progress reports and referral letters). We will only collect what is relevant and necessary for your treatment.

We need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and our agreement to provide that care constitutes a contract. You can, of course, refuse to provide the information, but if you were to do that we would not be able to provide you with our services. It is therefore a condition of any treatment that you give your explicit consent to allow us to document and process your personal medical data.

  • We have a legal obligation to retain your records for 8 years after your most recent appointment (or age 25, if this is longer). We will retain your records indefinitely (unless instructed by you otherwise) in order that we can provide you with the best possible care should you need to see us at some future date.

  • We have a “Legitimate Interest” in collecting your information, because without it we would not be able to do our job effectively and safely.

  • Email address & contact details

    • We think it is important that we can contact you in order to:

      • Send referral letters for you to specialists with your consent.

      • Contact you directly to discuss your treatment and appointments.

      • Send appointment confirmations and reminders.

      • Book and cancel appointments.

This again constitutes “Legitimate Interest”, but this time it is your legitimate interest. You can also update this preference with us at any time should you prefer not to receive any of the above, but remember it may impact how we are able to offer our service to you.

You provide us with personal data in the following ways:

  • Through email, over the telephone or by post.

  • During a treatment or consultation.

  • By completing an online questionnaire.

  • From signing up to our newsletter.

  • By using our online booking services.

  • When making payment using card and online payment.

Who…and Where…

The confidentiality of your personal information is of paramount concern to us. Your medical information, history, and treatment plan, if any, will remain confidential, and will only be disclosed to those involved with your treatment, treatment plan, or care, or in accordance with UK law and guidelines from any relevant professional bodies.

We have put in place physical, electronic and operational procedures intended to safeguard and secure the information that we hold about you. All of our staff have a legal duty to respect the confidentiality of your personal data and medical information, and access to this information is restricted only to those who have a reasonable need to access it. All our data is held securely and all our data processors have been vetted to comply with GDPR safety regulations.

Some of our data is held outside the EEA by our appointed data processors.

Your data will be stored in the following external platforms, depending on how you provided it to us.

  • Cliniko: All data in relation to your clinical management is processed and stored here. We use Cliniko to book your appointments online, provide electronic note keeping and storage for your special category data, send out invoices, send out receipts and store clinical/referral letters. Cliniko is an encrypted cloud-based patient management platform located in Australia. Cliniko has signed a contract with us to protect patient data subject rights in accordance with GDPR. Cliniko’s own privacy policy can be found here. This is accessed by David Thunder, who is the only person able to view your medical notes and enter any special category data, and by our reception/administrative team, who have access to basic information to book your appointments and send out reminders, invoices and receipts; they do not have access to view your medical notes.

  • Google: Your email and any other documents or communication you may have sent to us via email, through direct contact or by contacting us through our website, go through Gmail. Google’s own privacy policy can be found here.

  • Mailchimp: When explicitly signing up to our newsletter you agree for us to store your email and preferences in Mailchimp. You can unsubscribe from this list at any time. Their privacy policy can be read here.

  • Square: Transaction details for any payments made using our portable card reader are processed by Square. Their updated privacy policy can be read here.

  • ScheduleOnce: If you book an online coaching call or appointment via ScheduleOnce you will be asked to provide information which is fed back to us by email (Google). Their updated privacy policy can be viewed here.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it). We ensure external data processors that support us are legally and contractually bound to operate security arrangements, and to prove they are in place, where data that could or does identify a person is processed.

David Thunder is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website.

How…

You have the right to see what personal data of yours we hold, and you can also ask us to correct any factual errors. Provided the legal minimum period has elapsed, you can also ask us to erase your records. 

If you want to access your data you must make a subject access request in writing to reception@dthunder.com. You do not need to give a reason to see your data. We shall respond within 30 working days from the point of receiving the request and all necessary information from you.

To access what personal data is held, identification will be required.

If you have a complaint regarding the use of your personal data then please contact us and we will do our best to help you.

If your complaint is not resolved to your satisfaction and you wish to make a formal complaint to the Information Commissioner’s Office (ICO), you can contact them on 01625 545745 or 0303 1231113.