Privacy Notice

Last updated: 10 June 2025

This notice tells you what personal information Moving Fox Osteopathy (“we”, “our”, “us”) collects, why we need it, and the rights you have under UK data‑protection law.

1. Who we are & how to contact us

  • Trading name: Moving Fox Osteopathy 
  • Clinic base: London, United Kingdom

  • E‑mail: [email protected] (postal address supplied on request)

  • Regulator: Information Commissioner’s Office (ico.org.uk, 0303 123 1113).

We are the data controller for the information described here.

2. The information we collect

  • Contact & identity – name, email, phone number.
  • Health & treatment – case history, examination findings, PAR‑Q answers, therapy notes, imaging or test results.
  • Appointments & payments – dates, invoices, card receipts.
  • Website & device data – cookie IDs, IP address, browser type.
    Essential cookies keep the site working; optional analytics cookies help us understand usage (see Section 8).

We do not collect “tracking” location data, biometrics or social‑media log‑ins.

3. Why we use your data & our lawful bases

We process personal information only where we have a clear lawful basis under the UK GDPR:

  • Provide osteopathic and movement services – we use your contact and health information to assess, diagnose and treat you. Legal basis: Contract (Article 6 (1)(b)); special‑category condition: Health‑care provision (Article 9 (2)(h)).

  • Maintain mandatory clinical records – required by the Osteopathic Practice Standards. Legal basis: Legal obligation (Article 6 (1)(c)); special‑category condition: health‑care provision.

  • Run bookings, take payment and send reminders (Acuity Scheduling, Stripe, Lopay). Legal basis: Contract and Legitimate interests (efficient operations).

  • Provide follow‑up advice by e‑mail, WhatsApp Business or SMS. Legal basis: legitimate interests; special‑category condition: health‑care provision.

  • Send newsletters or gift‑voucher offers. Legal basis: Consent – you can withdraw at any time.

  • Protect and improve our website – essential security logs and optional Google Analytics. Legal basis: legitimate interests.

We do not make automated decisions that have legal or similar effects on you.

4. Who we share it with

We share the minimum information required with trusted service providers who help us run the clinic. They are bound by confidentiality contracts and include:

  • Acuity Scheduling (Squarespace Inc., USA) – online bookings, forms and secure storage of treatment notes.

  • Stripe, Inc. (USA) and Lopay Ltd. (UK/EU) – card payments.

  • Proton AG (Switzerland) – encrypted storage of business finance records.

  • Meta Platforms – WhatsApp Business messaging.

  • Heidi Health AI Medical Scribe (EU/EEA) – securely transcribes consultations and drafts notes.

  • SMS gateway providers for text reminders.

We never sell or rent your data. We will disclose it to authorities only if the law requires it.

5. International transfers

Some suppliers operate in the United States. We rely on the UK‑US Data Bridge or Standard Contractual Clauses to keep those transfers lawful. Proton Drive is hosted in Switzerland, a country recognised by the UK as providing adequate protection.

6. How long we keep it

  • Adult treatment notes – 8 years after last visit.
  • Under‑18 notes – until age 25.
  • Financial & tax records – 7 years.
  • Analytics & server logs – up to 12 months.
  • Marketing list – until you opt out or 2 years after last interaction.

7. Your rights

You can ask us to access, correct, erase, restrict or object to our use of your personal data, and to transfer it to another provider. If we rely on consent you can withdraw it at any time.

E‑mail [email protected] and we will respond within one month. You may complain to the ICO if you are unhappy.

8. Cookies & analytics

    • No cookies on the main site – our informational pages load without placing any cookies or tracking pixels on your device.

    • Booking page cookies – when you open our Acuity Scheduling calendar, Squarespace sets:

      • essential session cookies so the calendar works; and

      • a single Google Analytics cookie (_ga) that tells us how many visitors reach the booking page. We do not use Google Ads, remarketing or any other marketing cookies.

    • Managing analytics – you can block or delete the Google Analytics cookie at any time using your browser settings or Google’s opt‑out browser add‑on. The booking page will still function.

    • Security logs – like most websites, Squarespace, our Acuity Scheduling provider, automatically records basic access logs (IP address, browser type and date/time) for security and troubleshooting. We do not actively collect additional logs.

9. Keeping your data safe

Your information is encrypted in transit, stored on access‑controlled systems, and backed up securely.  

10. Changes to this notice

If we change anything important—such as new software providers or marketing activities—we’ll update this page.
