Privacy Policy

What is a privacy notice

Under EU wide general data protection regulation (GDPR) you, as a patient, have specific rights. To communicate these rights to you in a clear and concise manner, we are providing you with this privacy notice.

To be able to document and process your personal data, under GDPR you must give us explicit consent. This Privacy Policy describes how and when we collect, use, and share information when you attend an appointment at any of the Back on Track Healthcare Clinics, purchase a product from us, contact us, or otherwise use our services. This is to comply with the General Data Protection Regulations (GDPR) 2018.

Who we are

Practitioners at our clinics diagnose, treat and rehabilitate health conditions. This is carried out in accordance with the individual governing bodies of the practitioners. All are insured with their relevant governing bodies.

 Personal Data

We have a legal contractual obligation to collect personal data for the purposes of providing care and practitioners may require detailed medical information. We will only collect what is relevant and necessary for your care.

This data is always held securely and is not shared with anyone not involved in your care. For data storage purposes non-medical pre-vetted staff that have signed a GDPR processor agreement will handle some of the data.

We may use your contact details to remind you of future appointments, or other information concerning your treatment. We may also use your contact information to send you our newsletter or other information which the practice believes may be of use to you – for which you must give us explicit consent.

We occasionally take part in surveys or medical studies and we would use your anonymised data to add to the advancement of understanding within healthcare.

Our website uses which uses cookies to help us to identify and track visitors and their website access preferences. Any website visitors who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using the website.

Sharing your personal data

We will only share your personal data with outsourced providers of accounting services to process your payments and insurance payments and we use a telephone answering service to handle our excess calls. These providers are deemed our processors and we have a contract with them to ensure your data is secure.
We may also share your medical data with external treatment providers such as your GP or a medical consultant with your explicit consent.

Data storage

All Data is held in the United Kingdom. We do not store personal data outside the EEA.

Your rights

At any point whilst we are in possession of, or processing your personal data, all data subjects have the following rights:
Right of access – you have the right to request a copy of the information we hold about you – you can make a subject access request and you will need to provide identification. There is no charge for this. Please ask at reception if you require more information.
Right of rectification – you have the right to correct data that we hold about you that is inaccurate or incomplete.
Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
Right of restriction of processing- where certain conditions apply you have the right to restrict the processing.
Right of portability – you have the right to have the data we hold about you transferred to another organisation.
Right to object – you have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing, including profiling – we don’t do this at our clinics. As healthcare providers in the COVID-19 global pandemic we are obliged to provide your contact details to track and trace when required. This overrides your rights under GDPR.

Online payment 

We have the ability through our card provider (Stripe), to take payment via our online booking facility, but no payment is taken in advance of an appointment and full terms to consent to our payment processing are available to view on the intake form which is required to be completed before your first appointment. 

Should a refund for any reason be required to be made (for example payment being taken in error), we can apply payment back to the card which has been registered with Stripe at the time of booking.

Data breaches

Should your personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedoms, we will contact you without delay. The breach will be dealt with by our data protection officer (details below), who will explain to you the nature of the breach and the steps we are taking to deal with it.



How to Contact Us

For purposes of the GDPR, Kieran Chhabra is the data controller of your personal information. If you have any questions or concerns, you may contact me via email:

In the event that you wish to make a complaint about how your personal data is being processed by us you have the right to complain to us. If you do not get a response within 30 days, you can complain to the ICO.
Wycliffe House, Water Lane, Wilmslow, SK9 5AF Telephone +44 (0) 303 123 1113 or email:

Updates due to CoVID-19 – as of 7 June 2020

With Guidance from NHS England we are able to see patients for face to face consultations. If you are shielded we cannot see you face to face but can offer you an online consultation – see the guidance below.

If you are moderate risk; over 70 and/or have some types of chronic health conditions such as high blood pressure or diabetes we will risk asses you to help guide you as to whether a face to face consultation is appropriate. If not an online consultation may be able to help you until we can get you in, please see the guidance below. Please ring the clinic for advice.

We take the security and privacy of your data very seriously. During this pandemic we need to make you aware that GDPR guidance is superseded by the legal requirement to provide basic contact information should Public Health England require it under the track and trace system.


CoVID-19:  Online Communication Guidance during CoVID19 

The healthcare system is facing many challenges, and in the current circumstances delivering care to our patients will change. 

The clinic will still follow GDPR guidelines as laid out in its policy.  However, in these extenuating circumstances we have had to implement a rapid approach to the creation of online remote services to minimise risk and exposure to patients and staff.

Remote consultations may be essential as we cannot see all of our patients face to face.

If you feel you need to have a physical examination, or do not consent to sharing your information via these methods, this service may not be appropriate for you.  

We will use the Jane App for the majority of communication via email, SMS, phone and one to one consultations.

Guidance for Video calls

Video conferencing is encouraged by Public health England and the NHS to support patients. This will reduce the spread of CoVID19. 

It is fine to use a variety of Video conferencing tools – we will be using Jane app for all one to one consultations.

It is your own responsibility to ensure that the device you use to access remote consultations and classes is secure. It is best to use your own WiFi, and not public WiFi. 

  • Ensure you have adequate security, anti-virus and anti-spyware protection on your computer or device. 
  • No consultation will be recorded by the clinic or the clinician. Please advise the clinic and clinician if you wish to record the consultation. 
  • If using a mobile, you must know this is only as secure as any other phone call on that mobile network. 
  • Ensure privacy and close the door with a sign on the door if necessary. We appreciate some will be looking after children. It is your responsibility to consider safeguarding of other adults and minors who are in your care, and who may be present during classes and consultations. 
  • There will be an option to either have a video of yourselves appear during the consultation.  This your choice and can be turned off if you prefer not to, or if it is in the interest of your own/family’s confidentiality and safeguarding. 


Remote consultations are voluntary for any patient but as we are no longer able to offer face to face classes or consultations for some patients this provides a way to continue to offer good healthcare advice, exercise and classes. In addition, it’s a way of staying connected and some routine when we are all somewhat isolated. 

The consent of you the patient or service user is implied by accepting the invite and entering the consultation. 

We will take all possible steps to ensure patient confidentiality and safeguarding at all times. 

Information We Collect

To aid your treatment or as part of purchasing something from our business you will normally provide us with certain information, such as your name, email address, postal address, medical information and payment information. We will store your information on an electronic patient record and diary system which is fully password protected. This data is always held securely, is not shared with anyone not involved in your treatment, although for data storage purposes it may be handled by pre-vetted staff who have all signed an integrity and confidentiality agreement.

Why We Need Your Information and How We Use It
We will only collect what is relevant and necessary for your treatment. We rely on a number of legal bases to collect, use, and share your information, including:

  • where it is necessary for the purposes of the provision of health care as needed to provide our services, such as when we use your information to fulfil your assessment and treatment, or to provide customer support, remind you of future appointments, annual assessments, provide reports or other information concerning your treatment;
  • if necessary to comply with a legal obligation or court order or in connection with a legal claim, such as retaining information about your purchases if required by tax law;
  • When you contact us, we may use the contact details provided by you to respond to your enquiries, including making telephone contact and emailing information to you which the clinic believes may be of interest to you.
  • In making initial contact with the clinic you consent to us maintaining a marketing dialogue with you until you either opt out (which you can do at any time) or we decide to desist in promoting our services.
  • We do not broker your data and you can ask to be removed from our marketing database by emailing or phoning the clinic using the contact details provided at the end of this Privacy Notice.
  • Some basic personal data may be collected about you from the marketing forms and surveys you complete, from records of our correspondence and phone calls and details of your visits to our website, including but not limited to, personally identifying information like Internet Protocol (IP) addresses.

Information Sharing and Disclosure

Information about our patients/customers is important to our business. We share your personal information for very limited reasons and in limited circumstances, as follows:

  • Medical professionals. With your consent we will share information with medical professionals such as your GP or consultant to allow continuity of care.
  • Service providers. We engage with certain trusted third parties to perform functions and provide services to our business, such as external reception services, orthotic laboratories for bespoke orthotic manufacture, and health insurers. We will share your personal information with these third parties, but only to the extent necessary to perform these services.
  • Business transfers. If we sell or merge this business, we may disclose your information as part of that transaction, only to the extent permitted by law and with your consent.
  • Compliance with laws. We may collect, use, retain, and share your information if we are legally required to.

Data Retention

We retain your personal information only for as long as necessary to provide you with our services and as described in our Privacy Policy. However, we may also be required to retain this information to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements. The retention of records is normally a minimum of 8 years, after the last appointment, or until the age of 25 in the case of someone aged 16 – 18. For customers who are not patients but may have bought products from my business we will keep any data you may have provided for a minimum of 6 years.

Promotional Information

For the purposes of promoting healthcare including offers and advice the clinic would also like to stay in touch with you, with information that may be of interest to you. This may include promotions, product offers, advice and tips, seasonal and birthday promotions, general information, newsletters, health awareness and well-being.