This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data, and keep it safe.
We know that there’s a lot of information here but we want you to be fully informed about your rights, and how Core Clapton uses your data.
We hope the following sections will answer any questions you have. If not, please do get in touch with us.
It’s likely that we’ll need to update this Privacy Notice from time to time. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish.
Core Clapton is a Registered Charity (No. 1166246) whose premises are at 161 Northwold Road, Upper Clapton, London, E5 8RL.
CORE stands for the Centre for Osteopathic Research and Excellence and is a pioneering social healthcare clinic, set up to provide reduced cost osteopathic treatment to those who normally wouldn't be able to afford it. It is also a centre of excellence for newly graduated osteopaths keen to further their learning with our team of expert mentors, and a research hub for advancing osteopathic healthcare.
At Core Clapton’s premises, we hold various wellness and exercise classes, that are on offer to anyone whether they are receiving osteopathic treatment from us or not.
We also use the Core Clapton premises as an event space, hiring it for private events and holding our own community events in the building.
For simplicity throughout this notice, ‘we’ and ‘us’ means Core Clapton.
The law on data protection sets out a number of different reasons for which an organisation may collect and process your personal data. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service.
There are several bases for which we collect your data:
In specific situations, we collect and process your data with your consent.
For example, when you tick a box to receive email newsletters, information about events or classes being held at Core Clapton, or when you tick a box to receive details of offers and services or marketing information.
In certain circumstances, we need your personal data to comply with our contractual obligations.
For example, if you provide your data to us so that you can enrol into classes and wellness sessions, we will use this data to ensure we fulfil that contract with you.
If the law requires us to, we may need to collect and process your data.
For example, we have to collect your personal data to process and retain payment details for wellness classes and osteopathy treatments, as these constitute financial transactions. We also have a legal requirement to collect, process and retain medical or clinical data about you, when you attend for treatments.
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running Core Clapton and which does not materially impact your rights, freedom or interests.
For example, we use anonymised medical and clinical data about our patients for analysis, to include in our research and this may be used in publications e.g. papers or journals.
Special Category Data
If you are a patient, medical and clinical data about you is classified as Special Category Data. When we collect this data, processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
If you attend one of our clinic appointments or treatments, we record details such as your name, address, gender, date of birth, email, telephone number and any relevant medical history. We also record details of the appointment, what happened, what treatment and advice was provided or recommendations made. If you provide us with any medical documentation, we may also record a copy of this in our system.
If you register to book onto a class using our online software, you create an account which includes details such as your name, address, gender, email, telephone number and preferences about classes you are interested in. It also stores details of classes you are booked onto or have attended.
If you have expressed an interest in our events hire or management, staying in touch with Core Clapton or receiving details of offers, products and services, we record your name, address, email and telephone number.
We want to give you the best possible customer experience. In addition, we have legal obligations in respect of financial data and medical or clinical data.
The data privacy law allows us to process medical and clinical data as part of our legitimate interest in understanding how osteopathy benefits our patients and providing the highest levels of service as well as contributing to the field of research in this subject area.
Of course, if you wish to change how we use your data, you’ll find details in the ‘What are my rights?’ section below.
Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.
For example, if you’ve asked us to let you know when an event is happening, we can’t do that if you’ve withdrawn your general consent to hear from us.
Here’s how we’ll use your personal data and why:
We know how much data security matters to all our customers and patients. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.
We insist that access to all transactional areas of our websites and systems use ‘https’ technology.
Access to systems containing your personal data is password-protected, and sensitive data such as payment card information is secured to ensure it is protected. We limit the number of people that have access to our systems and your data and only give access to those who absolutely require it.
We work with the suppliers of our business systems to regularly monitor our system for possible vulnerabilities and attacks.
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis.
Some examples of data retention periods:
When you have entered into a financial transaction with us, we’ll keep the personal data you give us for seven years so we can comply with our legal and contractual obligations.
Medical and Clinical Records
Core Clapton will process personal data during the duration of any treatment and will continue to store only the personal data needed for eight years after the contract has expired to meet any legal obligations. After eight years all personal data will be deleted, unless basic information needs to be retained by us to meet our future obligations to you, such as erasure details. Records concerning minors who have received treatment will be retained until the child has reached the age of 25.
We sometimes share your personal data with trusted third parties. Here’s the policy we apply to those organisations to keep your data safe and protect your privacy:
Examples of the kind of third parties we work with are:
To help us provide our services to you, we currently use the following companies who will process your personal data as part of their contracts with us:
In some very specific circumstances, we may need to share your data with third parties for their own purposes, for example:
For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.
We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.
For further information please contact us on firstname.lastname@example.org
Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA).
Protecting your data outside the EEA
The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA such as Australia or the USA.
If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you wish for more information about these contracts please contact our administration team on email@example.com.
Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.
You have the right to request:
You can contact us to request to exercise these rights at any time as follows:
To ask for your information please contact firstname.lastname@example.org To ask for your information to be amended or deleted please update your own account in Mind and Body Online or contact our administration team on the above email.
If we choose not to action your request we will explain to you the reasons for our refusal.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
Where we rely on legal compliance
In cases where we are processing your personal data on the basis of legal compliance, we may not be able to delete or amend your data.
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.
We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. Core Clapton will accept the following forms of identification (ID) when information on your personal data is requested: a copy of your driving licence, passport, birth certificate and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and a supporting document is required. If Core Clapton is dissatisfied with the quality, further information may be sought before personal data can be released. In the case of a child, identity will be confirmed for both the child and their parent or guardian making the access request.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.
Click the ‘unsubscribe’ link in the email communication that we send you. We will then stop any further emails from that particular system.
If it relates to our class booking system, log in to Mind Body Online, visit the ‘My Account’ area and change your preferences.
Contact our administration team on email@example.com
Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.