Privacy Policy

1. Introduction

This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data, and keep it safe.

We know that there’s a lot of information here but we want you to be fully informed about your rights, and how Core Clapton uses your data.

We hope the following sections will answer any questions you have. If not, please do get in touch with us.

It’s likely that we’ll need to update this Privacy Notice from time to time. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish.​

2. What is Core Clapton?

Core Clapton is a Registered Charity (No. 1166246) whose premises are at 161 Northwold Road, Upper Clapton, London, E5 8RL.

CORE stands for the Centre for Osteopathic Research and Excellence and is a pioneering social healthcare clinic, set up to provide reduced cost osteopathic treatment to those who normally wouldn't be able to afford it. It is also a centre of excellence for newly graduated osteopaths keen to further their learning with our team of expert mentors, and a research hub for advancing osteopathic healthcare.

At Core Clapton’s premises, we hold various wellness and exercise classes, that are on offer to anyone whether they are receiving osteopathic treatment from us or not.

We also use the Core Clapton premises as an event space, hiring it for private events and holding our own community events in the building.

For simplicity throughout this notice, ‘we’ and ‘us’ means Core Clapton.

3. Explaining the legal bases we rely on

The law on data protection sets out a number of different reasons for which an organisation may collect and process your personal data. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service.

There are several bases for which we collect your data:


In specific situations, we collect and process your data with your consent.

For example, when you tick a box to receive email newsletters, information about events or classes being held at Core Clapton, or when you tick a box to receive details of offers and services or marketing information.

Contractual obligations

In certain circumstances, we need your personal data to comply with our contractual obligations.

For example, if you provide your data to us so that you can enrol into classes and wellness sessions, we will use this data to ensure we fulfil that contract with you.

Legal compliance

If the law requires us to, we may need to collect and process your data.

For example, we have to collect your personal data to process and retain payment details for wellness classes and osteopathy treatments, as these constitute financial transactions. We also have a legal requirement to collect, process and retain medical or clinical data about you, when you attend for treatments.

Legitimate interest

In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running Core Clapton and which does not materially impact your rights, freedom or interests.

For example, we use anonymised medical and clinical data about our patients for analysis, to include in our research and this may be used in publications e.g. papers or journals.

Special Category Data

If you are a patient, medical and clinical data about you is classified as Special Category Data. When we collect this data, processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

4. When do we collect your personal data?

  • When you book or attend a clinic appointment or treatment session
  • When we record what happened in a clinic appointment or treatment session and any background information about your relevant medical history
  • When you contact us by telephone, email or through our website and express an interest in being sent information or kept up to date on any of the services that Core Clapton has to offer
  • When you register to use our booking system, and use your account to book a place on or pay for a class being held at Core Clapton
  • When you engage with us on social media and ask us to keep in touch with you about our offers and services
  • When you contact us by any means with queries, complaints etc
  • When you choose to complete any surveys we send you or enter any competitions
  • When you fill in any forms. For example, registration forms for treatment, or any other forms you may complete relating to Core Clapton’s services

5. What sort of personal data do we collect?

If you attend one of our clinic appointments or treatments, we record details such as your name, address, gender, date of birth, email, telephone number and any relevant medical history. We also record details of the appointment, what happened, what treatment and advice was provided or recommendations made. If you provide us with any medical documentation, we may also record a copy of this in our system.

If you register to book onto a class using our online software, you create an account which includes details such as your name, address, gender, email, telephone number and preferences about classes you are interested in. It also stores details of classes you are booked onto or have attended.

If you have expressed an interest in our events hire or management, staying in touch with Core Clapton or receiving details of offers, products and services, we record your name, address, email and telephone number.

6. How and why do we use your personal data?

We want to give you the best possible customer experience. In addition, we have legal obligations in respect of financial data and medical or clinical data.

The data privacy law allows us to process medical and clinical data as part of our legitimate interest in understanding how osteopathy benefits our patients and providing the highest levels of service as well as contributing to the field of research in this subject area.

Of course, if you wish to change how we use your data, you’ll find details in the ‘What are my rights?’ section below.

Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.

For example, if you’ve asked us to let you know when an event is happening, we can’t do that if you’ve withdrawn your general consent to hear from us.

Here’s how we’ll use your personal data and why:

  • We use your data to inform you of Core Clapton offers, services or products that you might be interested in. This is commonly known as direct marketing;
  • We use your data to keep you up to date with what’s happening at Core Clapton, via our regular newsletters;
  • We use your medical and clinical data to ensure continuity of care and to give you the very best care possible through our osteopathy treatments;
  • We use your data, with your permission, to keep your GP updated about your treatment episode;
  • We use anonymised medical and clinical data in our research, for example, to analyse trends, treatment paths or efficacy which in turn allows us and other osteopathic professionals to constantly improve the service we provide you. The outputs of our research may be published in industry papers or journals but we would never refer to any of our patients specifically, or publish any information about you that could lead to you being recognised

7. How we protect your personal data

We know how much data security matters to all our customers and patients. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.

We insist that access to all transactional areas of our websites and systems use ‘https’ technology.

Access to systems containing your personal data is password-protected, and sensitive data such as payment card information is secured to ensure it is protected. We limit the number of people that have access to our systems and your data and only give access to those who absolutely require it.

We work with the suppliers of our business systems to regularly monitor our system for possible vulnerabilities and attacks.

8. How long will we keep your personal data?

Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.

At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis.

Some examples of data retention periods:


When you have entered into a financial transaction with us, we’ll keep the personal data you give us for seven years so we can comply with our legal and contractual obligations.

Medical and Clinical Records

Core Clapton will process personal data during the duration of any treatment and will continue to store only the personal data needed for eight years after the contract has expired to meet any legal obligations. After eight years all personal data will be deleted, unless basic information needs to be retained by us to meet our future obligations to you, such as erasure details. Records concerning minors who have received treatment will be retained until the child has reached the age of 25.​

9. Who do we share your personal data with?

We sometimes share your personal data with trusted third parties. Here’s the policy we apply to those organisations to keep your data safe and protect your privacy:

  • We provide only the information we need to perform our specific services
  • They may not use your data for their own purposes
  • We work closely with them to ensure that your privacy is respected and protected at all times.
  • If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.

Examples of the kind of third parties we work with are:

  • IT companies who support our website and other business systems.
  • Direct marketing companies who help us manage our electronic communications with you.

To help us provide our services to you, we currently use the following companies who will process your personal data as part of their contracts with us:




In some very specific circumstances, we may need to share your data with third parties for their own purposes, for example:

For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.

We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.

For further information please contact us on

10. Where your personal data may be processed

Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA).

Protecting your data outside the EEA

The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.

We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA such as Australia or the USA.

If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you wish for more information about these contracts please contact our administration team on

Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.

11. What are your rights over your personal data?

You have the right to request:

  • Access to the personal data we hold about you, free of charge in most cases.
  • The correction of your personal data when incorrect, out of date or incomplete.
  • That we stop using your personal data for direct marketing (either through specific channels, or all channels).
  • That we stop any consent-based processing of your personal data after you withdraw that consent

You can contact us to request to exercise these rights at any time as follows:

To ask for your information please contact  To ask for your information to be amended or deleted please update your own account in Mind and Body Online or contact our administration team on the above email.

If we choose not to action your request we will explain to you the reasons for our refusal.

Your right to withdraw consent

Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

Where we rely on legal compliance

In cases where we are processing your personal data on the basis of legal compliance, we may not be able to delete or amend your data.

Where we rely on our legitimate interest

In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.

We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.

Checking your identity

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. Core Clapton will accept the following forms of identification (ID) when information on your personal data is requested: a copy of your driving licence, passport, birth certificate and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and a supporting document is required. If Core Clapton is dissatisfied with the quality, further information may be sought before personal data can be released. In the case of a child, identity will be confirmed for both the child and their parent or guardian making the access request.

If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.

12. How can you stop the use of your personal data for direct marketing?

You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.

Click the ‘unsubscribe’ link in the email communication that we send you. We will then stop any further emails from that particular system.

If it relates to our class booking system, log in to Mind Body Online, visit the ‘My Account’ area and change your preferences.

Contact our administration team on

Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.