PRIVACY POLICY
1. Introduction
This Privacy Policy explains how MyFootMedic (“MFM”, “we”, “our”, “us”) collects, processes, stores, and protects your personal data. We are committed to meeting the obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
MFM is registered with the Information Commissioner’s Office (ICO) as a Data Controller.
Contact details:
Data Controller: Luke McCarthy
Email: manager@myfootmedic.com
Clinic Address: 11A Stephenson Court, Fraser Road, Priory Business Park, Bedford, MK44 3WJ
2. What Personal Data We Collect
We may collect and process the following categories of personal data:
a. Patient Data
- Full name
- Date of birth
- Address
- Email and telephone number(s)
- Medical history, health records and consent forms
- GP/consultant/referrer details
- Clinical photographs, videos and images (where applicable)
- Appointment history
- Payment and invoicing information
- Emergency contact details
- Patient communications
b. Marketing and Communication Preferences
- Newsletter subscriptions
- Consent records for promotional communication
c. Website and Technical Data
- IP addresses
- Cookie preferences
- Website analytics (via services such as Google Analytics)
3. Lawful Basis for Processing
We only process personal data where we have a valid legal basis. Under Article 6 and Article 9 of the UK GDPR, our legal bases include:
Provision of healthcare (Article 6(1)(e); Article 9(2)(h)) – Necessary for medical diagnosis and provision of health or social care.
Consent (Article 6(1)(a)) – For marketing communications or optional data collection.
Legal obligation (Article 6(1)(c)) – To comply with tax, health, and safety regulations.
Legitimate interests (Article 6(1)(f)) – To improve services, provided your rights do not override these interests.
4. Use of AI in Clinical Documentation
MyFootMedic may use an AI-assisted tool to aid clinicians in documenting clinical notes.
- The AI tool is used only to support record-keeping efficiency and accuracy.
- No automated decision-making or diagnosis is carried out by the AI.
- Data is processed in accordance with UK GDPR requirements on encryption, access controls, and retention.
- You may opt out of AI-assisted documentation by contacting us directly.
Legal basis: Article 9(2)(h) – provision of health care.
5. How We Use Your Data
We use your data to:
- Provide podiatry and foot health services
- Maintain accurate medical and appointment records
- Communicate with you (appointment reminders, treatment updates)
- Manage billing and payment processes
- Ensure compliance with legal, regulatory, and clinical governance requirements
- Send marketing materials (if you have opted in)
We do not use your data for automated profiling or decision-making.
6. Sharing Your Personal Data
We only share your data when necessary and with appropriate safeguards:
- Healthcare professionals: With your consent or where necessary for continuity of care (e.g., GP or hospital consultant).
- Third-party service providers: Reception cover, IT systems (e.g., Cliniko), cloud-based storage, payment processors.
- Regulators and auditors: HCPC, ICO, HMRC, or where legally required.
- Legal claims or obligations: As required for defence or exercise of legal rights.
- Risk of serious harm: We may share information without your consent if we believe there is a serious risk of harm to you or others. This may include contacting appropriate medical professionals, emergency services, or safeguarding authorities, in line with our professional duty of care.
We require all third parties to adhere to UK GDPR standards via written data processing agreements.
7. Data Retention
We retain personal data for only as long as necessary, including:
- Medical records: 8 years after the last appointment (or until age 25 if treated as a child, whichever is longer)
- Financial records: 6 years (in line with tax and accounting requirements)
- Marketing consent: Until you withdraw consent or request deletion
8. International Data Transfers
Some data processors (e.g., software providers or cloud services) may store data outside the UK. In such cases:
- We only use providers with adequate safeguards (e.g., UK-US Data Bridge, Standard Contractual Clauses, or UK adequacy decisions).
- You can request a copy of relevant safeguard documentation.
9. Your Data Protection Rights
You have the following rights under UK GDPR:
- Right to access – Request a copy of the personal data we hold about you
- Right to rectification – Correct inaccurate or incomplete data
- Right to erasure – Request deletion of data where lawful and applicable
- Right to restrict processing – In limited circumstances
- Right to object – Particularly to marketing or processing based on legitimate interests
- Right to data portability – In certain cases
- Right to withdraw consent – Where processing is based on consent
- Right to complain – To the ICO at www.ico.org.uk
To exercise any of your rights, please contact: manager@myfootmedic.com
10. Security Measures
We take appropriate technical and organisational measures to safeguard your data, including:
- Encrypted data storage
- Password-protected systems and devices
- Staff confidentiality agreements and regular GDPR training
- Access controls on patient records
- Routine audits and system reviews
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any changes will be published on our website and clearly dated.
Where material changes affect your rights or processing practices, we will notify you directly.
12. Contact Details
If you have any questions about this policy or how we handle your data, please contact:
Luke McCarthy
Email: manager@myfootmedic.com
Clinic: MyFootMedic
