Privacy Policy

Who we are

Our website address is:

Privacy policy and GDPR

The Clinic is aware of its obligations under data protection law, known as the General Data Protection  Regulation (“GDPR”) and is committed to protecting the privacy and security of each patient’s personal information.

This privacy policy describes how we collect and use personal data about each patient during and after your time as a patient of this Clinic. It also sets out how the Clinic uses that information, how long the Clinic keeps it for and other relevant information about your personal data.

Please note in this policy:“you” and “your” refers to any patient receiving osteopathic, remedial massage, acupuncture, reflexology treatment or care at the Clinic, whether current or at any time in the past. “We”, “our” and “us” refers to the chiropractic practitioner(s) and any staff representing the Clinic.

Data Controller Details

The Clinic is a data controller, meaning that it determines the processes to be used when using your personal data.

Our contact details are as follows: 21 Queen Charlotte St, Leith, Edinburgh, EH6 6BA.

Data Protection Principles

In relation to your personal data, we will comply with our obligations under GDPR. This says that the personal information we hold about you must be:

  • processed fairly, lawfully and in a clear, transparent way;
  • collected only for valid reasons that we find proper for the course of your time as a patient and not used in any way that is incompatible with this purpose;
  • only used in the way that we have told you about;
  • accurate and up to date;
  • kept only as long as is necessary for the purposes outlined in this privacy policy;
  • process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed
  • kept securely;

Types of Information We Hold About You

Personal data or information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed. Such data may include:

  • your personal details including your name, address, date of birth, email address, phone numbers;
  • gender;
  • personal medical or health information, including past medical history
  • information concerning examination and treatment at your first and subsequent visits;
  • letters of referral to or from the Clinic regarding your treatment with us.

How We Collect Your Data

We collect data about you in a variety of ways and this will usually start when you make an initial enquiry to the Clinic or book an online appointment and continue when you attend your first and subsequent appointments.

We keep both paper and electronic records. Information we write down on paper may be transferred to our electronic system. We may receive information about you from your GP or other health care provider regarding your referral or, with your permission, additional information that will help us continue with your treatment. We may also hold the results of tests that you have undertaken and that are relevant to your treatment with the Clinic.

Personal data is kept in the Clinic: hard copies are kept secure in cabinets that are locked at all times. Electronic copies of data are kept secure encrypted computers that are password protected, backups of data are done on encrypted media. We also use cloud storage to protect data from hazards such as fire or
floods. The cloud storage we use is two factor authenticated and data transfer is encrypted.

Why We Process Your Data

GDPR allows us to process your data for specific reasons only, these are classified as legitimate interests. Most commonly, we will use your personal information in the following circumstances:

  • in order for us to perform our services contract with you (your requesting treatment/care and our agreement to provide it to you constitutes a contract) which will include confirming appointments, informing you of changes to appointments or Clinic arrangements, changes to facilities or services at the
  • in order to provide you with the best possible treatment by recording health and treatment information which would be in your best interest;
  • in order to carry out legal duties such as those required by me or my government-appointed regulator;
  • where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests.

In exceptional circumstances, we may use your personal information where:

  • we need to protect your or someone else’s interests;
  • it is in the public interest or for official purposes.

How We Will Use Your Personal Information

We collect all the categories of personal information in order to allow us to perform our contract delivering treatment/care services to you and to enable us to comply with our legal obligations.

If You Do Not Provide Your Data To Us

One of the reasons for processing your personal data is to allow us to perform our obligations under your contract of services with us. If you do not provide us with the personal data needed to do this, we will be unable to perform those services of providing care/treatment in your best interests. Not providing us with your personal data means that we will be unable to meet our legal obligations and ethical duties as practitioners in the Clinic and this may prevent us from providing any care/treatment to you.

Change of Purpose

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, where this is required or permitted by law.

Automated Decision-Making

No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

Sharing your Data

Your personal data will be shared with colleagues within the Clinic but only where it is necessary for them to undertake their duties at the Clinic. This includes, for example, other practitioners working for, at or on behalf of the Clinic, reception and other administrative staff.

We may share your data with third parties in order to facilitate a referral to another healthcare practitioner such as an X-ray/scan provider, for other investigation or to keep your GP informed about your progress with treatment.

We may also share your data with third parties as part of a Clinic sale or restructure, or for other reasons to comply with a legal obligation upon us. We would always keep you informed of these situations.

Transferring information outside the EU

We do not share your data with bodies outside of the European Economic Area.

Data Security – Protecting Your Data

We have put in place measures to protect the security of your information against accidental loss or disclosure, alteration, unauthorised access, destruction or abuse. We have implemented processes to guard against such. Such measures include but are not limited to data encryption, firewalls, up to date
security software, data backups, password security protocols, locked filing cabinets for paper files, secured windows and doors to the Clinic.

In addition, we limit access to your personal information to those employees, agents, contractors and third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

Where we share your data with third parties, we provide written instructions to them to ensure that your personal data are held securely and in line with GDPR requirements. GDPR requires third parties must implement appropriate technical and organisational measures to ensure the security of your data.

Cookie Policy

The Clinic website uses basic session cookies in order to facilitate your use and online experience of the website and ensure that it functions as it is intended to.

To avoid any doubt, “cookies” are small text files that are automatically saved to your device when you access our website. A list of “cookies” used by our website can be found in the attached schedule at the bottom of the page.

How Long We Keep Your Data For

In accordance with GDPR principles, we only keep your data for as long as we need it, which will be at least for the duration of your being a patient with us. We are legally required, by the osteopathic regulator (the “General Osteopathic council”), to keep this data for eight years after your time as a patient has ended.

To determine any appropriate retention period for personal data beyond eight years, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we
can achieve those purposes through other means and the applicable legal requirements.

Once we no longer have a lawful use for retaining your personal information, we will dispose of it in a secure manner that seeks to maintain data security.

In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Your Duty To Inform Us Of Changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if any of your personal information changes during your time as a patient with us.

Your Rights In Relation To Your Data

The law on data protection gives you certain rights in relation to the personal
data we hold on you, as follows:

  • right of access – you have the right to access the data that we hold on you.
  • right for any inaccuracies to be corrected – if any data that we hold about you is incomplete or inaccurate, you can require us to correct it.
  • right to be informed – we are required to tell you how we use your data, and this is the purpose of this privacy policy. We also must inform you of any changes to how we use your data.
  • right to have information deleted – if you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it.
  • right to restrict the processing of the data – for example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct.
  • right to portability – you may request transfer of the data that we hold on you for your own purposes.

If you want to access your data, review, verify or correct your data, request we erase your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Clinic’s Data Protection Officer by email at or in writing and send by post marked for the attention of The Data Protection Officer, 21 Queen Charlotte St, Leith, Edinburgh, EH6 6BA


You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee for a second or subsequent copy of information or if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What We May Need From You

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right To Withdraw Consent

Where you have provided consent to the collection, processing and transfer of your data, you have the right to withdraw that consent at any time. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate legal
reason for doing so.

To withdraw your consent, please contact the Clinic’s Data Protection Officer by email at or in writing and send by post marked for the attention of The Data Protection Officer, Soma Clinic, 21 Queen Charlotte St, Leith, Edinburgh, EH66BA

Making A Complaint

If you have any questions about this Privacy Policy or how we handle your information, please contact the Clinic’s Data Protection Officer by email at or in writing and send by post addressed to The Data Protection Officer, Soma Clinic, 21 Queen Charlotte St, Leith, Edinburgh, EH6 6BA.

You have the right to make a complaint at any time to the supervisory authority in the UK for data protection matters, the Information Commissioner’s Office (“ICO”).

Cookies That Can Be Found on our Site

The cookies shown below are for statistical purposes to monitor the number of visitors to our website, through Google Analytics and for receiving payment through paypal.

Cookie Name Cookie Purpose
_ga Google analytics anonymous type – to detect number of statistic ie users to the site etc
_gid Google analytics anonymous type – to detect number of statistic ie users to the site etc
_gat This cookie does not store any user information, it’s just used to limit the number of requests that have to be made to PYPF Paypal : used for paypal login system