Privacy Policy — Your Privacy Matters
1. Who we are
Salveo Forma is the trading name of Debbie Richards, a sole trader (“Salveo Forma”, “we”, “us”, “our”). We arrange home physiotherapy and occupational therapy across Dorset, Hampshire, Wiltshire, and Somerset & Avon, and we operate the website www.salveo-forma.com (the “website”).
For the purposes of UK data protection law, the data controller is Debbie Richards trading as Salveo Forma Physiotherapy. We are registered with the Information Commissioner’s Office (ICO) as a data controller, registration reference ZB666876 (registered 6 March 2024).
You can contact us about anything in this policy by phone on 07384 590177 or by email at enquiries@salveo-forma.com.
This policy explains how we collect, use, protect and share personal data when you use our website or our services. It starts with a short plain-English summary, followed by the full detail.
2. In simple terms
Do we collect your data?
Yes. We need some information from you to contact you and arrange appointments. If you use our contact forms, that information is stored for those purposes. If you call us, we will take notes to build a contact profile for you should you wish to make an appointment. If you become a client, your therapist will keep clinical records of your assessment and treatment.
Do we share your data?
We never sell your data, and we do not share it for marketing. Your information is used only for the purpose it was given — contacting you and providing your care. The exception is information that needs to be shared with another healthcare professional involved in your care, such as your GP — and this is only done with your consent, or where the law requires it.
How long do we keep your data?
Contact information is kept only as long as needed — if you decide not to proceed with treatment, it is deleted. Clinical records are kept for the periods required of healthcare providers: typically 8 years after your last treatment for adults, and until age 25 for children (see section 10). Records are stored on WriteUpp, a secure clinical system that is ISO 27001 compliant with 256-bit SSL encryption, and all our systems use two-factor authentication.
3. Definitions
- Personal data — any information that can identify a living person, such as your name, email address, phone number or date of birth.
- Special category data — more sensitive personal data with extra legal protection, including information about your health, ethnic origin, religious beliefs or sexual orientation.
- Data controller — the person who decides why and how personal data is processed. For this policy, that is Debbie Richards trading as Salveo Forma Physiotherapy.
- Data processor — any person or organisation that processes personal data on the controller’s behalf, such as our clinical records system or our self-employed therapists.
- Usage data — information collected automatically about how you use our website, such as the pages you visit and how long you spend on them.
- Cookies — small pieces of data stored on your device by websites you visit (see section 8).
4. The information we collect
Basic contact information
When you make an enquiry: your name and contact details such as email address and phone number.
Client information
If you become a client: your address, date of birth, gender, marital status, and next of kin (with their basic contact details); medical information relevant to your condition or treatment plan, including relevant medical history; records of your examination and treatment from your first assessment and all subsequent visits; and clinical referral letters.
Special category data
Health information is special category data and has greater legal protection. We use it to ensure your treatment and care are appropriate to your condition and beliefs, and to identify any limitations, requirements or adjustments needed for your care. We process health data under Article 9(2)(h) of the UK GDPR — the provision of health or social care — alongside the duty of confidentiality owed by our HCPC-registered therapists. Where consent is the appropriate basis for a particular use, we will ask for it explicitly and record it.
Website usage data
When you visit our website, usage data such as pages visited and time on page is collected through cookies and analytics (see section 8).
5. How and why we use your information
UK data protection law requires a lawful basis for each use of your data. We most commonly use your information:
- To carry out our contract with you — confirming, arranging and adjusting appointments, and providing your treatment and care.
- To record health information — keeping accurate clinical records so your therapist can plan and deliver safe, effective treatment.
- To meet legal and regulatory obligations — for example responding to a regulator or a court order.
- For our legitimate interests — running the business effectively, where your interests and rights do not override those interests. This includes evaluating clinical performance through audit (data is anonymised), managing incidents, investigating concerns or complaints, and maintaining effective IT and governance.
- To seek feedback — we monitor our service to keep improving it, and feedback is normally collected in a way that does not identify you.
In rare circumstances we may also use or share data: to protect someone’s vital interests; where it is in the public interest or required for official purposes; where we are defending a legal claim (sharing relevant information with our insurers and legal advisers); or to support organisations with regulatory functions. We may be required to share data without consent in limited cases, such as the prevention or detection of serious crime, protecting someone from serious harm, or under a court order.
A full record of our lawful bases and retention periods is available in our Data Retention Record.
If you choose not to provide data
You are always free to decide what information you share. However, if we do not have the information needed to deliver your care safely and effectively, we may be unable to provide or continue treatment.
Changing the purpose of data use
We only use your data for the purpose it was collected, unless another use is compatible with that purpose. If we ever need to use your information for an unrelated purpose, we will tell you and explain the legal basis.
Automated decision-making
We do not use automated decision-making. No decision that affects you will ever be made about you without the involvement of a person.
6. Our therapists and your data
Our HCPC-registered physiotherapists and occupational therapists are self-employed practitioners engaged by Salveo Forma. Each therapist is bound by a written agreement that requires them to process your personal data only on our instructions, keep it confidential, store it securely, and never transfer it outside the UK. They are also bound by the professional confidentiality standards of the HCPC. Within the team, your information is shared only where strictly required for your care — for example, when a physiotherapist hands over to an occupational therapist so your treatment can continue.
7. Who we share your data with
We never sell your data. We may share information:
- With healthcare professionals involved in your care — such as your GP, consultant or case manager — with your consent, or where it is clearly in your best interests or required by law.
- With your private medical insurer, where you have asked us to invoice them for your treatment.
- With trusted service providers who support our business (see section 9), all of whom are bound by data processing obligations.
- With regulators, courts or law enforcement where the law requires it.
Transfers outside the UK
We do not routinely transfer your data outside the UK. In the unlikely event we need to — for example, sharing your treatment history with a healthcare provider abroad at your express request — we would only do so where appropriate safeguards required by the UK GDPR are in place and the recipient’s data protection standards are comparable to our own.
8. Cookies and analytics
Our website is built on Squarespace, which sets cookies that are strictly necessary for the site to function and to remember your preferences. We also use Google Analytics, which sets cookies to help us understand how visitors find and use our site — such as which pages are visited and how people arrive. We use this only to improve the website.
We do not use cookies to sell advertising or share your activity with third-party advertisers.
You can manage cookies through the Privacy Settings link in the footer of our website, through your browser settings, or by installing the Google Analytics opt-out browser add-on. Disabling some cookies may affect how the website works.
9. The systems we use
Your clinical records are not stored on our website. We use trusted, secure platforms:
- Clinical notes: WriteUpp — a secure practice management system widely used by UK healthcare professionals, ISO 27001 compliant with 256-bit SSL encryption.
- Website and enquiry forms: Squarespace.
- All our systems use two-factor authentication as standard.
Where data must be shared with a service provider, we ensure the recipient has equivalent data security measures in place, in line with UK GDPR requirements.
10. How long we keep your data
We keep personal data only as long as necessary for your care and our legal obligations. The headline periods are:
- Enquiries that do not proceed to treatment: deleted once no longer needed.
- Adult clinical records: 8 years after your last treatment, in line with healthcare record-keeping guidance.
- Children’s clinical records: until the child’s 25th birthday (or 26th if they were 17 at the end of treatment).
- Records of long-term illness or illness that may recur: 30 years, or 8 years after death.
- Invoices and financial records: 6 years.
Our full retention schedule, including lawful bases for each record type, is published in our Data Retention Record.
11. Marketing
We do not send marketing communications. If you have joined our mailing list, we hold your email address but do not currently use it for marketing and have no plans to do so. If that ever changes, we will only contact you with your consent, and every message will include a simple way to unsubscribe. You can ask us to remove your details from the mailing list at any time.
12. Children’s data
We provide paediatric physiotherapy, and so we process children’s personal data. Where a client is under 16, we ask a parent or legal guardian to provide information and consent on their behalf, and we involve the child in decisions about their care in an age-appropriate way. Children’s clinical records are retained until the child’s 25th birthday, as set out in section 10.
13. Data security
We have measures in place to protect your data against accidental loss, disclosure, alteration, unauthorised access, destruction and misuse. Data is only accessible to those who need it to deliver your care or run the service. All our systems use two-factor authentication, and our clinical system is ISO 27001 compliant with 256-bit SSL encryption.
14. Keeping your information up to date
Please tell us if your personal information changes while you are receiving care from us, so that we can keep your records current and accurate.
15. Your rights
Under UK data protection law you have the right to:
- Access — request a copy of the personal data we hold about you (a subject access request).
- Rectification — ask us to correct data that is inaccurate or incomplete.
- Erasure — ask us to delete your data where there is no good reason to keep processing it. This right is limited for clinical records we are required to retain.
- Restriction — ask us to pause processing, for example while a correction is checked.
- Portability — ask for your data in a format you can take elsewhere.
- Object — object to processing based on our legitimate interests, and to any direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time without consequence. If consent is withdrawn it may not be possible to continue treatment, and in some circumstances we may continue to hold data where we have a legal reason to do so.
- Be informed — know how your data is used, which is the purpose of this policy.
To exercise any of these rights, please email enquiries@salveo-forma.com. We will respond within one month. There is no fee, although we may charge a reasonable fee for repeated or clearly excessive requests.
16. Complaints
If you have a concern about how we handle your data, please contact us first at enquiries@salveo-forma.com and we will do our best to resolve it. You also have the right to complain to the UK supervisory authority, the Information Commissioner’s Office (ICO): Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — or online at ico.org.uk/make-a-complaint.
17. Changes to this policy
We review this policy regularly and will publish any updates on this page, with a new effective date. If we make a significant change — for example to a lawful basis for processing — we will take reasonable steps to bring it to your attention.