Privacy Policy

Last updated: 02 October 2025

Who we are (data controller)

The Staywell Clinic Ltd (“we”, “us”, “our”)
62–64 West Street, Sittingbourne, England, ME10 1AR
Email: admin@thestaywellclinic.com | Tel: 01795 720 049

We are the data controller for personal data we process about patients, website users and customers. This notice explains what we collect, why, how long we keep it, who we share it with, and the choices you have. It is designed to meet the UK GDPR and the Data Protection Act 2018 requirements for transparency (Articles 13–14). See the ICO’s guidance on what privacy information must be provided. (Information Commissioner’s Office)

If we provide services for another provider (e.g., a pharmacy or employer), we will tell you whether we act as a controller or a processor for that work.

What data we collect

A) Clinical/patient data (special category)

  • Identity and contact details (name, date of birth, address, phone, email).
  • Medical history and presenting concerns, measurements, test results, clinician notes, care plan, and relevant images/documents.
  • Emergency contact details and safeguarding information where relevant.

Because this includes health data, it is “special category data”. We process it primarily under UK GDPR Article 9(2)(h) (preventive/occupational medicine, medical diagnosis and provision of health care by or under the responsibility of a health professional), alongside an Article 6 lawful basis (usually “contract” and/or “legal obligation”). (Information Commissioner’s Office)

B) Bookings, shop and support

  • Account and order details (products/services purchased, billing, delivery, VAT-relief declarations where applicable).
  • Payment status and fraud-prevention signals from our payment provider (we do not store full card numbers).
  • Messages you send us by email, web forms or phone.

C) Website and device data

  • Basic technical data (IP address, device/browser, pages viewed) captured for security and performance.
  • Cookies or similar technologies where you consent (e.g., analytics/marketing). See Cookies below. The ICO’s cookies guidance explains these rules and recent updates. (Information Commissioner’s Office)

Why we use your data (purposes & legal bases)

| Purpose | Examples | Legal basis (Art 6) | Special category condition (Art 9) |
|---|---|---|---|
| Provide clinical care | Consultation, assessment, treatment planning, follow-up | Contract; Legitimate interests; Legal obligation | 9(2)(h) health/medical care by a health professional |
| Referrals & prescriptions | Referring you (with consent) or sending a prescription to your nominated pharmacy | Contract; Legitimate interests | 9(2)(h) |
| Shop orders & delivery | Managing orders, delivery/collection, returns | Contract; Legal obligation (tax) | N/A (no health data required for most orders) |
| Safety & safeguarding | Managing risks to you/others; incident reporting | Vital interests; Legal obligation | 9(2)(c) vital interests; 9(2)(h) |
| Finance & records | Invoicing, accounting, VAT-relief evidence | Legal obligation; Legitimate interests | N/A |
| Queries & support | Responding to emails, calls, web forms | Legitimate interests | 9(2)(h) if clinical context |
| Analytics/marketing | Measuring site use; sending updates where allowed | Consent (or soft opt-in where applicable) | N/A |

We do not use your clinical data for unrelated advertising. We do not engage in solely automated decisions that produce legal or similarly significant effects. If this changes, we will explain the logic involved and your rights.

Where your data comes from

  • Directly from you (in person, by phone/video, forms or email).
  • From your GP/another provider or laboratory with your knowledge or consent (or where permitted by law for safety).
  • From our website and systems (security logs, cookies/analytics where you consent). (Information Commissioner’s Office)

Who we share data with

We share only what is necessary, with:

  • Your nominated UK-registered pharmacy (where a prescription is issued for supply).
  • Laboratories for tests you consent to.
  • Technology suppliers acting as our processors, e.g., website hosting, email, booking, ecommerce (WooCommerce), payments (e.g., Stripe), analytics and security.
  • Professional advisers/insurers, and authorities where required by law (e.g., safeguarding).

If personal data is transferred outside the UK (e.g., to a supplier’s sub-processor), we use a valid transfer mechanism such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, plus risk assessment and safeguards. (Information Commissioner’s Office)

How long we keep data (retention)

  • Clinical records: normally at least 8 years from the date of last contact for adults; for children/young people, until their 25th birthday (or 26th if aged 17 at last entry). Certain records (e.g., maternity, radiology) may have different periods. We follow the NHS Records Management Code of Practice 2021 as a baseline for private providers. (NHS Transformation Directorate)
  • Order/financial records: typically 6 years after the end of the financial year (legal obligation).
  • General enquiries: typically 12–24 months from last interaction unless you ask us to delete sooner (unless needed for legal claims).

We securely delete or anonymise data when no longer needed.

Cookies, analytics and similar technologies

When you visit our site, we may store/read information on your device (e.g., cookies) for essential functions (security, checkout, preferences). We only use non-essential cookies (analytics/marketing) with your prior consent and provide a “Manage cookies” link to change choices at any time. See our Cookie Policy for details of each cookie, provider and retention. (See ICO guidance on cookies/PECR and recent updates.) (Information Commissioner’s Office)

Keeping your data secure

We use technical and organisational measures including: encrypted transport (TLS), access controls and multi-factor authentication for admin systems, regular updates/backups, least-privilege access, and contracts with processors requiring appropriate security. We assess suppliers—especially where data is stored or accessed outside the UK—and use approved transfer tools (IDTA/Addendum) when needed. (Information Commissioner’s Office)

Your rights

You have rights under the UK GDPR, subject to conditions: access, rectification, erasure, restriction, objection, data portability, and the right to withdraw consent where we rely on consent. You also have the right to be informed (this notice) and to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we handle your data. See the ICO’s guidance on transparency and privacy information. (Information Commissioner’s Office)

  • How to exercise your rights: email admin@thestaywellclinic.com. We will respond within one month (extendable by two months for complex requests; we will tell you if so).

Marketing

We only send marketing (e.g., clinic updates) with your consent or where permitted under the “soft opt-in” for existing customers. You can opt out at any time using the unsubscribe link or by contacting us. Marketing preferences do not affect essential service messages (appointments, orders).

Children’s information

We provide services to young people with appropriate consent/authority. We take extra care when communicating and retaining children’s records (see Retention above). (NHS Transformation Directorate)

Third-party links and platforms

Our site may link to third-party websites or social media platforms. Their privacy practices are separate; please read their privacy notices.

Changes to this notice

We may update this notice to reflect changes in services, law or guidance. Material changes will be highlighted on this page. Please check back periodically.

Contact & complaints

Questions about this notice or your data?
Email: admin@thestaywellclinic.com | Tel: 01795 720 049
Post: The Staywell Clinic Ltd, 62–64 West Street, Sittingbourne, ME10 1AR

If you remain concerned, you can complain to the Information Commissioner’s Office (ico.org.uk). (Information Commissioner’s Office)

The Staywell Clinic

The Staywell Clinic is a Private Healthcare Clinic located in Sittingbourne, Kent, UK, and staffed by fully qualified and registered Nurses, Advanced Nurse Practitioners and Phlebotomists.

Regulated by Care Quality Commission

© The Staywell Clinic Ltd 2025. All Rights Reserved

Registered Address: 62-64 West Street, Sittingbourne, England, ME10 1AR
Registered in England & Wales No. 16173238 - VAT No. 496816435