
Privacy Policy

Last updated: 6 August 2025


Who we are: Magda Sports Therapy (“we”, “our”, “us”) provides sports therapy treatments and related services in the United Kingdom. We are the data controller for the personal data described in this notice.

How this notice may change: We keep this notice under review and will post updates here. Where changes are significant, we’ll notify clients directly where appropriate (e.g., by email). We are monitoring the Data (Use and Access) Act 2025 as it is introduced and will update this notice as relevant provisions come into force.

1. What data we collect

  • Identity & contact: name, email, phone, and any details you provide when contacting us.

  • Client-provided documents: information you choose to share (e.g., MRI/scan reports or letters you personally supply). We do not independently request or collect information from other providers.

  • Treatment & session notes: clinical information you provide during appointments (health information), rehabilitation plans, and relevant medical/lifestyle history needed to provide care.

  • Website usage: cookie IDs, analytics and technical data (see Cookies).

  • Payments: No online payments are taken on our website. If you pay us offline (e.g., bank transfer or card in person), we keep only basic transaction records; we do not store full card details.

  • Sources: primarily you (via email/phone, contact forms, and during appointments).

  • Social media: Our site includes icons that link to our profiles on Facebook and Instagram. Clicking these links takes you to those platforms, which process your data under their own privacy notices. We do not receive your social media login details.

  • Messaging (WhatsApp): If you contact us via WhatsApp, we process your phone number, display name and message content. Please avoid sending sensitive documents by WhatsApp unless we ask you to; for confidentiality we may move the conversation to email.

2. Why we use your data (lawful bases)

We only process personal data when we have a lawful basis:

  • Contract – to arrange and deliver the treatment you request (even if arranged by phone or email).

  • Legal obligation – to keep tax/insurance records and comply with regulatory requirements.

  • Legitimate interests – to run, secure and improve our services and website (only where your rights are not overridden).

  • Consent – for optional marketing emails and if you ask us to share information with another clinician; you can withdraw consent at any time (see Your Rights).

Health (special-category) data: For clinical notes and treatment information, we rely on UK GDPR Article 9(2)(h) (provision of health or social care) and apply strict confidentiality, security and access controls.

We do not carry out automated decision-making that produces legal or similarly significant effects.

3. How we share data

We do not sell your data. We share it only with:

  • Processors (service providers): companies that help us run the website and communications (e.g., hosting/IT support, email). They act on our instructions under contract.

  • Another clinician / your GP (UK): We share information only at your request and with your explicit consent (for example, if you want a referral suggestion or summary for your GP). By default, we provide the summary for you to forward. If you prefer, we can send it directly to your GP practice once you give us the practice details and written consent. We do not request or collect records from your GP or other providers unless you supply them yourself.

  • Legal or safeguarding: We may disclose information where the law requires it (e.g., a court order) or to protect someone’s vital interests in rare situations involving a serious risk of harm.

  • Social media messaging: If you contact us via Facebook or Instagram, your messages are processed by those platforms. We will usually ask to move the conversation to email for confidentiality. We do not share your clinical information on social media.

  • WhatsApp: Our site includes a WhatsApp button that opens a chat in WhatsApp. WhatsApp (Meta Platforms) processes your data under its own privacy notice. We do not receive your WhatsApp login details. We may copy key information from messages into your clinical record where relevant. For sensitive matters we usually switch to email.

4. International transfers & where your data is stored

Our website is hosted on Wix, which uses a global infrastructure and vetted sub-processors (e.g., in the EU and US). Where personal data is transferred outside the UK, we rely on the UK’s adequacy regulations (where available) or on appropriate safeguards such as Standard Contractual Clauses (SCCs). Some US providers may also participate in the UK-US Data Bridge (the UK extension to the EU-US Data Privacy Framework). We also use cloud/email services that may process data outside the UK on the same basis.

5. How long we keep data (retention)

We keep personal data only as long as necessary for the purposes above, including to meet legal, insurance and professional obligations:

  • Clinical records (adults): typically 8 years from your last appointment.

  • Clinical records (children): until their 25th birthday (or 26th if treatment ended when aged 17).

  • Financial/tax records (invoices, payments): generally 6 years.

  • Enquiries (email/contact form): up to 12 months from last contact, unless you become a client or ask us to delete sooner.

  • Marketing records (consent/unsubscribe): until you withdraw consent; unsubscribes actioned within 30 days.

6. Cookies & analytics

We currently use only necessary cookies to run and secure our website. We do not use analytics, advertising, or social-media tracking cookies at this time.

Because there are no non-essential cookies, we do not display a cookie consent banner. If we introduce optional cookies in the future (e.g., analytics or advertising), we will ask for your choice via a banner with Accept / Reject / Customise options and provide a persistent “Cookie settings” link so you can change your preferences at any time. Under UK PECR, non-essential cookies will only run with your consent.

Social media features: We use simple link icons for Facebook and Instagram. These links do not set third-party cookies until you click them and leave our site. If we later add embedded social widgets (e.g., a live feed or “Like” button), they may set marketing cookies; such widgets would load only after consent.

Social & messaging features: Our WhatsApp button is a simple link and does not set third-party cookies until you click it. If we later add an embedded chat widget, it may use marketing cookies; such widgets would load only after consent.

You can also manage or block cookies using your browser settings at any time.

7. Your rights

Under UK data protection law, you can:

  • Access your personal data.

  • Rectify inaccurate or incomplete data.

  • Erase data (where applicable).

  • Restrict or object to processing in certain circumstances (including objection to direct marketing at any time).

  • Portability – receive certain data in a machine-readable format or request we send it to another provider.

  • Withdraw consent where processing is based on consent (e.g., marketing or sharing info with another clinician).

  • Complain to the ICO (see Complaints below).

We’ll respond within one month (extensions possible for complex requests). If we cannot action a request, we’ll explain why.

8. Children’s data

Our website and marketing are not aimed at children. We do not knowingly collect data from children online. If we provide treatment to someone under 18, we seek appropriate parent/guardian authorisation and apply the retention rules in Section 5.

9. Security

We use HTTPS encryption and secure Wix hosting. Access to the site’s admin panel is restricted to the business owner only. We do not accept online payments on this website and we do not store payment-card details.

10. Marketing

We only send marketing (e.g., updates, offers, newsletters) with your consent or as permitted by PECR (e.g., “soft opt-in” for similar services to existing clients). You can unsubscribe at any time via the link in our emails or by contacting us.

11. Contact, controller details & complaints

Data controller: Magda Sports Therapy (sole trader)
Email: magdasportstherapy@gmail.com
Phone: +44 7934 248251

Questions or requests: Please email us first—we’re happy to help.

Complaints: You can complain to the Information Commissioner’s Office (ICO) at any time: www.ico.org.uk or 0303 123 1113.
