Privacy Policy
This Privacy Policy explains how Leah Madden Osteo collects, uses, stores, and protects your personal information. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Last updated: March 2026
1. Who We Are
This policy covers personal data collected by Leah Madden Osteopathy. You can contact Leah at leahosteo@gmail.com with any privacy-related queries. Registered Osteopath - GOsC - 10671.
2. What Personal Data We Collect
When you use this website:
Name and email address (if you submit the contact form)
Your message content
IP address and browser information (collected automatically via Squarespace analytics, if enabled)
Cookie data — see our Cookie section below
When you book an appointment:
Name, email address, and phone number
Health information relevant to your treatment (collected by and held within the clinic's booking and records system)
Payment information (processed directly by the clinic — we do not store card details)
3. Special Category (Health) Data
Health information is 'special category' data under the UK GDPR and is afforded additional protection. We collect and process health information solely for the purpose of providing you with osteopathic treatment. The lawful basis for processing this data is:
Article 9(2)(h) UK GDPR — processing necessary for the provision of health care or treatment by a health professional
Explicit consent, where required
4. Why We Use Your Data
We process your personal data for the following purposes:
To respond to enquiries submitted via the contact form
To facilitate appointment bookings and deliver osteopathic treatment
To maintain clinical records as required by our professional regulatory body (GOsC)
To send appointment reminders (where you have consented to this)
To comply with our legal and professional obligations
To analyse website usage and improve our services (anonymised analytics only)
5. Legal Basis for Processing
We rely on the following lawful bases for processing your personal data:
Contract — processing your data to book and deliver your appointment
Legitimate interests — responding to enquiries and improving our services
Legal obligation — maintaining clinical records as required by law and professional standards
Consent — where specifically requested, e.g. for marketing communications
6. Who We Share Your Data With
We do not sell your personal data to third parties. We may share data with the following trusted service providers, strictly for the purposes outlined above:
Squarespace Inc. — website hosting and contact form processing (USA; Squarespace is covered by the UK-US Data Bridge)
Cliniko — appointment booking and clinical records management (covered by appropriate data processing agreements)
Google LLC — analytics and search tools, where enabled (anonymised)
We may also share data where required by law, for example with the GOsC or other regulatory bodies.
7. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
Right to access — request a copy of the data we hold about you
Right to rectification — request corrections to inaccurate data
Right to erasure — request deletion of your data ('right to be forgotten'), subject to our legal obligations to retain clinical records
Right to restriction — ask us to limit how we use your data
Right to data portability — receive your data in a structured, machine-readable format
Right to object — object to processing based on legitimate interests
Rights relating to automated decision-making — we do not use automated decision-making or profiling
To exercise any of these rights, please contact us at leahosteo@gmail.com. We will respond within 30 days. If you are unhappy with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Cookies
What are cookies?
Cookies are small text files stored on your device when you visit a website. They help websites function correctly and allow us to understand how visitors use the site.
Cookies we use:
Essential cookies — required for the website to function (e.g. Squarespace session cookies). These cannot be disabled.
Analytics cookies — used to understand how visitors interact with the website (e.g. page views, session duration). These are only enabled with your consent.
When you first visit our website, you will be shown a cookie banner allowing you to accept or decline non-essential cookies. You can change your preferences at any time by clearing your browser cookies and revisiting the site.
9. Data Security
We take reasonable technical and organisational measures to protect your personal data from unauthorised access, loss, or misuse. Our website is hosted by Squarespace, which maintains industry-standard security practices. Clinical records are stored securely within Cliniko.
No method of transmission over the internet is 100% secure. If you have concerns about the security of your data, please contact us.
10. Children's Data
Our website is not directed at children under the age of 16. We do not knowingly collect personal data from children without parental or guardian consent. If you believe a child has provided data to us without appropriate consent, please contact us and we will take steps to delete it.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The most recent version will always be available on this page, with the effective date shown at the top.
12. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your data, please contact: leahosteo@gmail.com