Privacy policy.
Version: 2.2
Last updated: June 2026
About this notice
Total Balance Clinic Ltd provides chiropractic, massage, sports therapy, and dry needling services from our clinic at 106a London Road, Apsley, Hemel Hempstead, Herts, HP3 9SD. This privacy notice explains what personal information we collect about you, why we collect it, how we use it, and your rights in relation to it. It applies to patients, prospective patients, and anyone who contacts or engages with us.
For the purposes of UK data protection law, Total Balance Clinic Ltd is the data controller.
Contact details
Address: Total Balance Clinic Ltd, 106a London Road, Apsley, Hemel Hempstead, Herts, HP3 9SD
Telephone: 01442 211899
Email: info@totalbalanceclinic.co.uk
What information we collect, use, and why
To provide services and treatment
We collect and use the following information to provide our clinical services and manage your care:
Names and contact details
Address
Date of birth
Health information (including medical history, diagnosis, treatment records, allergies and health conditions)
Photographs or video recordings (used for postural and clinical assessment purposes; retained as part of your clinical record and not shared with third parties)
Records of treatment sessions and clinical decisions
Purchase or account history
Payment details (including bank information for direct debits)
Account information
Information relating to compliments or complaints
Special category data: Health information is special category data under UK GDPR Article 9 and is subject to additional protection. We process your health information on the following basis:
Article 9(2)(h) — processing is necessary for the purposes of preventive medicine, medical diagnosis, and the provision of health care and treatment, carried out by a health professional subject to the obligation of professional secrecy.
Explicit consent — for any processing of health data that goes beyond your direct clinical care (for example, use in anonymised case studies or marketing materials), we will always ask for your explicit written consent beforehand.
Our Article 6 lawful bases for processing personal information to provide services are:
Consent — we have your permission after giving you all relevant information. You have the right to withdraw your consent at any time.
Legal obligation — we are required to collect or use your information to comply with the law.
Legitimate interests — we collect or use your information because it benefits you, our organisation, or someone else, without causing undue risk of harm. Our legitimate interests are set out in full below.
Our legitimate interests:
Total Balance Clinic collects and uses personal information to provide our services and to run our clinic effectively. Our legitimate interests include:
Delivering and managing our services — booking and scheduling appointments, sending reminders, and following up after treatment to support patient recovery and continuity of care.
Running our business — processing payments, managing payroll for our team, maintaining accurate business records, and administering the clinic day-to-day.
Communicating with existing patients — letting patients know about relevant services, health information, and community events such as free workshops that may benefit them.
Fraud prevention and security — protecting the clinic and our patients from fraudulent activity and ensuring the security of personal data we hold.
Professional referrals and correspondence — sharing relevant information with GPs, consultants, and insurers where this supports a patient's care or is required to process an insurance claim.
Why our interests are greater than the risks to individuals: The personal information we collect is used directly to benefit the people it relates to — either by providing them with effective care, keeping them informed about their treatment, or ensuring the clinic can operate safely and professionally. We only collect what is necessary, we do not sell personal data, and we do not use automated decision-making or profiling. Where we share data with third parties — including our booking system (Cliniko), payment processor (GoCardless), SMS provider (TextMagic), email platform (Brevo), insurers, referral professionals, and payroll accountants — we do so only to the extent necessary and expect those parties to handle data responsibly. Patients can expect their information to be used in ways that are consistent with the reason they provided it, and we do not place our commercial interests above their right to privacy.
For the operation of customer accounts, pre-payment courses, and memberships
We collect and use the following information to manage pre-payment courses of care and membership agreements:
Names and contact details
Address
Payment details (including bank information for direct debits)
Purchase history
Account information, including registration details
Marketing preferences
Health information (to the extent relevant to the agreement)
Our lawful basis is contract — this information is necessary to fulfil the agreement we have entered into with you, or to take steps at your request before entering into that agreement. This includes:
Recording and managing pre-paid courses of care, including tracking sessions used and applicable discounts
Administering membership agreements, including payment schedules, benefits, and renewal
Processing payments via GoCardless
Communicating with you about your account status, upcoming payments, or changes to your agreement
All account information is managed internally by the clinic. We do not operate patient-facing online accounts.
For service updates and marketing purposes
We collect and use the following information to send service updates and marketing communications:
Names and contact details
Address
Marketing preferences
We do this on two lawful bases depending on our relationship with you:
Consent — where you have explicitly opted in to receive marketing communications from us, such as through a sign-up form for a free workshop or event. We use consent as our lawful basis for contacting new contacts who are not yet patients of the clinic. You may withdraw your consent at any time by clicking the unsubscribe link in any email or by contacting us directly.
Legitimate interests — where you are an existing patient of the clinic, we may contact you with relevant updates, health information, and details of services or events that may benefit you. We believe our interest in keeping patients informed is proportionate and would not override your reasonable expectations, given your existing relationship with us. You may opt out of such communications at any time by contacting us directly.
We use the following platforms to manage and send communications: Brevo (email), TextMagic (SMS). We may in future manage communications through additional platforms; this policy will be updated to reflect any such changes. All marketing communications will clearly identify Total Balance Clinic as the sender and will include a straightforward way to opt out.
Opting out of SMS communications: To stop receiving SMS messages from us, reply STOP to any message we send. Reply HELP for assistance. Consent to receive SMS communications is not a condition of receiving treatment or purchasing any service from us.
Email engagement tracking: Our email platform (Brevo) collects standard engagement data, including whether emails are opened and whether links are clicked. This information is used solely to improve our communications and is not used for profiling or automated decision-making.
To comply with legal requirements
We collect and use the following information where we are required to do so by law or regulatory obligation:
Name and contact information
Health information (special category data, as above)
Our lawful basis is legal obligation. This includes:
Regulatory compliance — retaining patient records in accordance with the requirements of the General Chiropractic Council (GCC) and the professional standards of other relevant regulatory and membership bodies to which our practitioners belong
Financial and tax records — retaining records as required by HMRC, including payments, invoices, and payroll
Employment law — collecting and retaining employee information as required by law, including right to work documentation, payroll records, and statutory employment records
Safeguarding — where we have a legal duty to share information with relevant authorities to protect the safety of an individual
Legal proceedings — disclosing personal information where required by a court order, regulatory investigation, or other lawful authority
We do not use personal information collected under this lawful basis for any other purpose, and we retain it only for as long as the relevant legal obligation requires.
Where we get personal information from
Directly from you
Healthcare providers (e.g. GPs or consultants who refer you or to whom we write)
Insurance companies
How long we keep information
We retain personal data only for as long as necessary for the purpose for which it was collected. Our standard retention periods are as follows:
Category | Retention Period
Patient clinical records (adults) | 8 years from the date of last treatment
Patient clinical records (children) | Until the patient's 25th birthday, or 26th birthday if aged 17 at the end of treatment
Patient contact, booking, and assessment information (including photographs/video) | Retained for the duration of the clinical record retention period above
Pre-payment and membership records | 7 years from the end of the agreement (HMRC requirement)
Financial and payment records | 7 years (HMRC requirement)
Employee records | 6 years from the end of employment
Marketing contacts (workshop or offer sign-ups who have not become patients) | Until unsubscription, or 12 months from last engagement, whichever is earlier
Suppression lists (unsubscribed contacts) | Indefinitely, to prevent re-contact
GP/consultant correspondence | Retained as part of the clinical record
Who we share information with
Data processors
We use the following third-party processors to help us operate our services. All are required to handle your data securely and in accordance with UK data protection law.
Cliniko (Red Guava Pty): Patient management software. Holds all patient records, generates appointment confirmations and reminders, stores payment history (but not card details), and tracks account credit.
GoCardless: Payment processor. Facilitates monthly direct debits for our membership and processes pre-payment transactions.
Brevo: Email marketing platform. Stores email addresses for the purpose of email communications.
TextMagic: SMS platform. Stores mobile phone numbers for the purpose of SMS correspondence.
Squarespace: Website provider. Hosts our website including our contact form and e-voucher shop. Processes contact form submissions and e-voucher purchase data on our behalf.
AngloDutch Ltd: UK-based payroll accountants. Processes personal data relating to our employed team members for the purposes of payroll administration. No patient data is shared with AngloDutch Ltd.
Meta Platforms Inc.: Advertising platform. We use the Meta Pixel on our website to measure the effectiveness of our advertising on Facebook and Instagram. The Pixel only operates when a website visitor has consented to marketing cookies. We do not share patient clinical data with Meta. Data collected is limited to website behaviour (pages visited, actions taken) for advertising measurement purposes only.
Others we share information with:
Insurance companies (in connection with insurance-funded treatment)
Healthcare providers (GPs and consultants, where we correspond about your care)
Professional or legal advisors
Relevant regulatory authorities
Sharing information outside the UK
Where necessary, our data processors may transfer personal information outside of the UK. When doing so, they comply with UK GDPR, ensuring appropriate safeguards are in place. Current international transfers are as follows:
Cliniko (Red Guava Pty) | Category: Patient management software | Country: Australia | Safeguard: UK Data Processing Addendum
Squarespace | Category: Website provider | Country: United States | Safeguard: European Commission Standard Contractual Clauses and the UK International Data Transfer Addendum (UK Addendum)
Brevo | Category: Email provider | Country: Belgium (European Union) | Safeguard: EU-US Data Privacy Framework; Standard Contractual Clauses and additional measures
TextMagic | Category: SMS provider | Country: European Union | Safeguard: Adequacy Decision
AngloDutch Ltd and GoCardless process data within the UK and/or European Economic Area and do not transfer personal data outside these territories.
Meta Platforms Inc. | Category: Advertising platform (Meta Pixel) | Country: United States | Safeguard: EU-US Data Privacy Framework and Standard Contractual Clauses
Your data protection rights
Under UK data protection law, you have the following rights:
Right of access — you have the right to ask us for copies of your personal information, including details of where we get it from and who we share it with. Some exemptions may apply.
Right to rectification — you have the right to ask us to correct or complete personal information you believe is inaccurate or incomplete.
Right to erasure — you have the right to ask us to delete your personal information in certain circumstances.
Right to restriction of processing — you have the right to ask us to limit how we use your personal information.
Right to object to processing — you have the right to object to our processing of your personal data in certain circumstances.
Right to data portability — you have the right to ask us to transfer personal information you have provided to us to another organisation, or to you directly.
Right to withdraw consent — where we rely on consent as our lawful basis, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to complain directly to us — under the Data (Use and Access) Act 2025, you have the right to make a data protection complaint directly to us. See the section below for how to do this.
If you make a rights request, we must respond without undue delay and in any event within one month. To make a request, please contact us using the details at the top of this notice.
Data protection complaints
If you have a concern about how we have collected or used your personal information, we encourage you to contact us directly in the first instance. We take all data protection complaints seriously and will handle them promptly and fairly.
How to make a complaint:
You can submit a complaint to us by any of the following means:
Post: Total Balance Clinic Ltd, 106a London Road, Apsley, Hemel Hempstead, Herts, HP3 9SD
Telephone: 01442 211899
In person at the clinic
We will accept complaints however they are submitted, including via social media.
What happens next:
We will acknowledge your complaint within 30 days of receiving it
We will investigate your concern and respond to you without undue delay
Where possible, we will aim to resolve your complaint to your satisfaction
Our full data protection complaints procedure is available at: https://www.totalbalanceclinic.co.uk/dataprotectioncomplaints
If you remain dissatisfied:
If you are not happy with our response, you have the right to escalate your complaint to the Information Commissioner's Office (ICO):
Website: https://www.ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Automated decision-making and profiling
We do not use any automated decision-making or profiling in relation to your personal data.
Data breaches
Should personal data that we hold be lost, stolen, or otherwise breached in a way that constitutes a high risk to your rights and freedoms, we will notify you without undue delay. We will explain the nature of the breach, provide contact details for the person handling it, and describe the steps we are taking to address it.
Changes to this notice
We may update this privacy notice from time to time to reflect changes in our practices or in applicable law. When we do, we will update the version number and the "last updated" date at the top of this page.
Total Balance Clinic Ltd | Registered in England and Wales | 106a London Road, Apsley, Hemel Hempstead, Herts, HP3 9SD | info@totalbalanceclinic.co.uk | 01442 21189