Privacy Policy
Last updated: April 2026
1. Who We Are
The PhysioSphere is operated by Harshitha Bhaskaracharya, an HCPC-registered physiotherapist (PH120373), trading as The PhysioSphere Ltd, registered office 71-75 Shelton Street, Covent Garden, London WC2H 9JQ. We are registered with the Information Commissioner's Office (ICO) under reference ZC104926.
We are committed to protecting your personal data in accordance with UK GDPR and the Data Protection Act 2018. For data protection matters, contact us at: hello@thephysiosphere.co.uk
2. What Data We Collect
We collect and process the following categories of personal data:
- Name, email address, and phone number (when you contact us, book an appointment, or send a WhatsApp enquiry)
- Health and medical information relevant to your physiotherapy care — this is special category data under Article 9 of UK GDPR and is handled with a higher standard of care
- Appointment history and clinical records
- Website usage data including pages visited, session duration, and device information (collected via analytics tools — see Section 6)
- Behavioural data including mouse movements, clicks, and scroll patterns (collected via session recording tools — see Section 6)
- IP address (processed by our hosting provider and font delivery service)
3. How We Use Your Data
- To manage and deliver your physiotherapy appointments
- To communicate with you about your care and appointment scheduling
- To maintain clinical records as required by HCPC professional standards
- To comply with our legal and regulatory obligations
- To respond to general enquiries
- To understand how our website is used and improve its performance
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Legal Basis for Processing
For general personal data, we process on the basis of: your consent; the performance of a contract (your treatment); our legitimate interests as a healthcare provider; and compliance with legal obligations.
For special category health data, our lawful basis is Article 9(2)(h) of UK GDPR — processing necessary for the provision of health care and treatment by a health professional. Harshitha Bhaskaracharya (HCPC PH120373) is the responsible clinician and data controller for all clinical records.
For website analytics and behavioural tracking, our lawful basis is legitimate interests, balanced against your right to privacy. You may opt out at any time by contacting us.
5. Data Retention
- Clinical records: retained for a minimum of 8 years following your last appointment, or until age 25 for minors — in line with HCPC and NHS guidance
- Enquiry and contact data: retained for 2 years from last contact, then deleted
- Website analytics data: retained per the default settings of the analytics providers listed in Section 6 (typically 14 months for Google Analytics)
- Session recordings (Clarity): retained for 30 days by default, then deleted by Microsoft
6. Third-Party Data Processors
We use the following third-party services that process personal data on our behalf. Each operates under its own privacy policy and a data processing agreement with us where required by UK GDPR.
Cliniko — our practice management and booking platform. When you book an appointment, your name, contact details, appointment information, and health intake data are processed by Cliniko (Cliniko Pty Ltd, Australia). Cliniko is ISO 27001 certified and GDPR compliant. Cliniko Privacy Policy
Google Analytics 4 / Google Tag Manager — we use Google Analytics 4 (via Google Tag Manager, container ID GTM-KNXHJ9H3) to collect anonymised website usage data including pages visited, session duration, traffic source, and device type. IP addresses are anonymised. Google LLC processes this data under a data processing agreement. Google Privacy Policy
Microsoft Clarity — we use Microsoft Clarity to record anonymised session replays and generate heatmaps. This tool captures mouse movements, clicks, and scroll behaviour to help us understand how visitors use our website. Clarity is configured to mask form inputs and does not record identifiable health information. Microsoft Corporation processes this data. Microsoft Privacy Statement
Google Fonts — our website loads typefaces from Google Fonts, which causes your browser to make a request to Google's servers. Google may process your IP address as part of this request. Google Privacy Policy
Netlify — our website is hosted on Netlify. Netlify processes standard server access logs including IP addresses and request metadata. Netlify Privacy Policy
WhatsApp / Meta — if you contact us via our WhatsApp link (07876 889638), your message and contact details are processed by WhatsApp LLC (a Meta company) under WhatsApp's own terms. We recommend not sending sensitive health information via WhatsApp. WhatsApp Privacy Policy
ClassPass — if you book via ClassPass, your booking and contact data is processed by ClassPass under their own privacy policy. ClassPass may share your name and contact details with us to facilitate your appointment. You are also subject to ClassPass's terms of service. ClassPass Privacy Policy
7. Your Rights
Under UK GDPR, you have the right to: access your personal data; correct inaccurate data; request erasure (subject to our legal obligations to retain clinical records); restrict or object to processing; data portability; and withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at hello@thephysiosphere.co.uk. We will respond within one calendar month.
8. Data Protection Complaints
If you have a complaint about how we handle your personal data:
- Submit your complaint in writing to hello@thephysiosphere.co.uk
- We will acknowledge receipt within 30 days and keep you informed throughout
You may also lodge a complaint directly with the Information Commissioner's Office (ICO) — ICO registration reference ZC104926 — at ico.org.uk or by calling 0303 123 1113.
9. Cookies
Our website uses the following categories of cookies:
- Essential cookies: required for the website to function (e.g. session state). No consent required.
- Analytics cookies: set by Google Analytics to collect anonymised usage data (pages visited, session duration, traffic source). These activate on page load.
- Behavioural cookies: set by Microsoft Clarity to support session recording and heatmap analysis. These activate on page load and are configured to mask form inputs.
You may disable analytics and behavioural cookies by adjusting your browser settings or by contacting us to opt out. Disabling these cookies will not affect your ability to use the site.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services or legal obligations. The current version, including the date of last update, will always be available on this page.