Aspire Wellness is committed to protecting your personal and health information. As a healthcare provider, we handle sensitive patient data with the highest standards of care, in compliance with applicable data protection regulations. This policy explains how we manage your information throughout your relationship with us.
1. Introduction
This Data Protection and Patient Information Policy applies to all personal data collected, processed, and stored by Aspire Wellness in the course of providing physiotherapy and wellness services. It covers information collected through:
- In-person consultations and treatments at our clinic
- Our website and online booking system
- Phone calls, emails, and WhatsApp messages
- Patient registration forms and medical questionnaires
- Online purchases through our shop
This policy should be read alongside our Privacy Policy, which covers website-specific data handling practices.
2. Personal Data We Collect
Personal Identification Data
- Full name, date of birth, gender
- Contact information (phone number, email address, home address)
- CNIC/passport number (for identity verification where required)
- Emergency contact details
Health & Medical Data
- Medical history and current health conditions
- Medications and allergies
- Physiotherapy assessment findings and clinical notes
- Treatment plans, progress notes, and discharge summaries
- Diagnostic reports and imaging results (provided by referring practitioners)
- Referral letters from doctors or other healthcare professionals
Financial Data
- Payment records and transaction history
- Insurance details (where applicable)
- Billing address
Sensitive Data
Health and medical data is classified as sensitive personal data and receives an elevated level of protection. We only collect health information that is directly relevant to the physiotherapy services you are receiving.
3. How We Use Your Data
We use your personal and health data for the following purposes:
- Providing safe and effective physiotherapy assessment and treatment
- Maintaining accurate and up-to-date patient records
- Communicating with you about appointments, treatment plans, and follow-up care
- Processing payments and managing billing
- Sending appointment reminders via SMS, WhatsApp, or email
- Corresponding with your referring doctor or other healthcare providers (with your consent)
- Complying with legal and regulatory obligations
- Improving our services through anonymised clinical audits and quality assurance
We will not use your data for purposes beyond those listed above without first obtaining your explicit consent.
4. Legal Basis for Processing
We process your personal data under the following legal bases:
| Legal Basis | Application |
|---|---|
| Consent | Where you have given clear consent for us to process your data for a specific purpose (e.g., marketing communications) |
| Contractual Necessity | Processing required to fulfil our service agreement with you (e.g., providing treatment, processing payments) |
| Vital Interests | Processing necessary to protect your health or safety in emergency situations |
| Legal Obligation | Processing required to comply with applicable laws and regulations |
| Legitimate Interests | Processing necessary for our legitimate interests such as clinical quality improvement, provided these are not overridden by your rights |
5. Data Storage & Security
We implement appropriate technical and organisational measures to protect your personal data:
Physical Security
- Paper records are stored in locked filing cabinets in secure areas
- Access to patient record areas is restricted to authorised clinical staff only
- The clinic premises are secured with access controls
Digital Security
- Electronic patient records are stored on password-protected, encrypted systems
- Access to digital records is role-based, with access limited to relevant staff
- Regular data backups are maintained to prevent data loss
- Our website uses SSL/TLS encryption for all data transmission
- Anti-virus and firewall protection is maintained on all clinic systems
Staff Training
All staff members who handle patient data receive training on data protection practices, confidentiality obligations, and the proper handling of sensitive information.
6. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties. Your data may be shared only in the following circumstances:
- With your consent: To your referring doctor, general practitioner, or other healthcare providers involved in your care
- Service providers: With trusted third-party service providers who assist with our clinic operations (e.g., appointment software, payment processors). These providers are contractually obligated to protect your data.
- Legal requirements: Where disclosure is required by law, regulation, or court order
- Safety concerns: Where there is a serious risk to your health or safety, or the health and safety of others
7. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Adult patient clinical records | 7 years from last contact |
| Minor patient clinical records | Until patient turns 25, or 7 years from last contact (whichever is longer) |
| Financial and billing records | 7 years (as required by tax regulations) |
| Marketing consent records | Until consent is withdrawn |
| Website analytics data | 26 months (anonymised) |
At the end of the retention period, records are securely destroyed. Paper records are shredded, and electronic records are permanently deleted.
8. Your Data Rights
You have the following rights regarding your personal data:
- Right of Access: You can request a copy of the personal data we hold about you
- Right to Rectification: You can request correction of inaccurate or incomplete data
- Right to Erasure: You can request deletion of your data where there is no compelling reason for its continued processing (subject to legal retention requirements)
- Right to Restrict Processing: You can request that we limit how we use your data
- Right to Data Portability: You can request your data in a structured, commonly used format to transfer to another provider
- Right to Object: You can object to certain types of processing, including direct marketing
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, please contact us using the details provided below. We will respond to your request within 30 days. Please note that some rights may be subject to legal limitations, particularly where we are required to retain records for regulatory purposes.
9. Data Breaches
In the unlikely event of a data breach that poses a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where applicable
- We will notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- We will take immediate steps to contain the breach and mitigate any potential harm
- We will document all breaches, including those that do not require notification, for internal audit purposes
Data Protection Enquiries
For any questions about how we handle your data, or to exercise your data rights, please contact us.