Privacy Policy

Last Updated: December 12, 2025

Introduction

Alaw Therapies ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our booking services.

Information We Collect

Personal Information

We collect personal information that you voluntarily provide when booking an appointment:

  • Contact Information: Name, email address, phone number
  • Medical History: Current medications, medical conditions, previous treatments (encrypted and securely stored)
  • Booking Information: Appointment dates, service preferences, special requests
  • Payment Information: Processed securely through Stripe (we do not store your full card details)

Automatically Collected Information

  • IP address and browser type
  • Device information and operating system
  • Pages visited and time spent on site
  • Referring website addresses

How We Use Your Information

We use your information to:

  • Process and manage your appointments
  • Send booking confirmations and appointment reminders
  • Process payments securely
  • Maintain medical records for continuity of care (7-year retention as required by law)
  • Sync appointments with Google Calendar (with your authorization)
  • Send marketing communications (only with your explicit consent)
  • Improve our website and services
  • Comply with legal obligations

Legal Basis for Processing (GDPR)

Under UK GDPR, we process your data based on:

  • Contract: To fulfill our booking service agreement with you
  • Consent: For marketing communications and optional data processing
  • Legal Obligation: To retain medical records for 7 years as required by UK law
  • Legitimate Interest: To improve our services and prevent fraud

Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: All medical history data is encrypted at rest using Laravel's encryption
  • Secure Transmission: HTTPS/TLS encryption for all data in transit
  • Access Controls: Role-based access with strong authentication
  • Payment Security: PCI-DSS compliant payment processing via Stripe
  • Regular Backups: Encrypted database backups with secure storage

Third-Party Services

We use the following trusted third-party services:

  • Stripe: Payment processing (Privacy Policy)
  • Google Calendar: Appointment synchronization, with your authorization (Privacy Policy)
  • Email Service Provider: Transactional emails (Mailgun/SendGrid/SES)
  • Twilio: Optional SMS appointment reminders (Privacy Policy)

Your Rights (UK GDPR)

You have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Opt out of marketing communications or processing based on legitimate interest
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us using the details below.

Data Retention

  • Medical Records: 7 years from last appointment (UK legal requirement)
  • Booking History: 7 years for accounting and legal purposes
  • Consent Logs: Retained indefinitely as proof of consent
  • Marketing Consent: Until you withdraw consent

Cookies

We use essential cookies to maintain your session and remember your preferences. We do not use tracking or advertising cookies. By using our website, you consent to our use of essential cookies.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

For material changes that affect how we use your personal data, we will:

  • Notify you via email at least 30 days before the changes take effect
  • Display a prominent notice on our website
  • Update the "Last Updated" date at the top of this page

For minor changes (such as clarifications or formatting), we will update this page and the "Last Updated" date. We encourage you to review this Privacy Policy periodically.

Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

Alaw Therapies

Machynlleth, Wales

Email: meg@alaw-therapies.wales

ICO Registration: [To be added if applicable]