Processing Personal Data
We are also registered with the Information Commissioner's Office (ico.org.uk).
What personal data may we collect from you?
When we refer to personal data in this policy, we mean information that can, or has the potential to, identify you as an individual.
We may hold and use personal data about you as a customer, a service user, or in any other capacity. To avoid confusion, and for the purposes of this document, everyone who chooses to use the services of Cinnamon Health Ltd will be referred to as a “customer”.
Data collection can occur, for example, when you visit our website, complete a form, access our services, or speak to us. Depending on what services you receive from us, this may include sensitive personal data such as information relating to your health and wellbeing.
What personal data we collect and why we collect it
Personal data we collect from you may include the following:
- Information that you give us when you first enquire, become a customer, or apply for a job or training course with us, including name, address, and contact details (including email address and phone number).
- The name and contact details (including phone number) of your next of kin, or carer, or power of attorney / executive.
- Details of referrals, quotes and other contact and correspondence that we may have had with you.
- Details of services and / or treatment that you have received from us or which has been received from a third party and referred on to us.
- Information obtained from customer surveys.
- Notes and reports about your physical and mental health and any treatment and care you have received and / or need, including about clinic and hospital visits, test results and medicines administered.
- Customer feedback and the treatment outcome information that you provide.
- Information surrounding complaints and incidents.
- Information you give us when you make a payment to us, such as financial or credit card information.
- Exercise videos that are submitted through the client portal for our personal trainers to view.
Personal data we may receive from third parties and other sources
We may receive and collect personal data about you from third parties such as:
- Independent consultants – these consultants, including solicitors, may need to share your personal data and medical records with Cassia Health Ltd.
The use of personal data
Further details on how we use health related personal data are given below. We may use your personal data to:
- Enable us to carry out our obligations to you arising from any contract entered into between you and us, including providing services or treatments to you and related matters such as billing, accounting and audit, credit or other payment card verification and anti-fraud screening.
- Provide you with information, products or services that you request from us.
- Notify you about changes to our products or services.
- Respond to requests where we have a legal or regulatory obligation to do so.
- Check the accuracy of information about you and the quality of your service.
- Support your allied healthcare professional.
- Assess the quality and / or type of care you have received (including giving you the opportunity to complete customer satisfaction surveys) and any concerns or complaints you may raise, so that these can be properly investigated.
- Enable our associates to analyse current form on exercises within the client portal in order to provide feedback and improvement to the customer.
- Conduct and analyse market research.
- Ensure that the content from any of our websites is presented in the most effective manner for you and for your computer.
Security of your personal data
We will protect all personal data we hold about you by ensuring that we have appropriate organisational and technical security measures in place to prevent unauthorised access or unlawful processing of personal data, and to prevent personal data being lost, destroyed or damaged. We conduct assessments to ensure the ongoing security of our information systems.
Any personal data you provide will be held for as long as is necessary having regard to the purpose for which it was collected and in accordance with all applicable UK laws.
How long is your information kept for and how is it stored?
Your information is retained in secure electronic and paper records and access is restricted to only those who need to know. Information will be retained in line with the Records Management Code of Practice for Health and Social Care 2016 retention schedules as follows:
Adult records – Basic health and social care retention period is 7 years after the last appointment.
As part of the services offered to you, for example through our Website, the information you provide to us may be transferred to and stored in countries outside of the European Economic Area (EEA) as we use remote website server hosts to provide the website and some aspects of our service, which may be based outside of the EEA, or use servers based outside of the EEA – this is generally the nature of data stored in “the Cloud”. It may also be processed by staff operating outside the EEA who work for one of our suppliers, e.g. our website server host, or work for us when temporarily outside of the EEA.
We will only use credible IT and information storage hosts with the highest level of security.
The transmission of information via the Internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of data during the transmission of it to our site, and any such transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.
At your request, we may occasionally transfer personal information to you via email, or you may choose to transfer information to us via email. Email is not a secure method of information transmission; if you choose to send or receive such information via email, you do so at your own risk. Where we have gained your permission to email relevant reports, for example to your GP or consultant, we will use a password protected portal in order to send this information.
All information that you provide to us is stored securely. Any payment transactions will be processed securely by third party payment processors.
We may share your personal data with our payment processors, but only for the purpose of completing the relevant payment transaction. Such payment processors are banned from using your personal data, except to provide these necessary payment services to us, and they are required to maintain the confidentiality of your personal data and payment information. Our payment processors are Wordpay.
Disclosure to third parties
In the usual course of our business we may disclose your personal data (to the minimal extent necessary) to certain third-party organisations that we use to support the delivery of our services. This may include the following:
- Business partners, suppliers and sub-contractors for the performance of any contract we enter with you.
- Organisations providing IT systems support and hosting in relation to the IT systems on which your information is stored.
- Third party debt collectors for the purposes of debt collection.
- Delivery companies for the purposes of transportation of goods.
- We may also disclose your personal data to third parties if we sell or buy any business or assets or where we are required by law to do so.
- We may disclose your information to regulatory bodies to enable us to comply with the law and to assist fraud protection and minimise credit risk.
- Where you have consented for us to do so, we may provide your data to selected third parties who may contact you about their goods or services that you may be interested in, such as equipment that you wish to try or buy.
If you do not want us to use your data for those activities listed above, please do let us know by writing to us or sending us an email to:
Disclosure to external practitioners
Your GP: If the practitioners treating you believe it to be clinically advisable, we may also share information about your treatment with your GP. You can ask us not to do this, in which case we will respect that request if we are legally permitted to do so, but you should be aware that it can be potentially dangerous and / or detrimental to your health to deny your GP full information about your medical history, and we strongly advise against it.
Medical regulators: We may be requested, and in some cases can be required, to share certain information (including personal data and sensitive personal data) about you and your care with medical regulators such as the General Medical Council or the Health and Care Professions Council, for example if you make a complaint, or the conduct of a medical professional involved in your treatment is alleged to have fallen below the appropriate standards and the regulator wishes to investigate. We will ensure that we do so within the framework of the law and with due respect for your privacy.
In an emergency and if you are incapacitated, we may also process your personal data (including sensitive personal data) or make personal data available to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).
Accessing and updating your information
The DPA and GDPR give you the right to access information held about you by us. Please write to us or contact us if you wish to request confirmation of what personal information we hold relating to you. We will provide this information within one month of your requesting the data.
You have the right to have the personal data we hold about you corrected if it is factually inaccurate. It is important to understand that this right does not extend to matters of opinion, such as medical diagnoses. If any of your personal data has changed, especially contact information such as email address, postal address and phone number, please get in touch with us at:
Cassia Health Ltd
In order to protect your privacy, we may ask you to prove your identity before we take any steps in response to such a request.
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.