1. Introduction
Midland Medical Group (“we”, “us”, or “our”) is committed to protecting and respecting your privacy. This policy explains how we collect, use, and protect your personal and medical data when you use our website or visit our clinic. As a provider of medical services, we process “Special Category Data” (health information). We handle this data with the highest level of confidentiality and in accordance with UK health sector standards.
2. Data Controller Information
Midland Medical Group is the data controller responsible for your personal data.
- Clinic Address: Osteopathic & Sports Injury Clinic, 312A Charter Ave, Coventry CV4 8DA, United Kingdom.
- Email: info@midlandmed.co.uk
3. Information We Collect
We collect and process data through the following interactions:
- Website Booking & Enquiries: We collect your name and email address via our WordPress contact forms and the Amelia booking system to manage your appointments.
- Payment Information: Payments are processed securely via Stripe. We do not store your credit/debit card details on our servers; they are handled directly by Stripe in compliance with PCI-DSS standards.
- Medical Forms: For specific services (e.g., Visa Medicals, Fit to Fly), you may input data into digital forms. These forms are sent directly via email to the examining doctor and are not stored on the website database; only the doctor’s secure email retains a copy.
- In-Clinic Data: Detailed medical history, physical examination results, and clinical notes are collected at the doctor’s surgery. This data is protected under strict doctor-patient confidentiality and is held securely away from the website.
4. Lawful Basis for Processing
Under the UK GDPR, we rely on the following legal bases:
- Contractual Necessity: We need your name, email, and payment to fulfill your booking.
- Provision of Health or Social Care: For medical data, we process information under Article 9(2)(h) of the UK GDPR, relating to the provision of health or social care or treatment.
- Consent: For the use of cookies and marketing pixels.
5. How We Use Your Data
- To schedule and manage your medical appointments.
- To process payments for services booked.
- To provide accurate medical reports for visas, employment, or travel.
- To improve our website usability and reach new customers via Google Ads and social media pixels.
6. Data Sharing and Third Parties
We do not sell your data to third parties. We only share data when necessary for your care:
- Medical Professionals: Data is shared with the specific GMC-registered doctor performing your assessment.
- Laboratories: If you require blood tests, your data is shared with our partner clinical laboratories. This is discussed with you in person during your appointment.
- Payment Processors: Transaction data is shared with Stripe to facilitate payments.
7. Cookies and Tracking
We use cookies, Google Ads, and social media pixels to enhance your experience and optimize our marketing. These tools collect anonymized data about how you interact with our site to improve usability. You can manage your cookie preferences through your browser settings.
8. Data Retention
In accordance with UK medical record standards, we retain clinical records for a standard period of 10 years. Booking and payment history are retained as required for tax and administrative purposes.
9. Your Rights
You have the following rights regarding your data:
- Access: You can request a copy of the data we hold about you.
- Correction: You can ask us to correct inaccurate information.
- Deletion: You may request the deletion of your data. Please note that medical records must be retained for the legal minimum period (10 years) and cannot be deleted immediately if they are required for medical-legal reasons.
To exercise any of these rights, please contact us at info@midlandmed.co.uk.
10. Security
We employ robust technical and organizational measures to protect your data. Clinical data is stored on secure, encrypted systems away from the website. Medical forms are handled with industry-standard protocols to prevent unauthorized access.
11. Complaints
If you have concerns about how we handle your data, please contact us directly. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection.