Skip to content
Book NOW

Privacy & Cookie Policy.

Book Your Session
Get £20 off your first session

PRIVACY & COOKIES POLICY

Last Updated: October 2025

This Privacy & Cookies Policy (“Policy”) sets out the basis upon which Jack Lewington trading as Kinetix Rehabilitation (“we”, “us”, “our”, or “the Practice”) processes personal data in the course of providing mobile sports-rehabilitation and massage-therapy services within Berkshire and Oxfordshire and through the website www.kinetixrehab.co.uk (“Website”).

The Practice is registered with and regulated by the British Association of Sport Rehabilitators and Trainers (BASRaT) and holds appropriate professional indemnity and public-liability insurance.

We act as Data Controller for the purposes of the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Definitions

For the purposes of this Policy—

  • “Client” means any individual who receives or enquires about our services.

  • “Personal Data” means any information relating to an identified or identifiable individual.

  • “Processing” has the meaning given in Article 4(2) UK GDPR.

  • “Special Category Data” means health-related information collected for rehabilitation or treatment purposes.

  • “Services” means any therapy, assessment, consultation, or digital-rehabilitation plan provided by us in person, online, or through any associated platform.

2. Lawful Basis for Processing

We process personal data under the following lawful bases:

  1. Contractual necessity – to provide and administer booked sessions or digital-rehabilitation programmes.

  2. Legitimate interests – to maintain business records, manage appointments, improve client experience, and ensure safety.

  3. Consent – where clients opt in to receive marketing or newsletter communications via Mailchimp.

  4. Legal obligation – to meet statutory and professional-body (BASRaT) record-keeping requirements.

  5. Vital interests – where processing is necessary to protect a client’s life or health in an emergency.

3. Categories of Data Collected

We may collect, store, and process the following categories of data:

  • Identity data: full name, date of birth, gender.

  • Contact data: email address, telephone number, residential address, emergency contact.

  • Health data: injury history, medical background, treatment records, rehabilitation notes, and any information disclosed for clinical purposes.

  • Financial data: payment records relating to Amelia Booking, Rehab Guru, PayPal, Stripe (if enabled), and invoice transactions.

  • Technical data: IP address, browser type, operating system, referring URLs, device identifiers.

  • Usage data: information about how you use our Website and Services.

  • Marketing and communications data: preferences in receiving marketing and newsletter information.

4. Sources of Personal Data

We obtain personal data directly from:

  • Clients and prospective clients through online forms, emails, telephone calls, and in-person sessions.

  • Bookings made through the Amelia Booking System embedded on the Website.

  • Digital rehabilitation plans and booking delivered through Rehab Guru.

  • Newsletter subscriptions and email opt-ins managed through Mailchimp.

  • Analytics and website interaction data collected via Google Analytics, RankMath SEO Pro, and other performance tools.

5. Purpose of Processing

We process data to:

  1. Schedule and confirm appointments, deliver treatment, and issue invoices.

  2. Communicate about appointments, rehabilitation plans, and follow-up care.

  3. Maintain accurate clinical records for BASRaT and insurance compliance.

  4. Provide digital rehabilitation programmes through Rehab Guru.

  5. Administer online payments and bookings via Amelia Booking and integrated gateways.

  6. Send marketing communications (where opt-in consent is given).

  7. Analyse Website usage for service improvement and performance monitoring.

  8. Comply with legal and regulatory obligations.

6. Retention of Data

We retain:

  • Client and treatment records for a minimum of seven (7) years following the last treatment session in accordance with BASRaT and insurer requirements.

  • Financial and accounting records for six (6) years after the end of the relevant tax year.

  • Marketing data until you withdraw consent or unsubscribe.

  • Website analytics data in an anonymised format for statistical purposes only.

7. Security and Storage

We implement appropriate technical and organisational security measures, including:

  • Encryption and password protection on all devices and cloud accounts.

  • Secure servers for Amelia Booking, Mailchimp, Rehab Guru, and CookieYes.

  • Limited access to authorised personnel only.

  • Regular data back-ups and anti-malware controls.

  • Secure disposal of paper records by shredding or certified confidential waste services.

8. Third-Party Processors

We utilise trusted third-party processors that comply with UK GDPR.
These include, without limitation:

  • Amelia Booking System – appointment management and payment processing.

  • Rehab Guru – digital rehabilitation plan delivery.

  • Mailchimp – newsletter and email marketing software.

  • CookieYes – cookie consent and cookie-policy management.

  • Google Analytics and RankMath SEO Pro – Website analytics and performance tracking.

  • LiteSpeed Cache – website optimisation and caching.

  • Google Maps API – location services display.

  • Trust Index – review widget display and verification.

Each third-party provider has its own privacy policy available on its official website.

9. International Transfers

Some third-party providers (e.g. Mailchimp and Google) may transfer data outside the United Kingdom.
Such transfers are made under approved mechanisms including UK International Data Transfer Agreements (IDTAs) or the EU-US Data Privacy Framework, ensuring an adequate level of protection.

10. Disclosure of Personal Data

We may disclose personal data only where necessary to:

  • Professional advisers (including accountants and insurers) bound by confidentiality.

  • Emergency medical personnel where vital interests are concerned.

  • HM Revenue & Customs and other regulators as legally required.

  • Our professional body (BASRaT) in the event of an audit or complaint.

We do not sell or rent personal data to any third party.

11. Cookies

11.1 Use of Cookies

This Website uses cookies to enhance functionality, analyse traffic, and improve user experience. Cookies are small text files placed on your device when you visit the Website.

Cookies used include:

CategoryExamplesPurpose
NecessaryAmelia Booking, LiteSpeed CacheTo enable core website and booking functions.
FunctionalMailchimp form, Google Maps API, Trust Index widgetTo deliver embedded services and contact functionality.
AnalyticsGoogle Analytics (_ga, ga*) and RankMath trackingTo collect aggregated statistics on page visits and traffic sources.
PreferenceCookieYes consent cookie (ccky-consent)To store your consent choices.

Analytics and functional cookies that are not strictly necessary are disabled by default and only activated once you consent via the CookieYes banner.

11.2 Managing Cookies

You may control cookies by:

  • Selecting your preferences in the on-screen CookieYes banner;

  • Adjusting browser settings to refuse or delete cookies; or

  • Using browser plug-ins for privacy management.

Refusing cookies may limit certain website functionality.

11.3 Third-Party Cookies

Some cookies originate from third-party domains (Google, Mailchimp, Trust Index). Such providers have independent privacy policies governing their data use.

12. Data Subject Rights

Under the UK GDPR you have the following rights:

  1. Right of Access – to obtain a copy of your personal data.

  2. Right to Rectification – to correct inaccurate or incomplete data.

  3. Right to Erasure – to request deletion of data, subject to professional and legal retention duties.

  4. Right to Restrict Processing – to limit how data is used.

  5. Right to Data Portability – to request transfer of data to another provider.

  6. Right to Object – to object to processing for marketing or legitimate-interest purposes.

  7. Right to Withdraw Consent – where processing relies on consent.

Requests may be made by email to jack@kinetixrehab.co.uk.
We will respond within one calendar month unless an extension is justified under the legislation.

13. Direct Marketing

Marketing communications are sent only with explicit opt-in consent.
Each Mailchimp email contains an unsubscribe link and preference-management options.
We maintain an internal suppression list to ensure no further contact after opt-out.

14. Children’s Data

Services are intended for individuals aged 16 and above.
Where treatment involves minors (16 and under), data shall be collected and processed only with the explicit consent of a parent or legal guardian.

15. Data Retention and Destruction

All retention periods are reviewed annually.
Upon expiry, digital data are permanently deleted from electronic systems and paper files are securely shredded or disposed of via a certified confidential-waste provider.

16. Data Breaches

Any suspected personal-data breach will be recorded in a breach log and, where required, reported to the Information Commissioner’s Office (ICO) within 72 hours and, if high risk, to affected individuals without undue delay.

17. Social Media and External Links

The Website may contain links to social-media platforms or third-party websites.
Interaction on such platforms is governed by the respective operators’ privacy terms.
We advise users to exercise caution before clicking external links; we accept no liability for the content or practices of third-party sites.

18. Online and Card Payments

Payments may be processed via:

  • Amelia Booking integrated gateways (e.g. Stripe / PayPal);

  • Rehab Guru payment portals;

  • Direct invoice or in-person POS transactions.

All card payments are encrypted through secure third-party systems compliant with the Payment Card Industry Data Security Standard (PCI-DSS).
We do not store or have direct access to your full payment-card details.

19. Professional Regulation and Insurance

The Practice is registered with BASRaT (British Association of Sport Rehabilitators and Trainers).
All clinical activities are carried out under BASRaT’s professional standards and within the scope of practice of a Sports Rehabilitator.
The Practice maintains full professional indemnity and public-liability insurance.

20. Legal Compliance

Processing is carried out in accordance with:

  • United Kingdom General Data Protection Regulation (UK GDPR);

  • Data Protection Act 2018;

  • Privacy and Electronic Communications Regulations (PECR) 2003 as amended;

  • BASRaT professional guidelines and insurer requirements.

21. Changes to This Policy

We reserve the right to update this Policy at any time.
The most current version will always be available at www.kinetixrehab.co.uk/privacy-cookies-policy.
Significant changes will be notified on the Website banner.

22. Contact Information

All enquiries, requests or complaints relating to data protection should be directed to:

Jack Lewington trading as Kinetix Rehabilitation
Registered trading location: Berkshire & Oxfordshire (mobile services)
jack@kinetixrehab.co.uk

If you remain dissatisfied after contacting us, you may lodge a complaint with the Information Commissioner’s Office (ICO):
Website: www.ico.org.uk | Tel: 0303 123 1113 | Address: Wycliffe House, Water Lane, Wilmslow SK9 5AF.

Need Advice First?

Contact for a free online consultation...

Contact