Habilitar Limited (collectively referred to as “we”, “us” or “our” in this policy) respects your privacy and is committed to protecting your personal data. We are dedicated to being transparent about what data we collect about you and how we use it.
This policy aims to provide you with information about how we collect and process your data. This includes what personal data we collect, how we use your data, how we ensure your privacy is maintained and your legal rights relating to your personal data.
What personal data do we collect?
Personal data, or personal information, means any information about an individual from which that person can be identified.
We may collect the following information about you:
- Identity Data: title, first name, last name, age/date of birth and gender;
- Contact Data: your contact details, postal address including billing and delivery addresses, telephone numbers and email addresses;
- Financial data: should you engage our services, your payment details;
- Purchases made by you;
- Your web browsing activities on our website;
- Your communication and marketing preferences;
- Your interests, preferences, feedback and survey responses;
- Your correspondence and communication with us;
- Pictures of your home/workspace, sometimes with you in them;
- Your computer’s IP address.
This list is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this policy. Some of the above personal data is collected directly, i.e. volunteered by you when registering for information, and other personal data is collected indirectly, i.e. when you are browsing our website.
We may need to collect special category data about you. This is personal data that requires more protection because it is sensitive. We may use certain sensitive personal data only where you have given your explicit consent to us doing so in order to better serve and meet your needs. The data we will collect will be data concerning your health.
We may collect the following sensitive data about you:
- Medication you are taking;
- Any pain you are experiencing;
- Any past health issues;
- Whether you are pregnant;
- Whether you have a disability;
- Stress levels and causes of stress;
- Your general mental wellbeing;
- Family health history;
- Any treatments you have received;
- Any health complaints you have;
- Any physical/functional difficulties you experience.
Sensitive data will be collected with your explicit consent when filling out questionnaires, using clinical screening tools or during consultations and assessments.
The age to consent to collection of personal data in the UK is 13. Should we need to collect personal data from a child younger than 13, we will obtain consent from their parent or legal guardian. We will not collect any data from children without appropriate consent.
How do we use your data?
We use your personal data for:
- Providing our services to you;
- Providing information to you that you request from us relating to our courses or services;
- Internal record keeping;
- Providing you with access to materials;
- Improving and personalising our services;
- Sending you relevant information updates should you sign up to receive them;
- Processing payments;
- Promotional and Marketing purposes: with your agreement, to contact you via email, phone or mail about relevant promotional offers, products and events which we think may interest you;
- Developing new services;
- Client insight and market research purposes, which helps us to better understand your needs;
- Informing you of any changes to our website, services or goods and products;
- Enabling us to manage all interactions with you;
- Where we have a legal right or duty to disclose your information (for example in relation to an investigation by a public authority or in a legal dispute).
We may use your sensitive data to:
- Obtain a comprehensive assessment of your health;
- Develop exercise programmes and management plans;
- Provide individualised advice;
- Ensure health and safety.
We may use your personal data for electronic marketing purposes and to provide updates on courses and services which are of interest and relevant to you.
You have the right to opt out of receiving personal communications at any time by:
- Clicking the “unsubscribe” link at the bottom of emails
- Contacting us directly via the contact details within this policy
We do not use sensitive data for marketing purposes.
If you visit our website, you may receive personalised advertisements for our products and services whilst using other websites. Any advertisements you will see will relate to products or services you have viewed whilst browsing our website on your computer or other devices or which we believe are of interest to you.
We may process data about your use of our website and services (“usage data”). The usage data may include your IP address, location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing and pattern of your service use. This is used to allow us to process and analyse the use of our website.
Legal basis for using your data
We are required to set out the legal basis for our processing of your personal data.
We collect and use your personal data as it is necessary:
- To pursue our legitimate interests;
- For the purposes of complying with our duties and exercising our rights under a contract for the sale of services to a client;
- To comply with our legal obligations; or
- Where you have consented to the use.
You have the right to withdraw your consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.
We are relying on the condition of explicit consent for the processing of sensitive data.
Our legitimate interests
The usual basis for processing your data is that it is necessary for our legitimate interests which include:
- Selling and supplying services to our clients;
- Promoting, marketing and advertising our courses and services;
- Sending promotional communications which are relevant and tailored to clients;
- Understanding client behaviours, preferences and needs;
- Improving existing services and developing new courses and services;
- Complying with legal and regulatory obligations;
- Preventing crime and fraud;
- Handling client contracts, queries, complaints and disputes (including refunds);
- Managing any claims made by clients (including legal).
Sharing data with Third Parties
Our service providers and suppliers
To make certain services available to you, we may need to share your personal data with some of our service partners. These include payment processing providers such as Stripe and Paypal, on-line survey platforms such as Google Forms, video conferencing platforms such as Zoom and Microsoft Teams, on-line scheduling tools such as Calendly, email marketing platforms such as MailerLite, practice/clinic management systems (which covers on-line scheduling, video conferencing and secure email and data transfer) such as WriteUpp, and patient engagement and telehealth systems such as Physitrack.
We only allow our service providers to handle your personal data when we have confirmed that they apply appropriate data protection and security controls. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may need to share your sensitive data with our client record management system WriteUpp. We have ensured that they use appropriate security measures to protect your data such as encryption and two factor authentication. For more information please contact [email protected]
Your employer may request a Digital Screen Assessment (DSE). This is an assessment of the risks that arise from the way one uses computers, laptops and other display screens at their workstation. The assessment identifies hazards and their likelihood to cause harm and then recommends steps to reduce them to as low as is reasonable.
If a DSE has been requested by and carried out for your employer, I may share your personal data and completed assessment with your employer in the form of a report.
I will obtain your informed consent prior to obtaining this information and for this information to be sent to your employer.
All reports will be sent to a named person in a secure format.
You can request to see the report before it is shared with your employer and can request the correction of any incorrect factual information. No sensitive data will be shared in the report without your prior explicit consent.
Other third parties
Aside from our service providers, we will not disclose your personal data to any other third party, except for those set out below:
- Third party marketing partners such as Google or Facebook (to deliver advertising);
- We store your information on all or some of the following: Mailerlite, Namecheap Private Email, One Drive, Google Drive, Physitrack and WriteUpp;
- Government bodies, regulators, law enforcement agencies, courts/tribunals and insurers, where we are required to do so.
We will never sell or rent your data to other organisations for marketing purposes.
To deliver products and services to you, it may be necessary for us to share your data outside of the United Kingdom (“UK”). This will occur when service providers are located outside the UK. We shall ensure a similar degree of protection is afforded to your data when using these service providers.
How we protect your data
We are committed to keeping your personal data safe and secure. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
The measures we have implemented are:
- Encryption of data;
- Strong passwords;
- Carrying out regular virus and malware checks;
- Limiting access to personal data to those with a business need to know.
Where sensitive data is collected, extra protection measures will be taken, such as:
- The sensitive data will be stored and processed separately;
- Encryption of data;
- Controlled access;
- Securely destroyed when no longer needed.
We will strive to protect your data in all means reasonably required by us to do so. However, no internet site can be 100% secure and so we cannot be held responsible for unauthorised or unintended access that is beyond our control.
We have appropriate measures in place to deal with any personal data breaches and will notify you and any applicable regulator of a breach where we are legally required to do so.
How you can help us protect your data
We will never ask you to confirm any bank account or credit details via email. If you receive an email claiming to be from us asking you to do this, please ignore it and do not respond.
How long do we keep your data?
We will only retain your data for as long as necessary for the purpose we collected it for. The longest we will normally hold any personal data is 8 years after contact with you ceases, 8 years after your 18th birthday or until you reach 25 years of age as required by the Health and Care Professions Council (HCPC) codes of practice. Sensitive data will only be held for as long as is necessary and will be securely destroyed when no longer required.
If you no longer wish for us to hold your information, you can contact us (see rights below). However, please note we have a legal requirement to keep some of your personal data even after you have asked us to delete it to ensure that we can meet our legal or regulatory requirements, resolve disputes, prevent fraud or enforce our contract with you.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Your rights in respect of your data
You have the following rights relating to your personal information:
- To ask for a copy of the personal data that we hold about you and check that we are lawfully processing it (right to access);
- To request that we delete or remove personal data held on you, where we no longer have any legal reason to retain it (right of erasure). Note: we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
- To ask us to update and correct any incomplete or inaccurate personal data that we hold about you (right of rectification);
- To opt out of any marketing communications that we may send to you and to object to using/holding your personal data if we have no legitimate reasons to do so (right to object);
- To ask us to restrict processing of data; this enables you to ask us to suspend the processing of your personal data (only in certain circumstances);
- To ask us to supply you or a third party with some of the personal data we hold about you in a machine-readable format (right to data portability/transfer);
- To withdraw consent at any time where we are relying on consent to process your personal data. If you withdraw your consent, we may not be able to provide services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the above rights, please contact us using the contact details below.
You will not have to pay a fee to exercise any of the rights above. We may need to request specific information from you to help us confirm your identity; this is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
We try to respond to all requests within one month. This may be longer if the request is complex; we will notify you if this is the case.
Exercising your rights
61 Bridge Street
Email address: [email protected]
You have the right to lodge a complaint at any time with the Information Commissioner’s Office (ICO). You can find further information, including contact details at https://ico.org.uk
This policy was last updated on 13th July 2021. We may update this policy from time to time so please check this page occasionally to ensure you are happy with any changes to this policy.