Who we are
Find a Physio is operated by HL London Ltd (“we”, “us”). We act as the data controller for the personal data you share with us when you create an account, book an appointment, or contact a practitioner through the platform.
You can reach us at privacy@findaphysio.uk.
What we are not
We are not a healthcare provider. We do not deliver treatment, hold clinical records, or process health data within the meaning of UK GDPR Article 9. Any clinical notes, assessments or treatment outcomes remain with the individual practitioner you book, who is the data controller for that information.
Because of this, we never ask for and never store medical history, diagnoses, treatment notes, prescriptions or any other special-category health data.
What we collect
- Account details: full name, email address, phone number (optional), postcode (optional), password (hashed by Supabase Auth — we never see it).
- Booking details: practitioner, service, requested time, your card-authorisation reference (held by Stripe — we store only an identifier), and any preferred-times note you write.
- Reviews you choose to publish, with your chosen display name.
- Search logs: the queries and filters you run, used to improve coverage. Stored against your account if signed in, otherwise as anonymous rows.
- Cookies: a small set of session and consent cookies. See our cookie policy for the full list.
- Server logs: standard request metadata (IP, user agent, time, path) retained for up to 30 days for abuse prevention.
Why we collect it
- To create and secure your account, and to authenticate you on each visit (contractual necessity).
- To process bookings and pass essential details to the practitioner you choose, and to settle payments via Stripe (contractual necessity).
- To detect and prevent fraud, abuse and spam (legitimate interest).
- To send you booking confirmations, password resets, and important service notices (contractual necessity).
- To send you optional product updates, only if you opt in (consent).
- To analyse aggregate site usage anonymously where Plausible analytics is enabled (legitimate interest; no cookies are set, no personal data is collected).
Who we share it with
- The practitioner you book with — name, email, phone, your preferred-times note, and the booked service.
- Stripe (Stripe Payments UK Ltd) — payment authorisation and capture. We pass your email and the order amount; they hold the card data.
- Supabase (Supabase Inc., EU region hosting) — managed Postgres + auth + object storage that powers the site.
- Google Maps — server-side geocoding when you save a postcode or a practitioner sets a location.
- Sentry — error reporting, with PII scrubbed.
We do not sell your data. We do not run targeted advertising. We do not transfer data outside the UK / EEA without an Article 46 transfer mechanism in place.
How long we keep it
- Account data: until you delete your account, plus 30 days for backup expiry.
- Bookings and payment records: 6 years from the date of the booking, to satisfy HMRC record-keeping requirements.
- Reviews: indefinitely, but anonymised the moment you delete your account.
- Search logs: 90 days, then aggregated and the originals discarded.
- Server logs: 30 days.
Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you,
- have it corrected if it's wrong,
- have it deleted (with limited exceptions for the retention periods above),
- port it to another service,
- object to processing based on our legitimate interests, and
- withdraw any consent you've given at any time.
Most of these are self-service: settings live at /dashboard/settings. To make a Subject Access Request, email privacy@findaphysio.uk from the address on your account and we'll respond within 30 days.
You also have the right to complain to the Information Commissioner's Office (ICO). We'd appreciate the chance to fix any concern first.
Children
Find a Physio is intended for adults aged 18 and over. We do not knowingly process the personal data of under-18s. If you are a parent or guardian and believe your child has signed up, contact us and we'll delete the account.
Changes to this policy
When we make material changes we'll bump the “Last updated” date and, where the change affects how we use existing data, email registered users in advance.