Privacy Policy for Shift Wellness
Last Updated: March 2026
1. Introduction
Shift Wellness ("we," "us," or "our") provides advanced regenerative treatments, including Platelet-Rich Plasma (PRP) and Stem Cell therapy. We are committed to protecting your privacy. This policy explains how we process your personal data in compliance with the UK GDPR, the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), and the EU GDPR.
2. Data We Collect and Why
We collect information to provide medical consultations, manage bookings, and improve our website.
A. Appointment & Clinical Data (Via Acuity Scheduling)
When you book an appointment, we collect:
- Identity & Contact: Name, email address, telephone number, and home address.
- Appointment Details: The type of treatment requested (PRP/Stem Cell) and the date/time.
- Health Data: Any medical history or symptoms provided during the booking process.
- Lawful Basis: Contract (to manage your booking) and Healthcare Provision (Article 9(2)(h) GDPR) for processing health-related information.
B. Website Analytics
We use two types of analytics to understand how visitors use our site:
- Matomo Analytics: We use Matomo for privacy-first, cookieless tracking. This data is hosted on [our own servers / Matomo’s EU Cloud] and is used purely for statistical purposes to improve our service.
- Google Analytics (GA4): We use Google Analytics to track site performance. This involves cookies.
- Lawful Basis: Legitimate Interests (for anonymised Matomo tracking under 2025 UK reforms) and Consent (for Google Analytics cookies).
3. Third-Party Service Providers
We share your data with trusted partners who help us run our clinic:
- Acuity Scheduling (Squarespace): Our booking engine. They store your contact and appointment data. They are GDPR compliant and use standard contractual clauses for data processed outside the UK/EEA.
- Analytics Providers: Google (USA) and Matomo (EU/UK).
4. Special Category (Health) Data
As a wellness clinic, we handle sensitive health data. We apply enhanced security measures to this data, including encryption and restricted access. We do not sell or share your health data with third-party marketers.
5. International Data Transfers
Since we use Acuity Scheduling and Google Analytics, some data may be transferred to the United States. We ensure these transfers are protected by:
- UK-US Data Bridge and EU-US Data Privacy Framework certifications.
- Standard Contractual Clauses (SCCs) to ensure your data receives a level of protection equivalent to that which it receives in the UK/EU.
6. Your Rights
Under the UK and EU GDPR, you have the following rights:
- Access: Request a copy of the data we hold about you (Subject Access Request).
- Rectification: Ask us to correct inaccurate information.
- Erasure: Ask us to delete your data (subject to medical record retention laws).
- Withdraw Consent: If you opted into marketing or non-essential cookies, you can opt out at any time via our Cookie Settings.
7. Data Retention
- Administrative Data: Kept for as long as you are an active client plus 6 years for tax/legal purposes.
- Medical Records: As a provider of PRP and Stem Cell treatments, we are required by UK law to retain clinical records for a minimum period (typically 8–10 years depending on the specific treatment type).
8. Cookie Management
Under the UK Data Act 2025, we may deploy "low-risk" analytics cookies (like Matomo) without a pop-up, provided they are for site improvement and do not identify you personally. For all other tracking (Google Analytics), we will ask for your consent via our cookie banner.
9. Contact Us
For any privacy-related queries, please contact:
Data Privacy Lead: Amanda Bradshaw
Email: hello@shiftwellness.co.uk