Kelsall Surgical Centre

Privacy Notice & Cookie Policy

1.   WHO WE ARE AND IMPORTANT INFORMATION 

Registered address: Kelsall Surgical Centre, Church Street, Kelsall, CW6 0QG

Data controller:

Cheshiremedica Ltd is the controller and responsible for your personal data ("we", "us" or "our") in this privacy notice.

• If you have general questions about your information, want to see or update your records, or have any everyday concerns about how we use your data, please contact our Practice Manager at info@kelsallsurgicalcentre.co.uk or call 01829 863719.

• If you need to report a serious issue like a data breach, want to discuss legal or privacy compliance matters, or have a significant complaint about how your information is handled, please contact our Data Protection Officer at info@kelsallsurgicalcentre.co.uk or call 01829 863719.

What is the purpose of this privacy notice?

This privacy notice explains how we collect, use, retain and share personal data when you use our website, book appointments, receive healthcare services or otherwise interact with Kelsall Surgical Centre. It applies to all patients, website visitors, referrers and other contacts. The website is not intended for children below 16 years; we do not knowingly collect data about children under 16.

You must read this privacy notice together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

Third-party links outside of our control

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.

When you leave our website, we encourage you to read the privacy notice of every website you visit.

2.   THE PERSONAL DATA WE COLLECT ABOUT YOU

Personal data, or personal information, means any information about an individual from which that person can be identified. You can find out more about personal data from the Information Commissioners Office.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:

·           Identity Data includes first name, last name, title, date of birth, gender, job title, profession, business name, company name.

·           Contact Data includes postal address, email address, telephone numbers.

·           Special Category Data including health information, medical notes and treatment details.

·           Technical Data includes IP address (anonymised where possible), web browser type and version, operating system and URL if used a referring site and activity on this third party site.

·           Payment Data transaction details processed by Square; we do not store full card numbers.

·           Other data: marketing preferences and consent records.

If you fail to provide personal data

Where we need to collect your personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

3.   HOW WE COLLECT YOUR PERSONAL DATA

We use different methods to collect data from and about you from: website booking forms; direct contact by phone, post or email; referrals from other clinicians; third-party providers (where applicable); and analytics tools that run only after consent.

4.   HOW WE USE YOUR PERSONAL DATA

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

·         Performance of Contract this means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

 ·         Legitimate Interest this means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting the practice manager. Our contact details are Kelsall Surgical Centre, Church Street, Kelsall, CW6 0QG, info@kelsallsurgicalcentre.co.uk,  01829863719.

 ·         Comply with a legal or regulatory obligation this means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to. This includes articles 6(1)(b) and Art. 9(2)(h) for providing healthcare appointments, services and processing of health data.

We do not use automated decision-making or profiling that could have a significant effect on you. If this changes in future, you will be informed prior to any use and provided with the necessary rights to request human intervention or contest a decision.

Generally we rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us. Our contact details are Kelsall Surgical Centre, Church Street, Kelsall, CW6 0QG, info@kelsallsurgicalcentre.co.uk,  01829863719.

Purposes for which we will use your personal data

We have set out below, a description of all the ways we plan to use your personal data, with the legal bases we rely on to do so.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below. Our contact details are Kelsall Surgical Centre, Church Street, Kelsall, CW6 0QG, info@kelsallsurgicalcentre.co.uk,  01829863719.

Personalising and tailoring your experience on this site, supplying our products/services to you, replying to emails from you, supplying you with emails that you have opted into, market research, analysis of your use of this website and gathering feedback to improve this website and your experience. To do this identity and contact information are collected and the Lawful basis for processing including basis of legitimate interest include performance of a contract with you.

In some cases, we process personal data under the lawful basis of ‘legitimate interests’ as recognised by current UK legislation. This includes processing for service evaluation, communications essential to your care, or fraud prevention. These interests are balanced carefully against your privacy rights. You have the right to object to processing on this basis.

In addition to direct care, your health data may be used for approved medical research or to plan healthcare services, always subject to strict ethical and statutory safeguards. Data for these purposes is anonymised wherever possible and relevant governance is in place. You will be informed and may opt out of non-essential data uses in line with statutory rights.

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. With your permission. we might need to contact you for marketing purposes which may include contacting you by email/telephone/SMS text message or via post with information about our products/services.

We have established the following personal data control mechanisms:

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and, in each case, you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any company outside the COMPANY group of companies for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time. Our contact details are Kelsall Surgical Centre, Church Street, Kelsall, CW6 0QG, info@kelsallsurgicalcentre.co.uk,  01829863719.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, service experience or other transactions.

Cookies

We use essential cookies for website functionality. For analytics or marketing cookies, your consent is obtained prior to the collection of any personal data. Analytics data is retained in anonymised form for no more than 12 months, in accordance with the Data (Use and Access) Act 2025. For more details, see our Cookie Policy in section 10.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact Kelsall Surgical Centre, Church Street, Kelsall, CW6 0QG, info@kelsallsurgicalcentre.co.uk,  01829863719.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

5.   WHO WE SHARE YOUR PERSONAL DATA WITH

We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4 above.

·            Healthcare providers or referrers such as your GP, Optometrist or pharmacy based in the UK.

·            We use WriteUpp (UK-based medical practice management platform) for patient records, appointments, and secure communication as a data processor.

·            We use Square as our payment provider. Square acts as an independent data controller for payment card data. We do not process or store full card details. Square only receives transaction-related information (amount, name, payment method). They do not receive any medical or appointment notes and they are an independent data controller. We never sell your data. We never share medical notes with Square.

·            We use Google Analytics to monitor website usage analytics as an independent data controller. Google Analytics may transfer anonymised data outside the UK/EU using approved safeguards (UK Data Bridge / EU–US Data Privacy Framework). We never sell your data. We never share medical notes with Google Analytics.

·            We may need to allow external third parties access to some or all of your data to supply products or services on your behalf, which might include marketing, advertising, search engine facilities, delivery of goods and payment processing. Where your data is required in such circumstances, we will take reasonable steps to ensure that your data will be handled safely, securely and in accordance with your rights, our obligations and the obligations of the third party.

·            Private healthcare insurance providers based in the United Kingdom, who require reporting of processing activities in certain circumstances.

·            We might be legally required to share certain data held by us, which may include your personal data, for example, where we are involved in legal proceedings, where we are complying with legal obligations, a court order or a governmental authority.

·         Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We have Data Processing Agreements in place with all third-party processors.

6.   INTERNATIONAL TRANSFERS

Where personal data is transferred outside the UK/EEA (for example to cloud or analytics providers), we rely on appropriate safeguards such as the UK–US Data Privacy Framework, Standard Contractual Clauses (SCCs) with UK addenda, or other recognised transfer mechanisms. Details are available on request.

7.   DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Steps we have taken to secure and protect your data include: using verified suppliers and secure SSL connections.

8.   DATA RETENTION

We review our privacy notice annually and whenever significant changes occur in data protection law or in our data practices. You will be notified on our website and, where possible, by email of any substantive changes before they take effect.

We retain personal data only as long as necessary for the purpose and in line with legal, clinical and business needs:

• Adult clinical records: 8 years from last treatment.

• Appointment and booking records: 6 years for business/tax and clinical audit purposes unless clinical need requires longer retention.

• Financial records and tax documents: 6 years (as required for HMRC).

• Marketing consents and preference records: retained while consent is active and for up to 1 year after withdrawal for audit purposes.

• Website analytics data: retention limited and/or aggregated/anonymised; default retention set in analytics configuration (typically up to 26 months or as configured).

• Data processing agreements, contracts and supplier documentation: retained for the life of the contract + 6 years.

If you request erasure, we will apply retention rules and legal exemptions; in some cases we must retain records to meet legal or clinical obligations.

9.   YOUR LEGAL RIGHTS

Unless subject to an exemption under the data protection laws, you have the following rights with respect to your personal data:

·           The right to request a copy of the personal data which we hold about you;

 ·           The right to request that we correct any personal data if it is found to be inaccurate or out of date;

 ·           The right to request your personal data is erased where it is no longer necessary to retain such data;

 ·           The right to withdraw your consent to the processing at any time, where consent was the lawful basis for processing your data;

 ·           The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), where applicable i.e. Where our processing is based on consent or is necessary for the performance of our contract with you or where we process your data by automated means);

 ·           The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;

 ·           The right to object to our processing of personal data, where applicable i.e. Where processing is based on our legitimate interests (or in performance of a task in the public interest/exercise of official authority); direct marketing or processing for the purposes of scientific/historical research and statistics).

If you wish to exercise any of the rights set out above, please contact the practice manager: Kelsall Surgical Centre, Church Street, Kelsall, CW6 0QG, info@kelsallsurgicalcentre.co.uk,  01829863719.

 No fee required – with some exceptions

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable admin fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

10. INFORMATION ABOUT OUR USE OF COOKIES

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.

We use the following cookies:

·         Strictly necessary cookies.                                                                           

These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.

·         Analytical/performance cookies.                                                                 

They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

·         Functionality cookies.                                                                                 

These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

·         Targeting cookies.                                                                              

These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

We do not place any first party Cookies on your computer or device and third party Cookies from Google Analytics may be placed on your computer or device. We provide a Cookie Consent banner, so that analytics Cookies only load after consent. Google Analytics is a tool used to collect and analyse anonymous information about the usage of our website to better understand how it is being used. IP anonymisation is enabled so that your IP address is truncated before being stored by Google. This enables us to improve the website, products and services offered through it and your user experience.

See end of page for the Cookies we use.

We use these third party Cookies to:

·         Estimate our audience size and usage pattern.

·         Store information about your preferences, and so allow us to customise our site and to provide you with offers that are targeted to your individual interests

·         Speed up your searches.

·         Recognise you when you return to our site.

·         Allow you to use our site in a way that makes your browsing experience more convenient, for example, by allowing you to store items in an electronic shopping basket between visits. If you register with us or complete our online forms, we will use cookies to remember your details during your current visit, and any future visits provided the cookie was not deleted in the interim.

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use Cookies, over which we have no control and we cannot accept any liability for the third party’s compliance with its legal obligations. These cookies are likely to be analytical/performance cookies or targeting cookies: Google Analytics.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

11. Changes to this notice and your duty to inform us of changes

This version was last updated on 04/11/2025 and historic versions can be obtained by contacting us.

Please keep us informed if your personal data changes during your relationship with us. It is important that the personal data we hold about you is accurate and current.

12. Data protection Queries, requests, complaints or concerns

If you believe your personal data has not been handled in accordance with our privacy notice or UK data protection laws, you may make a complaint directly to our Data Protection Officer at info@kelsallsurgicalcentre.co.uk or by calling 01829 863719. We have a dedicated complaints process to investigate your concerns and will respond within 30 days.

If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England, UK or via www.ico.org.uk.

13. Accessibility of Information

Our privacy notice is available in alternative formats, including large print and audio, to ensure accessibility for all users. Please contact our primary data contact to request information in your preferred format.