Privacy policy.
Last updated: 30.11.2025
1. Data controller
This website is operated by [PH. HEALTH STUDIOS] (“we”, “us”, “our”).
We are the data controller of personal data collected via this website and in the course of delivering our services.
Contact details:
Registered name: ZSPharm Ltd
Address: The Old Surgery, 5 Tufnell Gardens, Derby, DE22 4DY
Email: hello@phderby.com
2. Scope of this notice
This privacy notice explains how we collect and use personal data when you:
browse or use our website;
submit an enquiry or request via an online form;
use a booking link which redirects you to our clinical platform WriteUpp; or
communicate with us by email, phone or other channels.
This notice sits alongside our professional and clinical confidentiality duties.
3. Categories of data collected
We may process the following categories of personal data:
Identification and contact data – name, date of birth, address, email, telephone number.
Appointment and service data – appointment type, booking details, correspondence and notes relating to your enquiry.
Health data (special category data) – limited clinical information you choose to submit via forms or messages (for example, relevant conditions, medicines or symptoms).
Technical and usage data – IP address, device identifiers, browser type/version, time zone setting, and information about how you interact with our website (including via cookies and similar technologies).
We aim to minimise collection of health data through general website forms. Detailed clinical information is normally collected directly within our secure clinical record system or during consultation.
4. Sources of data
We obtain personal data:
directly from you (e.g. through forms, bookings, emails, calls);
from technical systems we use to operate this website (e.g. analytics tools, security logs); and
where applicable, from other healthcare professionals or services, with your knowledge or where we are legally permitted or required to do so.
5. Booking links and WriteUpp
When you choose to book an appointment online, you may be redirected from our website to WriteUpp, a third-party clinical booking and records platform used to manage appointments and clinical documentation.
On our website, we process only the information necessary to route you to the appropriate booking page or to confirm your request.
Once you land on WriteUpp, data you provide is processed within that platform on our instructions. WriteUpp acts as our data processor for appointment management and clinical records.
We remain responsible for the use of your personal data and have a written data processing agreement in place with WriteUpp.
6. Lawful bases for processing
We process personal data under the UK General Data Protection Regulation and the Data Protection Act 2018 on the following legal bases:
Performance of a contract (Article 6(1)(b) UK GDPR)
To register you as a patient or client.
To arrange, confirm and manage appointments.
To provide healthcare and related services you have requested.
Compliance with legal obligations (Article 6(1)(c))
To maintain accurate medical and business records.
To comply with healthcare, tax, accounting and regulatory requirements.
Legitimate interests (Article 6(1)(f))
To respond to general enquiries.
To manage and improve our website, services, IT security and business operations.
To defend or establish legal claims.
We balance these interests against your rights and expectations and limit data accordingly.
Consent (Article 6(1)(a))
For sending direct marketing communications (e.g. newsletters) by email or SMS, where required.
For the use of non-essential cookies and similar technologies, where required.
You may withdraw consent at any time (see section 13, “Your data protection rights”).
For special category data (health information), we rely on:
Article 9(2)(h) – processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, and the provision of health or social care or treatment; and
Article 9(2)(c) – where necessary to protect your vital interests, in limited emergency situations where you are unable to give consent;
together with the relevant UK Data Protection Act 2018 provisions.
7. Purposes of processing
We use personal data for the following purposes:
to provide healthcare consultations, assessments, prescriptions and follow-up;
to manage bookings, amendments, cancellations and reminders;
to respond to enquiries and communicate with you about our services;
to maintain accurate clinical and business records;
to operate, maintain and secure our website and IT systems;
to comply with professional, legal and regulatory requirements; and
where you have opted in, to send you information about our services or events which may be of interest to you.
We do not sell or rent your personal data to third parties.
8. Sharing of personal data
We may share personal data, where necessary and lawful, with:
WriteUpp – for appointment management and clinical record-keeping, acting as our data processor;
Other healthcare professionals or services – such as your NHS GP or specialist, where this is necessary for your care, with your knowledge or where we are legally required to share;
Service providers – including website hosting, email and SMS services, IT support, analytics and security providers, payment processors and document storage providers, acting as data processors under contract;
Regulators, insurers, professional bodies, law enforcement or courts, where we are legally required or where this is necessary to establish, exercise or defend legal claims, or to address safeguarding concerns or serious risk of harm.
All third parties are required to process personal data securely, only in accordance with our written instructions, and only for the specified purposes.
9. International transfers
Where any service provider or system used by us transfers personal data outside the UK, we will ensure that an adequate level of protection is in place, for example by:
transferring to a country which has been recognised as providing an adequate level of protection; or
entering into UK-approved Standard Contractual Clauses or equivalent legal safeguards.
Details of relevant safeguards can be provided on request.
10. Data retention
We retain personal data only for as long as is necessary for the purposes set out in this notice, including to:
provide care and manage our relationship with you;
comply with legal, regulatory, tax and accounting requirements; and
establish or defend legal claims.
Clinical records are usually retained in line with applicable healthcare record-keeping guidance and statutory limitation periods. Non-clinical enquiry data collected through the website is typically retained for a shorter period and deleted or anonymised when no longer required.
11. Data security
We implement appropriate technical and organisational measures to protect personal data, including:
role-based access controls and authentication;
secure clinical systems and encrypted transmission where appropriate;
regular backups and security monitoring;
staff training on confidentiality and data protection; and
policies and procedures to respond to suspected data breaches.
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will act in accordance with our legal obligations, including notification to you and, where required, the Information Commissioner’s Office (ICO).
12. Cookies and similar technologies
Our website may use cookies and similar technologies to:
enable core site functionality;
remember user preferences; and
collect aggregated statistics on website usage (analytics).
Where required by law, we will present a cookie banner or preference tool when you first visit the site and record your choices. You can adjust your browser settings to refuse cookies; however, some parts of the site may not function correctly if you do so.
Details of specific cookies in use may be set out in a separate cookie notice.
13. Your data protection rights
You have the following rights in relation to your personal data, subject to certain conditions and exemptions in law:
Right of access – to obtain confirmation of whether we process your personal data and a copy of that data.
Right to rectification – to have inaccurate or incomplete data corrected.
Right to erasure – to request deletion of your personal data where there is no lawful basis for us to continue processing it.
Right to restriction of processing – to request that we limit the processing of your data in certain circumstances.
Right to object – to object to processing based on our legitimate interests, and to object at any time to direct marketing.
Right to data portability – to receive certain data in a structured, commonly used, machine-readable format and to request that we transmit it to another controller, where technically feasible.
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn.
To exercise any of these rights, please contact us using the details in section 1. We may need to verify your identity before responding.
14. Complaints
If you have concerns about how we handle your personal data, please contact us first so we can seek to resolve the issue.
You also have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
ICO Helpline: 0303 123 1113
15. Changes to this notice
We may update this privacy notice from time to time to reflect changes in the law, our services or our data processing practices. The updated notice will be published on this page with a new “Last updated” date. We encourage you to review this notice periodically.
Non-legal-advice disclaimer
This notice is intended to explain, in clear terms, how we handle personal data. It is not a substitute for independent legal advice on your specific situation.