
Privacy policy



The following addresses the expectations on Appletree Clinic (the ‘Data Controller’) as a private medical business which controls personally identifiable data.

Appletree Clinic has registered with the ICO - the Information Commissioner's Office. The ICO is the UK's independent body set up to uphold information rights.

Data held
Appletree Clinic collects data as part of initial registration and subsequent consultations, and uses them to facilitate operation of the clinic for the benefit of patients. These personally identifiable data include:
• Name
• Address
• Telephone Number
• Email
• Date of birth
• NI number
• Next of kin name and contact details
Note: if registering on behalf of a child, Appletree Clinic will request a parent’s or guardian’s contact details.

How Appletree Clinic uses your data
• To support clinical diagnosis and the formation of treatment plans
• To liaise with your GP and other medical professionals
• To send you news about the clinic – business communication.

Appletree Clinic will not give, sell or otherwise share your data with third parties other than those mentioned below.

Third parties and data sharing

Appletree Clinic uses the private company PracticePal to provide an online appointment booking and medical records system. PracticePal holds your data in a database dedicated to Appletree Clinic to fulfil these functions. PracticePal deploys the latest SSL and TLS encryption to support data security. The passwords are fully encrypted in transit and at rest with salt encryption.
The data held are those listed above that you input as part of your initial registration (or may have been input on your behalf by Appletree Clinic).
The PracticePal terms and conditions of service can be found here. https://www.practicepal.co.uk/terms-and-conditions/

Stripe payment system.
Appletree Clinic uses this US/Irish international payment and e-commerce company to process payments as part of a software as a service agreement. Stripe processes payments made by debit/credit cards on behalf of Appletree Clinic. This payment function is integrated within the PracticePal system but neither PracticePal nor Appletree Clinic has access to full debit/credit card details.
The Stripe privacy policy can be found here. https://stripe.com/en-gb/privacy-center/legal

Under the UK-GDPR, Appletree Clinic is seen as a ‘data controller’ as it decides what data are collected, the purpose for their collection, and any processing of those data. Within this policy Appletree Clinic has exercised its responsibility
• To be transparent about the personally identifiable data held about its patients,
• To minimise by design the data held,
• To explain how and why these data are used,
• To identify how these data are held and with whom they are shared – this is outlined in this policy.

Patients have the right
• To access any personal data Appletree Clinic holds about them.
• To request that Appletree Clinic erase their personal data.
• To update the personal information held.
• To object to the ways in which personal data are processed.

Under the UK-GDPR, the third parties identified in this policy that Appletree Clinic engages with are ‘Data Controllers’. These entities have their own legal responsibilities with respect to data.

Changes to this policy
The most recent version of this policy applies – Rev 1. If and when there are significant changes to this policy, Appletree Clinic will actively bring this to the attention of patients.

Version Control
Rev 1 Original Nov 2022

If you have any concerns about your data privacy or have any queries about this policy, please email
reception@appletree.clinic


The UK General Data Protection Regulation (“UK-GDPR”) derives from the EU-GDPR, the Regulation established to protect the rights and freedoms of EU citizens with respect to Personally Identifiable Information (PII). It defines who may use PII, and how it may be used and retained by organisations. It came into effect 1 January 2020 and is complemented by the Data Protection Act 2018.