PRIVACY POLICY


How I collect, use and protect your personal data
Last Updated: 15th May 2026

When you supply your personal details to this clinic, they are stored and processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. I process your data for the following reasons:

How I use your information

  • To provide you with treatment: I need to collect personal information about your health in order to provide you with safe and effective care. Your request for treatment, and my agreement to provide it, constitutes a contract. If you choose not to provide this information, I may not be able to offer treatment.

  • For the provision of healthcare (special category data): As I process health-related information, I do so under Article 9(2)(h) of the UK GDPR, which permits the processing of personal data for the provision of healthcare.

  • For administration and communication: I may contact you to confirm appointments or provide information relevant to your care. This is carried out under legitimate interests, to ensure the safe and effective management of your treatment.

  • For marketing (with your consent): With your consent, I may occasionally send you general health information, such as articles or newsletters. You can withdraw your consent at any time by contacting me.

How your data is stored
Your records are stored securely in the following ways:

  • On paper, in locked filing cabinets

  • Electronically, using a specialist medical records system that complies with UK GDPR and acts as a data processor under a formal agreement

  • On a password-protected computer, with appropriate technical and organisational safeguards in place


Access to your data is restricted to those who have a legitimate need to view it.

Who I may share your data with

I will not share your personal data without your consent, except where required to do so by law or where there is a legitimate need (for example, safeguarding or regulatory requirements).

The following may have access to your data:

  • The medical records system provider (data processor)

  • An email communication platform, where applicable (for example, for appointment reminders or newsletters)

From time to time, I may engage professional services (such as IT or administrative support) who may have limited access to personal data. They are required to keep your information confidential and are bound by appropriate agreements.

How long I retain your data
Your records are retained for a minimum of seven years after your last treatment, in line with professional and legal guidelines.

Your rights
You have the right to:

  • Request access to the personal data I hold about you

  • Request correction of any inaccurate or incomplete data

  • Request erasure of your data, where applicable

  • Request restriction of processing

  • Object to processing

  • Request data portability, where applicable

Complaints
I am committed to handling your personal data responsibly. If you have any concerns about how your data is handled, you can contact me directly:

Data controller: Kerstin Lehr / kerstin lehr acupuncture
71 Spring Road
Letchworth Garden City SG6 3SL

kerstin@kl-acupuncture.com
M  07817 454 451

If you are not satisfied with my response, you have the right to lodge a complaint with the Information Commissioner’s Office.

Additional information
I am registered with the Information Commissioner’s Office (ICO), registration number: ZA348344.