Privacy Policy



I’m Anna Winstanley and I trade as Anna Winstanley Physiotherapy. Part of my professional commitment to you is to ensure the trust and confidence of my clients and visitors to my website. My passion is to help you to get the best out of your body. I’m not really interested in selling or trading email lists with any other companies or traders. This Privacy Policy outlines when and why I collect your personal data, how I use it, the limited conditions under which I may disclose it to others and how I keep it secure. 

How, When and Why I collect your information.

When you request to join a class, or a waiting list for a class, I add your name to an email group. Please see below for how I manage mailing lists. When you start a new class, I ask clients to complete a registration form, which asks for name, contact details, GP contact details and emergency (next of kin) contact details. This ensures that I am able to contact you, and it also fulfils my professional standards according to the Chartered Society of Physiotherapy’s Quality Assurance Standards for Physiotherapy service delivery. I also gather information about your lifestyle, your goals and your medical background. This data constitutes Special category data under GDPR Article 9 (2). This enables me to screen your suitability for the class, and to highlight any particular problems you have that will require me to make suitable adaptations to the exercises given in class. It’s to help keep you moving safely. Information about your lifestyle and work also helps me to foster a holistic view of you as a whole person, so that I can be sensitive to any external stresses on your body or mind.

How I store it and keep it secure.

Paper records are kept safe in an A4 binder that stays with me during the class. At my home the file is stored in a locked filing cabinet. When you leave the class, your records are transferred to an archive section of the same filing cabinet, and remain there for the legal duration that I am bound to keep them. 

Electronic Records

In the past I have used Google Forms to gather information about my clients, which they will have been asked to complete at the time of onboarding with me. From September 2021, I will be using a more complete client management system called Cliniko, which enables me to take bookings, deliver telehealth and keep electronic notes in one place. Cliniko is based in Australia, but upholds UK GDPR law for its many UK customers and has its own UK and EU Data Protection Officers. Cliniko acts as the processor of my clients’ data, but I remain the controller of your data. Should I ever change client management systems or close my business, I am able to export all of the client data I hold, so it will not be lost.

For more information on the security of Cliniko visit 

How long do I keep your data?

The Chartered Society of Physiotherapy advises that this duration should be eight years from the date of last treatment for adult records, and for children eight years after their 18th birthday or until 25 years of age.

How do I dispose of your data?

Once the 8 years retention period is over, I dispose of paper records by shredding and either burning or composting. Electronic records will be manually permanently deleted from Cliniko, Google Suite, Mailchimp or any other application.

Mobile devices

I may also hold your name and telephone number on my mobile phone, so that I am able to contact you quickly and easily to arrange, change or cancel classes or appointments. I may access a variety of apps including Google Suite and Cliniko using my iPhone or iPad. These devices are password protected as are the apps which I use therein.

Visitors to the Website

When you visit I use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. I do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. I do not make, and do not allow Google to make, any attempt to find out the identities of those visiting my website.

Mailing Lists

Since May 2019 I have used Mailchimp to manage my mailing lists and electronic communication. It makes it easier for me to connect with existing and potential new clients as well as generate more user-friendly emails. All clients already attending classes on the 1st May were manually added to the Mailchimp list. Subsequent clients may either self-subscribe, or be added manually. All emails that are sent via Mailchimp have the option for clients to unsubscribe themselves from further communications. Mailchimp’s Privacy policy can be viewed here:

My business is still relatively small so I also maintain my email lists manually and may still on occasion send emails directly from a Google for business account (G Suite). Google has made amendments to its privacy and security protections in order to be GDPR compliant, and I have updated my account to accept their Data Processing Amendment. Google regularly updates users with any changes, and these are reviewed and updated as appropriate. You can find out more information about Google and GDPR here: 

I usually send out group emails to let clients know about the class times and any changes to that schedule. When I send group emails, I enter the recipients under ‘bcc’ so that nobody else can see your email address. If you’d like to swap email addresses with another client you’ve befriended in class – I’ll leave that up to you! Sometimes I send group emails that are not bcc, and this would occur within a group of friends or colleagues who have commissioned me to teach a class at their workplace or other pre-arranged venue. 

If you contact me to find out about classes, I will add your email to the waiting list email group with your consent. If you later tell me you no longer need to be on the waiting list, I’ll remove your details from my database. 

Social Media

Like many small businesses, I use Facebook and Twitter to help share information about my services, and connect with potential and existing clients. It’s fun! You should know that if you choose to interact with me via social media, you are agreeing to the terms and conditions of those platforms. 


All the information you share with me is treated with respect and discretion. Personal data disclosed with the registration forms or physiotherapy assessment are confidential and treated as such.

During group classes I may openly advise you that certain exercises are not suitable, offer modifications relevant to your particular condition or indicate to you exercises which are likely to be particularly beneficial for you. I always do my best to remain discreet in these instances. I begin each class asking the group if there are any issues I need to be aware of.

The onus is on individual clients to approach me in confidence or via email prior to the class if they prefer to keep this information confidential.

Third Parties

I don’t routinely share personal information with any third parties. If you were to become unwell during a class, I may then share your information with any attending emergency services, or with your GP if that is more appropriate. If necessary I would also inform the emergency contact person that you have given me on your registration form. Similarly, if I had any concerns about you that you might harm yourself or others, I would be legally obliged to share that information with relevant health and social care providers.

Right to Access your Personal Data

Under the General Data Processing Regulations, 2018 people have the right to access information that we have stored about them.

If you want to view, amend or delete your personal data as is your right, please contact me at Legal exemptions may apply.

Changes to Privacy Notice

This policy was created on the 18th May 2018 and will be reviewed annually, or at any time that my data controlling methods or practices change before that date. 

Updated 19th June 2019.

Updated 20th September 2021