PRIVACY POLICY

Rob Gardner Sports Therapy Limited

Trading as NRG Sports Therapy

Effective date: 26 March 2026 | Last reviewed: 26 March 2026

1. Introduction

Rob Gardner Sports Therapy Limited (“we”, “us”, or “our”) operates the website www.nrgsportstherapy.com and provides sports therapy, injury assessment, personal training, and sports massage services (collectively, the “Services”).

We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our Services, visit our website, or otherwise interact with us. It also sets out your rights under applicable data protection law.

This policy is issued in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA), which introduced reforms to the UK data protection framework effective from February 2026. Where we refer to “data protection law” in this policy, we mean these enactments and any other applicable legislation.

2. Data Controller

Rob Gardner Sports Therapy Limited is the data controller responsible for your personal data. Our contact details are:

• Address: 4a Streatham Street, London, England, WC1A 1JB, United Kingdom

• Email: info@nrgsportstherapy.com

• Telephone: 07584 027210

If you have any questions about this policy or our data practices, please contact us using the details above. We have not appointed a Data Protection Officer as we are not required to do so given the nature and scale of our processing activities. However, our named contact for data protection matters is Rob Gardner, who can be reached at the details above.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Information you provide to us

• Identity data: first name, last name, title

• Contact data: email address, telephone number, postal address

• Health and medical data: details of injuries, medical history, physical condition, and treatment notes (this constitutes special category data under data protection law — see Section 4 below)

• Financial data: payment details for services rendered

• Communications: records of correspondence with us, feedback, and reviews

3.2 Information collected automatically

• Technical data: IP address, browser type and version, operating system, device identifiers

• Usage data: pages visited, time and date of visit, duration of visit, clickstream data, and referring URLs

• Cookie data: information collected through cookies and similar tracking technologies (see Section 8)

3.3 Obligation to provide data

Where we need to collect personal data to provide our Services to you (for example, identity, contact, and health data necessary for treatment), failure to provide that data may mean we are unable to deliver the Services. We will make it clear at the point of collection whether the provision of specific data is a contractual requirement.

4. Lawful Bases for Processing

Under the UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases depending on the purpose of processing:

Contractual necessity (Article 6(1)(b)): processing your identity, contact, and financial data to deliver the therapy, training, and massage services you have requested.

Legitimate interests (Article 6(1)(f)): analysing website usage to improve our Services, ensuring network and information security, and managing our business operations, where these interests are not overridden by your rights.

Legal obligation (Article 6(1)(c)): complying with legal, regulatory, or professional requirements, including maintaining records required by our professional body or insurer.

Consent (Article 6(1)(a)): where we send you marketing communications. You may withdraw consent at any time by contacting us.

4.1 Special category data (health information)

Health and medical data is classified as special category data under Article 9 of the UK GDPR and requires an additional condition for processing beyond the Article 6 lawful bases above.

Where we process your health data in the course of providing treatment services, we rely on the condition at Article 9(2)(h) of the UK GDPR: that the processing is necessary for the provision of health care or treatment, and is undertaken by or under the responsibility of a professional subject to an obligation of professional secrecy. This is supported by Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018.

Where health data is processed for purposes outside of direct treatment (for example, testimonials or case studies), we will seek your explicit consent under Article 9(2)(a) of the UK GDPR before doing so. You may withdraw such consent at any time.

5. How We Use Your Personal Data

We use your personal data for the following purposes:

• To provide and manage the Services you have requested, including injury assessments, online physical therapy, personal training, and sports massage

• To communicate with you regarding appointments, treatment plans, and follow-up care

• To process payments and maintain financial records

• To respond to your enquiries and provide customer support

• To improve our website, Services, and user experience through analytics

• To comply with legal and professional obligations, including record-keeping and insurance requirements

• To send you marketing communications where you have opted in (you may unsubscribe at any time)

• To detect, prevent, and address technical issues or security threats

6. Who We Share Your Data With

We may share your personal data with the following categories of recipients, only to the extent necessary for the purposes described in this policy:

• Service providers: IT hosting, website analytics, payment processors, and email service providers who act as our data processors under written agreements

• Professional advisors: accountants, insurers, and legal advisors, as necessary

• Other health professionals: where a referral or joint treatment requires it, and with your knowledge

• Regulatory and professional bodies: where required by law or our professional obligations

• Law enforcement or public authorities: where we are legally required to do so, or to protect our rights, property, or safety

We do not sell, rent, or trade your personal data to any third party for their marketing purposes.

7. International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom. Where we transfer personal data outside the UK (for example, if a service provider is based overseas), we ensure that appropriate safeguards are in place in accordance with data protection law. These safeguards may include:

• Transfers to countries that have received an adequacy decision from the UK Secretary of State

• The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses

• Other lawful transfer mechanisms recognised under data protection law

You may contact us for further information about the specific safeguards applied to any international transfers of your data.

8. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your browsing experience and to analyse how the site is used. Cookies are small text files placed on your device by your browser.

We use the following types of cookies:

Strictly necessary cookies: required for the website to function correctly (e.g., session management and security). These do not require consent.

Analytics cookies: help us understand how visitors interact with the website so we can improve its performance and content. Under the Data (Use and Access) Act 2025, these cookies are exempt from the requirement to obtain prior consent, provided they are used solely for statistical purposes. We provide clear information about their use and you may opt out at any time.

Functionality cookies: remember your preferences and settings to enhance your experience. These are also exempt from the prior consent requirement under the DUAA where they are used solely to improve appearance or user experience. You may opt out of these cookies at any time.

You can manage your cookie preferences through your browser settings or through any cookie preference tool displayed on our website. Please note that disabling certain cookies may affect the functionality of the website. For further information about cookies, visit www.allaboutcookies.org.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention periods are:

• Client treatment records and health data: a minimum of 8 years from the date of the last treatment, in line with the NHS Records Management Code of Practice and professional body guidance (such as the Chartered Society of Physiotherapy), and to account for limitation periods under the Limitation Act 1980

• Financial and transaction records: 6 years, in compliance with HMRC requirements

• Website analytics data: up to 26 months, after which it is anonymised or deleted

• Marketing consent records: retained for the duration of your consent and for a reasonable period thereafter to evidence compliance

When personal data is no longer required, we will securely delete or anonymise it in accordance with our internal data retention schedule.

10. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include secure storage systems, access controls, encryption where appropriate, and regular reviews of our security practices.

While we take every reasonable precaution to safeguard your data, no method of transmission over the internet or method of electronic storage is entirely secure. We cannot guarantee the absolute security of your information.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach, and will inform you directly where the breach is likely to result in a high risk to your rights and freedoms, in accordance with Articles 33 and 34 of the UK GDPR.

11. Your Rights

Under data protection law, you have the following rights in relation to your personal data:

Right of access (Article 15): you may request a copy of the personal data we hold about you.

Right to rectification (Article 16): you may ask us to correct any inaccurate or incomplete personal data.

Right to erasure (Article 17): you may request that we delete your personal data where there is no compelling reason for its continued processing, subject to any legal obligations requiring retention.

Right to restrict processing (Article 18): you may ask us to suspend the processing of your personal data in certain circumstances.

Right to data portability (Article 20): you may request that we transfer your personal data to you or to a third party in a structured, commonly used, machine-readable format.

Right to object (Article 21): you may object to processing based on our legitimate interests, or to direct marketing at any time.

Right to withdraw consent: where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at info@nrgsportstherapy.com. We will respond to your request within one month, as required by law. In complex cases, or where we receive a high volume of requests, this period may be extended by a further two months, in which case we will inform you of the extension and the reasons for it. We may ask you to verify your identity before processing your request.

11.1 Right to complain

From 19 June 2026, under Section 164A of the Data Protection Act 2018 (as inserted by the Data (Use and Access) Act 2025), you have a statutory right to complain directly to us if you believe that your personal data has been processed in a manner that infringes data protection law.

You may submit a data protection complaint to us by email at info@nrgsportstherapy.com, by telephone, or by post at the address set out in Section 2 above. We will acknowledge receipt of your complaint within 30 days and will take appropriate steps to investigate and respond to your complaint without undue delay, keeping you informed of progress.

If you are not satisfied with our response, or if you wish to raise a concern directly with the regulator, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). The ICO can be contacted at www.ico.org.uk or by telephone on 0303 123 1113.

12. Children’s Privacy

Our Services are primarily directed at adults. We do not knowingly collect personal data from individuals under the age of 16 without parental or guardian consent. Where we provide services to individuals aged 16 or 17, we will obtain parental or guardian consent for the processing of special category data (such as health information) where appropriate.

If you are a parent or guardian and believe that your child has provided us with personal data without appropriate consent, please contact us and we will take steps to delete that information.

13. Links to Third-Party Websites

Our website may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites. We encourage you to review the privacy policy of every site you visit.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any changes will be posted on this page with an updated effective date. Where changes are material, we will use reasonable efforts to notify you by email or by a prominent notice on our website prior to the change taking effect.

We encourage you to review this policy periodically to stay informed about how we protect your data.

15. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please contact us:

• By email: info@nrgsportstherapy.com

• By telephone: 07584 027210

• By post: NRG Sports Therapy, 4a Streatham Street, London, England, WC1A 1JB, United Kingdom

Document prepared: 26 March 2026