Privacy Policy
Last updated:19th March 2026
At Versatile Occupational Therapy Services (“Versatile”, “we”, “us”, “our”), we are committed to protecting the privacy and confidentiality of our clients, families, and professional partners. As a provider of specialist occupational therapy services, we handle sensitive health information with the highest level of integrity and in accordance with UK data protection law, including the UK GDPR and the Data Protection Act 2018.
1. Who We Are
Versatile Occupational Therapy Services is the Data Controller for the personal information we collect and process.
We are based in NW10 area of London. We are registered with the Information Commissioner’s Office (ICO).
Contact details:
· General email: info@versatileot.co.uk
· Telephone: 07557 613 333 (Mobile) 0208 036 1131
· Business address: 84 High Street, London NW10 4SJ
· ICO registration number: ZC099102
2. The Information We Collect
To provide professional recommendations, we may collect and process the following categories of information:
· Identity & Contact Data: Name, address, date of birth, and contact details of the client and/or their legal representative or carer.
· Special Category (Clinical) Data: Health and care information required for your assessment and recommendations, which may include health history, diagnosis, health status, functional abilities, risks, and needs pertinent to your case.
· Referral Data: Information provided by professional partners such as solicitors, case managers, housing associations, care providers, or local authorities (where relevant).
· Financial Data: Information required for invoicing and receiving payment by bank transfer, such as invoice details, payment status, and transaction references. We do not collect or store payment card details.
· Website & Communications Data: Enquiries submitted via our website/contact forms, emails, and phone communications. Our website may also collect technical data (e.g., IP address, browser/device information) and cookie/analytics data (see section 10).
3. Lawful Basis for Processing
We process personal data under the following lawful bases (UK GDPR Article 6), as applicable:
· Contractual Necessity: to fulfil our agreement to provide an assessment, consultation, report, training, or related service.
· Legal Obligation: to comply with professional, insurance, safeguarding and record-keeping requirements.
· Legitimate Interests: to run our practice effectively and securely (e.g., scheduling, record-keeping, quality assurance, responding to enquiries), where those interests are not overridden by your rights.
When processing special category (health) data, we rely on one or more of the following (UK GDPR Article 9), as applicable:
· Provision of Health or Social Care (Article 9(2)(h)): processing necessary for health care purposes, including assessment, recommendations, and report writing, subject to appropriate safeguards and professional confidentiality.
· Explicit Consent (Article 9(2)(a)): where needed, for example for certain sharing beyond what is necessary for the service you have requested, or for photos/video (if used), testimonials, or marketing [if applicable]. You can withdraw consent at any time.
Where we rely on Article 9(2)(h) for the provision of healthcare, we do not rely on consent as the primary legal basis for processing necessary clinical information.
4. How We Use Your Data
Your information is used only as necessary to:
· Conduct specialist occupational therapy assessments.
· Produce clinical reports for rehousing care planning, equipment provision, or organisational decision-making.
· Liaise with relevant professional partners and stakeholders involved in your case where this is necessary for the requested service, authorised by you, or otherwise lawful.
· Manage the administrative and operational side of our work, including enquiries and initial consultations (including 15-minute strategy consultations), appointments, invoicing, and service communications.
· Maintain safety and safeguarding, where concerns arise.
· Improve service delivery and maintain quality standards (using appropriate safeguards and, where possible, anonymised/aggregated information).
We do not make decisions about you using solely automated processing.
5. Data Sharing & Disclosure
We value clinical confidentiality and will never sell your personal data.
We only share information with third parties when:
· It is necessary for your direct care or for the service you have requested (e.g., sharing an OT report with your solicitor, case manager, housing officer, care provider, or relevant clinical professional).
· You have authorised us to share it, where consent is required.
· We are required to do so by law, court order, or for safeguarding purposes.
· We use trusted third-party service providers (“processors”) to support our operations (e.g., secure email, cloud storage, practice administration, invoicing/accounting, secure file transfer, website hosting/forms). These providers only process data on our instructions and must protect it appropriately.
Examples of processors we may use:
· Website hosting/platform: Squarespace
· Email/communications: Google Workspace
· Cloud storage / secure record storage: WriteUpp
· Invoicing/accounting: Personal data may be processed for invoicing and financial record-keeping purposes. Accounting services are provided by a regulated third-party accountant.
· Payments: bank transfers
· Analytics/newsletter tools: Google Analytics & Squarespace Email Campaigns
These third-party providers act as data processors and are contractually required to process personal data only on our instructions and in compliance with UK data protection law.
6. Data Security
We prioritise the security of your records. We implement robust technical and organisational measures, which may include:
· Encrypted storage and secure systems where appropriate.
· Secure email communication and/or secure file transfer for reports.
· Restricted access to clinical files (on a need-to-know basis).
· Procedures for handling and storing sensitive information securely.
· Regular review of our data handling practices.
Sending confidential information:For medical or confidential documents, we recommend password-protecting attachments and sending the password separately (e.g., by text message). If you’d prefer a secure upload option, please ask and we’ll provide one.
No method of transmission or storage is completely secure, but we take appropriate steps to protect your information and respond promptly to any suspected data security incident.
In the event of a personal data breach, we will assess and respond in accordance with our legal obligations, including notifying the ICO and affected individuals where required.
7. Data Retention
· We retain personal information only for as long as necessary in line with clinical, legal, insurance, and regulatory requirements and professional record-keeping standards. Clinical records and reports: typically retained for at least 8 years after the conclusion of our involvement, and longer where necessary (e.g., cases involving children, ongoing risk, safeguarding concerns, or litigation).
· Financial/invoicing records: typically retained for 6 years to meet HMRC requirements.
· Enquiries that do not proceed: typically retained for up to 12 months for the purposes of which it was collected. Enquiries that do not proceed to assessment are not routinely retained unless there is a legitimate reason to do so (e.g. safeguarding).
At the end of the retention period, records are securely deleted/destroyed.
8. Your Rights
Under UK GDPR, you have rights including:
· Access: request a copy of the personal data we hold about you.
· Rectification: request correction of inaccurate or incomplete information.
· Erasure: request deletion of your personal data (where applicable). Please note this right is not absolute and may be limited by our legal/professional obligations to retain clinical records.
· Restriction: request we restrict certain processing in specific circumstances.
· Objection: object to processing based on legitimate interests in certain circumstances.
· Data Portability: request transfer of certain data to you or another provider (where applicable).
· Withdraw Consent: where we rely on consent, you can withdraw it at any time.
To exercise your rights: contact us at hello@versatileOT.co.uk though we may need to verify your identity before responding. We normally respond within one month (this can be extended by up to two months for complex requests).
9. Resolving Your Concerns
We value the trust you place in us and aim to handle all information with the utmost care. If you have any questions or concerns about how your data is handled, please contact us first so we can address it promptly and transparently.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk), if you believe your data has been handled unlawfully.
10. Cookies, Analytics & Website Tracking
Our website uses cookies and similar technologies to make the site work properly, improve performance, and understand how visitors use the site.
Some cookies are essential and cannot be switched off. Other cookies (such as analytics) are used only where required and in line with your cookie preferences. You can manage your cookie choices at any time via our cookie banner/settings, or by adjusting your browser settings.
For full details of the cookies we use and how to control them, please see our Cookie Policy at: versatileot.co.uk/cookie-policy.
11. International Transfers
Some of our service providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are used (for example, UK adequacy regulations and/or approved contractual protections such as the UK International Data Transfer Agreement or the UK Addendum, as applicable). Where required, we carry out appropriate transfer risk assessments to ensure your data remains protected.
12. Changes to This Policy
We may update this policy from time to time. The latest version will always be available on our website and will show the “Last Updated” date at the top.