Privacy Policy | PFoley Clinic

Who We Are

PFoley Clinic is a functional medicine and nutritional therapy practice operated by Paul Foley. We provide online consultations to clients across the UK and Ireland.

For the purposes of data protection law, the data controller is Paul Foley, trading as PFoley Clinic.

Contact:

Website: pfoleyclinic.com

What Data We Collect

Information you provide directly

Name, email address, phone number and postal address
Health history, symptoms, medical diagnoses and medication details
Functional test results and laboratory reports
Dietary and lifestyle information
Consultation notes and programme documentation
Payment and billing information

Information collected automatically

IP address and approximate location
Browser type and device information
Pages visited on our website and time spent
Referral source (how you found us)

How We Use Your Data

We use your personal data for the following purposes:

To provide clinical consultations and ongoing care
To prepare clinical reports, programme documentation and correspondence
To order and interpret functional laboratory tests
To process payments and manage your account
To communicate with you about appointments, results and your programme
To comply with our legal and regulatory obligations
To improve our website and services

Lawful Basis for Processing

We process your data under the following legal bases as defined by UK GDPR and EU GDPR:

Explicit consent (Article 9(2)(a)) for the processing of health data, including through AI-assisted tools
Contract (Article 6(1)(b)) for the performance of our clinical services agreement with you
Legal obligation (Article 6(1)(c)) where we are required to retain records under healthcare regulations
Legitimate interest (Article 6(1)(f)) for website analytics and service improvement, where this does not override your rights

Health Data (Special Category Data)

Health information is classified as special category data under GDPR and is subject to additional protections. We only process your health data with your explicit consent, which is obtained at the start of your engagement with the clinic. You may withdraw this consent at any time by contacting us directly.

Use of AI-Assisted Tools

PFoley Clinic uses AI-assisted software tools to support the preparation of clinical reports, programme documentation, and client correspondence. These tools are provided by Anthropic (Claude), operating under a formal Data Processing Agreement that complies with UK GDPR and EU GDPR, including Standard Contractual Clauses for international data transfers.

Client data processed through these tools is encrypted in transit (TLS 1.2+) and at rest (AES-256), is not used to train AI models, and is deleted within 30 days of processing.

We only process client data through AI-assisted tools where explicit consent has been provided. No client data is shared with third parties beyond the data processor described above.

Who We Share Your Data With

We do not sell your personal data. We may share your data with:

Functional testing laboratories to process tests you have ordered through the clinic
Payment processors to handle transactions securely
AI software providers (Anthropic) as described above, under a formal Data Processing Agreement
Your GP or other healthcare providers only with your explicit consent or where required by law

We do not share your data with any marketing or advertising third parties.

International Data Transfers

Some of the services we use (including AI-assisted tools) are provided by organisations based outside the UK and EEA. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses and Data Processing Agreements, in compliance with UK GDPR and EU GDPR requirements.

How We Store and Protect Your Data

Your data is stored securely using encrypted systems. We implement appropriate technical and organisational measures to protect against unauthorised access, loss, or misuse. These measures include encrypted storage, access controls, and regular review of our data handling practices.

How Long We Keep Your Data

Clinical records: retained for a minimum of 7 years following your last consultation, in line with professional and regulatory requirements
Payment records: retained for 6 years in compliance with HMRC and Revenue requirements
Website analytics data: retained for a maximum of 26 months
Marketing communications: retained until you unsubscribe or request removal

Your Rights

Under UK GDPR and EU GDPR, you have the right to:

Access your personal data (Subject Access Request)
Rectify inaccurate or incomplete data
Erase your data where there is no compelling reason for continued processing
Restrict the processing of your data in certain circumstances
Port your data to another service provider in a structured, machine-readable format
Object to processing based on legitimate interest
Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, contact us at the email address above. We will respond within one calendar month.

Cookies

Our website uses cookies to improve your browsing experience and to analyse how the site is used. We use:

Essential cookies required for the website to function
Analytics cookies to understand visitor behaviour and improve the site (e.g. Google Analytics)

You can control cookie settings through your browser. Disabling analytics cookies will not affect your ability to use the website.

Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the relevant supervisory authority:

UK: Information Commissioner's Office (ICO) — ico.org.uk
Ireland: Data Protection Commission (DPC) — dataprotection.ie

Changes to This Policy

We may update this policy from time to time. Any changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically.

Last updated: 28 March 2026