Privacy Policy
How we collect, use, store and protect your personal data. This policy applies to all visitors to pfoleyclinic.com and all clients of PFoley Clinic.
Who We Are
PFoley Clinic is a functional medicine and nutritional therapy practice operated by Paul Foley. We provide online consultations to clients across the UK and Ireland.
For the purposes of data protection law, the data controller is Paul Foley, trading as PFoley Clinic.
Website: pfoleyclinic.com
What Data We Collect
Information you provide directly
- Name, email address, phone number and postal address
- Health history, symptoms, medical diagnoses and medication details
- Functional test results and laboratory reports
- Dietary and lifestyle information
- Consultation notes and programme documentation
- Payment and billing information
Information collected automatically
- IP address and approximate location
- Browser type and device information
- Pages visited on our website and time spent
- Referral source (how you found us)
How We Use Your Data
We use your personal data for the following purposes:
- To provide clinical consultations and ongoing care
- To prepare clinical reports, programme documentation and correspondence
- To order and interpret functional laboratory tests
- To process payments and manage your account
- To communicate with you about appointments, results and your programme
- To comply with our legal and regulatory obligations
- To improve our website and services
Lawful Basis for Processing
We process your data under the following legal bases as defined by UK GDPR and EU GDPR:
- Explicit consent (Article 9(2)(a)) for the processing of health data, including through AI-assisted tools
- Contract (Article 6(1)(b)) for the performance of our clinical services agreement with you
- Legal obligation (Article 6(1)(c)) where we are required to retain records under healthcare regulations
- Legitimate interest (Article 6(1)(f)) for website analytics and service improvement, where this does not override your rights
Health Data (Special Category Data)
Health information is classified as special category data under GDPR and is subject to additional protections. We only process your health data with your explicit consent, which is obtained at the start of your engagement with the clinic. You may withdraw this consent at any time by contacting us directly.
Use of AI-Assisted Tools
PFoley Clinic uses AI-assisted software tools to support the preparation of clinical reports, programme documentation, and client correspondence. These tools are provided by Anthropic (Claude), operating under a formal Data Processing Agreement that complies with UK GDPR and EU GDPR, including Standard Contractual Clauses for international data transfers.
Client data processed through these tools is encrypted in transit (TLS 1.2+) and at rest (AES-256), is not used to train AI models, and is deleted within 30 days of processing.
We only process client data through AI-assisted tools where explicit consent has been provided. No client data is shared with third parties beyond the data processor described above.
Who We Share Your Data With
We do not sell your personal data. We may share your data with:
- Functional testing laboratories to process tests you have ordered through the clinic
- Payment processors to handle transactions securely
- AI software providers (Anthropic) as described above, under a formal Data Processing Agreement
- Your GP or other healthcare providers only with your explicit consent or where required by law
We do not share your data with any marketing or advertising third parties.
International Data Transfers
Some of the services we use (including AI-assisted tools) are provided by organisations based outside the UK and EEA. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses and Data Processing Agreements, in compliance with UK GDPR and EU GDPR requirements.
How We Store and Protect Your Data
Your data is stored securely using encrypted systems. We implement appropriate technical and organisational measures to protect against unauthorised access, loss, or misuse. These measures include encrypted storage, access controls, and regular review of our data handling practices.
How Long We Keep Your Data
- Clinical records: retained for a minimum of 7 years following your last consultation, in line with professional and regulatory requirements
- Payment records: retained for 6 years in compliance with HMRC and Revenue requirements
- Website analytics data: retained for a maximum of 26 months
- Marketing communications: retained until you unsubscribe or request removal
Your Rights
Under UK GDPR and EU GDPR, you have the right to:
- Access your personal data (Subject Access Request)
- Rectify inaccurate or incomplete data
- Erase your data where there is no compelling reason for continued processing
- Restrict the processing of your data in certain circumstances
- Port your data to another service provider in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal
To exercise any of these rights, contact us at the email address above. We will respond within one calendar month.
Cookies
Our website uses cookies to improve your browsing experience and to analyse how the site is used. We use:
- Essential cookies required for the website to function
- Analytics cookies to understand visitor behaviour and improve the site (e.g. Google Analytics)
You can control cookie settings through your browser. Disabling analytics cookies will not affect your ability to use the website.
Complaints
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the relevant supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- Ireland: Data Protection Commission (DPC) — dataprotection.ie
Changes to This Policy
We may update this policy from time to time. Any changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically.
Last updated: 28 March 2026