09 Jan 2025
Privacy Policy
Privacy Notice — Limitless Orthotics
Last updated: 8 May 2026
1. Introduction
Limitless Orthotics ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Notice explains what personal data we collect about you, how we use it, who we share it with, how long we keep it, and the rights you have over your information.
This notice is provided in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 ("PECR"). It also reflects our professional obligations as an HCPC-registered prosthetic and orthotic practice.
2. Who We Are
Limitless Orthotics is a private prosthetics and orthotics clinic based in Leeds, United Kingdom, providing clinical assessment, custom orthotic and prosthetic devices, follow-up care, and medicolegal expert witness services.
For the purposes of UK data protection law, Limitless Orthotics is the Data Controller of the personal data described in this notice.
Practitioner: Bobak Massah BSc (Hons), MBAPO, HCPC-registered Prosthetist/Orthotist
Address: Clinic 360, Main Street, Garforth, Leeds LS25 1HB
Website: https://www.limitlessorthotics.co.uk
ICO Registration Number: ZB744832
If you have any questions about this notice or how your data is handled, please use the contact details above.
3. The Personal Data We Collect
We collect and process the following categories of personal data. Categories marked "special category" are health-related and receive additional legal protection.
3.1 Identity and contact data
Name, date of birth, postal address, email address, telephone number, emergency contact details, GP details where provided.
3.2 Health data (special category)
Medical history, presenting condition, physical assessment findings, gait analysis data, biomechanical measurements, prescriptions, treatment plans, clinical notes, and correspondence with other healthcare professionals involved in your care.
3.3 Clinical photographs and video recordings (special category)
With your explicit consent, we may take photographs or video recordings as part of clinical assessment, device fitting, gait analysis, or follow-up. These form part of your clinical record.
3.4 Audio recordings of consultations (special category)
Where you give explicit consent, we use an AI-assisted clinical note-taking tool (Carepatron) to record the audio of your consultation and convert it into a written clinical note. The recording is stored within your clinical record. You may decline this without affecting your care, and you may withdraw consent at any time. See Section 6 for more information about Carepatron.
3.5 Medicolegal data
Where we are instructed to provide an expert witness report, we process the personal and health data of the claimant (which may be you, or a third party where we are instructed by their solicitor or by a court). This includes information contained in instructing solicitors' letters, medical records disclosed to us, accident or incident reports, and any documents relevant to the legal claim.
3.6 Financial and payment data
Billing details, payment records, invoices, and receipts. We do not store full payment card numbers; card and direct debit payments are processed by our payment providers (Stripe, Square, and GoCardless — see Section 6).
3.7 Marketing data
Your contact preferences, history of marketing communications sent to you, and your engagement with those communications.
3.8 Website and technical data
IP address, device type, browser, pages visited, cookie consent records, and other usage information collected via cookies or similar technologies on our website. See Section 11.
4. Source of Your Data
We collect personal data:
Directly from you, when you make an enquiry, complete an intake form, attend a consultation, or correspond with us;
From your GP, consultant, or other healthcare professional where they refer you or share information relevant to your care, with your consent or under an appropriate legal basis for clinical care;
From instructing solicitors, insurers, or courts in medicolegal matters;
Automatically, when you visit our website (see Section 11).
5. How We Use Your Data and Our Legal Basis
UK GDPR requires us to identify a legal basis for each processing activity. For special category (health) data, we must also identify an additional condition under Article 9. The sections below set out our legal basis for each activity.
5.1 Providing clinical care
Activities: Assessment, fitting, treatment, follow-up, record-keeping, communication with you and other healthcare professionals involved in your care.
Article 6 basis: Performance of a contract (Art. 6(1)(b)).
Article 9 basis (special category): Provision of health care by a regulated health professional under a duty of confidentiality (Art. 9(2)(h)), supplemented by Schedule 1 Part 1 of the Data Protection Act 2018.
5.2 Audio recording and AI-assisted note-taking (Carepatron)
Activities: Recording consultation audio and generating a written clinical note via Carepatron.
Article 6 basis: Your consent (Art. 6(1)(a)).
Article 9 basis: Your explicit consent (Art. 9(2)(a)).
You may decline consent without any effect on the care you receive, and you may withdraw consent at any time.
5.3 Clinical photographs and video recordings
Activities: Taking, storing, and using photographs or video for assessment, device fabrication, gait analysis, treatment planning, and follow-up.
Article 6 basis: Your consent (Art. 6(1)(a)).
Article 9 basis: Your explicit consent (Art. 9(2)(a)).
We do not use clinical images for marketing, teaching, or publication unless we obtain a separate written consent from you for that specific purpose.
5.4 Medicolegal and expert witness work
Activities: Reviewing disclosed records, conducting examinations, producing expert reports, and giving evidence.
Article 6 basis: Legitimate interests (Art. 6(1)(f)) — namely, providing expert evidence to assist the administration of justice.
Article 9 basis: Establishment, exercise or defence of legal claims (Art. 9(2)(f)).
5.5 Billing and payments
Activities: Issuing invoices, processing card and direct debit payments, accounting, tax compliance.
Article 6 basis: Performance of a contract (Art. 6(1)(b)) and compliance with legal obligations (Art. 6(1)(c)).
5.6 Marketing communications
Activities: Sending you newsletters, service updates, or information about related services where you are an existing patient or have asked to hear from us.
Article 6 basis: Legitimate interests (Art. 6(1)(f)) where you are an existing patient and we are marketing similar services (the "soft opt-in" under PECR Regulation 22), or your consent (Art. 6(1)(a)) in all other cases.
Every marketing email contains an unsubscribe link. You can opt out at any time without giving a reason.
5.7 Legal and regulatory compliance
Activities: Responding to lawful requests from regulators (HCPC, ICO, HMRC), responding to court orders, and meeting professional record-keeping duties.
Article 6 basis: Compliance with a legal obligation (Art. 6(1)(c)).
Article 9 basis: Reasons of substantial public interest, including regulatory requirements (Art. 9(2)(g)).
5.8 Website operation
Activities: Operating and securing our website, basic analytics, managing cookie consent.
Article 6 basis: Legitimate interests (Art. 6(1)(f)) for essential operation; consent (Art. 6(1)(a)) for non-essential cookies.
6. Who We Share Your Data With
We share your personal data only where necessary and with appropriate safeguards in place.
6.1 Healthcare professionals
With your consent, we may share relevant clinical information with your GP, consultant, physiotherapist, or other healthcare professional involved in your care.
6.2 Our processors
We use a small number of trusted third-party providers to operate our practice. Each is bound by a written Data Processing Agreement under Article 28 UK GDPR.
| Processor | Purpose | Country of processing |
|---|---|---|
| Carepatron | Practice management, clinical record-keeping, AI-assisted note-taking | UK and other countries (see Section 7) |
| Google (Gmail / Google Workspace) | Email correspondence and document storage | UK and other countries (see Section 7) |
| Stripe | Online card payment processing | Ireland, USA |
| Square | Card-present (in-clinic) payment processing | UK, USA |
| GoCardless | Direct debit payment processing | UK |
| Xero | Bookkeeping and tax compliance | UK / EEA |
| Framer | Website hosting | Netherlands (EEA) |
| Cookiebot (Usercentrics) | Cookie consent management | Denmark (EEA) |
| Squarespace Domains | Domain registration only (no patient data) | USA |
6.3 Regulatory and legal recipients
We may disclose your data where we are required to do so by law, including to the Health and Care Professions Council (HCPC), the Information Commissioner's Office (ICO), HMRC, the courts, or law enforcement.
6.4 Medicolegal recipients
In medicolegal matters, we share reports and supporting material with the instructing solicitor, the court, and (as ordered) the opposing party, in accordance with Civil Procedure Rules Part 35 and our duty to the court.
6.5 Professional advisors and insurers
We may share data with our professional indemnity insurer or legal advisors where necessary to defend or pursue legal claims.
We do not sell or rent your personal data to any third party. We do not use your data for advertising profiling.
7. International Transfers
Some of our processors host or process data outside the United Kingdom. Where this happens, we rely on the safeguards required by Article 46 UK GDPR — principally the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the "UK IDTA"), and where appropriate the UK government's adequacy decisions.
Carepatron processes data on cloud infrastructure (AWS, Microsoft Azure, Google Cloud) and does not guarantee UK or EEA-only hosting. Transfers outside the UK are protected by the UK IDTA, which forms part of our Data Processing Agreement with Carepatron.
Google (Gmail / Workspace) may process data outside the UK. Google relies on Standard Contractual Clauses and the UK IDTA, supplemented by additional technical safeguards.
Stripe and Square process payment data in the United States as well as Europe; transfers are governed by the UK IDTA.
Framer, Cookiebot, Xero, and GoCardless primarily process data within the UK or the European Economic Area, which the UK government recognises as providing an adequate level of protection.
You can request a copy of the safeguards in place by contacting us.
8. How Long We Keep Your Data
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, taking into account legal, regulatory, and professional obligations. Our retention periods follow the NHS Records Management Code of Practice 2023, which is the recognised UK benchmark for healthcare records.
| Type of record | Retention period |
|---|---|
| Adult clinical records | 8 years after the date of last contact |
| Paediatric clinical records (under 18 at time of treatment) | Until the patient's 25th birthday (or 26th if the last entry was made when the patient was 17), or 8 years after death, whichever is longer |
| Clinical photographs and video recordings | Retained as part of the clinical record to which they relate, for the same period as that record |
| Audio recordings (Carepatron) | Retained within your clinical record. Where you request deletion of the raw audio after notes have been generated, we will delete the file on our side immediately. Carepatron then retains deleted items for 90 days in a recoverable state before permanent erasure. The written clinical note derived from the audio is retained as part of your clinical record under the periods set out elsewhere in this table |
| Medicolegal reports and supporting material | 30 years from the date of the report, or longer where required by the relevant legal proceedings, indemnity arrangements, or limitation rules |
| Financial and tax records | 6 years from the end of the relevant tax year (HMRC requirements) |
| Marketing data | Until you unsubscribe or otherwise withdraw consent |
| Website analytics data | Up to 26 months |
| Email correspondence with patients | Retained as part of the clinical record where clinically relevant; otherwise deleted in line with our document management policy |
When the retention period ends, we securely delete or anonymise the data.
9. How We Protect Your Data
We use appropriate technical and organisational measures to safeguard your personal data, including:
Encryption of data in transit (TLS) and at rest (AES-256) on Carepatron;
Multi-factor authentication on accounts containing patient data;
Role-based access controls;
Encrypted devices;
A documented incident response and breach notification procedure;
Regular review of processors' security and compliance posture.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and will notify you directly where the breach is likely to result in a high risk to you, in accordance with Articles 33 and 34 UK GDPR.
10. Children's Data
We occasionally treat patients under 18. Where we do:
For patients under 13, we obtain consent from a parent or person with parental responsibility for any processing that relies on consent.
For patients aged 13 to 15, we assess Gillick competence — that is, whether the patient has sufficient understanding to give consent themselves — and proceed accordingly. Where the patient is not Gillick-competent, we obtain consent from a parent or person with parental responsibility.
For patients aged 16 and over, we treat them as competent to give their own consent unless there is a specific reason to assess otherwise.
Paediatric records are retained under the extended periods set out in Section 8.
11. Cookies and Website
Our website uses cookies and similar technologies. Strictly necessary cookies are used to operate the site. Non-essential cookies (analytics, functional) are only set with your consent, which you can give or withdraw at any time via our cookie banner, which is managed by Cookiebot.
For full details of the cookies we use, see our Cookie Policy at https://www.limitlessorthotics.co.uk/cookie-policy.
12. Marketing
If you are an existing patient, we may send you marketing emails about similar services we offer, under the PECR "soft opt-in". For all other recipients, we will only send marketing emails where you have given express consent.
Every marketing email contains an unsubscribe link. You can also opt out at any time by emailing hello@limitlessorthotics.co.uk.
13. Automated Decision-Making
We do not make decisions about your care, treatment, or services using solely automated processing. Although we use AI tools (such as Carepatron's AI scribe) to assist with documentation, all clinical decisions are made by a qualified, HCPC-registered practitioner who reviews and signs off every clinical note.
You are not subject to decisions based solely on automated processing within the meaning of Article 22 UK GDPR.
14. Your Rights
Under UK data protection law you have the following rights, which you can exercise at any time by contacting us:
Right of access — to obtain a copy of the personal data we hold about you (Art. 15).
Right to rectification — to have inaccurate or incomplete data corrected (Art. 16).
Right to erasure — to request deletion of your data, subject to overriding legal or regulatory retention obligations. We are unlikely to be able to delete clinical records before the end of the statutory retention period.
Right to restriction — to limit how we use your data in certain circumstances (Art. 18).
Right to data portability — to receive your data in a portable format, where the processing is based on consent or contract and is carried out by automated means (Art. 20). Note that this right does not apply to clinical records held under Article 9(2)(h).
Right to object — to object to processing based on legitimate interests, including direct marketing (Art. 21).
Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to complain to the ICO — see Section 16.
We will respond to a valid request within one calendar month. We may extend this by up to two further months for complex requests, and will tell you if we do.
15. Changes to This Notice
We may update this Privacy Notice from time to time to reflect changes in our practice, the services we use, or legal requirements. The "Last updated" date at the top of this notice shows when it was last revised. We recommend reviewing it periodically.
16. Complaints
If you have a concern about how we handle your personal data, please contact us first using the details in Section 2 — we will do our best to resolve it.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
Website: https://www.ico.org.uk
Helpline: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
