Privacy policy
This page explains how Health by Science collects, uses and protects your personal information when you visit our website, submit an enquiry or book an appointment with us.
Last Updated: March 2026
At Health by Science, we take your privacy seriously. This policy explains what personal information we collect, why we need it, how we keep it safe, and your rights over it. It applies to all clients and website users in the United Kingdom.
1. Who We Are
Health by Science is a Social Enterprise and Community Interest Company. We act as the data controller for the personal information we hold about you, meaning we are responsible for ensuring it is processed lawfully, fairly, and transparently.
Address: 98 Giles Street, Edinburgh, EH6 6BZ
Email: [email protected]
Phone: 0131 210 0002
2. Information We Collect
We collect information to help provide you with the best possible care and service. This happens in the following ways:
Directly from you
When you fill out an enquiry form, contact us, complete a survey, or book an appointment, we collect details such as your name, contact information, and health history (current symptoms, medical background, and lifestyle information).
Booking appointments
We use Acuity Scheduling to manage our calendar. Acuity collects your contact details and appointment history so we can send you reminders and manage your bookings.
During consultations
We use Google Meet for video consultations. With your explicit consent, we also use Heidi AI to assist with automated clinical note-taking during in-person and online sessions. Notes produced by Heidi AI are pseudonymised within the system. See Section 4a for full details.
Our app (Glide)
We use the Glide platform to deliver your exercise and rehabilitation programmes. Through the app, we collect information about your programme participation, progress, and any activity data you enter. Our staff also use Glide to create and manage your personalised programmes.
Client communications
We use Make (formerly Integromat) to automate communications via WhatsApp (Meta) and our Glide app. This allows us to send you reminders, updates, and programme information efficiently.
Website and AI chat
We use Synflow as our AI receptionist and website chat widget. When you interact with our website chat, Synflow may collect your name, contact details, and the content of your enquiry. We also use cookies and analytics tools to understand how people use our site — this data is anonymised and used to improve our content and services.
AI-assisted clinical reasoning (internal use)
Our clinical and coaching staff may use Google Gemini within Google Workspace to assist with clinical reasoning and programme planning. Before any client data is used with Gemini, all direct identifiers (name, date of birth, contact details, address, NHS/insurance numbers) are removed. Only anonymised data is used.
3. How We Use Your Information
We use your data only for the following purposes:
- Providing care: To give you personalised health advice and maintain accurate records of your sessions.
- Communication: To send you reminders, updates, and responses to your questions via email, app notifications, and WhatsApp.
- Programme delivery: To create, manage, and deliver your personalised exercise and rehabilitation programmes through our Glide app.
- Legal and professional standards: We are required by HCPC guidelines to keep health records for 8 years.
- Improving our service: To analyse trends anonymously so we can improve our website, app, and services.
- Marketing: Where you have not opted out, we may occasionally send you emails about services, news, and offers relevant to your enquiry or appointment. We do this on the basis of soft opt-in under PECR. You can opt out at any time by replying to any marketing email with the word ‘Stop’.
Our lawful bases for processing:
- Consent — for special category health data, Heidi AI note-taking, and marketing communications
- Contract — to deliver the services you have booked
- Legal obligation — to maintain health records as required by HCPC guidelines
- Legitimate interest — for service improvement, internal analytics, and soft opt-in marketing communications
4. Who We Share Your Data With
We do not sell your data. We only share it with trusted third-party “data processors” who help us run our business. We have Data Processing Agreements in place with each of these providers:
- App and programme delivery: Glide Apps Inc. — exercise and rehabilitation programme management
- Scheduling and forms: Acuity Scheduling — appointment booking and reminders; Typeform — client intake forms and surveys
- Consultations and notes: Google (Meet, Drive, Workspace) — video calls, document storage, and AI-assisted clinical reasoning; Heidi AI — automated consultation note-taking (with your consent)
- Automation and communications: Make (formerly Integromat) and Zapier — workflow automation; WhatsApp (Meta) — client communications
- Website and AI receptionist: Synflow — AI chat widget and enquiry management
Only authorised Health by Science staff who have completed data protection training may access your information.
4a. AI Usage Information
Health by Science uses two AI tools that may process your health information. This section explains both in full.
Heidi AI — clinical note-taking
Heidi AI is used to assist with note-taking during in-person and online consultations. It transcribes and summarises conversations to help our practitioners produce accurate clinical records.
- What it processes: your spoken words during the consultation, health information you share, and any other information discussed as part of your care.
- How we protect your data: Heidi AI is fully GDPR and HIPAA compliant. Your data is pseudonymised within the system. We have a Data Processing Agreement in place with Heidi AI.
- Lawful basis: explicit consent. You will be asked to consent via a checkbox on our booking form. You may withdraw consent at any time by emailing [email protected].
- Data retention: notes are retained for 8 years in line with HCPC guidelines. Raw transcription data is subject to Heidi AI’s own retention policy.
- Opting out: use of Heidi AI is entirely optional. Leave the checkbox unticked when booking and our practitioners will take notes manually instead. This will not affect your care.
Google Gemini — clinical reasoning (internal use only)
Our staff may use Google Gemini within Google Workspace to assist with clinical reasoning and programme planning. This is an internal tool only — Gemini is never used to communicate with you directly.
- Data protection: HBS has accepted the Google Cloud Data Processing Addendum. Google does not use your data to train its AI models.
- Anonymisation: all direct identifiers are removed before any client data is used with Gemini.
- Lawful basis: legitimate interest, supported by full anonymisation prior to use.
5. Keeping Your Data Safe
- Encryption: your data is encrypted both in transit (SSL/TLS) and at rest.
- Access controls: only staff who need to see your data can access it.
- Staff training: all staff complete mandatory data protection training before accessing client data.
- Regular audits: we review our systems and processes quarterly.
- Breach notification: if anything goes wrong, we will notify you and the ICO within 72 hours.
6. International Data Transfers
Some of our service providers are based outside the UK or EEA, including in the US. When we transfer data internationally, we ensure appropriate safeguards are in place — such as the UK–US Data Bridge, Data Privacy Framework, or Standard Contractual Clauses — to keep your data as safe as it is in the UK.
7. Your Rights
You have the following rights over your personal data. To exercise any of them, email us at [email protected]. We will respond within one month.
- Right of access (Subject Access Request): request a copy of all data we hold about you.
- Right to rectification: ask us to correct inaccurate or incomplete data.
- Right to erasure: ask us to delete your data (subject to our legal obligation to retain health records for 8 years under HCPC guidelines).
- Right to data portability: request a digital copy of your data to take elsewhere.
- Right to restrict processing: ask us to limit how we use your data in certain circumstances.
- Right to object: object to processing based on legitimate interests.
- Right to withdraw consent: where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
8. Data Retention
- Health records: 8 years from the date of last treatment, in line with HCPC guidelines.
- Enquiry and contact records: 2 years from the date of last contact, unless you become a client.
- Marketing preferences: until you opt out or withdraw consent.
- Financial records: 7 years in line with HMRC requirements.
For full details please refer to our Data Retention Policy, available on request.
9. Cookies
We use cookies to help our website run smoothly. Some are essential (to keep the site working), while others are performance or targeting cookies (to help us understand how people use our site). You will be asked to consent to non-essential cookies when you first visit our website. You can change your cookie preferences at any time in your browser settings, though some parts of our site may not work as well if you disable certain cookies.
10. Changes to This Policy
If we make significant changes to how we handle your data, we will let you know via email or a notice on our website. The date at the top of this policy will always reflect when it was last updated.
Contact Us
If you have any questions about your privacy or wish to exercise your rights, please get in touch:
Email: [email protected]
Phone: 0131 210 0002
Address: 98 Giles Street, Edinburgh, EH6 6BZ
You also have the right to complain to the Information Commissioner’s Office (ICO):
Website: www.ico.org.uk | Helpline: 0303 123 1113


