Privacy Policy

Last Updated: February 25, 2026

Introduction

Alaw Therapies ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our booking services.

Information We Collect

Personal Information

We collect personal information that you voluntarily provide when booking an appointment:

  • Contact Information: Name, email address, phone number
  • Medical History: Current medications, medical conditions, previous treatments (encrypted and securely stored)
  • Booking Information: Appointment dates, service preferences, special requests
  • Payment Information: Processed securely through Stripe (we do not store your full card details)

Automatically Collected Information

  • IP address and browser type
  • Device information and operating system
  • Pages visited and time spent on site
  • Referring website addresses

How We Use Your Information

We use your information to:

  • Process and manage your appointments
  • Send booking confirmations and appointment reminders
  • Process payments securely
  • Maintain medical records for continuity of care (7-year retention as required by law)
  • Sync appointments with Google Calendar (with your authorization)
  • Send marketing communications (only with your explicit consent)
  • Improve our website and services
  • Comply with legal obligations

Legal Basis for Processing (GDPR)

Under UK GDPR, we process your data based on:

  • Contract: To fulfill our booking service agreement with you
  • Consent: For marketing communications and optional data processing
  • Legal Obligation: To retain medical records for 7 years as required by UK law
  • Legitimate Interest: To improve our services and prevent fraud

Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: All medical history data is encrypted at rest using Laravel's encryption
  • Secure Transmission: HTTPS/TLS encryption for all data in transit
  • Access Controls: Role-based access with strong authentication
  • Payment Security: PCI-DSS compliant payment processing via Stripe
  • Regular Backups: Encrypted database backups with secure storage

Third-Party Services

We use the following trusted third-party services:

  • Stripe: Payment processing (Privacy Policy)
  • Google Calendar: Appointment synchronization (with your authorization) (Privacy Policy)
  • Email Service Provider: Transactional emails (Mailgun/SendGrid/SES)
  • Twilio: SMS appointment reminders (optional) (Privacy Policy)

Your Rights (UK GDPR)

You have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Opt out of marketing communications or processing based on legitimate interest
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us using the details below.

Data Retention

  • Medical Records: 7 years from last appointment (UK legal requirement)
  • Booking History: 7 years for accounting and legal purposes
  • Consent Logs: Retained indefinitely as proof of consent
  • Marketing Consent: Until you withdraw consent

Cookies and Similar Technologies

Our website uses cookies to provide essential functionality. Cookies are small text files stored on your device that help us maintain your session and improve your experience.

Essential Cookies We Use

These cookies are necessary for the website to function and cannot be switched off:

  • Session Cookie (alaw-therapies-session): Maintains your logged-in state and preserves your booking progress
  • CSRF Token (XSRF-TOKEN): Security cookie that protects against cross-site request forgery attacks
  • Authentication Cookies: Remember your login status and two-factor authentication verification

No Tracking or Analytics: We do not use cookies for tracking, advertising, or analytics purposes. We do not use Google Analytics, Facebook Pixel, or any third-party marketing cookies.

Under UK GDPR and PECR, essential cookies do not require your consent because they are strictly necessary for the operation of our service. By using our website, you acknowledge our use of these essential cookies as described.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

For material changes that affect how we use your personal data, we will:

  • Notify you via email at least 30 days before the changes take effect
  • Display a prominent notice on our website
  • Update the "Last Updated" date at the top of this page

For minor changes (such as clarifications or formatting), we will update this page and the "Last Updated" date. We encourage you to review this Privacy Policy periodically.

Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

Alaw Therapies

Machynlleth, Wales

Email: meg@alaw-therapies.wales

ICO Registration: [To be added if applicable]