GDPR
This page sets out how CliniForm complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It supplements our Privacy Policy and explains your rights as a data subject.
1. Data controller
For personal data relating to practice users (account holders, billing contacts, and website visitors), the data controller is:
CliniForm
128 City Road, London, EC1V 2NX
United Kingdom
Email: privacy@cliniform.test
For personal data submitted through consultation forms by end clients, the relevant practice (therapist or clinic) is typically the data controller. CliniForm processes that data on the practice's instructions as a data processor.
2. Our commitment to UK GDPR
We are committed to the principles of UK GDPR, including that personal data shall be:
- Processed lawfully, fairly, and transparently;
- Collected for specified, explicit, and legitimate purposes;
- Adequate, relevant, and limited to what is necessary;
- Accurate and kept up to date;
- Kept for no longer than necessary;
- Processed securely with appropriate technical and organisational measures.
3. Lawful bases for processing
We process personal data only where we have a valid lawful basis, including:
- Performance of a contract — to provide the CliniForm service to subscribed practices;
- Legitimate interests — to maintain platform security, prevent fraud, and improve our services;
- Legal obligation — to comply with tax, accounting, and regulatory requirements;
- Consent — for marketing communications and non-essential cookies where required.
4. Special category data
Consultation forms may contain special category personal data (including health information). Practices are responsible for ensuring they have an appropriate lawful basis under Article 9 UK GDPR (such as explicit consent, provision of health care, or substantial public interest) before collecting such data.
As a processor, we handle special category data only on documented instructions from the practice and in accordance with our data processing terms.
5. Your rights under UK GDPR
If we are the controller of your personal data, you have the following rights:
5.1 Right of access
You may request a copy of the personal data we hold about you.
5.2 Right to rectification
You may ask us to correct inaccurate or incomplete personal data.
5.3 Right to erasure
You may request deletion of your personal data in certain circumstances (for example, where it is no longer necessary or you withdraw consent).
5.4 Right to restrict processing
You may ask us to limit how we use your data in specific situations.
5.5 Right to data portability
Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
5.6 Right to object
You may object to processing based on legitimate interests or for direct marketing purposes.
5.7 Rights related to automated decision-making
We do not make solely automated decisions that produce legal or similarly significant effects without human involvement. AI features on the platform are assistive tools for practices and do not replace professional judgement.
5.8 Right to withdraw consent
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
6. How to exercise your rights
Send your request to privacy@cliniform.test. Please include enough information for us to verify your identity and locate your data.
We will respond within one month of receiving a valid request. This may be extended by a further two months for complex requests, in which case we will inform you.
There is no fee for most requests. We may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.
7. Data processors and subprocessors
Where we act as a processor for practice users, we:
- Process personal data only on documented instructions;
- Ensure personnel are bound by confidentiality;
- Implement appropriate security measures;
- Assist practices with data subject requests where reasonably possible;
- Delete or return data at the end of the service, subject to legal retention requirements;
- Make available information necessary to demonstrate compliance.
8. International data transfers
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V, such as the UK International Data Transfer Agreement, or that the destination country is covered by adequacy regulations.
9. Data breaches
We maintain procedures to detect, report, and investigate personal data breaches. Where we are the controller, we will notify the ICO within 72 hours of becoming aware of a notifiable breach, and affected individuals without undue delay where there is a high risk to their rights and freedoms.
Where we are a processor, we will notify the relevant practice without undue delay.
10. Complaints to the ICO
You have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
We encourage you to contact us first at privacy@cliniform.test so we can try to resolve your concern.
11. Contact
CliniForm
128 City Road, London, EC1V 2NX
Email: privacy@cliniform.test