Active X Clinics

Privacy Policy

Effective Version Date: May 26, 2026

1. Introduction and Scope

Active X (“we”, “us”, “our”) is dedicated to safeguarding and preserving the privacy of our patients, website visitors, and digital service users. This Privacy Policy outlines how we collect, store, utilize, and protect your personal data when you visit our website, book clinical appointments, or interact with our automated digital assistant, Gavin AI.

We operate as a Data Controller under UK data protection law. We confirm that all personal data is held securely and processed in strict compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Categories of Personal Data We Collect

We collect, store, and process several types of personal information depending on how you interact with our services:

2.1 Information You Actively Provide to Us

  • Identity and Contact Data: Your first name, last name, email address, telephone number, and physical postal address when you submit an inquiry form, book an appointment, or sign up for a digital account.

  • Special Category Health Data: When you register as a patient or interact with Gavin AI, we process highly sensitive health data. This includes clinical self-assessment metrics (e.g., Backscore), functional capacity descriptions, symptom disclosures, injury histories, and the complete text transcripts of your typed interactions with Gavin AI.

2.2 Information Our Platform Automatically Collects

With regard to each of your visits to our digital platform, we automatically collect:

  • Technical Logs: Your Internet Protocol (IP) address (truncated and anonymized), browser type and version, operating system, and platform.

  • Usage Data: Information about your visit, including the pages you view, length of stay, response times, clicking behaviors, and system errors.

2.3 Cookies

Our website uses cookies to distinguish you from other users. This assists us in optimizing your browsing experience and helps us improve our digital tools. For comprehensive details regarding the cookies we deploy, please refer to our dedicated Cookie Policy.

3. Our Lawful Basis for Processing Your Data

Under Article 6 and Article 9 of the UK GDPR, we must establish specific legal grounds to process your data.

                  ┌───────────────────────────────┐
                  │   Data Processing Framework   │
                  └───────────────┬───────────────┘
                                  │
         ┌────────────────────────┴────────────────────────┐
         ▼                                                 ▼
┌─────────────────┐                               ┌─────────────────┐
│  Standard Data  │                               │   Health Data   │
└────────┬────────┘                               └────────┬────────┘
         │                                                 │
 ┌───────┼───────┐                                 ┌───────┼───────┐
 ▼       ▼       ▼                                 ▼       ▼       ▼
Contract Consent Legitimate                        Consent Health  Public
                  Interest                                  Care   Health

3.1 Standard Personal Data (Contact, Identity, Technical Information)

  • Performance of a Contract: Necessary to manage your account, fulfill clinic bookings, and provide access to the Gavin AI interface.

  • Consent: Where you choose to opt into marketing communications (such as newsletters).

  • Legitimate Interests: To troubleshoot, debug, and monitor our website traffic and platform security.

3.2 Special Category Health Data (Symptoms, Clinical Notes, AI Transcripts)

Because health data is highly sensitive, we only process it under the following rigorous UK GDPR Article 9 exceptions:

  • Explicit Consent (Article 9(2)(a)): You grant us explicit, unbundled consent via our mandatory onboarding checkboxes prior to entering data into Gavin AI. You have the right to withdraw this consent to AI processing at any time, though doing so will revoke your access to the tool.

  • Provision of Health or Social Care (Article 9(2)(h)): To enable our human, registered clinicians (GOsC and CSP members) to review your progress, verify suggested recovery pathways, and maintain accurate clinical medical files.

4. How We Use Your Information

We use the information we collect in the following structured ways:

  • To deliver the specific physical therapy, osteopathic, and digital wellness services you request.

  • To supply your human clinician with data inputs (such as your functional capacity or Backscore) to guide your manual treatment plans.

  • To administer, troubleshoot, test, secure, and improve our digital interfaces.

  • To maintain an accurate audit history of terms acceptance for legal and regulatory compliance.

Note: General traffic metrics are processed anonymously via Google Analytics. Find out how Google handles this data at Google Analytics Privacy Policy.

5. Third-Party Disclosures and International Data Transfers

We do not rent, sell, or share your personal details with third-party marketers or non-affiliated companies. However, to operate our digital-first services, data is shared with trusted technical sub-processors:

5.1 Infrastructure and AI Sub-processors

  • Website Management: We utilize FlyWheel to host and manage our primary public web infrastructure.

  • Gavin AI Platform: Gavin AI is built on and hosted by MindStudio Inc. Text strings and interactions you enter into Gavin AI are processed by automated Large Language Models (LLMs) managed securely through MindStudio. No underlying diagnostic medical charts or financial profiles are transmitted to these language models, and your inputs are never utilized to train public, open-source AI software.

5.2 International Data Transfers (Outside the UK)

MindStudio Inc. operates infrastructure located primarily within the United States. Because your digital interactions will be transferred outside the United Kingdom, we safeguard this transit by executing strict Data Processing Agreements (DPAs) incorporating UK-approved Standard Contractual Clauses (SCCs). This ensures your information receives an identical standard of security to that required under domestic UK legislation.

6. Data Retention vs. Your Right to Erasure

  • Clinical Records Mandate: In accordance with the statutory guidelines of the General Osteopathic Council (GOsC) and the Chartered Society of Physiotherapy (CSP), all records concerning clinical assessments, consultations, and exercise logs must be legally retained for a minimum period of eight (8) years following the most recent conclusion of your treatment. If the patient is a child, records must be preserved until their 25th birthday (or 26th birthday if they were 17 when treatment concluded).

  • Right to Erasure Exceptions: While you possess the “Right to be Forgotten” (Right to Erasure) under Article 17 of the UK GDPR, this right does not apply to data forming part of an official medical record (per Article 17(3)(b)). If you submit a formal request for erasure to info@active-x.co.uk, we will purge marketing rows, contact info, and non-clinical data, but any clinical chat transcripts or functional metrics reviewed by your practitioner must be securely locked and retained for the statutory period defined above.

7. Data Security and Safeguards

The transmission of information over the internet is never perfectly secure. While we execute technical and organizational safeguards to protect your personal information, transmissions are ultimately at your own risk. Once received, your personal data is isolated on secure servers. Access to health records and underlying text logs within our system is restricted solely to authorized clinic staff who have a legal and professional duty of confidentiality.

8. Third-Party External Links

Our platform may contain links to external third-party sites (such as appointment software or exercise reference hubs). These external platforms maintain separate privacy terms. Active X accepts no legal responsibility or liability for their independent handling of your data. Please check their privacy rules before providing personal data.

9. Your Legal Rights Under UK Data Protection Law

You possess concrete legal entitlements regarding your personal information, which you may exercise at any time by contacting us in writing:

  • The Right of Access (Subject Access Request): You may request a complete copy of all personal and clinical data we hold regarding you. We will deliver this information to you free of charge within the statutory 30-day timeframe.

  • The Right to Rectification: You can request that we update or correct inaccurate details in your records.

  • The Right to Restrict Processing: You may request that we temporarily suspend processing your data while a dispute is resolved.

  • The Right to Lodge a Complaint: If you believe Active X has mismanaged your data or failed to protect your privacy, you have the right to escalate your complaint directly to the Information Commissioner’s Office (ICO) via their official hotline at 0303 123 1113.

10. Modifications to This Privacy Policy

Any structural or compliance updates we make to this policy will be uploaded to this page. Where material modifications alter your rights or introduce new data processing systems, we will notify you explicitly via email or via an interface block on our patient application.

11. Contact Details

Questions, requests, or comments regarding this Privacy Policy are welcomed and should be directed in writing to our Data Protection representative at info@active-x.co.uk.