Privacy Policy for Onyx Therapy UK
Last Updated: June, 2026
Onyx Therapy UK is committed to protecting the privacy and security of your personal information. This Privacy Policy outlines how we collect, use, store, and protect your data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a provider of specialist multidisciplinary support, including Speech and Language Therapy and Occupational Therapy, we understand the sensitive nature of the information we handle.
-
Who We Are
Onyx Therapy UK is a private therapy business providing specialist Speech and Language Therapy and Occupational Therapy services. We are the Data Controller responsible for your personal data. Our contact details are:
Onyx Therapy UK Email: admin@onyxtherapy.uk
Speech and Language Therapy Email: salt@onyxtherapy.uk
Speech and Language Therapy Phone: 07832 665 865
Occupational Therapy Phone: 07471 350 873
-
Information We Collect
We may collect and process various types of personal data, including:
- Identity Data: Name, date of birth, gender.
- Contact Data: Email address, postal address, telephone numbers.
- Health Data (Special Category Data): Information about your physical and mental health, medical history, diagnoses, therapy notes, assessment results, and other health-related information relevant to the provision of our services. This includes information collected during autism assessments.
- Financial Data: Payment details for services (though actual payment processing may be handled by third-party providers).
- Usage Data: Information about how you use our website and services.
- Technical Data: Internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
- Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.
-
How We Collect Your Information
We collect information through various methods, including:
- Direct Interactions: You may provide us with your Identity, Contact, Health, and Financial Data by filling in forms on our website (e.g., contact forms), corresponding with us by post, phone, email, or otherwise. This includes personal data you provide when you:
  - Enquire about or receive our services.
  - Book an assessment or therapy session.
  - Provide feedback or testimonials.
  - Purchase digital products.
- Automated Technologies or Interactions: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies and other similar technologies.
- Third Parties: We may receive personal data about you from various third parties, such as referrers (e.g., schools, GPs) or analytics providers.
-
Lawful Basis for Processing
Under UK GDPR, we must have a lawful basis to process your personal data. For sensitive health data, additional conditions apply. We rely on the following lawful bases:
- Performance of a Contract: Processing is necessary for the performance of a contract for services with you, or to take steps at your request before entering into such a contract (e.g., providing therapy, conducting assessments).
- Legitimate Interests: Processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (e.g., for internal administrative purposes, improving our services, or for direct marketing where appropriate safeguards are in place).
- Consent: We may rely on your explicit consent for certain processing activities, particularly for marketing communications or when processing special categories of personal data where other lawful bases do not apply. You have the right to withdraw consent at any time.
- Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject (e.g., maintaining clinical records for a specified period).
- Vital Interests: Processing is necessary to protect your vital interests or those of another person (e.g., in emergency situations).
For Special Category Data (such as health data), we process this data because it is necessary for the provision of health or social care or treatment, or the management of health or social care systems and services [2]. We may also process special category data with your explicit consent.
-
How We Use Your Information
We use your personal data for the following purposes:
- To Provide Services: To deliver Speech and Language Therapy, Occupational Therapy, assessments, training, supervision, and consultancy services.
- Communication: To communicate with you regarding appointments, services, and inquiries.
- Internal Records: For administrative purposes, record-keeping, and service improvement.
- Billing and Payments: To process payments for services and digital products.
- Website Improvement: To understand how our website is used and to improve user experience.
- Marketing: To send you relevant information about our services, updates, or digital products, where you have consented or where we have a legitimate interest to do so.
- Legal Compliance: To comply with legal and regulatory obligations.
-
Data Sharing and Disclosure
We will not share your personal information with third parties unless we have your explicit permission or are required by law to do so. We may share your data with:
- Multidisciplinary Team: For autism assessments, your data will be shared within the multidisciplinary team involved in your assessment (e.g., Speech and Language Therapists, Occupational Therapists, Clinical Psychologists) [3].
- Service Providers: Third-party service providers who assist us in operating our business (e.g., IT support, payment processors, website hosting). These providers are contractually bound to protect your data and only process it according to our instructions.
- Legal and Regulatory Authorities: When required by law, court order, or governmental regulation.
- Referrers: With your consent, we may share relevant information with referrers (e.g., GPs, schools) involved in your care.
We will not transfer your personal information outside the European Union without ensuring adequate protection measures are in place, such as standard contractual clauses.
-
Data Security
We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. These measures include:
- Highly encrypted electronic systems.
- Password-protected digital records.
- Locked filing cabinets for any paper records.
- Confidentiality agreements with all staff.
- Regular review of our security practices.
In the event of a data breach, we will follow UK GDPR guidelines and notify you and the Information Commissioner’s Office (ICO) within 72 hours where required.
-
Data Retention
We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. For clinical records, we typically retain data for 7 years after the cessation of treatment, or for individuals under 18, 7 years after they turn 18, in accordance with professional guidelines and insurance requirements [1].
-
Your Legal Rights
Under UK GDPR, you have the following rights regarding your personal data:
- The right to be informed: To be informed about how your personal data is collected and used.
- The right of access: To request a copy of the personal data we hold about you (Subject Access Request).
- The right to rectification: To request that inaccurate or incomplete data be corrected.
- The right to erasure (‘the right to be forgotten’): To request the deletion or removal of your personal data where there is no compelling reason for its continued processing.
- The right to restrict processing: To block or suppress the processing of your personal data in certain circumstances.
- The right to data portability: To obtain and reuse your personal data for your own purposes across different services.
- The right to object: To object to the processing of your personal data in certain circumstances, including direct marketing.
- Rights in relation to automated decision-making and profiling: To not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
To exercise any of these rights, please contact us using the details provided in Section 1. We may require proof of identity to process your request. We will respond to your request within one month.
-
Cookies
Our website may use cookies to enhance user experience and monitor its usage and performance. Cookies are small text files placed on your device. We primarily use strictly necessary cookies for the operation of the site, which do not require your consent. We do not currently use cookies for functionality or marketing purposes that identify individual users via IP addresses. You can manage your cookie preferences through your browser settings.
-
Third-Party Links
Our website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
-
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Any changes will be posted on this page with an updated “Last Updated” date. We encourage you to review this Privacy Policy periodically.
-
Complaints
If you have any concerns about our use of your personal information, you can make a complaint to us at admin@onyxtherapy.uk. You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).