Privacy Policy

Last updated: 1 May 2026

M20 Health & Performance respects your privacy and is committed to protecting your personal information.

This Privacy Policy explains how we collect, use, store and share personal information when you visit our website, contact us, make an enquiry, book an appointment, attend our clinic, use our services, or otherwise interact with us.

This policy is written to help you understand what information we collect, why we collect it, how we use it, who we may share it with, how long we keep it, and what rights you have.

1. Who we are

M20 Health & Performance is a health, rehabilitation and performance clinic based in Manchester.

Clinic name: M20 Health & Performance
Address: 150E Burton Road, West Didsbury, Manchester, M20 1LH
Website: https://m20health.com
Email: contact@m20health.com
Phone: 0161 706 0736

For the purposes of UK data protection law, M20 Health & Performance is the “controller” of the personal information we collect and use.

Legal entity: [INSERT FULL LEGAL ENTITY NAME]
Company number: [INSERT COMPANY NUMBER, IF APPLICABLE]
ICO registration number: [INSERT ICO REGISTRATION NUMBER, IF APPLICABLE]
Data protection contact: [INSERT NAME OR ROLE, e.g. Clinic Manager / Data Protection Lead]

You can contact us about this Privacy Policy or your personal information by emailing:

contact@m20health.com

2. What this policy applies to

This Privacy Policy applies to personal information collected through:

  • our website;
  • our contact forms;
  • phone, email, WhatsApp, social media or direct messages;
  • appointment bookings;
  • clinic consultations;
  • treatment, rehabilitation and performance services;
  • payment and invoicing;
  • reviews, testimonials and feedback;
  • marketing communications;
  • cookies, analytics and similar website technologies.

This policy does not apply to third-party websites that we may link to. If you follow a link to another website, you should read that organisation’s own privacy policy.

3. The types of personal information we collect

The personal information we collect depends on how you interact with us.

3.1 Contact and enquiry information

When you contact us, we may collect:

  • your name;
  • email address;
  • phone number;
  • the reason for your enquiry;
  • preferred clinic location or service;
  • any information you choose to include in your message;
  • your communication preferences;
  • records of our correspondence with you.

3.2 Booking and appointment information

When you book or attend an appointment, we may collect:

  • your name;
  • date of birth;
  • address;
  • email address;
  • phone number;
  • emergency contact details, where appropriate;
  • appointment dates and times;
  • services booked;
  • clinician or practitioner assigned to you;
  • attendance, cancellation and rescheduling history;
  • referral information, if applicable;
  • payment and invoice details.

3.3 Health, clinical and treatment information

Because we provide health, rehabilitation and performance-related services, we may collect information about your health. This may include:

  • injury history;
  • symptoms;
  • pain levels;
  • medical history;
  • medication information;
  • physical activity and training background;
  • rehabilitation goals;
  • lifestyle factors relevant to your treatment;
  • assessment findings;
  • treatment notes;
  • exercise plans;
  • progress notes;
  • outcome measures;
  • images, videos or movement analysis where clinically relevant;
  • information from GPs, consultants, coaches, insurers or other healthcare professionals, where applicable and lawful.

Health information is treated as special category data under UK data protection law. This means it receives a higher level of protection.

3.4 Performance, testing and coaching information

If you use our performance services, we may collect:

  • fitness testing data;
  • movement screening results;
  • gait analysis information;
  • VO₂ max, lactate, strength or body composition data, where applicable;
  • training history;
  • sporting background;
  • performance goals;
  • coaching notes;
  • progress data.

Some of this information may also reveal health-related information and will be treated with appropriate care.

3.5 Payment and transaction information

When you pay for our services, we may collect:

  • payment status;
  • transaction records;
  • invoice details;
  • billing details;
  • partial payment card information, where provided by our payment processor;
  • records required for accounting, tax and financial administration.

We do not usually store full card details ourselves. Payments are normally processed by third-party payment providers.

Payment processor: [INSERT PAYMENT PROVIDER, e.g. Stripe, Square, SumUp, Worldpay, Fresha, Cliniko payments, etc.]

3.6 Website and technical information

When you use our website, we may collect:

  • IP address;
  • browser type and version;
  • device type;
  • operating system;
  • pages visited;
  • time spent on pages;
  • referring website or source;
  • approximate location based on IP address;
  • cookie preferences;
  • form submission data;
  • website analytics data.

Some of this data is collected through cookies and similar technologies. See section 14 below for more information.

3.7 Reviews, testimonials, photos and media

If you choose to provide a review, testimonial, photo, video or case study, we may collect:

  • your name;
  • review or feedback content;
  • image, video or audio content;
  • treatment or service experience;
  • social media handle, if relevant;
  • your consent preferences for publication.

We will only use identifiable testimonials, images, videos or case studies for marketing where we have appropriate permission.

3.8 Marketing information

If you subscribe to updates or agree to receive marketing, we may collect:

  • your name;
  • email address;
  • phone number, where relevant;
  • marketing preferences;
  • consent records;
  • unsubscribe or opt-out history;
  • engagement with marketing emails or messages.

You can opt out of marketing at any time.

4. How we collect your personal information

We may collect information directly from you when you:

  • complete a contact form;
  • book an appointment;
  • call us;
  • email us;
  • message us on WhatsApp or social media;
  • attend the clinic;
  • complete a health questionnaire or intake form;
  • speak with a clinician or practitioner;
  • make a payment;
  • leave a review;
  • subscribe to marketing;
  • use our website.

We may also receive information from third parties, including:

  • GPs, consultants or healthcare professionals;
  • sports coaches or referrers;
  • insurers, where applicable;
  • booking platforms;
  • payment processors;
  • analytics and website providers;
  • review platforms;
  • social media platforms;
  • professional advisers;
  • regulatory or legal bodies, where required.

5. How and why we use your personal information

We only use your personal information where we have a lawful reason to do so.

The table below explains the main ways we use personal information and the lawful bases we rely on.

Purpose | Personal information used | Lawful basis
Responding to enquiries | Name, contact details, enquiry details | Legitimate interests, consent, or steps before entering into a contract
Booking and managing appointments | Contact details, booking details, appointment history | Contract and legitimate interests
Providing treatment, rehabilitation and health services | Health information, clinical notes, assessment findings, treatment records | Contract, legitimate interests, legal obligations, and Article 9 condition for healthcare/treatment
Providing performance testing, coaching and related services | Testing data, goals, training background, performance results | Contract, legitimate interests, and Article 9 condition where health data is involved
Keeping clinical records | Treatment notes, assessment findings, progress notes | Legal obligation, legitimate interests, contract, and Article 9 condition for healthcare/treatment
Sending appointment reminders and service messages | Name, phone number, email address, appointment details | Contract and legitimate interests
Taking payments and managing accounts | Payment status, invoices, transaction records | Contract, legal obligation and legitimate interests
Managing cancellations, complaints or disputes | Contact details, appointment records, communications, clinical information where relevant | Legitimate interests, legal obligation and legal claims
Improving our services and website | Feedback, usage data, analytics | Legitimate interests or consent where required
Sending marketing communications | Contact details, marketing preferences | Consent or legitimate interests where permitted by law
Publishing reviews, testimonials, photos or case studies | Review content, images, videos, name, treatment experience | Consent, and explicit consent where special category data is involved
Protecting patients, staff and the public | Relevant contact, health, safeguarding or incident information | Vital interests, legal obligation, substantial public interest and legitimate interests
Complying with legal, regulatory, tax and insurance requirements | Records relevant to compliance, accounting, insurance, legal claims or regulatory matters | Legal obligation, legitimate interests and legal claims

6. Health information and special category data

Some information we collect is health-related. This may include details about injuries, pain, symptoms, medical history, treatment, rehabilitation, physical assessment, exercise prescription, clinical notes and progress.

This type of information is known as special category data under UK data protection law.

We process health information only where necessary for appropriate purposes, such as:

  • assessing your needs;
  • providing treatment or rehabilitation;
  • creating and maintaining clinical records;
  • monitoring progress;
  • communicating with you about your care;
  • referring you to another professional, where appropriate;
  • dealing with complaints, legal claims, safeguarding issues or regulatory matters.

Where we process health information for care, treatment or rehabilitation, we usually rely on the UK GDPR condition that processing is necessary for the provision of health care or treatment. We may also rely on other conditions where appropriate, such as explicit consent, vital interests, legal claims or substantial public interest.

Access to health information is restricted to people who need it for legitimate clinical, administrative, legal or operational reasons.

7. Confidentiality

We understand that health information is personal and sensitive.

We aim to protect your confidentiality by:

  • limiting access to your information;
  • using secure systems where possible;
  • keeping clinical records separate from general marketing data where appropriate;
  • only sharing information where there is a valid reason;
  • requiring staff, clinicians and service providers to handle information responsibly;
  • taking appropriate steps to prevent unauthorised access, loss or misuse.

There may be limited situations where we need to share information without your consent, such as where required by law, where there is a safeguarding concern, where there is a serious risk of harm, or where necessary in connection with legal or regulatory matters.

8. Sharing your personal information

We do not sell your personal information.

We may share personal information with trusted third parties where necessary, including:

8.1 Clinicians, practitioners and clinic staff

We may share relevant information internally with clinicians, practitioners, administrative staff and contractors who need access to provide services, manage appointments, respond to enquiries, process payments or support clinic operations.

8.2 Healthcare professionals and referrers

Where appropriate and lawful, we may share relevant information with:

  • your GP;
  • consultants;
  • physiotherapists;
  • coaches;
  • rehabilitation specialists;
  • insurers;
  • other healthcare professionals involved in your care.

We will usually do this with your knowledge or consent unless there is another lawful reason to share the information.

8.3 Service providers

We may use third-party service providers for:

  • website hosting;
  • website forms;
  • online booking;
  • clinical record systems;
  • payment processing;
  • email hosting;
  • SMS or appointment reminders;
  • analytics;
  • cookie management;
  • customer relationship management;
  • accounting;
  • IT support;
  • data storage;
  • marketing platforms;
  • review platforms.

These providers may process personal information on our behalf. Where required, we expect them to protect your information and only use it for the agreed purpose.

Current or potential providers may include:

  • Website platform: [INSERT, e.g. Webflow]
  • Booking system: [INSERT]
  • Clinical records system: [INSERT]
  • Payment processor: [INSERT]
  • Email provider: [INSERT]
  • Analytics provider: [INSERT, e.g. Google Analytics]
  • Cookie consent tool: [INSERT]
  • Review platform: [INSERT, e.g. Trustindex / Google Reviews]
  • Marketing platform: [INSERT, if applicable]

8.4 Legal, professional and regulatory parties

We may share information with:

  • accountants;
  • legal advisers;
  • insurers;
  • professional bodies;
  • regulators;
  • courts or tribunals;
  • law enforcement;
  • tax authorities;
  • safeguarding authorities.

We will only do this where necessary and lawful.

8.5 Business transfers

If M20 Health & Performance is involved in a business sale, merger, restructure or transfer, relevant personal information may be shared with the parties involved, their advisers and any new owner or operator, where lawful and necessary.

9. WhatsApp, email and social media messages

If you contact us by WhatsApp, email, Instagram, Facebook or another third-party platform, your message may also be processed by that platform.

Please avoid sending highly sensitive medical information through social media or messaging platforms unless necessary. For detailed clinical matters, we may ask you to use a more appropriate communication method or discuss the matter during your appointment.

10. How long we keep your personal information

We keep personal information only for as long as necessary for the purposes for which it was collected, including legal, clinical, insurance, accounting, regulatory and operational requirements.

Typical retention periods are:

Type of information | Typical retention period
General website enquiries that do not lead to treatment | Up to 24 months, unless we need to keep them longer for legal, complaint or business reasons
Appointment and booking records | For as long as needed to manage your appointment, then in line with clinical, legal or accounting requirements
Adult clinical and treatment records | Usually 8 years after the last treatment or appointment
Children’s clinical and treatment records | Usually until at least the patient’s 25th birthday, or longer where required by professional guidance or law
Payment, invoice and accounting records | Usually 6 years from the end of the relevant financial year, or longer if required
Complaints and dispute records | For as long as needed to handle the complaint or dispute and protect legal rights
Marketing consent records | For as long as you remain subscribed, and then as needed to maintain a suppression or opt-out record
Website analytics data | According to the settings of the analytics provider and cookie consent tool
Testimonials, images, videos or case studies | Until consent is withdrawn or the material is no longer needed, unless we have another lawful reason to retain it

We may keep information for longer where required by law, professional guidance, insurance requirements, safeguarding duties, legal claims, regulatory matters or ongoing investigations.

When information is no longer needed, we will securely delete, anonymise or archive it where appropriate.

11. International transfers

Some of our service providers may process or store personal information outside the United Kingdom.

Where personal information is transferred outside the UK, we will take reasonable steps to ensure appropriate safeguards are in place. This may include using providers based in countries recognised as providing adequate protection, or using approved contractual safeguards where required.

12. How we protect your information

We take appropriate steps to protect personal information from unauthorised access, loss, misuse, alteration or disclosure.

These steps may include:

  • secure record systems;
  • password protection;
  • access controls;
  • staff confidentiality expectations;
  • limiting access to those who need it;
  • using reputable service providers;
  • keeping systems and devices reasonably secure;
  • reviewing how personal information is stored and handled.

No method of electronic transmission or storage is completely secure, but we aim to use appropriate practical and organisational safeguards.

13. Your rights

Under UK data protection law, you have rights over your personal information.

Depending on the circumstances, you may have the right to:

  • ask for a copy of your personal information;
  • ask us to correct inaccurate or incomplete information;
  • ask us to delete your information;
  • ask us to restrict how we use your information;
  • object to how we use your information;
  • ask for your information to be transferred to another provider;
  • withdraw consent where we rely on consent;
  • complain to the Information Commissioner’s Office.

Some rights are not absolute. For example, we may need to keep certain clinical, legal, tax, insurance or regulatory records even if you ask us to delete them.

To exercise your rights, contact us at:

contact@m20health.com

We may need to verify your identity before responding to your request.

14. Cookies and website tracking

Our website may use cookies and similar technologies.

Cookies are small files placed on your device that help websites function, remember preferences, measure performance and, where enabled, support marketing or analytics.

We may use the following types of cookies:

14.1 Strictly necessary cookies

These cookies are needed for the website to work properly. They may support basic functions such as page navigation, security, form submissions or cookie preference settings.

These cookies do not usually require consent.

14.2 Analytics cookies

Analytics cookies help us understand how visitors use our website, such as which pages are visited most often and how users move around the site.

We use this information to improve the website and user experience.

Analytics cookies should only be used where you have given consent, unless they fall within a legal exemption.

14.3 Functional cookies

Functional cookies help provide enhanced features, such as embedded maps, videos, reviews or third-party tools.

If you disable these cookies, some features may not work properly.

14.4 Marketing cookies

Marketing cookies may be used to help measure advertising, build audiences or show relevant content across other platforms.

We will only use marketing cookies where legally permitted and, where required, with your consent.

14.5 Managing cookies

When you visit our website, you may be asked to accept, reject or manage non-essential cookies.

You can also control cookies through your browser settings. If you block some cookies, parts of the website may not work as intended.

Cookie consent provider: [INSERT COOKIE TOOL NAME]
Analytics tools used: [INSERT ANALYTICS TOOLS]
Marketing pixels used: [INSERT, OR SAY “None currently used”]

15. Marketing communications

We may send you marketing communications about our services, clinic updates, educational content, offers or events where we are legally allowed to do so.

We will only send marketing where:

  • you have given consent; or
  • we are otherwise permitted to contact you under UK marketing rules.

You can opt out of marketing at any time by:

  • clicking the unsubscribe link in an email;
  • replying STOP where SMS opt-out is available;
  • contacting us at contact@m20health.com.

We will still send essential service messages, such as appointment confirmations, appointment reminders, payment information or important updates about your care.

16. Reviews and testimonials

If you leave a review on Google, Trustindex, social media or another third-party platform, that platform will process your review according to its own privacy policy.

If we ask to use your review, testimonial, image, video or case study on our website, social media or marketing materials, we will ask for appropriate permission.

You can withdraw consent for future use of identifiable testimonials, images or videos by contacting us. Please note that withdrawal may not affect materials already lawfully published or printed before your request was received.

17. Children and young people

We may provide services to children and young people.

Where we collect personal information about a child or young person, we will take appropriate care with that information.

Depending on the child’s age, maturity and the circumstances, we may involve a parent or guardian in bookings, consent, communications and treatment decisions.

Where a young person is able to understand and make decisions about their own information, we will take their views and rights into account.

18. Safeguarding and serious risk

In limited circumstances, we may need to share personal information where we believe there is a serious risk of harm, a safeguarding concern, a medical emergency, or a legal obligation to disclose information.

This may include sharing information with healthcare professionals, emergency services, safeguarding authorities, regulators or law enforcement.

We will only share what is necessary and appropriate in the circumstances.

19. Third-party links and embedded content

Our website may include links to third-party websites, maps, social media pages, booking systems, review platforms, videos or embedded content.

These third parties may collect information about you when you interact with their services.

We are not responsible for the privacy practices of third-party websites or platforms. You should read their privacy policies before providing personal information.

20. Automated decision-making

We do not use your personal information to make decisions about you based solely on automated processing that would have a legal or similarly significant effect on you.

21. Complaints

If you have concerns about how we handle your personal information, please contact us first so we can try to resolve the issue.

Email: contact@m20health.com
Phone: 0161 706 0736
Address: M20 Health & Performance, 150E Burton Road, West Didsbury, Manchester, M20 1LH

You also have the right to complain to the UK data protection regulator:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Website: https://ico.org.uk
Phone: 0303 123 1113

22. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

When we make changes, we will update the “Last updated” date at the top of this page. If we make significant changes, we may take additional steps to notify you where appropriate.

You should review this page occasionally to stay informed about how we protect your information.
