
Gallos Performance — Privacy Notice

Last updated: June 2026

1. Who We Are

Gallos Performance is a physiotherapy-led strength and conditioning practice operated by Will Phillips (sole trader), based in Cardiff, Wales. We provide physiotherapy, sports massage, and strength and conditioning services to athletes and active individuals.

For the purposes of UK data protection law, Will Phillips is both the Data Controller and the point of contact for all data protection queries.

You can contact us at:

  • Email: gallosperform@gmail.com

If you have any questions about how we handle your personal data, or wish to exercise any of your rights, please contact us using the details above.

2. What This Notice Covers

This privacy notice explains how Gallos Performance collects, uses, stores, and shares your personal data when you enquire about or use our physiotherapy, sports massage, or S&C services (whether in person or remotely via video consultation); complete intake, consent, or health screening forms; make a payment online or in person; sign up to our newsletter or marketing communications; interact with our website or social media; or attend an event at which we provide physiotherapy or sports massage cover.

We are committed to protecting your personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

3. What Personal Data We Collect

Identity and contact data — your full name, date of birth, address, email address, telephone number, and emergency contact details.

Health and clinical data (special category data) — because we provide health services, we collect and process special category personal data. This includes your medical history, injury history, and current health conditions; medications and other relevant clinical information; health screening responses (PAR-Q+); session notes, assessment findings, and clinical records, whether gathered in person or via video consultation; reassessment data and outcome measures; and exercise prescription and programme data.

Video consultation data — where you have a remote consultation with us, this takes place via Google Meet. We do not record video consultations. Clinical information discussed or observed during the call (such as movement assessment or reported symptoms) is documented in your clinical notes in the same way as an in-person session.

Financial data — payment transaction records, processed via Stripe for online payments and Square for in-person payments. We do not store your card details. We also keep invoice and billing records.

Communications data — emails and messages you send us, and your newsletter subscription preferences along with related email engagement data.

Technical and website data — basic website usage data and, where analytics tools are in use, your IP address and device or browser information.

Photography and video — where you have provided explicit written consent, we may collect photographs or video footage for use in case studies or marketing materials.

4. How We Collect Your Data

We collect personal data directly from you through online booking via Setmore; intake and health screening forms submitted via Tally.so; informed consent and liability waiver forms; photography and media consent forms; email, telephone, or in-person enquiries; online payment via Stripe or in-person payment via Square; newsletter sign-up forms via Brevo; and direct messages or interactions on social media.

We may also receive limited data from third parties — for example, where an event organiser shares participant contact details in connection with event physiotherapy cover.

5. How and Why We Use Your Personal Data

We use your data to provide physiotherapy and sports massage services, relying on our contract with you and, for health data specifically, the legal basis of providing health treatment under Article 9(2)(h) UK GDPR.

We use it to provide S&C programming and exercise prescription, on the basis of our contract with you and our legitimate interests in delivering effective rehabilitation and performance support.

We maintain clinical records because we have a legal obligation to do so under HCPC standards.

We process payments under the basis of our contract with you.

We send appointment reminders and follow-up communications based on our contract and our legitimate interests in running an efficient practice.

We manage bookings and scheduling via Setmore based on our contract with you and our legitimate interests in running an efficient, reliable appointment system.

We send newsletters and marketing emails only where you have given consent, and you may withdraw that consent at any time.

We use photography or video for case studies or marketing only where you have given explicit consent.

We analyse website usage and look to improve our services based on our legitimate interests.

We comply with legal or regulatory obligations as required by law.

We provide event physiotherapy cover (for example, at trail running festivals and ultramarathons) based on our contract with event organisers or participants, our legitimate interests, and the provision of health treatment where relevant.

We will not use your personal data for purposes incompatible with those listed above without informing you first.

6. Third-Party Platforms and Data Processors

To deliver our services, we use a number of trusted third-party platforms. Each acts as a data processor on our behalf, processing your data only on our instructions and in accordance with our agreements with them.

Smilenotes handles our clinical record management, processing your identity, contact, and health/clinical notes. Data is held in the UK/EU.

Google Meet facilitates our remote video consultations. We do not record calls; Google may process limited connection and technical data as part of operating the call itself. Google is US-based, and transfers are protected under Standard Contractual Clauses (SCCs) as part of Google's standard data processing terms.

Setmore handles our online booking and appointment scheduling, processing your identity and contact details along with appointment history. Setmore is US-based; transfers are protected under Standard Contractual Clauses (SCCs).

Stripe processes our online payments, handling your identity and financial/card data. Stripe is US-based; transfers are protected under Standard Contractual Clauses (SCCs).

Square processes our in-person payments, handling your identity and financial/card data. Square is also US-based, with the same SCC protections in place.

Tally.so delivers our intake, consent, and health screening forms, processing your identity, contact, and health screening data. Tally is based in the EU (Belgium).

FitPros.io supports S&C programming and exercise delivery, processing your identity, contact, and programme data.

Fitr supports S&C programme delivery and client management, processing your identity, contact, and programme data.

Brevo handles our newsletter and email marketing, processing your identity, contact details, and email preferences. Brevo is based in the EU (France).

We have Data Processing Agreements (DPAs) in place with each of these providers where required. We do not sell your personal data to any third party.

7. International Data Transfers

Most of your data is processed within the UK or European Economic Area (EEA). Where data is transferred to countries outside the UK/EEA — primarily in the case of Stripe and Square, which are US-based — we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner and, where applicable, the International Data Transfer Agreement (IDTA) framework.

If you would like further information about the specific safeguards applied to any transfer, please contact us.

8. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.

Adult clinical and physiotherapy records are kept for 8 years from the date of last treatment, in line with HCPC standards and the NHS Records Management Code. Records for clients treated as minors are kept until the individual's 26th birthday, under the same authority. Sports massage records follow the same 8-year standard. S&C programme records are kept for 3 years from the end of the programme.

Consent and waiver forms are retained for the duration of the client relationship plus 8 years. Photography and media consent forms are kept for the duration of use plus 1 year after any content is removed. Financial and invoicing records are kept for 7 years, as required by HMRC. Non-clinical email correspondence is kept for 3 years, unless it forms part of a clinical record.

Newsletter subscriber data is kept until unsubscribe plus 12 months. Website analytics data is kept for 26 months, the standard analytics retention period. Enquiries where no treatment is commenced are kept for 12 months from last contact.

When data is no longer required, electronic records are securely deleted from all systems and paper records are shredded.

9. Your Rights

Under UK GDPR, you have a number of rights in relation to your personal data.

You have the right of access — to request a copy of the personal data we hold about you, sometimes called a Subject Access Request. Where you make such a request, we will provide your data in a clear, structured format (typically a CSV export of the records we hold).

You have the right to rectification — to ask us to correct inaccurate or incomplete data.

You have the right to erasure — to ask us to delete your data, subject to our legal obligations, such as clinical record retention requirements.

You have the right to restriction — to ask us to limit how we use your data in certain circumstances.

You have the right to object — to processing based on legitimate interests, including for direct marketing.

You have the right to data portability — to receive your data in a structured, machine-readable format.

You have the right to withdraw consent at any time, where processing is based on consent. This does not affect the lawfulness of processing carried out before withdrawal.

We do not use any personal information for automated decision-making or profiling. Your data is never subject to automated decisions that affect you.

To exercise any of these rights, please contact us at gallosperform@gmail.com. We will respond within one calendar month. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — online at ico.org.uk, by telephone on 0303 123 1113, or by post to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

10. Cookies and Website Analytics

Our website uses cookies to improve your experience and to understand how visitors use the site. Cookies are small text files placed on your device.

We use Framer's own built-in, aggregate-only visitor statistics to understand general website traffic. This does not identify individual visitors and does not use tracking cookies.

You can control cookies through your browser settings at any time. Blocking cookies may affect website functionality. Where we use non-essential cookies, we will request your consent via a cookie banner when you first visit the site.

11. Consent and Marketing

We only send marketing emails and newsletters to individuals who have explicitly opted in via our newsletter sign-up form. Each communication includes an unsubscribe link.

You can withdraw your consent to marketing at any time by clicking "unsubscribe" in any email we send you, or by emailing us at gallosperform@gmail.com. Withdrawing consent will not affect the lawfulness of any processing carried out before withdrawal.

12. Children's Data

Our services are primarily intended for adults aged 18 and over. Where we provide services to individuals under 18, we require parental or guardian consent before collecting and processing personal data. Clinical records for clients treated as minors are retained until the individual's 26th birthday, in accordance with HCPC standards.

13. Data Security

We take appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. These measures include password-protected and encrypted digital systems, encrypted communications for sensitive correspondence, secure clinical records management via Smilenotes, the use of reputable third-party processors with their own robust security standards, and restricting access to personal data to Will Phillips unless disclosure is authorised.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals where required.

14. Changes to This Notice

We may update this privacy notice from time to time to reflect changes in our practices or applicable law. The current version will always be available on our website, with the date of the last update shown at the top of the page. Where changes are significant, we will notify you by email where we hold your contact details.

In the event that Gallos Performance is sold or transferred to a third party, your personal data will only be disclosed to the extent it relates to that transfer, and the receiving party will be bound by this same privacy policy.

15. Contact Us

If you have any questions, concerns, or requests relating to your personal data, please contact:

Will Phillips
Gallos Performance
Email: gallosperform@gmail.com
