PRIVACY NOTICE AND COOKIE POLICY

Thriving Kids
Last updated: January 2026

1. Purpose of this Privacy Notice

This Privacy Notice explains how Thriving Kids collects, uses, stores, and shares personal data relating to children, parents, carers, and other individuals who engage with our services or website. It is written primarily for parents and carers with parental responsibility and reflects the high standards required when processing children’s personal and health information.

Thriving Kids provides paediatric and allied health services through clinic-based appointments and home visits, and works both independently and, where appropriate, in partnership with Body Mechanix Ltd (Harpenden). We recognise that much of the data we process is special category health data and that children are a vulnerable group. We therefore apply enhanced safeguards, confidentiality, and professional judgment at all times.

This notice is designed to meet the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and to align with safeguarding and healthcare best practice.

2. Who This Notice Applies To

This Privacy Notice applies to:

• Children receiving services from Thriving Kids
• Parents and carers with parental responsibility
• Adults receiving services from Thriving Kids (where applicable)
• Individuals making enquiries or referrals
• Website users
• Professionals we liaise with in connection with a child’s care

3. Data Controller

Thriving Kids is the Data Controller for personal data processed in connection with our services.

Contact details:
Email: info@thrivingkids.co.uk
Website: https://www.thrivingkids.co.uk
Country of operation: United Kingdom

All data protection enquiries, including requests to exercise your rights, should be directed to the email address above.

Where Thriving Kids works in partnership with Body Mechanix Ltd, each organisation remains responsible for the personal data it controls within its own systems, and appropriate data protection arrangements are in place.

4. How We Obtain Personal Data

We collect personal data:

• Directly from parents or carers when you complete forms, provide information, or communicate with us
• During assessments, consultations, therapy sessions, or reviews (in clinic or at home)
• From other professionals involved in your child’s care, where you have provided consent
• Through our website, enquiry forms, and cookies

5. Personal Data We Collect

5.1 Children and Families (Service Users)

Depending on the services provided, we may collect and process:

• Child’s name, date of birth, and contact details
• Parent/carer names and contact details
• Information about parental responsibility
• Health, developmental, and therapy-related information (special category data)
• Assessment notes, reports, care plans, and progress records
• Photographs or videos used for clinical assessment, therapy delivery, or home programmes
• Correspondence relating to care and safeguarding considerations

Photographs or videos used for marketing or promotional purposes are only taken and used with separate, explicit consent.

5.2 Website Users and Enquiries

When you use our website or contact us online, we may collect:

• Name and contact details (where provided)
• Enquiry details
• IP address
• Date and time of access
• Pages visited and URLs
• Device, browser, and operating system information (user agent)

6. Children’s Data, Parental Responsibility, and Safeguarding

Thriving Kids primarily provides services to children. Personal data about a child is usually provided by a parent or carer with parental responsibility.

We:

• Act at all times in the best interests of the child
• Apply strict access controls to children’s records
• Carefully assess requests for access, amendments, or information sharing, particularly where parents are separated or where safeguarding issues may arise
• Consider a child’s competence and rights as they mature, in line with UK law and professional standards

Where safeguarding concerns arise, we may share information without consent where this is lawful and necessary to protect a child or another person from harm.

7. Lawful Bases for Processing

7.1 Article 6 UK GDPR – General Processing

We rely on one or more of the following lawful bases:

• Contract (Article 6(1)(b)) – to provide agreed services
• Legal obligation (Article 6(1)(c)) – including record-keeping and safeguarding duties
• Legitimate interests (Article 6(1)(f)) – for service administration, continuity of care, and safety
• Consent (Article 6(1)(a)) – where required, such as marketing communications or optional media use

7.2 Article 9 UK GDPR – Special Category Health Data

Health data is processed under:

• Article 9(2)(h) – provision of health or social care and treatment
• Article 9(2)(a) – explicit consent, where required

Once lawfully created, clinical records are not reliant on consent for ongoing processing where processing is necessary for healthcare provision, safeguarding, or legal obligations.

8. How We Use Personal Data

We use personal data to:

• Deliver safe, effective, and individualised care
• Communicate with parents and carers about appointments, progress, and home programmes
• Maintain accurate clinical and safeguarding records
• Liaise with other professionals involved in a child’s care (with consent where required)
• Improve and develop our services
• Respond to enquiries and manage our business operations

Marketing

• Marketing communications are sent only to adults
• Marketing is based on consent, which can be withdrawn at any time
• We do not market directly to children

We do not sell personal data.

9. Sharing Personal Data

We only share personal data where it is lawful, necessary, and proportionate.

Information may be shared:

• With your consent
• On a case-by-case basis
• Using the minimum data necessary
• Via secure methods

This may include sharing with:

• Medical and healthcare professionals
• Educational or special educational needs services
• Other therapists involved in your child’s care

We may share information without consent where required by law or where necessary to protect a child or another person from harm.

10. Data Processors and Partnership Working

We use reputable third-party systems to support service delivery and data management. These providers act only on our instructions and are subject to contractual data protection obligations.

Key systems may include:

• Jane App – used by Thriving Kids for appointment booking, clinical records, invoicing, and secure communications
• Cliniko – used by Body Mechanix Ltd where services are delivered in partnership or via their systems
• Website hosting, IT, and email service providers

Where personal data is processed outside the UK, appropriate safeguards are in place, such as UK adequacy regulations or standard contractual clauses.

11. Data Security

We take appropriate technical and organisational measures to protect personal data, including:

• Restricted access to records
• Password-protected systems and devices
• Secure storage of paper records
• Confidentiality and professional obligations

12. Data Retention

We retain personal data only for as long as necessary:

• Clinical records: 7 years after the last appointment or until the child reaches age 25 (whichever is longer)
• Enquiry data: up to 12 months
• Website logs and analytics: for limited periods as set out in our Cookie Policy

Data is securely deleted or destroyed when retention periods expire.

13. Your Rights

Under UK GDPR, you have the right to:

• Access your personal data
• Rectify inaccurate or incomplete data
• Request erasure (in certain circumstances)
• Restrict processing
• Object to processing
• Data portability
• Withdraw consent (where consent is relied upon)
• Complain to the Information Commissioner’s Office (ICO)

Requests can be made by contacting info@thrivingkids.co.uk. We respond within one month.

14. Complaints

If you have concerns about how your data is used, please contact us first.

You may also complain to:

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://www.ico.org.uk

15. Cookie Policy

Cookies are small text files placed on your device when you visit our website.

Essential Cookies

These cookies are necessary for the website to function and are used under legitimate interests. They include session, login, and security cookies.

Non‑Essential Cookies

Analytics or functionality cookies are used only with your consent and may collect information such as IP address, device type, browser information, pages visited, and timestamps.

Managing Cookies

You can manage or withdraw your cookie preferences at any time through our cookie banner or your browser settings. Disabling cookies may affect website functionality.

16. Changes to This Policy

We may update this Privacy Notice and Cookie Policy from time to time. The most current version will always be available on our website with the updated date.