CE Physio: Privacy Policy

Last updated: 15th May 2026

1. About this Policy

This Privacy Policy explains how Chloe Evans, trading as CE Physio ("CE Physio", "we", "us", or "our"), collects, uses, shares, and protects your personal data when you:

Visit the website at www.cephysio.com (the "Website");

Subscribe to our mailing list or download a free resource (for example, "Kegel26");

Purchase or use any of our services, including the Prolapse Reset mini-course, the Off The Kegel Membership, the 8-Week Programme, or 1:1 Rehab packages (the "Services");

Communicate with us by email, WhatsApp, social media, or any other channel;

Engage with any of our content on social media platforms; or

Participate in any community group, live class, programme cohort, or 1:1 session operated by us.

This Policy should be read alongside our Terms and Conditions.

We are committed to protecting your personal data. As a regulated healthcare professional, Chloe Evans is also bound by professional duties of confidentiality under the Health and Care Professions Council (HCPC) Standards of Conduct, Performance and Ethics.

2. Who We Are

CE Physio is the trading name of Chloe Evans, a sole practitioner pelvic health physiotherapist registered with the HCPC (registration number PH92062) and a Chartered Physiotherapist registered with the Chartered Society of Physiotherapy (CSP).

We are the data controller in respect of the personal data described in this Policy.

Contact details:

Data controller: Chloe Evans, trading as CE Physio

Email: [email protected]

Correspondence address: 28 Clumber Road, West Bridgford, Nottingham, NG2 6DQ

ICO registration number: C1934375

If you have any question about this Policy or your personal data, please contact us using the details above.

3. The Personal Data We Collect

We collect personal data in the following categories. Not all categories apply to every individual. The data we hold depends on how you interact with us.

3.1 Website visitors

When you visit the Website we may collect:

Technical data such as your IP address, browser type, device information, operating system, and approximate geographic location;

Usage data such as the pages you visit, the links you click, the time you spend on each page, and the source from which you arrived;

Information collected via cookies and similar technologies (see clause 12).

3.2 Mailing list subscribers and free resource downloaders

When you subscribe to our mailing list or download a free resource (including via the "Kegel26" keyword campaign), we collect:

Your name (where provided);

Your email address;

Records of the resource downloaded or the campaign joined;

Records of which marketing emails you have opened and which links you have clicked.

3.3 Customers of digital products and the Membership

When you purchase the Prolapse Reset, Off The Kegel Membership, or any other digital product, we collect:

Your name and email address;

Billing address (where required by our payment processor);

Payment confirmation data (the payment itself is processed by our payment processor, Stripe; we do not store full card details);

Records of your purchase, account, and access to the relevant content;

Records of your participation (for example, attendance at live classes, posts in community groups);

Any communication you send to us or post in the community group.

3.4 8-Week Programme participants

In addition to the data at clause 3.3, when you join the 8-Week Programme we collect:

Information you provide on the screening or intake form, which may include health data (a special category of personal data), such as relevant symptoms, obstetric history, surgical history, and current medications;

WhatsApp messages exchanged during the programme;

Notes made by Chloe Evans about your participation in the programme.

3.5 1:1 Rehab clients

In addition to the data at clauses 3.3 and 3.4, when you book the 1:1 Rehab package we collect:

A full health and clinical history, including pelvic health symptoms, obstetric history, surgical history, current medications, relevant medical conditions, and other special category (health) data;

Assessment findings and clinical observations;

Your custom rehabilitation plan and progress notes;

WhatsApp and email communications relating to your care;

Recordings of 1:1 sessions, where you have requested these;

Records of appointment scheduling, attendance, and cancellations.

3.6 Community group members

When you join a community group operated by us (including any private Facebook group), we (and the platform on which the group is hosted) may collect:

Your profile information as visible on that platform;

Posts, comments, reactions, and other contributions you make to the group;

Records of your membership of the group.

3.7 Social media followers and contacts

When you follow, message, or otherwise interact with us on Instagram, Facebook, or other social media platforms, we and those platforms collect information about that interaction. The data we receive depends on the platform's own settings and your privacy settings within it.

3.8 Prospective clients and warm leads

Where you have expressed interest in working with us (for example, via WhatsApp, Facebook Messenger, an enquiry form, or a screening form) but have not yet purchased a Service, we collect:

Your name and contact details as you have provided them;

The substance of your enquiry, including any symptoms or background information you have shared;

Notes of any conversations we have had with you about which Service might be appropriate.

4. How We Collect Your Personal Data

We collect personal data:

Directly from you, when you complete a form, send us an email, subscribe to our mailing list, purchase a Service, complete a screening or intake form, message us on WhatsApp or social media, or speak to us during a session;

Automatically when you visit the Website or interact with our emails (via cookies, tracking pixels, and similar technologies; see clause 12);

From third-party platforms we use to deliver the Services, for example our email marketing platform, our payment processor, and the social media platforms on which we maintain a presence.

We do not generally collect personal data from third-party sources other than the platforms we use to deliver the Services.

5. Lawful Bases for Processing

Under the UK GDPR we must have a lawful basis to process your personal data. We rely on the following lawful bases.

5.1 General personal data (Article 6 UK GDPR)

Purpose Lawful basis Performing a contract for a Service you have purchased Contract (Article 6(1)(b)) Sending you marketing emails Consent (Article 6(1)(a)) or legitimate interests under the PECR "soft opt-in" for existing customers in respect of similar Services Operating the Website and improving the Services Legitimate interests (Article 6(1)(f)) in operating a sustainable business Complying with our legal, tax, regulatory, and professional obligations Legal obligation (Article 6(1)(c)) Defending or pursuing legal claims Legitimate interests (Article 6(1)(f)) Responding to enquiries from prospective clients Legitimate interests (Article 6(1)(f)) in answering business enquiries

5.2 Special category data: health data (Article 9 UK GDPR)

We process health data in the following circumstances and rely on the following bases.

For 1:1 Rehab clients:

Article 9(2)(h) UK GDPR: processing is necessary for the provision of health care or treatment by, or under the responsibility of, a professional subject to a duty of professional secrecy. Chloe Evans is bound by professional secrecy under the HCPC Standards of Conduct.

Read together with Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018 (health or social care purposes).

For screening data collected before purchase of any Service, and for participants in the 8-Week Programme and Membership:

Article 9(2)(a) UK GDPR: explicit consent given at the point of completing the screening or intake form.

You may withdraw consent at any time by contacting us at [email protected]. Withdrawal will not affect the lawfulness of processing carried out before withdrawal, and may mean we are unable to continue providing the Service.

Other bases that may apply on a case-by-case basis include:

Article 9(2)(c): processing necessary to protect vital interests where you are physically or legally incapable of giving consent;

Article 9(2)(f): processing necessary for the establishment, exercise, or defence of legal claims.

6. Purposes of Processing

We process your personal data for the following purposes.

To provide, operate, and improve the Services, including assessing your suitability through screening, providing 1:1 clinical care, delivering courses and programmes, and running the Membership;

To take and manage payments and prevent payment fraud;

To communicate with you about your purchase, account, screening outcome, sessions, and any other operational matter relating to a Service you have purchased;

To send you marketing communications (where you have consented or where the PECR soft opt-in applies);

To respond to enquiries from prospective clients and route you to the appropriate Service;

To maintain professional records of clinical care in accordance with our regulatory obligations as a HCPC-registered physiotherapist;

To operate and moderate our community groups;

To improve our Website, content, marketing, and Services through analytics and feedback;

To comply with our legal, tax, regulatory, and professional obligations;

To establish, exercise, or defend legal claims, and to deal with complaints.

7. Who We Share Your Personal Data With

We share your personal data only with the categories of recipient below, and only to the extent necessary.

7.1 Service providers (data processors)

We use third-party service providers who process personal data on our behalf, under written data processing agreements. The current list of processors is set out below. This list is correct as at the date this Policy was last updated and is subject to change.

Processor Purpose Type of data Stripe Payment processing Name, email, billing address, payment data FunnelSketchers Email marketing, payment links, course platform, nurture sequences Name, email, marketing engagement data, course access data WhatsApp (Meta) Client communication for 1:1 Rehab and 8-Week Programme Name, phone number, message content (which may include health data) Meta (Facebook, Instagram) Community groups, social media presence, paid advertising Profile data, group participation, advertising audience data Google (Forms, Workspace) Screening forms, document storage, email infrastructure Name, email, screening responses (which may include health data) Zoom (if used) Online sessions and live classes Name, email, session participation data Membership platform Hosting the Off The Kegel Membership Name, email, access data, participation data Website hosting provider Hosting www.cephysio.com Technical data, contact form submissions

7.2 Professional and regulatory bodies

We may share personal data with our professional indemnity insurer, the HCPC, the CSP, the Information Commissioner's Office, or other regulators where required for the purposes of professional regulation, complaint investigation, or compliance with applicable law.

7.3 Legal and tax professionals

We may share personal data with our solicitor, accountant, or other professional advisers where necessary to obtain advice, defend or pursue legal claims, or comply with tax or regulatory obligations.

7.4 Government and law enforcement

We may share personal data with government agencies, courts, or law enforcement where required by law or court order.

7.5 In connection with a business transfer

If CE Physio is sold, restructured, or transfers any of its assets, personal data may be transferred to the relevant successor or buyer, subject to compliance with applicable data protection law.

We do not sell your personal data to any third party, and we do not share your data with third parties for their own independent marketing purposes.

8. International Transfers

Some of our processors operate or store data outside the United Kingdom, including in the European Economic Area (EEA) and the United States.

Where personal data is transferred outside the UK, we rely on one of the following legal mechanisms:

A UK adequacy decision (for transfers to countries the UK Government has designated as providing adequate protection, including the EEA);

The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by appropriate supplementary measures and a Transfer Risk Assessment where required;

Another lawful transfer mechanism permitted by UK data protection law.

If you would like more information about international transfers in respect of a specific processor, please contact us at [email protected].

9. How Long We Keep Your Personal Data

We keep personal data only for as long as necessary for the purposes for which we collected it, taking into account our legal, professional, regulatory, and tax obligations. Indicative retention periods are set out below.

Category of data Retention period Marketing data for active mailing list subscribers Until you unsubscribe, plus a short suppression period to honour your unsubscribe Prospective client enquiry data (no purchase) Up to 24 months from last contact, then deleted Records of purchases (excluding clinical records) 6 years from the end of the relevant tax year (UK tax law) Membership account data (after cancellation) 12 months from cancellation, then deleted, save where we are required to retain it for tax or legal purposes 8-Week Programme records 8 years from end of programme, in line with physiotherapy clinical records guidance 1:1 Rehab clinical records (adults) 8 years from your last appointment, in line with physiotherapy clinical records guidance 1:1 Rehab records relating to maternity care 25 years, in line with NHS Records Management Code of Practice WhatsApp messages relating to clinical care Retained as part of your clinical record for the period above Recordings of 1:1 sessions Until the end of the 12-week package window, save where retained as part of your clinical record by agreement Complaints and legal claims 6 years from resolution, or longer where required by limitation periods or our insurer Website analytics data As set out in the cookie information at clause 12

After the relevant retention period, we will securely delete or anonymise your personal data.

10. Your Rights

Under the UK GDPR you have the following rights in respect of your personal data. Some rights only apply in certain circumstances.

Right of access: to obtain a copy of the personal data we hold about you.

Right to rectification: to ask us to correct inaccurate or incomplete personal data.

Right to erasure ("right to be forgotten"): to ask us to delete your personal data, subject to certain exceptions (for example, where we are required by law or our professional obligations to retain clinical records).

Right to restrict processing: to ask us to limit our processing of your personal data in certain circumstances.

Right to data portability: to receive certain personal data in a structured, commonly used, machine-readable format, and to ask us to transmit it to another controller, where technically feasible.

Right to object: to object to our processing of your personal data on the basis of legitimate interests, or to object to direct marketing at any time.

Right to withdraw consent: where we rely on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right not to be subject to a decision based solely on automated processing: see clause 13.

To exercise any of these rights, please email [email protected]. We will respond within one month of receiving your request, save where the law permits an extension. We may need to verify your identity before responding.

There is no fee for exercising your rights, save where a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request, as permitted by law.

11. Right to Complain to the ICO

If you are unhappy with the way we have handled your personal data, you have the right to complain to the UK supervisory authority for data protection:

The Information Commissioner's Office (ICO)

Website: www.ico.org.uk

Helpline: 0303 123 1113

We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at [email protected].

12. Cookies and Tracking

The Website uses cookies and similar technologies to operate effectively and to help us understand how visitors use the site.

A cookie is a small text file placed on your device when you visit a website. We use the following categories:

Strictly necessary cookies: required for the Website to function. These do not require your consent.

Analytics cookies: help us understand how visitors use the Website (for example, via Google Analytics or similar). These rely on your consent.

Marketing cookies: used to deliver and measure paid advertising, including via Meta and similar platforms. These rely on your consent.

You can manage your cookie preferences at any time via the cookie banner on the Website [confirm banner is in place before publishing], and you can also block or delete cookies through your browser settings. Blocking cookies may affect the functionality of the Website.

For more detail on the specific cookies in use, please see our Cookie Notice at www.cephysio.com/cookies [confirm link and content, or merge into this Policy].

13. Artificial Intelligence and Automated Decision-Making

We occasionally use artificial intelligence tools (including large language models) to support the operation of the business, as described in our Terms and Conditions (clause 10).

We do not make decisions about you based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 UK GDPR.

In particular:

No automated clinical decisions. All clinical decisions, including screening outcomes, programme recommendations, exercise prescription, and 1:1 treatment planning, are made personally by Chloe Evans as a HCPC-registered physiotherapist.

Care taken with identifiable data. We do not knowingly input identifiable clinical information about you into any general-purpose AI tool.

Marketing analytics, including audience segmentation for advertising on platforms like Meta, may involve automated processing carried out by the platform itself in accordance with the platform's own policies, but does not constitute Article 22 automated decision-making by us.

14. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or destruction. Measures include:

Use of reputable, security-vetted third-party processors;

Access controls and strong, unique passwords for accounts holding personal data;

Encryption in transit where supported by the platform;

Multi-factor authentication where supported;

Limiting access to clinical records to Chloe Evans;

Secure storage of clinical records in line with HCPC and CSP guidance.

No method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we work to maintain appropriate safeguards.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO as required by law and, where legally required, we will notify you.

15. Children's Data

The Services are intended for adults aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will take appropriate steps to delete it.

16. Marketing Communications

Where you have given us your email address, we may send you marketing communications about CE Physio Services on the lawful basis of:

Consent, where you have opted in (for example, by subscribing via a free resource or signing up to our mailing list); or

The soft opt-in under regulation 22(3) of PECR, where you have purchased a Service from us and we are marketing similar Services, provided you were given the opportunity to opt out at the time of purchase and in every subsequent communication.

Every marketing email includes a clear and free unsubscribe option. You may also unsubscribe at any time by emailing [email protected].

Unsubscribing from marketing emails will not affect transactional emails relating to a Service you have purchased (for example, payment confirmations, programme delivery emails, appointment reminders).

17. Linked Websites and Third-Party Platforms

The Website may contain links to third-party websites and social media platforms. This Policy applies only to CE Physio's processing of your personal data. We are not responsible for the privacy practices of third parties. Please review the privacy policy of any third-party website or platform before providing your personal data to it.

In particular, please note that:

Facebook, Instagram, and WhatsApp are operated by Meta Platforms and have their own privacy policies. Your interactions with us on those platforms are also subject to Meta's policies.

Stripe processes payment data under its own privacy policy and data processing terms.

Google Forms is used for screening and is subject to Google's privacy policy.

18. Changes to this Policy

We may update this Policy from time to time, for example to reflect changes in our Services, our processors, or applicable law. The "Last updated" date at the top of this document will reflect the most recent revision. Where the change is material, we will notify you by email or via the Website.

You should check this Policy periodically. Your continued use of the Services after any change constitutes acceptance of the revised Policy, save where your consent is required for any specific processing, in which case we will seek that consent separately.

19. Contact

If you have any question about this Policy, want to exercise any of your rights, or want to make a complaint, please contact:

Data controller: Chloe Evans, trading as CE Physio

Email: [email protected]

Correspondence address: 28 Clumber Road, West Bridgford, Nottingham, NG2 6DQ

HCPC registration number: PH92062

End of Privacy Policy.