Privacy Policy
Last updated: 1 March 2026
1. Who we are
This website is operated by Inna MediSync Limited, a company registered in England and Wales.
- Company Number: 16979781
- Registered address: 205 South Street, Romford, Essex, RM1 1QX
- Part of: Inna Care Ltd
We are the Data Controller for your personal information as described in this policy.
ICO registration: Registration pending — application submitted
For any questions about how we handle your data, contact us at info@innamedisync.co.uk.
2. What data we collect
We collect the following categories of personal data:
Personal details
Name, email address, phone number, date of birth, postal address.
Health data (Special Category Data)
Intake forms, symptom descriptions, medical history, session notes, brain mapping (QEEG) results.
Booking data
Appointment dates and times, services booked, cancellation history.
Payment references
Transaction IDs. We do not store card details — payments are processed by Pabau.
Communication preferences
WhatsApp, SMS, and email opt-in status; consent timestamps.
Website usage data
IP address, browser type, pages visited, cookies (see our Cookie Policy).
3. How we use your data
We process your personal data under the following lawful bases:
Contract — Article 6(1)(b)
Processing bookings, delivering services, and managing your portal account.
Consent — Article 6(1)(a)
WhatsApp and SMS notifications, email marketing, and communication preferences. You can withdraw consent at any time by contacting us or updating your preferences in the client portal.
Legitimate interest — Article 6(1)(f)
Service improvement, security monitoring, and internal analytics.
Legal obligation — Article 6(1)(c)
Record keeping, regulatory compliance, and tax obligations.
Health data — Special Category Data
Health data is processed under Article 9(2)(h) UK GDPR — provision of healthcare or treatment. This includes intake forms, brain mapping results, session notes, and medical history needed to deliver your neurotherapy programme.
4. Who we share data with
We use the following sub-processors to deliver our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU (Frankfurt) |
| Vercel | Website hosting | Global CDN |
| Pabau | CRM, booking, payments | UK/EU |
| QuickBooks | Invoicing | UK |
| Meta / WhatsApp | Client notifications | EU/US |
| Twilio | SMS notifications | US |
| Resend | Email delivery | US |
We never sell your personal data. Health data is stored exclusively in Supabase (EU Frankfurt).
5. International transfers
Where data is transferred outside the UK, we rely on UK adequacy decisions or Standard Contractual Clauses (SCCs) to ensure your data receives an equivalent level of protection.
- Health data remains within the EU (Frankfurt) at all times.
- US-based processors (Twilio, Resend) operate under the UK-US Data Bridge.
6. How long we keep your data
We retain your data only for as long as necessary for the purposes set out in this policy:
| Data type | Retention period |
|---|---|
| Patient accounts | Duration of relationship + 2 years |
| Health records | 8 years minimum (NHS guidelines) |
| Booking history | Duration of relationship + 2 years |
| Communication logs | 12 months |
| Consent records | Duration of relationship + 6 years |
| Financial records | 7 years (HMRC requirements) |
After the retention period expires, data is securely deleted or anonymised.
7. Your rights
Under UK GDPR you have the right to:
- Access your data (Subject Access Request)
- Rectification — correct inaccurate data
- Erasure — request deletion (“right to be forgotten”)
- Restriction — limit how we process your data
- Data portability — receive your data in a structured, commonly used format
- Object — object to processing based on legitimate interest
- Automated decision-making — we do not make automated decisions about your care
To exercise any of these rights, email info@innamedisync.co.uk or use the client portal. We will respond within 30 days.
9. Children's data
We provide neurotherapy services to children aged 5 and over. For children under 13, we require parental or guardian consent before collecting any personal data.
Parents and guardians can exercise data rights on behalf of their child at any time.
We store children's health data with the same protections and retention periods as adult data.
10. How to complain
If you have concerns about how we handle your data, please contact us first at info@innamedisync.co.uk.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):
- Information Commissioner's Office
- Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Website: ico.org.uk
- Helpline: 0303 123 1113
11. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated via email or a notification in the client portal.