Privacy Policy
Pender Rehab
Effective date: 23/4/26
1. Introduction
This Privacy Policy explains how Pender Rehab ("we", "us", "our") collects, uses, stores and protects your personal information when you attend the clinic, contact us, book an appointment, or use our website.
Pender Rehab is operated by Ciaran Pender as a sole trader trading as Pender Rehab, based in Ireland. Ciaran Pender is the data controller responsible for your personal data under this policy.
We take your privacy seriously and are committed to handling your information in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Irish Data Protection Act 2018.
2. Who we are and how to contact us
Data Controller: Ciaran Pender t/a Pender Rehab
Address: Ryland Road, Bunclody, Wexford
Email: ciaranpenderat@gmail.com
Phone: +353862251357
If you have any questions about this policy or how your personal data is handled, please contact us using the details above.
3. Information we collect
The categories of personal data we collect depend on how you interact with us.
3.1 Information you provide directly
• Identification information: your name, date of birth and gender.
• Contact details: postal address, email address and telephone number.
• Emergency contact details where you provide them.
• Occupation, sport, training history and lifestyle information relevant to your assessment.
• Payment details (processed through a third-party payment processor — we do not store full card details).
• Information submitted through contact forms, email, social media messages or when you sign up to our newsletter.
3.2 Health and clinical information (special category data)
As an athletic therapy clinic, we necessarily collect health-related data, which GDPR classifies as a special category of personal data requiring additional protection. This may include:
• Medical history, previous injuries, surgeries and relevant medications.
• Presenting complaint, symptoms and pain history.
• Physical assessment findings, measurements and clinical observations.
• Treatment plans, rehabilitation programmes and progress notes.
• Imaging reports, GP/consultant letters or other clinical documents you share with us.
• Video or photographic analysis of movement where used as part of your assessment (only with your consent).
3.3 Information collected automatically
• Appointment booking records (date, time, service booked) via our online booking system.
• Email engagement data (whether newsletter emails are opened or links clicked), collected by our email marketing provider.
• Basic website usage data such as IP address, browser type and pages visited, where applicable.
4. Why we collect your data and our lawful basis
Under GDPR, we must have a lawful basis for processing your personal data. The basis depends on the purpose.
4.1 To provide athletic therapy services
Lawful basis: performance of a contract (Article 6(1)(b)) for general personal data, and explicit consent (Article 9(2)(a)) for health data. In certain cases we may also rely on Article 9(2)(h) — processing necessary for the provision of health care by, or under the responsibility of, a health professional subject to a duty of confidentiality.
We use your information to assess, diagnose, treat and rehabilitate your condition, to design training and rehab programmes, to keep clinical records as required by our professional standards, and to communicate with you about your appointments and care.
4.2 To manage bookings and appointments
Lawful basis: performance of a contract (Article 6(1)(b)) and our legitimate interests (Article 6(1)(f)) in running the clinic efficiently.
Your details are used to confirm appointments, send reminders, and manage cancellations or rescheduling through our online booking system.
4.3 To send marketing emails and newsletters
Lawful basis: consent (Article 6(1)(a)). You will only receive marketing emails from Pender Rehab if you have opted in.
You can withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us directly. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
4.4 To comply with legal and regulatory obligations
Lawful basis: legal obligation (Article 6(1)(c)).
We are required to retain certain records to comply with tax law, professional regulatory requirements, and applicable healthcare record-keeping standards.
4.5 To establish, exercise or defend legal claims
Lawful basis: legitimate interests (Article 6(1)(f)) and, for health data, Article 9(2)(f).
5. Who we share your information with
We do not sell your personal data. We only share it where necessary for the purposes set out in this policy, and only with the following categories of recipient:
• Other healthcare professionals (such as your GP, consultant, physiotherapist or strength coach) — only with your explicit consent, where a referral or coordinated care is in your interest.
• Our online booking system provider — to manage appointments and reminders.
• Our email marketing provider — to deliver newsletters you have subscribed to.
• Our accountant and accounting software provider — for tax, bookkeeping and financial compliance.
• Payment processors — to take and process payments securely.
• Regulatory or legal bodies — where disclosure is required by law, court order or a legitimate request from a competent authority.
• Professional insurers or legal advisors — where necessary to establish, exercise or defend a legal claim.
All third-party providers we use are bound by written contracts and required to handle your data securely and in line with GDPR.
6. International data transfers
Some of our service providers (for example, our email marketing provider or online booking system) may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses or an adequacy decision, so that your data continues to receive a level of protection equivalent to that under GDPR.
7. How long we keep your information
We retain your personal data only for as long as necessary for the purposes for which it was collected, or to meet legal, regulatory, or professional obligations.
• Clinical records (adults): retained for a minimum of 8 years after your last appointment, in line with recommended healthcare record-keeping standards.
• Clinical records (minors): retained until the client reaches 25 years of age, or 8 years after the last appointment, whichever is longer.
• Financial and tax records: retained for 6 years in line with Revenue requirements.
• Marketing contact data: retained until you unsubscribe or ask us to delete it.
• Website enquiry and general correspondence: retained for up to 2 years unless it becomes part of a clinical record.
At the end of the applicable retention period, your data will be securely deleted or anonymised.
8. How we protect your information
We take appropriate technical and organisational measures to keep your personal data secure, including:
• Storing clinical records in secure, access-controlled systems.
• Using strong, unique passwords and multi-factor authentication where available.
• Encrypting devices used to access client data.
• Limiting access to personal data on a need-to-know basis.
• Using reputable third-party providers who meet GDPR and security standards.
• Regularly reviewing our data handling practices.
While we take reasonable steps to protect your information, no method of transmission or storage is completely secure. If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the Data Protection Commission in line with our legal obligations.
9. Your rights under GDPR
You have the following rights in relation to your personal data:
• Right of access — to request a copy of the personal data we hold about you.
• Right to rectification — to ask us to correct inaccurate or incomplete information.
• Right to erasure — to request deletion of your data, subject to legal and clinical retention obligations.
• Right to restrict processing — to ask us to limit how we use your data in certain circumstances.
• Right to data portability — to receive your data in a structured, commonly used format.
• Right to object — to processing based on legitimate interests, including marketing.
• Right to withdraw consent — at any time, where processing is based on consent.
• Right to lodge a complaint — with the Irish Data Protection Commission (see Section 11).
To exercise any of these rights, please contact us using the details in Section 2. We will respond within one month. We may ask you to verify your identity before releasing any information.
10. Cookies and website tracking
Our website and online booking system may use cookies and similar technologies to help the site function properly and to understand how visitors use it. Where cookies are not strictly necessary, we will ask for your consent before setting them. You can change your cookie preferences at any time through your browser settings.
11. Making a complaint
If you are unhappy with how your personal data has been handled, we would like the opportunity to address your concerns directly. Please contact us first using the details in Section 2.
You also have the right to lodge a complaint with the Irish Data Protection Commission:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28
Website: www.dataprotection.ie
Phone: +353 (0)761 104 800
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The latest version will always be available on request and (where applicable) on our website. The "Effective date" at the top of this policy indicates when it was last updated.
— End of Policy —