Privacy Policy

Independent Pet Clinics Limited-is a veterinary practice providing veterinary services to animals  and their owners.

Independent pet clinics limited is the data controller for the personal data described in this privacy policy. 

Registered address: 4/5 Rose and Crown walk, Saffron walden, Essex, CB10 JH

Contact email for data protection enquires: contact@IPC-saffronwalden.co.uk

CLIENTS 

What information do we process about you? 

We may collect and process the following personal data:

Client (animal and owner details), including name, address, email address and telephone number.

Clinical and treatment records, including consultation notes, diagnostic images, test results and treatment history

Referral  records and correspondance from specialists.

Communications with us by phone, email, writing or in person.

NB information relating solely to an animal is not personal  data under UK data protection law, however, we do not routinely give to another vet your animals notes without your consent.

For what purposes? 

How is it lawful for us to do it? 

- Contact information and Forms: When you choose to fill in a form on the Website or on third party websites featuring our advertising, we will collect the information included in the form usually - name, address, phone number, email or equivalent. 

- Behavioural and tracking details: e.g. location data, behavioural patterns, personal preferences, IP-number, cookie identifiers, unique identifier of devices you use to access and use the Services and our Websites. For more information visit our Cookie Policy. 

1. Communicating about products, Services and projects, responding to inquiries or requests. 

2. Providing and marketing our Services and/or products to you. 

3. Confirming your identity and verifying your personal and contact details. 

4. Advertising, Analyzing and Personalization. We use information about you that we gather from cookies and similar technologies to measure engagement with the content on the Sites, to improve relevancy and navigation, to personalize your experience and to tailor content  and our Services to you. With your permission or where allowed by law, we use and share Visitor Personal Data with others so that we may advertise and market our products and Services to you, including through interest-based advertising where allowed by applicable law, including subject to any consent requirements. See our Cookie Policy. 

Unless indicated otherwise, the legal basis for the processing of personal data is: 

- compliance with applicable laws and pursue our legitimate interest (purpose 3) 

- legitimate interest and consent (purpose 1, 2, 4). 

Our legitimate interests are (unless stated otherwise): 

- Marketing and providing new products and Services that might interest you (purpose 1, 2, 4). 

- Protecting against fraud, to develop and improve how we deal with financial crime and meet our legal responsibilities - (purpose 3). 

Children’s personal information 

Our Services are not directed at children under the age of 18. If we learn that any information we collect has been provided by a child under the age of 18, we will promptly delete that information. 

Your rights and privacy choices 

a. Choices related to communication and marketing 

If you have received marketing from us, you may at any time object to the marketing. The easiest way to do so is to opt out by following the instructions in the marketing material that you have received or by contacting us at karen@IPC-Clare.co.uk. 

Please note that we may continue sending you communication that is required or necessary for the provision of our Services, including providing such notifications that include important information and other communication that you request from us. You may not opt out of receiving these communications. 

b. Your data protection related rights 

We are happy to assist you in exercising your rights under data protection law. You have the right to: 

• Be informed – you have the right to be informed about how we process personal data about you. We do this in this Privacy Policy. Nevertheless, you may always contact us if you have any further questions. 
• Access to your personal information that we process. 
• Rectification – you can ask us to update, complete or correct any inaccurate personal information. This right always applies. 
• Erasure – have your personal data deleted under certain circumstances, if your data is no longer necessary for the purposes for which it was collected, and we have no legal ground for processing the data. Just to let you know, we may not be able to agree to your request. As a regulated payment services provider, we must keep certain customer personal data even when you ask us to delete it. We may not be able to delete your entire file because these regulatory responsibilities take priority. We will always let you know if we can't delete your personal data. 
• Data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is carried out by automated means. 
• Restrict the processing of your information under certain conditions. 
• Object to the processing of your personal information (if we are using it for our legitimate interests). If our legal basis for using your personal data is 'legitimate interests' and you disagree with us using it, you can object. However, if there is an overriding reason why we need to process your personal data, we will not accept your request. 
• Withdraw your consent to us using your personal information (please note, if you take back your consent, this will not affect our use of your personal information before you notified us that you no longer consent).  
• Carry out a human review of an automated decision we make about you. If we make an automated decision about you that significantly affects you, you can ask us to carry out a manual review of this decision. 

You can exercise your rights by sending an email to Karen@IPC-Clare.co.uk   

For security reasons, we can’t deal with your request if we are not sure of your identity, so we may ask you for additional data to verify you, if this is proportionate to the request. If a third-party exercises one of these rights on your behalf, we may need to ask for proof that a third party has been validly authorized to act on your behalf.  

When you exercise one of these rights, we have one month to respond to you. We will usually not charge you a fee when you exercise your rights. However, we are allowed by law to charge a reasonable fee or refuse to act on your request if it is manifestly unfounded or excessive. 

If you are not satisfied with how we process your data, you have the right to lodge a complaint with us and/or with the relevant data protection authority. IPC will cooperate fully with any such investigation and endeavor to satisfy all queries as fully as possible. The relevant authority for each country can be found on the European Commission website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080. 

Please note that we only are directly responsible to you in cases where we are the controller of your personal information. Where we are acting as a data processor, you should contact the third party who is the data controller of your personal information. 

General Data Protection Regulation 

We have been carefully studying the General Data Protection Regulation (the “GDPR”) to understand the necessary actions we need to take to satisfy our obligations under the GDPR.  Here is a summary of what we’ve learned and the actions that we are taking when collecting data. 

GDPR Background 

The GDPR, the EU’s new privacy law that replaces the Data Protection Directive 95/46/EC, aims to bring order to a patchwork of privacy rules across the EU. If you would like to read the full GDPR, please find it here. 

The GDPR is legislation designed to harmonize data protection. It imposes new regulations for companies to protect consumers regarding data processing, access, and security. 

The GDPR was created around six core principles (Article 5) for personal data and the belief that personal data should be: 

1. Lawfulness, Fairness and Transparency – Processed lawfully, fairly, and in a transparent manner in relation to individuals. 
2. Purpose Limitation – Collected for specified, explicit, and legitimate purposes and not processed beyond those purposes. 
3. Data Minimization – Adequate, relevant, and limited to what’s necessary in relation to the purposes for which they are processed; 
4. Accuracy – Accurate and, where necessary, kept up to date. 
5. Storage Limitation – Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. 
6. Integrity and Confidentiality – Processed in a manner that ensures appropriate security of the personal data. 

Independent Pet Clinics takes its legal and regulatory obligations seriously. Moreover, we take great care to ensure data privacy and security. The core of our business involves the collection of visitor data to help us to help your pets, which almost always includes personal data. We constantly work to ensure we collect, process, and share the data we deal with in a lawful, transparent manner. 

We collect data from visitors, and as such, we are considered the Controller. To that end, we wanted to share with our clients our practices and procedures related to data collection and GDPR compliance. There are two important features of our technology that allow us to satisfy key requirements of the GDPR: 

• Remove visitor records– Through the account administration area, we can remove individual visit records so that they are no longer accessible. Those deleted visits then enter a Visit Log Trash, where we can then permanently incinerate them.  
• Set a visitor data retention period– Included in our software is the ability to automatically remove visit records that are older than a certain date. This does not permanently delete the record from our database.  

Security: Our partners have implemented appropriate technical and organizational measures to satisfy the requirements of the GDPR, to ensure the level of security of personal data is appropriate to the level of risk, and to help ensure the protection of the rights of individuals. 

Some of the highlights of the security measures we’ve put in place include: 

• All information is stored on a secure AWS Amazon server via the Heroku hosting environment. 
• All traffic to the application from the iPad and browser is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism. 
• The Receptionist employs two layers of penetration testing and vulnerability assessment: Third-party security testing of the Heroku application is performed by independent and reputable security consulting firms and CodeClimate to perform code analysis and security assessments of our application prior to deploying to our production environment. 
• Our hosting partner, Heroku, utilizes ISO 27001 and FISMA certified data centers managed by Amazon. 
• The Receptionist contracts with a third party to perform Penetration Testing as an additional security measure. 

Why we process personal data: 

To provide veterinary care and treatment

To maintain accurate clinical records

To communicate with clients about appointments, treatment and ongoing care.

To arrange and manage referrals

To manage billing and payments

To comply with legal, regulatory, and professional obligations

We rely on the following lawful bases under UK GDPR

performance of a contract

to provide veterinary services requested by the client

legitimate interests-to ensure appropriate clinical decision making, continuity of care and professional referrals

legal obligation-including record-keeping and regulatory requirements

consent, where required for specific communication or activities

Whos we share personal data with

specialists

diagnostic laboratories

professional advisors

Data retention

We retain client and clinical records only for as long as necessary to fulfil the purposes outlined, including compliance with RCVS guidance, legal obligations and best practice.

We review records periodically and data is securely deleted when no longer required

YOUR Rights under UK data protection law

Right to access to your personal data

Right to request correction or erasure 

Right to object to processing

Right to request data portability

Right to withdraw consent where processing is based on consent

To exercise these rights please contact@IPC-saffronwalden.co.uk

Right to complain

If you are unhappy with how we handle your personal data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters.

Compliance with RCVS Professional Requirements:

Independent Pet Clinics Limited operates in accordance with the Royal College of Veterinary Surgeons (RCVS) Code of Professional Conduct and supporting guidance, including requirements relating to client confidentiality, clinical records and data protection.

We recognise our professional duty to maintain confidentiality of client and clinical information and only disclose such information where:

• it is necessary for the provision of appropriate veterinary care, including referral to specialist veterinary professionals;

• the client has provided consent, where required; or

• disclosure is required by law or professional obligation.

Clinical and client records are maintained accurately, securely and objectively, and clients have the right to request access to their personal data in accordance with UK data protection law.

Referral data and RCVS confidentiality

Where animals are referred for specialist procedures, diagnostics or expert opinions, IPC will share only the relevant clinical and client information necessary to support continuity of care.

Such sharing is carried out in line with RCVS guidance on client confidentiality and UK GDPR transparency requirements.

Specialist or referral veterinary professionals act as independent data controllers in respect of the personal data they process following a referral and are responsible for complying with their own professional and legal obligations.

What has been changed

The privacy policy has been updated to clearly reflect IPC’s role as a veterinary practitioner operating under RCVS professional standards, and to accurately describe how client and clinical data is processed in the course of treatment and referrals. The amendments clarify the distinction between animal data and personal data, confirm IPC’s status as data controller, and explain how information is shared with specialist referral vets in a controlled and professional manner.

Why the changes were necessary

RCVS guidance requires veterinary practices to maintain client confidentiality, ensure transparency around the use of client information, and justify disclosures to third parties such as referral specialists. At the same time, UK GDPR requires clear explanation of lawful bases, data sharing and individual rights. These amendments align the privacy policy with both RCVS professional expectations and data protection law, and support best practice by recommending a Referral Privacy Notice to provide clients with clear, focused information when their data is shared outside the primary practice.

Dr Karen Edwards MRCVS