Privacy Policy

Privacy Policy — McNally Performance & Recovery (UK GDPR & DUAA 2025 Compliant)

Last updated: February 2026

McNally Performance & Recovery (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal information safely, lawfully, and transparently. This Privacy Policy explains how we collect, use, store, and protect your data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data Use and Access Act 2025 (DUAA). 

 

1. Who We Are

McNally Performance & Recovery

London, United Kingdom

Email: jmcnally2407@outlook.com

Phone: 07483224858

We provide sports massage, soft tissue therapy, and rehabilitation services.

We act as the Data Controller, meaning we decide how your personal data is used.

 

2. What Data We Collect

We collect the minimum information necessary to provide safe and effective treatment.

Personal Identification Data

  • Name
  • Date of birth
  • Address
  • Phone number
  • Email address
  • Emergency contact details

Health & Medical Information (Special Category Data)

  • PAR‑Q responses
  • Medical history
  • Medication and allergies
  • Treatment notes
  • GP or consultant information
  • Injury details and rehabilitation progress

Booking & Payment Information

  • Appointment history
  • Payment records (we do not store card details)

Website & Digital Data

  • Cookies and analytics (in line with DUAA updates to cookie consent rules) 
  • IP address and device information (if using online booking)

 

3. Why We Collect Your Data (Lawful Bases)

We process your data under the following lawful bases:

a) Consent

You provide explicit consent when completing health forms and agreeing to treatment.

b) Legitimate Interests

To manage appointments, maintain business records, and ensure safe practice.

DUAA 2025 introduces “recognised legitimate interests,” which simplify processing for safety, security, and service delivery. 

c) Provision of Health Care

We process special category data because it is necessary for providing therapeutic treatment.

d) Legal Obligations

We must retain treatment records for regulatory and insurance purposes.

 

4. How We Use Your Data

We use your information to:

  • Assess suitability for treatment
  • Provide safe and effective therapy
  • Maintain accurate clinical records
  • Contact you about appointments
  • Provide aftercare advice
  • Manage billing and administration
  • Meet insurance, legal, and regulatory requirements
  • Improve our services

We do not use your data for automated decision-making or profiling.

 

5. How We Store and Protect Your Data

Your data is stored securely in encrypted digital systems and/or locked physical files.

We implement:

  • Access controls
  • Password protection
  • Encrypted storage
  • Secure disposal procedures
  • Staff confidentiality obligations

 

6. How Long We Keep Your Data

In line with UK GDPR and industry standards:

  • Adults: Records are kept for 7 years after your last appointment.
  • Minors: Records are kept until age 25 (or 26 if treatment occurred at age 17).

These retention rules align with UK GDPR and the Data Protection Act 2018. 

 

7. Sharing Your Data

We only share your data when necessary and lawful:

  • With your GP or healthcare provider (only with your consent or in emergencies)
  • With our insurer for legal or claims purposes
  • With regulatory bodies if legally required
  • With service providers (e.g., booking software) under strict data‑processing agreements

We never sell your data.

 

8. Your Rights Under UK GDPR

You have the right to:

  • Access your data
  • Request corrections
  • Request deletion (where legally permitted)
  • Restrict processing
  • Object to processing
  • Request data portability
  • Withdraw consent at any time

DUAA 2025 introduced updated rules for subject access requests, meaning we must respond clearly and promptly. 

To exercise your rights, contact us at: jmcnally2407@outlook.com

 

9. Children’s Data

We only treat clients under 18 with parental/guardian consent.

DUAA 2025 includes enhanced protections for children’s data, which we follow. 

 

10. Cookies & Website Tracking

Our website may use cookies for:

  • Functionality
  • Analytics
  • Booking system performance

DUAA 2025 updates cookie consent rules, and we comply with the latest requirements. 

You can manage cookie preferences through your browser settings.

 

11. Complaints

If you have concerns about how your data is handled, contact us first so we can resolve the issue.

You also have the right to complain to the Information Commissioner’s Office (ICO).

 

12. Updates to This Policy

We may update this Privacy Policy to reflect changes in law or our practices.

The latest version will always be available upon request.

 

Data Controller

Joshua McNally

 

Purpose of collecting data

jmcnally@mcnallyperformanceandrecovery.co.uk
