Privacy Policy

Last updated: December 2025

Birch Health & Wellness is committed to safeguarding your privacy.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you:

By using our website, Patient Portal, signing up for our mailing list, or purchasing a product or service, you agree to this Privacy Policy.

If you have any questions about this Policy, please contact us at:
support@tokibirch.com


1. Who We Are / Data Controller Information

Our website address is: https://tokibirch.com

Birch Health & Wellness is the Data Controller for the purposes of UK data protection law.

Business Name: Birch Health & Wellness
Website: https://tokibirch.com
Email: support@tokibirch.com

2. What Information We Collect

a) Personal Information

We may collect personal information that you voluntarily provide, including:

  • Name
  • Email address
  • Contact details
  • Billing and payment information
  • Account login details (where applicable)
  • Any information you choose to submit via forms, surveys, programme enrolments, or support requests

b) Protected Health Information (Special Category Data)

If you are a client, we may collect and store:

  • Information shared during consultations and health services
  • Functional test data
  • Practitioner notes and clinical records within Practice Better
  • Billing and payment records related to healthcare services

This information is treated as confidential medical data and stored securely in line with healthcare and legal requirements.

c) Website and Marketing Data

We may automatically collect:

  • IP address
  • Browser type and device information
  • Referral source
  • Interaction data (pages viewed, links clicked, emails opened)
  • Purchase history for digital products

3. How We Use Your Information

We use your information to:

  • Provide health services (where applicable)
  • Manage your Patient Portal account
  • Communicate regarding appointments, services, and results
  • Process payments and deliver purchases
  • Send free resources and requested content
  • Send marketing communications where you have opted in
  • Improve our website and services
  • Meet legal and regulatory requirements

4. Lawful Bases for Processing (UK GDPR – Articles 6 & 9)

We process your data under the following lawful bases:

  • Consent – for marketing and free resources
  • Contract – where you purchase services or products
  • Legal Obligation – for financial, medical, or regulatory compliance
  • Legitimate Interests – to operate, secure, and improve our business

For special category data (health information), we rely on:

  • Explicit consent
  • Provision of healthcare
  • Medical and professional record-keeping obligations

5. Marketing Communications & PECR Compliance

If you opt in to receive emails, you may receive:

  • Educational content
  • News and updates
  • Product and service information
  • Promotions and special offers

You may unsubscribe at any time using the link in any email or by contacting support@tokibirch.com.

Our email communications comply with the Privacy and Electronic Communications Regulations (PECR).

We do not sell your data and do not share it with third-party marketers.

6. Condition-Specific Communications

Where you have explicitly consented, we may send content relating to a health condition you have disclosed. You can withdraw this consent at any time.

7. Automated Processing & Profiling

We may use limited automation (such as email segmentation based on opt-ins or link clicks) solely for communication relevance.
We do not use automated decision-making that produces legal or significant effects.

8. Anonymous & Aggregate Data

We may use anonymised data for:

  • Website analytics
  • Performance optimisation
  • Trend analysis

This data cannot identify you personally.

9. Comments

When visitors leave comments on the site, we collect the data shown in the comments form, along with the visitor’s IP address and browser user agent string to help with spam detection.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to check if you use it. The Gravatar service may process personal data in accordance with their own privacy policy. After approval of your comment, your profile picture may be visible to the public in the context of your comment.

10. Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS). Visitors to the website can download and extract any location data from images on the website.

11. Cookies & Tracking

Our website uses cookies to:

  • Recognise returning visitors
  • Remember preferences
  • Analyse traffic
  • Improve marketing performance

If you leave a comment, you may opt in to saving your name, email address, and website in cookies for your convenience. These cookies last for one year.

If you visit our login page, a temporary cookie is set to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, cookies are set to save your login details and display preferences.

  • Login cookies last two days
  • Screen option cookies last one year
  • Selecting “Remember Me” extends login for two weeks
  • Logging out removes these cookies

If you edit or publish an article, an additional cookie is stored indicating the post ID. It expires after one day.

Where required by law, we operate a cookie consent banner for non-essential cookies. You may control cookies through your browser settings.

12. Children’s Privacy

Our website and services are not directed at children under 18.
Where services are provided for minors, data is processed only with verified parental consent.

13. Embedded Content from Other Websites

Articles on this website may include embedded content (e.g. videos, images, articles). Embedded content behaves in the same way as if you visited the other website directly.

These websites may:

  • Collect data about you
  • Use cookies
  • Embed additional third-party tracking
  • Monitor your interaction with that embedded content

This includes tracking if you have an account and are logged in to that external platform.

14. Sharing Your Information

We may share necessary data only with:

  • Practice Better (EMR platform)
  • Email service providers
  • Payment processors
  • Legal or regulatory authorities where required

If you request a password reset, your IP address will be included in the reset email.

All vendors operate under strict confidentiality and GDPR-compliant agreements.

15. EHR Maintenance & Vendor Access

Technical service providers may access systems only as strictly required for maintenance, under binding confidentiality and security obligations.

16. Imminent Harm

We may disclose limited information where we reasonably believe disclosure is necessary to prevent serious harm to you or another person or to prevent unlawful activity.

16. Legal Requirement

We will disclose your information where required by law, court order, or regulatory authority and will notify you unless legally prohibited.

17. International Data Transfers

Some of our service providers operate outside the UK. In such cases, we ensure appropriate legal safeguards are in place in accordance with UK GDPR.

18. Data Retention

  • Medical records: Typically retained for a minimum of 7 years following last contact
  • Financial records: Retained for 6–7 years for tax and accounting
  • Marketing records: Retained until you unsubscribe or request erasure
  • Website comments: Retained indefinitely to allow follow-up comment approval

For registered users (if applicable), personal information is stored in user profiles. Users can view, edit, or delete personal information at any time (except their username). Website administrators can also access and edit this information.

19. Security Measures

We use:

  • SSL encryption
  • Password-protected systems
  • Secure cloud-based EMR
  • Vendor GDPR agreements
  • Regular monitoring and backups

While we take every reasonable step to protect your data, no system can guarantee absolute security.

20. Account Responsibility

You are responsible for maintaining the confidentiality of your login credentials. Anyone with your credentials may access your account.

21. Data Breach Notification

In the event of a data breach, we will notify both affected individuals and the Information Commissioner’s Office (ICO) in line with UK GDPR.

22. Your Rights Under UK GDPR

You have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request erasure where legally permitted
  • Restrict or object to processing
  • Withdraw marketing consent at any time

If you have an account or have left comments, you may request an exported file of the personal data we hold about you.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
https://ico.org.uk

23. Where Your Data Is Sent

Visitor comments may be checked through an automated spam detection service.

24. Policy Updates

We may update this Privacy Policy periodically. The latest version will always be posted on our website. Continued use of our services constitutes acceptance of any updates.

25. Contact

For all privacy-related enquiries:
support@tokibirch.com


End of Privacy Policy