Privacy Policy

Last updated: March 2026

This Privacy Policy explains how Costa Health collects, uses, stores, and protects your personal data when you visit our website or book an appointment with us. It has been written in accordance with the EU General Data Protection Regulation (GDPR), the Spanish Organic Law 3/2018 on Data Protection and Digital Rights (LOPD-GDD), and guidance from the Spanish Data Protection Agency (AEPD).

Please read this policy carefully. If you have any questions, contact us at [email protected].


1. Data Controller

The data controller responsible for your personal data is:

Business name: Costa Health

Legal entity: Sarah Monaghan, autónoma (sole trader), trading as Costa Health

Tax identification number (NIE): Y7920999C

Registered address: The Clubhouse Marbella, C. Juan Belmonte, Nueva Andalucía, 29660 Marbella, Málaga

Email: [email protected]

Phone: +34 711 079 431

Data Protection Officer (DPO): No DPO has been appointed. Direct all data enquiries to the email address above.


2. Personal Data We Collect

We collect the following categories of personal data:

Identity and contact data

  • Full name, email address, and telephone number (provided when booking)
  • Whether you are a new or returning patient

Health data (Special Category under GDPR Article 9)

  • The type of appointment booked (e.g. chiropractic consultation, osteopathy). The appointment type itself reveals health-related information, so we treat it as health data.
  • Clinical notes and assessment records held within our practice management system (Cliniko)

Payment data

  • Deposit payment details are processed directly by our payment provider, Stripe. Costa Health does not store payment card numbers or full payment data. We retain only a transaction reference and the deposit amount paid.

Technical and usage data

  • IP address, browser type, and device information collected automatically when you visit the site
  • Pages visited, session duration, and click behaviour - collected only with your consent via analytics cookies (see our Cookie Policy)

3. Legal Basis for Processing

  • Booking and contact data: Article 6(1)(b) GDPR - necessary to perform the service contract you have entered into.
  • Health data (appointment type): Article 9(2)(h) GDPR - necessary for the provision of healthcare by a health professional, subject to professional secrecy obligations.
  • Clinical records (held in Cliniko): Article 9(2)(h) GDPR - healthcare provision under professional secrecy obligations.
  • Payment transaction references: Article 6(1)(c) GDPR - compliance with legal obligations (Spanish tax law).
  • Analytics and marketing cookies: Article 6(1)(a) GDPR - consent, given via the cookie banner. You may withdraw consent at any time.

4. Data Processors and Third Parties

We use the following third-party service providers ("data processors") who process personal data on our behalf. Each is bound by a Data Processing Agreement and may only process data for the purposes we specify.

Cliniko (Red Guava Pty Ltd - Australia)

Practice management and appointment scheduling. Patient identity, contact, and clinical data are stored within Cliniko. As an Australian company, Red Guava Pty Ltd does not benefit from an EU adequacy decision; transfers are governed by Standard Contractual Clauses (SCCs) set out in Cliniko's publicly available Data Processing Addendum (DPA), which is incorporated by reference into its Terms of Service. Costa Health's Cliniko account is hosted on Cliniko's eu1 shard: patient data is stored in Ireland (AWS eu-west-1) and does not leave the EU at rest, so the SCCs cover access to that data from outside the EU rather than its storage.

Stripe Inc (USA)

Payment processing. Stripe handles all card payment data. Costa Health receives only a transaction reference and confirmation of payment. Transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission.

Resend Inc (USA)

Transactional email delivery (booking confirmations). Your name and email address are passed to Resend to deliver appointment confirmation emails. Transfer is governed by Standard Contractual Clauses.

Google LLC (USA) - Analytics and Advertising

Google Analytics 4 (via Google Tag Manager) is used to understand how visitors use our website. This only activates when you grant analytics consent via the cookie banner. Transfer is governed by Standard Contractual Clauses.

Microsoft Corporation (USA) - Clarity Analytics

Session recording and heatmap analytics (Microsoft Clarity), loaded via Google Tag Manager only when analytics consent is given. Clarity records anonymised session replays and aggregated click heatmaps to help us improve the website experience. Transfer is governed by Standard Contractual Clauses.

Cloudflare Inc (USA)

Website hosting, content delivery network (CDN), and security. All web traffic passes through Cloudflare's network. Transfer relies on Standard Contractual Clauses and Cloudflare's participation in applicable data transfer mechanisms.

We do not sell your personal data to any third party, nor do we share it for marketing purposes without your explicit consent.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects about you (GDPR Article 22). All clinical and booking decisions involve a human practitioner or member of staff.


5. How Long We Keep Your Data

  • Booking and appointment records: 5 years from appointment date (Spanish healthcare records requirements)
  • Payment transaction references: 5 years from transaction date (Spanish tax law, Ley 37/1992)
  • Analytics data (Google Analytics): up to 14 months (GA4 data retention setting)
  • Cookie consent records: 12 months, renewed annually (GDPR consent requirements)
  • Manage-booking access tokens: until the appointment time or 30 days from issue, whichever is sooner (purpose limitation)

6. Your Rights

Under the GDPR and LOPD-GDD, you have the following rights regarding your personal data:

  • Right of access (Article 15): request a copy of the personal data we hold about you.
  • Right of rectification (Article 16): request that we correct inaccurate or incomplete data.
  • Right of erasure (Article 17): request deletion of your personal data where there is no legitimate reason for us to continue processing it.
  • Right to restriction of processing (Article 18): request that we pause processing of your data in certain circumstances.
  • Right to data portability (Article 20): request that we transfer your data to you or a third party in a structured, machine-readable format.
  • Right to object (Article 21): object to processing where we rely on legitimate interests as a legal basis.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, please email us at [email protected] with the subject line "Data Rights Request". We will respond within one month; where a request is complex, Article 12(3) GDPR allows this period to be extended by up to two further months, and we will tell you within the first month if that applies.

We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.


7. Right to Complain to the AEPD

If you believe that your data protection rights have been breached, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD):

Website: www.aepd.es

Address: C/ Jorge Juan, 6, 28001 Madrid, Spain

Phone: +34 901 100 099

We would, however, welcome the opportunity to address your concerns directly before you approach the AEPD. Please contact us first at [email protected].


8. International Data Transfers

Some of our data processors are based outside the EU: Cliniko (Australia) and Stripe, Resend, Google, Microsoft, and Cloudflare (United States). Transfers of personal data to these providers are made under Standard Contractual Clauses (SCCs) adopted by the European Commission, which provide the appropriate safeguards required by Article 46 GDPR for transfers to countries without an adequacy decision.

You may request a copy of the relevant transfer mechanism by emailing [email protected].


9. Cookies

We use cookies and similar tracking technologies on our website. For full details of the cookies we use, their purposes and how to manage your preferences, please see our Cookie Policy.


10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the services we offer. The date at the top of this page will always indicate the most recent revision. Where changes are material, we will take reasonable steps to notify you.

We encourage you to review this policy periodically.


Questions about this policy?

Contact us at any time and we will be happy to help.

[email protected]