Privacy
A clear summary of how FM Doctor handles personal data: what’s collected, why it’s needed, how it’s protected, and the rights you have under UK GDPR.
No analytics/marketing cookies. Details below.
Last updated: 2 Mar 2026
What I do with your details
- I use your details to respond to your enquiry and deliver agreed work.
- I keep collection to a minimum — if I don’t need it, I don’t ask for it.
- I don’t sell personal data or use it for unsolicited marketing.
- I only share data when it’s necessary to deliver the service (or legally required).
- Working files are kept for a limited period, then securely deleted.
Full document (PDF): FMD Privacy and Data Note
Who is responsible for the data?
FM Doctor is the trading name of a UK sole trader. For enquiries, downloads, and general business correspondence, FM Doctor is the data controller.
If you provide personal data inside client materials purely so FM Doctor can deliver agreed services, FM Doctor may act as a data processor on your instructions.
Contact: [email protected]
ICO registration number: ZC092109
What data may be collected
- Name, role/job title, organisation, and contact details.
- Project communications and materials you provide (e.g. notes, documents, examples).
- Working documents and deliverables produced as part of agreed services.
- Invoicing and payment records (where applicable).
Please avoid sending special category data (e.g. health/medical, biometric, safeguarding) unless explicitly agreed in writing.
Why it’s processed (lawful basis)
- Contract — to scope, deliver, and support the services you request.
- Legal obligation — to meet tax, accounting, and regulatory requirements.
- Legitimate interests — to operate the business and keep proportionate records (e.g. for quality, queries, or disputes).
Cookies, similar technologies, and analytics
- FM Doctor does not use behavioural advertising cookies.
- FM Doctor does not use third-party analytics cookies or marketing/profiling tracking cookies.
- Strictly necessary cookie: fmdoctor_dl_t is set when you request a gated download. It stores a signed access token so the requested file can be delivered securely. It is HttpOnly, SameSite=Strict, set as Secure on HTTPS, scoped to /api/download, and has a short lifespan (typically 30 minutes, configuration-limited to 1 minute to 24 hours).
- The download token cookie is cleared after use and cannot be read by site JavaScript.
- Some forms use Cloudflare Turnstile for bot protection. Cloudflare may set strictly necessary security cookies where required by the challenge flow. See Cloudflare's cookie information: Cloudflare cookies.
- Accessibility preferences (for example text size, contrast, motion, and font settings) are stored in your browser's local storage on your device. This is not used for advertising.
- If non-essential cookies are introduced in future (for example analytics or marketing), this notice will be updated and consent will be requested where required.
Retention
- Project files and communications: typically retained for up to 12 months after completion (unless needed for support, disputes, or legal reasons).
- Financial and tax records: retained for longer where legally required (typically up to 6 years).
- AI-Assisted Enquiry submissions are processed to generate a summary. FM Doctor does not intend to store form entries beyond what is needed to provide the service (for example, if you email the summary to yourself or FM Doctor, that email becomes business correspondence).
- You can request earlier deletion of non-essential working files once delivery is complete.
How data is protected
- Access controls (strong passwords, device lock, and account security measures).
- Use of reputable storage and communication tools suitable for a small consultancy.
- Password protection / encryption for documents where appropriate.
- Keeping data access limited to what’s necessary for delivery.
No system is risk-free, but reasonable technical and organisational measures are used to reduce risk.
Sharing, transfers, and AI-assisted drafting
- Data is not sold.
- Data is shared only where needed to deliver services or meet legal obligations.
- Some third-party tools may process data outside the UK. Where data is transferred internationally, appropriate safeguards are used (for example, contractual protections and transfer risk assessment).
- Key service providers may include website hosting/CDN, email provider, AI processing provider (OpenAI), and document storage tools (where applicable).
- AI-enabled tools may be used to support drafting/structuring; outputs are reviewed before delivery.
AI-Assisted Enquiry form (specific)
- When you use the AI-Assisted Enquiry form, your answers are sent securely to FM Doctor and OpenAI API services to generate a draft summary and recommendation.
- OpenAI acts as a third-party processor/service provider for this processing step.
- Requests are configured to not request storage of prompts/outputs where supported. Service providers may still retain limited logs for security/abuse monitoring in line with their policies.
- Please include only your name and organisation. Do not enter patient data, special-category personal data, or other confidential information into the AI-Assisted Enquiry form.
FM Doctor does not provide automated decision-making or profiling as a service.
Your rights and how to raise concerns
Under UK GDPR you may have rights including access, correction, deletion, restriction, objection, and (where applicable) data portability.
- To make a request, email: [email protected]
- To opt out of updates, use: unsubscribe page
- Requests are normally responded to within one month.
- If you have concerns, contact FM Doctor first — you may also complain to the UK Information Commissioner’s Office (ICO).