JK

Privacy Policy

JK Arthroplasty Ltd — Mr Jakub Kozdryk, Consultant Hip & Knee Surgeon

Last updated: 15 May 2026

ICO Registration Number: ZC016717

1. Who We Are

This Privacy Policy explains how JK Arthroplasty Ltd (trading as Mr Jakub Kozdryk — Hip & Knee Surgeon) collects, uses, stores, and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller:

  • Company name: JK Arthroplasty Ltd
  • Registered address: Studio 9, 50-54 St Pauls Square, Birmingham, B3 1QS
  • Consulting locations: The Chase, Old Milverton Lane, Leamington Spa / Meriden Hospital, Coventry / Nuffield Health Warwickshire Hospital
  • Website: https://kozdryk.co.uk
  • Email: info@kozdryk.co.uk
  • Telephone: 024 7661 2681
  • ICO Registration Number: ZC016717
  • Registration expires: 17 October 2026

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

Contact and identity data

  • Full name
  • Email address
  • Telephone number
  • Postal address

Special category health data

  • Details of your hip or knee condition, symptoms, or surgical history — only where voluntarily provided in an enquiry, referral, or consultation
  • Referral letters or medical records shared with us by you or your GP

Financial data

  • Insurance provider and policy details
  • Payment information (processed securely through our billing system)

Technical and usage data

  • IP address and browser type (via website analytics)
  • Pages visited and time spent on the website
  • Cookie data (see Section 9)

Communications data

  • Records of emails, telephone calls, and form submissions between you and JK Arthroplasty Ltd

3. How We Collect Your Data

We collect your personal data through:

  • Enquiry and contact forms on kozdryk.co.uk
  • Telephone calls to the practice secretary
  • Emails sent directly to the practice
  • Referrals from your GP or another healthcare professional
  • Your private medical insurer
  • Google Ads and website analytics tools (anonymised)

4. Legal Basis for Processing

We rely on the following lawful bases under UK GDPR Article 6:

  • Legitimate interests (Article 6(1)(f)) — to respond to your enquiry and manage the practice
  • Contract (Article 6(1)(b)) — to provide consultation and treatment services you have requested
  • Legal obligation (Article 6(1)(c)) — to comply with healthcare regulations, GMC requirements, and HMRC obligations
  • Consent (Article 6(1)(a)) — for marketing communications where applicable

For special category health data, we rely on:

  • Explicit consent (Article 9(2)(a) UK GDPR)
  • Provision of healthcare (Article 9(2)(h) UK GDPR)

5. How We Use Your Data

JK Arthroplasty Ltd uses your personal data to:

  • Respond to your enquiry about a consultation or treatment
  • Book and manage your appointments
  • Provide clinical assessment and medical treatment
  • Communicate with your GP or referring clinician
  • Process invoices and payments through your insurer or directly
  • Comply with our legal and regulatory obligations as a GMC-registered clinician
  • Improve the website through anonymised analytics

We will never sell your personal data to any third party.

6. Who We Share Your Data With

We may share your data with:

  • Nuffield Health Warwickshire Hospital — for the purposes of arranging and delivering your treatment
  • Meriden Hospital (Circle Health Group) — for the purposes of arranging and delivering your treatment
  • University Hospitals Coventry & Warwickshire NHS Trust (UHCW) — where clinically relevant
  • Your GP or referring clinician — for clinical continuity of care
  • Your private medical insurer (e.g. Bupa, AXA Health, Vitality, Aviva, WPA) — to process pre-authorisation or claims
  • Google LLC — anonymised analytics and advertising data only (see Section 9)
  • Our IT and administrative service providers — under data processing agreements

All third parties are required to process your data in compliance with UK GDPR. We do not transfer your identifiable health data outside the UK without appropriate safeguards in place.

7. How Long We Keep Your Data

  • Medical and clinical records: minimum 8 years after last treatment (GMC / NHS guidance), or until age 25 for patients treated as children
  • Enquiry data where no consultation takes place: deleted after 12 months
  • Financial and billing records: 7 years (HMRC requirement)
  • Marketing consents: until you withdraw consent
  • Website analytics data: 26 months (Google Analytics default)

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — to request a copy of the personal data we hold about you (Subject Access Request)
  • Right to rectification — to correct inaccurate or incomplete data
  • Right to erasure — to request deletion of your data in certain circumstances
  • Right to restrict processing — to request we limit how we use your data
  • Right to data portability — to receive your data in a structured, machine-readable format
  • Right to object — to processing based on legitimate interests
  • Rights related to automated decision-making — we do not use automated decision-making or profiling

To exercise any of these rights, please contact us at: info@kozdryk.co.uk. We will respond to all requests within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

9. Cookies and Website Tracking

Our website (kozdryk.co.uk) uses cookies to improve your browsing experience and understand how visitors use the site. We use:

  • Essential cookies — required for the website to function correctly
  • Analytics cookies — via Google Analytics, to understand visitor behaviour in anonymised, aggregated form
  • Advertising cookies — via Google Ads, to measure the effectiveness of our advertising campaigns

For more information on how Google uses data from advertising cookies, visit policies.google.com/technologies/ads.

10. International Data Transfers

Some of our service providers, including Google LLC, may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place — including UK adequacy decisions and Standard Contractual Clauses — to protect your personal data in accordance with UK GDPR.

11. Data Security

JK Arthroplasty Ltd takes the security of your personal data seriously. We implement appropriate technical and organisational measures, including:

  • Encrypted email and document storage
  • Secure handling of medical records
  • Restricted access to patient data on a need-to-know basis
  • Regular review of our data protection practices

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals as required by law.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The date at the top of this document indicates when it was last revised. We encourage you to review this policy periodically. Significant changes will be communicated via the website.

13. Our Secure Email & Document Platform — Google Workspace

JK Arthroplasty Ltd uses Google Workspace as its enterprise-grade cloud platform for managing patient communications and documents. Google Workspace is the professional, encrypted version of Google's services and is widely used across UK private healthcare practices for handling UK GDPR Special Category (health) data.

Why Google Workspace is appropriate for a private medical practice

  • NHS-aligned standards. Google Workspace meets the requirements of the NHS Data Security and Protection Toolkit (DSP Toolkit), the framework UK healthcare organisations use to demonstrate safe handling of patient-identifiable data.
  • Strict legal compliance. Google signs a UK GDPR Data Processing Amendment (DPA) that legally binds them to handle clinical data in accordance with UK privacy law. Patient information processed through Workspace is never used for advertising, profiling, or tracking.
  • Continuous encryption. Data is encrypted both in transit (while travelling across the internet) and at rest (while stored on Google's servers), preventing interception or unauthorised reading of medical correspondence.
  • Controlled access. Mr Kozdryk retains full ownership of all files. Access is restricted to authorised clinical and administrative staff on a need-to-know basis, and two-factor authentication is enforced to block unauthorised logins.
  • Automatic threat defence. Built-in AI filters block 99.9% of phishing emails, malware, and ransomware attacks before they reach the practice's inbox or devices.

Email communications

Our practice email is hosted by Google Workspace (info@kozdryk.co.uk), a secure platform certified under UK GDPR for the processing of special category health data. Google Workspace holds ISO 27001, ISO 27017, and ISO 27018 certifications and operates under a Cloud Data Processing Addendum (CDPA) in compliance with the UK Data Protection Act 2018. All patient communications are encrypted in transit and stored securely. JK Arthroplasty is registered with the Information Commissioner's Office (ICO).

Enquiries submitted through the website contact form, and any documents you email directly to info@kozdryk.co.uk, are delivered over a TLS-encrypted connection and stored only within this secure Google Workspace environment. No third-party mail server, database, or website provider stores or processes your medical information.

For more information about Google Workspace's healthcare and UK GDPR commitments, see workspace.google.com/security.

14. Contact Us

If you have any questions about this Privacy Policy, wish to make a Subject Access Request, or have concerns about how we handle your data, please contact:

ICO Registration Number: ZC016717
ICO Website: ico.org.uk | Telephone: 0303 123 1113

© 2026 JK Arthroplasty Ltd. All rights reserved. Registered in England & Wales.