Privacy Policy

Last updated: 21 May 2026

1. Who we are

This website (nevtheknee.co.uk) is owned and operated by Davies Williams Surgical Services Limited, trading as Nev the Knee. We are registered in England and Wales under company number 08400585, with our registered office at 7-9 The Avenue, Eastbourne, East Sussex, BN21 3YA.

For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), we are the data controller for the personal data we collect through this website. We are registered with the Information Commissioner's Office (ICO).

If you have any questions about this policy or about how we handle your personal data, you can contact us:

  • by email at nevdavies.secretary@gmail.com

  • or by using the contact form on the site.

2. What this policy covers

This policy explains:

  • what personal data we collect about you when you visit or use this website

  • why we collect it, and the legal basis we rely on

  • how long we keep it

  • who we share it with

  • your rights, and how to exercise them.

It does not cover personal data we collect about you in our clinical capacity. That is, when you become a patient and your information is held in your medical records, that information is governed separately by the privacy notices of the hospitals at which Mr Davies practises (for example Spire Healthcare, Circle Health Group, and the Royal Berkshire NHS Foundation Trust) and by professional and clinical regulation.

3. The personal data we collect
3.1 Information you give us directly

When you complete the enquiry form on our website, we collect:

  • your full name

  • your email address

  • your mobile telephone number (where provided)

  • your preferred method and time of reply

  • the category of your enquiry (for example: general enquiry about fees, second opinion request, post-operative question, or an enquiry about a specific condition)

  • for enquiries about a specific condition: whether the enquiry concerns an adult or a child, the body area concerned, and the specific condition selected

  • any information you choose to include in the free-text message field, which may include symptoms, clinical history, prior treatment, the identity of a child for whom you are enquiring as their parent or guardian, and any other context you provide.

Health data. The enquiry form may, by its nature, capture special category data about health under Article 9 of the UK GDPR, both because you may select a specific medical condition and because you may describe symptoms or clinical history in the message field. We treat this information with additional care; see section 5.

Children. Where you are completing the form on behalf of a child (your own child or a child for whom you have parental responsibility), the information you provide about that child will also constitute personal data about them, and where it relates to their health, special category data about them. By submitting the form, you confirm that you have the authority to provide that information.

3.2 Information we collect automatically

When you visit our website, certain information is collected automatically through cookies and similar technologies, and through third-party services embedded in the site. This may include:

  • your IP address

  • your approximate geographical location (derived from your IP address)

  • your device type, browser type and version, and operating system

  • the pages you visit on our site, the time and duration of your visit, and the referring website

  • your interactions with embedded widgets (such as review widgets or the Strava activity widget).

For details of the specific cookies and third-party scripts we use, please see our Cookies Policy.

We only use non-essential cookies and tracking technologies (including Google Analytics, Framer's built-in analytics, and the embedded widgets listed in our Cookies Policy) with your prior consent, which you can give, refuse or withdraw via the cookie banner on the site.

4. How we use your personal data, and our lawful basis

We process your personal data only where we have a lawful basis to do so. The purposes and lawful bases on which we rely are as follows.

4.1 Responding to your enquiry

We use the contact details and the information you provide in the enquiry form to:

  • understand the nature of your enquiry

  • reply to you by your chosen method (phone, WhatsApp or email)

  • arrange a consultation, if appropriate

  • pass relevant information to Mr Davies so he can review your enquiry and respond.

Lawful basis (Article 6 UK GDPR): Article 6(1)(b), processing necessary in order to take steps at your request prior to entering into a contract for the provision of clinical services; and, where you are not yet a prospective patient (for example, press or referral enquiries), Article 6(1)(f), our legitimate interest in operating our practice and responding to enquiries.

Lawful condition for health data (Article 9 UK GDPR): Where your enquiry includes information about health, we rely on Article 9(2)(h), processing necessary for the provision of healthcare or treatment and the management of healthcare systems and services, together with the corresponding condition in Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018 (health or social care purposes). This processing is carried out by, or under the responsibility of, a registered medical professional bound by a duty of confidentiality (Mr Davies, GMC-registered, and his medical secretary acting under his direction).

4.2 Operating, securing and improving the website

We process technical data (such as IP address, device information and pages visited) to keep the site running properly, to protect it against abuse and security incidents, and, where you consent, to understand how the site is used so we can improve it.

Lawful basis: Article 6(1)(f), our legitimate interests in operating and securing the website; and, for non-essential analytics and embedded widgets, Article 6(1)(a), your consent given via the cookie banner.

4.3 Complying with legal and regulatory obligations

We may process your personal data where we are required to do so to comply with a legal obligation. Examples include responding to a lawful request from a regulator, court, or law enforcement agency, or meeting our obligations under tax, accounting, professional regulatory and clinical governance rules.

Lawful basis: Article 6(1)(c), compliance with a legal obligation.

4.4 Establishing, exercising or defending legal claims

We may process your personal data, including health data, where this is necessary for the establishment, exercise or defence of legal claims (for example, in connection with a complaint or claim).

Lawful basis: Article 6(1)(f), our legitimate interests in protecting our legal position; and, for special category data, Article 9(2)(f), processing necessary for the establishment, exercise or defence of legal claims.

4.5 Insurance and professional advice

We may process your personal data where necessary to obtain or maintain medical indemnity or other insurance cover, to manage risk, or to obtain professional advice (for example, from solicitors or accountants).

Lawful basis: Article 6(1)(f), our legitimate interests; and, for special category data, Article 9(2)(f) or Article 9(2)(h) depending on the context.

5. How we protect health data

Because some of the data submitted through our enquiry form is special category health data, we apply additional safeguards:

  • access to enquiry data is limited to Mr Davies and his medical secretary, both bound by professional duties of confidentiality

  • enquiry data is not used for marketing

  • enquiry data is not shared with any third party except as set out in section 6, or where you give your specific consent (for example, to refer you to a physiotherapist)

  • we maintain an "appropriate policy document" as required by the Data Protection Act 2018 where we process special category data on the basis of Schedule 1 conditions.

6. Who we share your personal data with

We share your personal data only with:

  • Mr Nev Davies and his medical secretary, for the purpose of responding to your enquiry

  • Hospitals and clinics at which Mr Davies practises, where this is necessary to arrange your consultation or treatment (only with your knowledge and on a need-to-know basis)

  • Service providers ("processors") who help us operate our website and respond to enquiries. The main processors we use are:

    • Formspree, Inc. (USA), receives and forwards enquiry-form submissions to us by email

    • Framer B.V. (Netherlands), hosts the website and provides built-in site analytics

    • Google LLC / Google Ireland Limited, provides Google Analytics (only with your consent) and Google Fonts

    • Doctify Limited (UK), provides patient review widgets

    • Strava, Inc. (USA), provides the Strava activity widget on Mr Davies's profile page

    • Elfsight Ltd (Cyprus), provides the back-to-top, WhatsApp deep-link, and maps widgets

  • Email providers, currently Google (Gmail) for the secretary's mailbox, pending migration to a domain-hosted email solution

  • Our professional advisers, including solicitors, accountants, insurers and indemnity providers, where necessary and on a confidential basis

  • Regulatory, professional and law enforcement bodies, where we are required to do so by law, or where it is necessary to protect your or another person's vital interests.

Each of our processors is bound by a written contract that meets the requirements of Article 28 UK GDPR, including obligations of confidentiality and security.

We do not sell your personal data to anyone, and we do not use it for advertising or to build marketing profiles.

7. International transfers

Some of the third parties listed above are based outside the UK. Where personal data is transferred outside the UK, we rely on one of the following safeguards required by Article 46 UK GDPR:

  • a UK adequacy regulation (for example, transfers to the European Economic Area and to other countries that the UK government has determined provide an adequate level of protection)

  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission's Standard Contractual Clauses (for example, for transfers to processors in the USA such as Formspree, Google, and Strava)

  • another safeguard recognised under UK GDPR.

You can request a copy of the safeguards in place for any specific transfer by contacting us at the address in section 1.

8. How long we keep your personal data

We keep your personal data only for as long as is necessary for the purposes set out in this policy. Specifically:

  • Enquiry data submitted via the contact form (including any health information you include): we keep this for up to 3 years from the date of your last interaction with us. If your enquiry leads to a clinical consultation, the information relevant to your care will be transferred to your medical record at the relevant hospital and retained in accordance with that hospital's clinical retention schedule (typically a minimum of 8 years after the end of treatment for adults, or until the patient's 25th birthday for under-18s, under NHS retention guidance).

  • Analytics and technical data collected via cookies: retained for the periods set out in our Cookies Policy.

  • Records relating to legal claims, complaints, regulatory matters, tax or accounting: retained for as long as required by law and our professional obligations, typically 6 to 7 years, or longer where the relevant matter has not yet concluded.

After the relevant retention period, we will securely delete or anonymise your personal data.

9. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Right of access. You can ask us for a copy of the personal data we hold about you.

  • Right to rectification. You can ask us to correct inaccurate personal data or complete incomplete data.

  • Right to erasure ("right to be forgotten"). You can ask us to delete your personal data in certain circumstances.

  • Right to restrict processing. You can ask us to limit the way we use your personal data in certain circumstances.

  • Right to object. You can object to our processing where we rely on legitimate interests, and you can object at any time to processing for direct marketing purposes (which we do not do in any event).

  • Right to data portability. Where we process your personal data on the basis of consent or contract and by automated means, you can ask us to provide it to you, or to transfer it to another controller, in a structured, commonly used, machine-readable format.

  • Right to withdraw consent. Where we rely on your consent (for example, for analytics cookies), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

  • Right to lodge a complaint. You can complain to the Information Commissioner's Office (ICO), the UK's data protection regulator, at any time. Their contact details are:

Information Commissioner's Office Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Helpline: 0303 123 1113 Website: https://ico.org.uk

We would, however, appreciate the opportunity to address your concerns directly before you contact the ICO. Please contact us using the details in section 1.

To exercise any of these rights, please contact us at nevdavies.secretary@gmail.com. We will respond within one month of receiving your request. Some of these rights are subject to legal exceptions, and we will explain if any of those apply when we respond to you.

10. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure or destruction. These include limiting access to those who need it, using reputable hosting and form-handling services, and applying confidentiality obligations on everyone with access to enquiry data.

No transmission of data over the internet can be guaranteed to be completely secure. In particular, please bear in mind that ordinary email (including the email address listed in this policy) is not encrypted end-to-end. If you have highly sensitive clinical information to share, please consider arranging a consultation rather than sending it by email or web form.

11. Children

Our website is intended for use by adults. Where an enquiry concerns a child, we expect the form to be completed by a parent or guardian on the child's behalf, as set out in section 3.1.

12. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this policy shows when the most recent change was made. Where the changes are significant, we will take reasonable steps to bring them to your attention.

13. Contact us

Davies Williams Surgical Services Limited (trading as Nev the Knee) Registered office: 7-9 The Avenue, Eastbourne, East Sussex, BN21 3YA Company number: 08400585

Email: nevdavies.secretary@gmail.com

Partnered with