Effective Date: November 10th, 2025
Data Controller: Castle Craig Hospital Ltd
ICO Registration No.: Z497039X
Clinic Address: CATCH Recovery Ltd, London, England
Contact Email: info@castlehealth.eu
1. Introduction
CATCH Recovery (“CATCH”, “we”, “us”, “our”) is part of the Castle Health Group. Castle Craig Hospital Ltd acts as the data controller responsible for the personal data processed through this website and related counselling or treatment services.
This notice explains what information we collect, how and why we use it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all website visitors, patients, referrers, and anyone communicating with CATCH Recovery.
2. Data Controller and Contact
Castle Craig Hospital Ltd
Blyth Bridge, West Linton, Peeblesshire EH46 7DH, Scotland
Email: info@castlehealth.eu
Telephone: 01721 546 263
3. What Information We Collect
We may collect and process the following categories of personal data:
| Category | Examples |
| Identity and Contact Data | Name, date of birth, address, email, telephone number |
| Health Data | Relevant medical history, symptoms, treatment plans, clinical notes |
| Administrative Data | Payment details, billing address, insurer or referrer information |
| Technical & Usage Data | IP address, browser type, device information, pages visited, cookies |
| Marketing Preferences | Newsletter opt-in status, consent records |
4. How We Use Your Information
| Purpose | Lawful Basis (UK GDPR) |
| Responding to enquiries and referrals | Art. 6(1)(b) – Contract |
| Providing counselling, treatment and support | Art. 6(1)(b); Art. 9(2)(h) – Healthcare provision |
| Managing billing and administration | Art. 6(1)(f) – Legitimate interest |
| Meeting legal and regulatory obligations | Art. 6(1)(c) – Legal obligation |
| Sending marketing communications (optional) | Art. 6(1)(a) – Consent |
| Operating and improving our website (cookies / analytics) | Art. 6(1)(a) – Consent (non-essential cookies); Art. 6(1)(f) – Legitimate interest (essential cookies) |
5. Cookies and Tracking
We use cookies to make our website work properly and—to improve it—only if you consent.
– Essential cookies enable basic site functions and are always active.
– Analytics cookies help us understand usage; these load only with your consent.
You can manage or withdraw consent at any time via our Cookie Settings link or browser controls. See our Cookie Policy for full details.
6. Data Sharing
We share personal data only when necessary and under written data-processing agreements with:
– Clinical and administrative staff within Castle Health Group
– Referrers, insurers or allied professionals (with consent)
– IT service providers, CRM systems, secure cloud platforms, and billing partners
– Regulators, auditors, or law enforcement when legally required
All third parties must maintain confidentiality and data-security standards equivalent to ours.
7. International Transfers
If personal data is transferred outside the UK (for example, to cloud providers), we use approved safeguards such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) with the UK addendum.
8. Data Retention
We keep data only as long as needed for each purpose or as required by law.
– Clinical records: usually 8 years after treatment (or longer for mental health records as mandated).
– Website and enquiry data: typically up to 12 months after resolution of your query.
Retention is reviewed regularly and data securely deleted when no longer needed.
9. Your Rights
You have the right to:
– Access your data
– Request correction of inaccuracies
– Request erasure (“right to be forgotten”)
– Restrict processing
– Request data portability
– Object to certain processing (including direct marketing)
– Withdraw consent at any time for non-essential processing
To exercise these rights, email info@castlehealth.eu.
If you are not satisfied, you can contact the Information Commissioner’s Office (ICO) via https://ico.org.uk.
10. Security
We apply technical and organisational measures to protect your data, including encryption, secure servers, access controls, audit logs, and staff training on confidentiality and data protection.
11. Marketing Communications
Marketing emails are sent only with your explicit consent. You can unsubscribe at any time using the link in our messages or by contacting us directly. We do not sell or trade personal data for marketing purposes.
12. Updates
We may update this policy periodically. The latest version will always be posted on our website with a clear “Last Updated” date. Significant changes will be notified on our homepage or by email where appropriate.
13. Contact
Data Protection Officer
Castle Craig Hospital Ltd (on behalf of CATCH Recovery Ltd)
Blyth Bridge, West Linton, Peeblesshire EH46 7DH, Scotland
Email: info@castlehealth.eu