Privacy Policy

This page describes how we collect, use, and protect your personal data when you use the Adizen / YOS services. It is intended to support GDPR compliance and should be reviewed and customised by your legal or compliance team.

What data we collect

  • Account and login details (such as username and role).
  • Patient details (such as name, contact information, demographic information, and activity level).
  • Clinical and EMR data (such as cases, musculoskeletal assessments, appointments, and related documentation).
  • Financial and billing information (such as invoices, receipts, and payment status, but not full payment card details).
  • Technical data (such as logs required to secure and operate the service, including IP address and device information).

How we use your data

We process personal and health data to provide and improve our clinical and operational services, including:

  • Registering and managing patient and staff accounts.
  • Scheduling and documenting appointments and treatments.
  • Generating clinical and operational reports and dashboards.
  • Handling invoicing, payments, and receipts.
  • Ensuring the security, monitoring, and reliability of the platform.

Legal bases for processing

Depending on the context, we rely on one or more of the following legal bases under the GDPR:

  • Performance of a contract and provision of healthcare services.
  • Compliance with legal obligations (for example, financial record keeping).
  • Legitimate interests (for example, service improvement and security).
  • Explicit consent where required for specific types of processing.

Your rights

Subject to applicable law, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate or incomplete data.
  • Request deletion or restriction of your data in certain circumstances.
  • Object to certain kinds of processing, including direct marketing.
  • Receive a copy of your data in a portable format.

To exercise these rights, please contact your clinic or provider, or use the options available in your account where implemented.

Third-party processors

We use the following third-party services to operate our platform. These services may process your data on our behalf:

  • Cloud hosting & storage: AWS (Amazon Web Services) and DigitalOcean for servers, databases, and media file storage. Data may be stored in regions including India, the EU, and the US.
  • Email delivery: AWS SES (Simple Email Service) for sending transactional and notification emails. Data is processed in AWS regions.
  • Payment processing: Stripe for processing payments. Stripe receives payment-related data including name, contact information, and invoice references. Payment card details are handled directly by Stripe and are not stored by us.
  • Push notifications: Firebase/Google Cloud Messaging (FCM) for sending push notifications to mobile devices. Device tokens and notification content are processed by Google.
  • Logging and monitoring: Logtail for centralized logging and error tracking. We take measures to avoid logging sensitive personal information.
  • WhatsApp messaging: Otpless for WhatsApp-based communication. This service is currently used for Indian operations only and is not used for UK patients.
  • Analytics: Microsoft Clarity for website analytics and session replay. This service helps us understand how users interact with our platform. You can opt out via the consent banner.

International transfers: Some of these services may process data outside the UK/EU. Where applicable, we use appropriate safeguards such as Data Processing Agreements (DPAs) and standard contractual clauses to ensure your data is protected in accordance with GDPR requirements. Please contact us if you need more details about specific transfers.

Contact

For questions about this policy or GDPR compliance, or to exercise your data protection rights, please contact us:

  • Email: [email protected] (for privacy and GDPR queries)
  • You can use this contact channel for:
    • Access requests
    • Correction/rectification requests
    • Deletion/anonymisation requests
    • Restriction/objection requests
    • Data portability requests