This Privacy Policy explains how ThePhysiobot Limited (“Physiobot®”, “we”, “us” or “our”) collects, uses, stores, and protects your personal data when you use the Physiobot® website (www.thephysiobot.com) and the Physiobot Rehabilitation Tracker App (“Tracker App”). It also explains the rights you have under UK data protection law.

This Privacy Policy should be read alongside our Terms of Use, which set out the contractual terms governing your use of the Service. Where the Terms of Use describe a feature or process that involves personal data, this Privacy Policy provides further detail about how that data is handled.

The primary laws that govern how we collect and use personal data (“Data”) about you are:

• The UK General Data Protection Regulation (UK GDPR)
• The Data Protection Act 2018

A note on the difference between the Website and the Tracker App

Throughout this Policy we draw a clear distinction between two very different ways of using Physiobot:

• The Physiobot® Website (www.thephysiobot.com) is our public website, which hosts rehabilitation programme pages, exercise content, equipment suggestions, the symptom checker, the newsletter signup, and general information about Physiobot. You can browse the Website and use all of its tools without creating an account, and we collect very little personal data from Website visitors beyond what is necessary for analytics, security, and any contact form or newsletter you choose to submit.
• The Physiobot Tracker App is our subscription-based rehabilitation tracking mobile app. To use the Tracker App you must register an account, and the Service is provided on the basis of the personal data described in section 4 below, including health and rehabilitation data, which is treated with the enhanced protections required for special category data under Article 9 of the UK GDPR.

The two sections that follow (sections 3 and 4) describe what we collect in each of these contexts.

1. Who we are and how to contact us

ThePhysiobot Limited is the data controller responsible for your personal data. Our company registration number is 16071111 and our registered address is on file with Companies House.

For any question or request relating to your personal data, including the exercise of any of the rights set out in section 11 below, please contact us at support@thephysiobot.com.

2. Scope of this Policy

This Policy applies to:

• Visitors to the Physiobot® website at www.thephysiobot.com
• Users of any tool hosted on the Website, including the symptom checker, the rehabilitation programme pages, the equipment guide, the newsletter signup, and any contact or request form
• Registered users of the Physiobot Tracker App
• Anyone who corresponds with us by email or signs up to our newsletter

This Policy does not apply to third-party websites or services to which the Service may link. Those services are governed by their own privacy policies.

3. Personal data we collect – Physiobot® Website and website tools

You can browse www.thephysiobot.com and use most of its content without registering, signing in, or providing any personal information. We collect only the limited categories of data set out below.

3.1 Cookies and analytics

The Website uses cookies and similar tracking technologies. Strictly necessary cookies (for security, session management, and abuse prevention) are set automatically. Analytics cookies are set only where you have given consent.

Where Google Analytics is used, we collect:

• Pages visited and time spent on each page
• General device and browser information
• Approximate region (country / city level)
• Anonymised IP address – IP anonymisation is enabled, so the last octet of your IP address is removed before storage

We do not use cookies on the Website to identify you personally as an individual. Read more here for our full Cookie Policy.

3.2 The Symptom Checker and other interactive tools

The Physiobot® symptom checker, programme pages, equipment guide, and similar interactive tools on the Website are designed to be used anonymously. We do not require you to register or sign in to use them, and we do not keep records of your responses to questions within these tools that identify you as an individual.

The symptom checker is a Class I medical device regulated in the UK by the MHRA (Reference Number 33652, GMDN Code 64275). Aggregate, non-identifying technical telemetry may be collected for the purpose of monitoring the safe operation of the medical device, in accordance with our regulatory obligations.

Where the symptom checker is opened from inside the Tracker App, the resulting programme suggestion is passed back to your account so it can be added to your rehabilitation programmes, but only on your action and only if you choose to add it.

3.3 Newsletter signup

If you sign up to the Physiobot newsletter from the Website, we collect your email address (and, optionally, your name) for the sole purpose of sending you the newsletter. Your address is stored by our email provider Brevo (see section 13). You may unsubscribe at any time using the link in any newsletter, or by contacting us at support@thephysiobot.com.

3.4 Contact forms and “Request an Exercise”

If you complete a form on the Website (for example, a contact form or the “Request an Exercise” form), we collect the information you voluntarily choose to submit, typically your name, email address, and the contents of your message. This is used solely to respond to your enquiry or request. We do not use it for any other purpose without your further consent and providing this information is entirely optional.

3.5 Correspondence

If you email us, we receive and store your email address, your name (if provided), and the contents of your message, for the purpose of responding to you and for record-keeping.

4. Personal data we collect – Physiobot Tracker App

The Physiobot Rehab Tracker App is a subscription-based application that requires you to register an account. To deliver the rehabilitation tracking features described in our Terms of Use, we collect the categories of data set out below.

4.1 Account data

Your name, email address, date of birth, and a hashed password. We never store passwords in plain text. Where you sign in using a third-party identity provider (for example, Google or Apple), we receive a verified email address and the basic profile fields that provider returns; we do not receive your third-party account password. If you sign in with Apple and choose Apple’s “Hide My Email” option, we receive an anonymised Apple relay email address rather than your personal email address, and we use that relay address to communicate with you.

4.2 Health and rehabilitation data

Exercise logs, pain scores, daily check-ins (mood, sleep, pain, return-to-work status, optional notes), phase progress, adherence data, milestones, and the rehabilitation programmes you add to your account or build yourself. This is “special category” data under Article 9 of the UK GDPR and is treated with enhanced protection (see section 5).

4.3 Subscription and payment data

Subscription tier (Standard, Premium, or Enterprise), trial status, billing dates, and a Stripe customer reference. Card numbers and other payment credentials are entered directly into Stripe and are not stored on our systems.

4.4 Communications and support data

The contents of any correspondence you send to us through the App, support tickets, feedback you submit through the App, and your in-App newsletter and notification preferences.

4.5 Usage and device data

Device type, browser type, approximate region (derived from your connection for security and localisation), and your IANA timezone (used to schedule reminders and notifications at locally appropriate times). We do not operate an analytics service within the Tracker App, so we do not track in-app page views, feature usage, or session duration for analytics purposes. (Analytics on the public Website is described in section 3.1.)

4.6 Security and integrity data

Authentication events (sign-ins, sign-outs, failed login attempts), reCAPTCHA scores, App Check tokens, and limited diagnostic information used to detect abuse, prevent fraud, and investigate security incidents.

4.7 Practitioner and Enterprise relational data

If you are a Premium user with Practitioner Licences, or an Enterprise account holder, we record the email addresses you invite, the licence link between you and each accepted user, and the rehabilitation summary data each user has explicitly consented to share with you (see section 7).

4.8 Device permissions and on-device features (mobile Tracker App)

The mobile Tracker App may request the following device permissions, each used only for the stated purpose:

Camera – used solely to scan a QR code that adds a rehabilitation programme to your account. The camera image is processed on your device in real time to read the code; it is not stored, recorded, or transmitted to us.
Notifications – used to deliver push notifications and locally scheduled exercise reminders at the times you set. To deliver push notifications we store a push notification token (issued by Firebase Cloud Messaging, and on iOS by the Apple Push Notification service) against your account. You can disable notifications at any time within the App or in your device settings.
Exact alarm scheduling (Android) – used so that your exercise reminders fire reliably at the time you choose.

You can decline or later revoke any of these permissions in your device settings; the rest of the App continues to function without them.

5. Special Category Data – Health and Medical Information (Tracker App only)

Health and rehabilitation data is “special category” personal data under Article 9 of the UK GDPR and requires a higher standard of protection. We collect special category data only within the Tracker App, and only where it is strictly necessary for the rehabilitation tracking features you have subscribed to.
We process this data on the basis of your explicit consent, which you provide by accepting our Terms of Use and using the health-tracking features of the App. Without collecting this data we are unable to provide rehabilitation programme tracking, phase progression, exercise logging, pain trend analysis, or progress reporting, the fundamental functions to which you have subscribed.

We apply the principle of data minimisation under Article 5(1)(c) of the UK GDPR and collect only the health information directly required to deliver these features. Your health data is held separately from general usage data, stored with enhanced access controls, and is never used for advertising, profiling, or any purpose unrelated to your own rehabilitation support.
You may withdraw your consent at any time by deleting your account or contacting us at support@thephysiobot.com.

Withdrawal will not affect the lawfulness of any processing carried out before the withdrawal.

6. Lawful bases for processing

We rely on the following lawful bases under Article 6 (and, where applicable, Article 9) of the UK GDPR:

• Contract: to provide the Tracker App you have subscribed to and to manage your account, billing, and communications related to the Service
• Explicit consent (Article 9(2)(a)): for special category health and rehabilitation data within the Tracker App, which is strictly necessary for delivery of the Service. This consent is freely given, specific, and informed, and may be withdrawn at any time
• Explicit consent: for analytics cookies on the Website and within the App, optional marketing communications, and any employer or clinician data sharing you choose to enable
• Legitimate interests: to improve the Service, prevent fraud and abuse, and maintain the security of our systems, where these interests are not overridden by your rights and freedoms
• Legal obligation: where processing is required to comply with UK law (for example, retention of financial records for tax purposes)

7. Employer, Clinician, and Enterprise data sharing (Tracker App only)

Where your employer or clinician has invited you to use the Tracker App, or has purchased a subscription on your behalf, you may choose, entirely at your own discretion, to grant them access to a summary of your rehabilitation progress data. This feature is disabled by default and must be explicitly enabled by you.
What is shared, if you choose to enable sharing:

• Rehabilitation programme name(s)
• Exercise completion and adherence rates
• Phase progression and milestone completion

Anonymised aggregate trends (in the case of Enterprise accounts, only aggregated data across all employees is shown, never individual records)

What is never shared:

• Pain scores
• Mood, sleep, and other check-in ratings
• Personal notes
• Date of birth

Sharing is based solely on your explicit consent under Article 9(2)(a) of the UK GDPR. You may withdraw consent at any time within your account settings; withdrawal takes effect immediately and does not affect the lawfulness of sharing carried out before withdrawal.

Premium users and Enterprise account holders who access shared data are subject to the obligations set out in section 3.8.3 of our Terms of Use, including a strict prohibition on using shared data for any purpose other than directly supporting the individual’s rehabilitation, and on sharing or disclosing the data to any third party.

8. How we use your data

We use your personal data to:

• Operate and maintain the Website and the Tracker App
• Manage your account and subscription (Tracker App)
• Enable exercise tracking, phase progression, milestone tracking, and progress reporting (Tracker App)
• Send service-related communications, including account verification, password reset, subscription confirmations, subscription renewal and expiry reminders, trial expiry reminders, phase advancement notifications, notices about changes to any complimentary access and any scheduled account or data deletion, and technical notices (Tracker App)
• Send marketing communications (including our newsletter) where you have given consent. You may opt out at any time via your profile settings or by contacting us
• Respond to enquiries and “Request an Exercise” submissions made through the Website
• Improve and develop the Website and the Tracker App, including through anonymised analytics
• Detect and prevent fraud, abuse, and security incidents
• Comply with our legal and regulatory obligations

We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you, and we do not engage in profiling for advertising or marketing purposes.

9. Data storage and security

The Tracker App stores its data on Google Firebase (Cloud Firestore), hosted in the European Economic Area in the europe-west2 (London) region. The public Website is hosted by a third-party WordPress hosting provider whose servers are located in the United States; data collected through the Website (for example newsletter sign-ups and contact-form submissions) is therefore transferred to and stored in the United States under the safeguards described in section 13.

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration, or destruction, including:

• Encryption in transit (TLS) and at rest
• Role-based access controls and authentication for our systems
• Custom claims and Firestore security rules to enforce per-user access boundaries within the Tracker App
• Application-level abuse protection through Firebase App Check and Google reCAPTCHA
• Logging of administrative actions to an immutable audit trail
• Logging of security-relevant events (including failed logins, rate-limit events, and data export events) for ICO breach-tracking purposes
• Regular review of security controls and dependencies

While we take reasonable steps to protect your data, no system is completely secure. You are responsible for safeguarding your own login credentials and the device you use to access the Service. You must not share your password with any other person, see section 3.8 of our Terms of Use.

10. Data retention

We retain your personal data only for as long as is necessary for the purpose for which it was collected.

• Website analytics: anonymised analytics data is retained in line with the default retention period set within Google Analytics. Strictly necessary cookies are session-scoped or short-lived
• Newsletter subscribers: until you unsubscribe or ask us to remove your details
• Contact Form submissions: until the enquiry is resolved, and for a reasonable period thereafter for record-keeping
• Tracker App account data and health data: for as long as your account is active. If you delete your account, we will delete your personal data within 30 days
• Financial and subscription records: 7 years, in accordance with UK tax law
• Audit and breach logs: retained for as long as required to demonstrate compliance and to investigate security incidents

You may request deletion at any time via the GDPR data tools in the Tracker App, or by contacting us at support@thephysiobot.com.

11. Your rights under UK GDPR

You have the following rights in relation to your personal data:

• The right to be informed – to know how and why your data is collected and used (this Policy)
• The right of access – to request a copy of the personal data we hold about you
• The right to rectification – to ask us to correct inaccurate or incomplete data
• The right to erasure – to request deletion of your data in certain circumstances
• The right to restrict processing – to ask us to limit how we use your data while a query or correction is being investigated
• The right to data portability – to receive your data in a structured, commonly used, machine-readable format
• The right to object – to object to processing based on legitimate interests, or to direct marketing
• The right to withdraw consent – where processing is based on consent (including special category health data), you may withdraw that consent at any time without affecting the lawfulness of prior processing
• Rights in relation to automated decision-making and profiling – we do not make solely automated decisions that significantly affect you

To exercise any of these rights, please contact us at support@thephysiobot.com. We will respond within one calendar month. There is normally no charge, although we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: www.ico.org.uk
Helpline: 0303 123 1113

12. Third-party processors

We share your data with the following third-party processors, who act on our behalf and are bound by data processing agreements requiring them to handle your data in accordance with UK GDPR. The “applies to” column indicates whether each processor is engaged for the Website, the Tracker App, or both.

• Google Firebase (Google LLC) – applies to: Tracker App. Authentication, database storage, push notifications, and app security; data processed in the EEA (europe-west2 / London)
• Stripe (Stripe Payments Europe Ltd) – applies to: Tracker App. Payment processing; data processed in the EEA. Card numbers are entered directly into Stripe and are not stored on our systems
• Google Analytics (Google LLC) – applies to: Website only. Usage analytics. Analytics cookies are set only with your consent. IP anonymisation is enabled. You can opt out at any time via your cookie preferences or by installing the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout
• Google reCAPTCHA (Google LLC) – applies to: Website and Tracker App. Abuse, bot, and fraud protection on registration, sign-in, and contact forms
• Brevo (Sendinblue SAS) – applies to: Website and Tracker App. Transactional and newsletter email delivery; data processed in the EEA. Brevo receives your email address and the contents of any email we send you
• WordPress hosting provider – applies to: Website. Web hosting and standard WordPress operational logs (access logs, error logs); servers located in the United States
• Capgo (Digital Shift OÜ, Estonia) – applies to: Tracker App. Over-the-air delivery of app updates to the installed mobile apps; data processed within the EEA. Receives app and device identifiers and aggregate active-user counts to determine which update to serve; it does not receive your account or health data
• Apple (Apple Inc. / Apple Distribution International Ltd) – applies to: Tracker App (iOS). “Sign in with Apple” authentication (only where you choose it) and delivery of push notifications via the Apple Push Notification service. Where you use Apple’s “Hide My Email” feature, we receive an anonymised relay email address rather than your personal address

We do not sell your personal data to any third party.

13. International transfers

Your data is processed within the United Kingdom and the European Economic Area wherever possible – in particular, your Tracker App account and health data are stored on Google Firebase in the europe-west2 (London) region, and our over-the-air app-update provider processes data within the EEA. Some of our processors are located outside the UK / EEA: in particular, our Website hosting provider, and on iOS, Apple’s authentication and push-notification services, may process limited data in the United States. Where data is transferred outside the UK we rely on appropriate safeguards as required by UK GDPR, including UK adequacy regulations, the UK International Data Transfer Agreement, or Standard Contractual Clauses with the UK Addendum.

14. Children and age requirement

You must be at least 18 years of age to register for an account on the Physiobot Rehab Tracker App. We do not knowingly collect personal data from anyone under the age of 18 through the Tracker App. The Website is suitable for general audiences and does not require registration. If you believe a person under 18 has registered for a Tracker App account, please contact us at support@thephysiobot.com and we will take prompt steps to remove the account and any data held against it.

15. Marketing communications

Marketing communications – such as our newsletter, rehabilitation tips, product news, and new-programme announcements – are sent only where you have given your consent by opting in. When you register for a Tracker App account, the marketing opt-in is presented separately from your acceptance of the Terms of Use and is switched off by default; you are not added to any marketing list unless you actively choose to opt in, and opting in is never a condition of using the Service. You may also subscribe to the newsletter directly from the Website. Marketing preferences are granular – you can opt in or out of each category at any time:

• From within your profile settings in the Tracker App
• By using the unsubscribe link in any newsletter we send
• By contacting us at support@thephysiobot.com

Withdrawing consent to marketing does not affect the service-related communications we are required or permitted to send under our contract with you (for example, account verification, billing, or trial expiry).

16. Cookies

The Website and the Tracker App use cookies and similar tracking technologies for authentication, security, and analytics. Strictly necessary cookies (for sign-in and abuse prevention) are set automatically. Analytics and other non-essential cookies are set only where you have given consent.

For full details of the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy.

17. Data breaches

We have procedures in place to detect, contain, and investigate suspected personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office within 72 hours of becoming aware of it, in accordance with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our services, technology, or legal obligations. Where changes are material, we will notify registered users who have provided contact information by email or through a prominent notice in the App before the changes take effect.

19. Terms of Use

Please note, by accessing or using the Service, you acknowledge that you have read, understood, and agreed to our Terms of Use. If you do not agree to the Terms of Use, you may not access or use the Service.

20. Contact us

If you have any question about this Privacy Policy, your data, or the Service, please contact us:

ThePhysiobot Limited
Email: support@thephysiobot.com
Website: https://www.thephysiobot.com

Company Registration Number: 16071111

You have the right to complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk if you believe your data protection rights have been violated.