PRIVACY POLICY

This Privacy Policy explains how ThePhysiobot Limited (“Physiobot®”, “we”, “us” or “our”) collects, uses, stores, and protects your personal data when you use the Physiobot® website (www.thephysiobot.com) and the Physiobot Rehabilitation Tracker App (“Tracker App”). It also explains the rights you have under UK data protection law.

This Privacy Policy should be read alongside our Terms of Use, which set out the contractual terms governing your use of the Service. Where the Terms of Use describe a feature or process that involves personal data, this Privacy Policy provides further detail about how that data is handled.

The primary laws that govern how we collect and use personal data (“Data”) about you are:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018


A note on the difference between the Website and the Tracker App

Throughout this Policy we draw a clear distinction between two very different ways of using Physiobot:

  • The Physiobot® Website (www.thephysiobot.com) is our public website, which hosts rehabilitation programme pages, exercise content, equipment suggestions, the symptom checker, the newsletter signup, and general information about Physiobot. You can browse the Website and use all of its tools without creating an account, and we collect very little personal data from Website visitors beyond what is necessary for analytics, security, and any contact form or newsletter you choose to submit.
  • The Physiobot Tracker App is our subscription-based rehabilitation tracking mobile app. To use the Tracker App you must register an account, and the Service is provided on the basis of the personal data described in section 4 below, including health and rehabilitation data, which is treated with the enhanced protections required for special category data under Article 9 of the UK GDPR.


Sections 3 and 4 below describe what we collect in each of these contexts.

1. Who we are and how to contact us

ThePhysiobot Limited is the data controller responsible for your personal data. Our company registration number is 16071111 and our registered address is on file with Companies House.

For any question or request relating to your personal data, including the exercise of any of the rights set out in section 11 below, please contact us at support@thephysiobot.com.

2. Scope of this Policy

This Policy applies to:

  • Visitors to the Physiobot® website at www.thephysiobot.com
  • Users of any tool hosted on the Website, including the symptom checker, the rehabilitation programme pages, the equipment guide, the newsletter signup, and any contact or request form
  • Registered users of the Physiobot Tracker App
  • Anyone who corresponds with us by email or signs up to our newsletter


This Policy does not apply to third-party websites or services to which the Service may link. Those services are governed by their own privacy policies.

3. Personal data we collect – Physiobot® Website and website tools

You can browse www.thephysiobot.com and use most of its content without registering, signing in, or providing any personal information. We collect only the limited categories of data set out below.

3.1 Cookies and analytics

The Website uses cookies and similar tracking technologies. Strictly necessary cookies (for security, session management, and abuse prevention) are set automatically. Analytics cookies are set only where you have given consent.

Where Google Analytics is used, we collect:

  • Pages visited and time spent on each page
  • General device and browser information
  • Approximate region (country / city level)
  • Anonymised IP address – IP anonymisation is enabled, so the last octet of your IP address is removed before storage


We do not use cookies on the Website to identify you personally as an individual. See our full Cookie Policy for further detail.

3.2 The Symptom Checker and other interactive tools

The Physiobot® symptom checker, programme pages, equipment guide, and similar interactive tools on the Website are designed to be used anonymously. We do not require you to register or sign in to use them, and we do not keep records of your responses to questions within these tools that identify you as an individual.

The symptom checker is a Class I medical device regulated in the UK by the MHRA (Reference Number 33652, GMDN Code 64275). Aggregate, non-identifying technical telemetry may be collected for the purpose of monitoring the safe operation of the medical device, in accordance with our regulatory obligations.

Where the symptom checker is opened from inside the Tracker App, the resulting programme suggestion is passed back to your account so it can be added to your rehabilitation programmes, but only on your action and only if you choose to add it.

3.3 Newsletter signup

If you sign up to the Physiobot newsletter from the Website, we collect your email address (and, optionally, your name) for the sole purpose of sending you the newsletter. Your address is stored by our email provider Brevo (see section 13). You may unsubscribe at any time using the link in any newsletter, or by contacting us at support@thephysiobot.com.

3.4 Contact forms and “Request an Exercise”

If you complete a form on the Website (for example, a contact form or the “Request an Exercise” form), we collect the information you voluntarily choose to submit, typically your name, email address, and the contents of your message. This is used solely to respond to your enquiry or request; we do not use it for any other purpose without your further consent. Providing this information is entirely optional.

3.5 Correspondence

If you email us, we receive and store your email address, your name (if provided), and the contents of your message, for the purpose of responding to you and for record-keeping.

4. Personal data we collect – Physiobot Tracker App

The Physiobot Rehab Tracker App is a subscription-based application that requires you to register an account. To deliver the rehabilitation tracking features described in our Terms of Use, we collect the categories of data set out below.

4.1 Account data

Your name, email address, date of birth, and a hashed password. We never store passwords in plain text. Where you sign in using a third-party identity provider (for example, Google or Apple), we receive a verified email address and the basic profile fields that provider returns; we do not receive your third-party account password. If you sign in with Apple and choose Apple’s “Hide My Email” option, we receive an anonymised Apple relay email address rather than your personal email address, and we use that relay address to communicate with you.

4.2 Health and rehabilitation data

Exercise logs, pain scores, daily check-ins (mood, sleep, pain, return-to-work status, optional notes), phase progress, adherence data, milestones, and the rehabilitation programmes you add to your account or build yourself. This is “special category” data under Article 9 of the UK GDPR and is treated with enhanced protection (see section 5).

4.3 Subscription and payment data

Subscription tier (Standard, Premium, or Enterprise), trial status, billing dates, and a Stripe customer reference. Card numbers and other payment credentials are entered directly into Stripe and are not stored on our systems.

4.4 Communications and support data

The contents of any correspondence you send to us through the App, support tickets, feedback you submit through the App, and your in-App newsletter and notification preferences.

4.5 Usage and device data

Device type, browser type, approximate region (derived from your connection for security and localisation), and your IANA timezone (used to schedule reminders and notifications at locally appropriate times). We do not operate an analytics service within the Tracker App, so we do not track in-app page views, feature usage, or session duration for analytics purposes. (Analytics on the public Website is described in section 3.1.)

4.6 Security and integrity data

Authentication events (sign-ins, sign-outs, failed login attempts), reCAPTCHA scores, App Check tokens, and limited diagnostic information used to detect abuse, prevent fraud, and investigate security incidents.

4.7 Practitioner and Enterprise relational data

If you are a Premium user with Practitioner Licences, or an Enterprise account holder, we record the email addresses you invite, the licence link between you and each accepted user, and the rehabilitation summary data each user has explicitly consented to share with you (see section 7).

4.8 Device permissions and on-device features (mobile Tracker App)

The mobile Tracker App may request the following device permissions, each used only for the stated purpose:

  • Camera – used solely to scan a QR code that adds a rehabilitation programme to your account. The camera image is processed on your device in real time to read the code; it is not stored, recorded, or transmitted to us.
  • Notifications – used to deliver push notifications and locally scheduled exercise reminders at the times you set. To deliver push notifications we store a push notification token (issued by Firebase Cloud Messaging, and on iOS by the Apple Push Notification service) against your account. You can disable notifications at any time within the App or in your device settings.
  • Exact alarm scheduling (Android) – used so that your exercise reminders fire reliably at the time you choose.

You can decline or later revoke any of these permissions in your device settings; the rest of the App continues to function without them.

5. Special Category Data – Health and Medical Information (Tracker App only)

Health and rehabilitation data is “special category” personal data under Article 9 of the UK GDPR and requires a higher standard of protection. We collect special category data only within the Tracker App, and only where it is strictly necessary for the rehabilitation tracking features you have subscribed to.

We process this data on the basis of your explicit consent, which you provide by accepting our Terms of Use and using the health-tracking features of the App. Without collecting this data we are unable to provide rehabilitation programme tracking, phase progression, exercise logging, pain trend analysis, or progress reporting, which are the fundamental functions to which you have subscribed.

We apply the principle of data minimisation under Article 5(1)(c) of the UK GDPR and collect only the health information directly required to deliver these features. Your health data is held separately from general usage data, stored with enhanced access controls, and is never used for advertising, profiling, or any purpose unrelated to your own rehabilitation support.

You may withdraw your consent at any time by deleting your account or contacting us at support@thephysiobot.com.

Withdrawal will not affect the lawfulness of any processing carried out before the withdrawal.

6. Lawful bases for processing

We rely on the following lawful bases under Article 6 (and, where applicable, Article 9) of the UK GDPR:

  • Contract: to provide the Tracker App you have subscribed to and to manage your account, billing, and communications related to the Service
  • Explicit consent (Article 9(2)(a)): for special category health and rehabilitation data within the Tracker App, which is strictly necessary for delivery of the Service. This consent is freely given, specific, and informed, and may be withdrawn at any time
  • Explicit consent: for analytics cookies on the Website and within the App, optional marketing communications, and any employer or clinician data sharing you choose to enable
  • Legitimate interests: to improve the Service, prevent fraud and abuse, and maintain the security of our systems, where these interests are not overridden by your rights and freedoms
  • Legal obligation: where processing is required to comply with UK law (for example, retention of financial records for tax purposes)


7. Employer, Clinician, and Enterprise data sharing (Tracker App only)

Where your employer or clinician has invited you to use the Tracker App, or has purchased a subscription on your behalf, you may choose, entirely at your own discretion, to grant them access to a summary of your rehabilitation progress data. This feature is disabled by default and must be explicitly enabled by you.

What is shared, if you choose to enable sharing:

  • Rehabilitation programme name(s)
  • Exercise completion and adherence rates
  • Phase progression and milestone completion
  • Anonymised aggregate trends (in the case of Enterprise accounts, only aggregated data across all employees is shown, never individual records)

What is never shared:

  • Pain scores
  • Mood, sleep, and other check-in ratings
  • Personal notes
  • Date of birth


Sharing is based solely on your explicit consent under Article 9(2)(a) of the UK GDPR. You may withdraw consent at any time within your account settings; withdrawal takes effect immediately and does not affect the lawfulness of sharing carried out before withdrawal.

Premium users and Enterprise account holders who access shared data are subject to the obligations set out in section 3.8.3 of our Terms of Use, including a strict prohibition on using shared data for any purpose other than directly supporting the individual’s rehabilitation, and on sharing or disclosing the data to any third party.

8. How we use your data

We use your personal data to:

  • Operate and maintain the Website and the Tracker App
  • Manage your account and subscription (Tracker App)
  • Enable exercise tracking, phase progression, milestone tracking, and progress reporting (Tracker App)
  • Send service-related communications, including account verification, password reset, subscription confirmations, subscription renewal and expiry reminders, trial expiry reminders, phase advancement notifications, notices about changes to any complimentary access and any scheduled account or data deletion, and technical notices (Tracker App)
  • Send marketing communications (including our newsletter) where you have given consent. You may opt out at any time via your profile settings or by contacting us
  • Respond to enquiries and “Request an Exercise” submissions made through the Website
  • Improve and develop the Website and the Tracker App, including through anonymised analytics
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with our legal and regulatory obligations


We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you, and we do not engage in profiling for advertising or marketing purposes.

9. Data storage and security

The Tracker App stores its data on Google Firebase (Cloud Firestore), hosted in the European Economic Area in the europe-west2 (London) region. The public Website is hosted by a third-party WordPress hosting provider whose servers are located in the United States; data collected through the Website (for example newsletter sign-ups and contact-form submissions) is therefore transferred to and stored in the United States under the safeguards described in section 13.

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration, or destruction, including:

  • Encryption in transit (TLS) and at rest
  • Role-based access controls and authentication for our systems
  • Custom claims and Firestore security rules to enforce per-user access boundaries within the Tracker App
  • Application-level abuse protection through Firebase App Check and Google reCAPTCHA
  • Logging of administrative actions to an immutable audit trail
  • Logging of security-relevant events (including failed logins, rate-limit events, and data export events) for ICO breach-tracking purposes
  • Regular review of security controls and dependencies


While we take reasonable steps to protect your data, no system is completely secure. You are responsible for safeguarding your own login credentials and the device you use to access the Service. You must not share your password with any other person (see section 3.8 of our Terms of Use).

10. Data retention

We retain your personal data only for as long as is necessary for the purpose for which it was collected.

  • Website analytics: anonymised analytics data is retained in line with the default retention period set within Google Analytics. Strictly necessary cookies are session-scoped or short-lived
  • Newsletter subscribers: until you unsubscribe or ask us to remove your details
  • Contact Form submissions: until the enquiry is resolved, and for a reasonable period thereafter for record-keeping
  • Tracker App account data and health data: for as long as your account is active. If you delete your account, we will delete your personal data within 30 days
  • Financial and subscription records: 7 years, in accordance with UK tax law
  • Audit and breach logs: retained for as long as required to demonstrate compliance and to investigate security incidents


You may request deletion at any time via the GDPR data tools in the Tracker App, or by contacting us at support@thephysiobot.com.

11. Your rights under UK GDPR

You have the following rights in relation to your personal data:

  • The right to be informed – to know how and why your data is collected and used (this Policy)
  • The right of access – to request a copy of the personal data we hold about you
  • The right to rectification – to ask us to correct inaccurate or incomplete data
  • The right to erasure – to request deletion of your data in certain circumstances
  • The right to restrict processing – to ask us to limit how we use your data while a query or correction is being investigated
  • The right to data portability – to receive your data in a structured, commonly used, machine-readable format
  • The right to object – to object to processing based on legitimate interests, or to direct marketing
  • The right to withdraw consent – where processing is based on consent (including special category health data), you may withdraw that consent at any time without affecting the lawfulness of prior processing
  • Rights in relation to automated decision-making and profiling – we do not make solely automated decisions that significantly affect you


To exercise any of these rights, please contact us at support@thephysiobot.com. We will respond within one calendar month. There is normally no charge, although we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: www.ico.org.uk
Helpline: 0303 123 1113

12. Third-party processors

We share your data with the following third-party processors, who act on our behalf and are bound by data processing agreements requiring them to handle your data in accordance with UK GDPR. The “applies to” note against each processor indicates whether it is engaged for the Website, the Tracker App, or both.

  • Google Firebase (Google LLC) – applies to: Tracker App. Authentication, database storage, push notifications, and app security; data processed in the EEA (europe-west2 / London)
  • Stripe (Stripe Payments Europe Ltd) – applies to: Tracker App. Payment processing; data processed in the EEA. Card numbers are entered directly into Stripe and are not stored on our systems
  • Google Analytics (Google LLC) – applies to: Website only. Usage analytics. Analytics cookies are set only with your consent. IP anonymisation is enabled. You can opt out at any time via your cookie preferences or by installing the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout
  • Google reCAPTCHA (Google LLC) – applies to: Website and Tracker App. Abuse, bot, and fraud protection on registration, sign-in, and contact forms
  • Brevo (Sendinblue SAS) – applies to: Website and Tracker App. Transactional and newsletter email delivery; data processed in the EEA. Brevo receives your email address and the contents of any email we send you
  • WordPress hosting provider – applies to: Website. Web hosting and standard WordPress operational logs (access logs, error logs); servers located in the United States
  • Capgo (Digital Shift OÜ, Estonia) – applies to: Tracker App. Over-the-air delivery of app updates to the installed mobile apps; data processed within the EEA. Receives app and device identifiers and aggregate active-user counts to determine which update to serve; it does not receive your account or health data
  • Apple (Apple Inc. / Apple Distribution International Ltd) – applies to: Tracker App (iOS). “Sign in with Apple” authentication (only where you choose it) and delivery of push notifications via the Apple Push Notification service. Where you use Apple’s “Hide My Email” feature, we receive an anonymised relay email address rather than your personal address


We do not sell your personal data to any third party.

13. International transfers

Your data is processed within the United Kingdom and the European Economic Area wherever possible – in particular, your Tracker App account and health data are stored on Google Firebase in the europe-west2 (London) region, and our over-the-air app-update provider processes data within the EEA. Some of our processors are located outside the UK / EEA: in particular, our Website hosting provider, and on iOS, Apple’s authentication and push-notification services, may process limited data in the United States. Where data is transferred outside the UK we rely on appropriate safeguards as required by UK GDPR, including UK adequacy regulations, the UK International Data Transfer Agreement, or Standard Contractual Clauses with the UK Addendum.

14. Children and age requirement

You must be at least 18 years of age to register for an account on the Physiobot Rehab Tracker App. We do not knowingly collect personal data from anyone under the age of 18 through the Tracker App. The Website is suitable for general audiences and does not require registration. If you believe a person under 18 has registered for a Tracker App account, please contact us at support@thephysiobot.com and we will take prompt steps to remove the account and any data held against it.

15. Marketing communications

Marketing communications – such as our newsletter, rehabilitation tips, product news, and new-programme announcements – are sent only where you have given your consent by opting in. When you register for a Tracker App account, the marketing opt-in is presented separately from your acceptance of the Terms of Use and is switched off by default; you are not added to any marketing list unless you actively choose to opt in, and opting in is never a condition of using the Service. You may also subscribe to the newsletter directly from the Website. Marketing preferences are granular – you can opt in or out of each category at any time:

  • From within your profile settings in the Tracker App
  • By using the unsubscribe link in any newsletter we send
  • By contacting us at support@thephysiobot.com


Withdrawing consent to marketing does not affect the service-related communications we are required or permitted to send under our contract with you (for example, account verification, billing, or trial expiry).

16. Cookies

The Website and the Tracker App use cookies and similar tracking technologies for authentication, security, and analytics. Strictly necessary cookies (for sign-in and abuse prevention) are set automatically. Analytics and other non-essential cookies are set only where you have given consent.

For full details of the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy.

17. Data breaches

We have procedures in place to detect, contain, and investigate suspected personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office within 72 hours of becoming aware of it, in accordance with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our services, technology, or legal obligations. Where changes are material, we will notify registered users who have provided contact information by email or through a prominent notice in the App before the changes take effect.

19. Terms of Use

Please note that by accessing or using the Service, you acknowledge that you have read, understood, and agreed to our Terms of Use. If you do not agree to the Terms of Use, you may not access or use the Service.

20. Contact us

If you have any question about this Privacy Policy, your data, or the Service, please contact us:

ThePhysiobot Limited
Email: support@thephysiobot.com
Website: https://www.thephysiobot.com

Company Registration Number: 16071111

You have the right to complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk if you believe your data protection rights have been violated.

Disclaimer

Physiobot is a free digital tool designed to inform, guide, and educate, and is not a substitute for professional medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional for personal advice regarding your health, diagnosis, or treatment options. By continuing to use this website and the Physiobot tools, you agree to our Terms of Use.