Privacy Policy

Last updated: 1 March 2026

1. Introduction

RehabSync Ltd ("RehabSync", "we", "us", or "our") is committed to protecting the privacy and security of the personal data we process. This Privacy Policy explains how we collect, use, store, and share information when you use our AI-powered physiotherapy platform, visit our website, or interact with our services.

We act as a data processor on behalf of the clinics and practitioners ("Customers") who use RehabSync to manage their practices. For clinical and patient data, our Customers are the data controllers and determine the purposes and means of processing. This policy covers data we collect directly from you as a visitor, account holder, or platform user.

2. Information We Collect

2.1 Personal Information

When you create an account or interact with our platform, we may collect:

  • Full name, email address, and phone number
  • Professional credentials and registration numbers
  • Billing address and payment information
  • Job title and clinic affiliation
  • Profile photograph (optional)

2.2 Usage Data

We automatically collect certain information about how you interact with our services:

  • Device type, browser, operating system, and IP address
  • Pages visited, features used, and session duration
  • Referring URLs and search terms
  • Crash reports and performance metrics

2.3 Clinical Data

On behalf of our Customers, the platform processes clinical and patient data including:

  • Patient names, contact details, and demographic information
  • Clinical notes, assessment records, and treatment plans
  • Exercise prescriptions and adherence data
  • Outcome measures, progress photographs, and uploaded documents

Clinical data is processed strictly in accordance with the Data Processing Agreement between RehabSync and the Customer. We do not use clinical data for our own purposes outside of providing the agreed services.

3. How We Use Your Information

We process personal data for the following purposes:

  • Service delivery: To provide, operate, and maintain the RehabSync platform and its features
  • Account management: To create and manage your user account, authenticate access, and provide customer support
  • Billing: To process payments, send invoices, and manage subscriptions
  • Communication: To send transactional emails, service updates, and (with consent) marketing communications
  • Improvement: To analyse usage patterns, diagnose technical issues, and improve our platform
  • Security: To detect, prevent, and respond to fraud, abuse, or security incidents
  • Legal compliance: To comply with applicable laws, regulations, and legal processes

4. Data Storage and Security

All data is stored on servers located within the United Kingdom and the European Economic Area. We use industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Strict access controls with role-based permissions and multi-factor authentication
  • Regular security audits, penetration testing, and vulnerability assessments
  • Automated backups with point-in-time recovery capabilities
  • Tenant isolation ensuring each clinic's data is logically separated at the database level

While we take every reasonable precaution to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any breaches in accordance with our obligations under UK GDPR.

5. Data Sharing

We do not sell your personal data. We may share information with the following categories of recipients:

  • Service providers: Trusted third parties who help us deliver the platform (e.g., cloud hosting, payment processing, email delivery), bound by contractual obligations to protect your data
  • Your organisation: If you use RehabSync through a clinic or practice, your account administrator may access certain information related to your use of the service
  • Legal authorities: When required by law, court order, or to protect our rights, safety, or property
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction

6. Your Rights

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data where there is no compelling reason for continued processing
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances
  • Right to data portability: Request your data in a structured, commonly used, and machine-readable format
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes
  • Rights related to automated decision-making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects

To exercise any of these rights, please contact us at privacy@rehabsync.com. We will respond to your request within 30 days. If you are a patient whose data is processed through RehabSync on behalf of a clinic, please direct your request to the relevant clinic in the first instance.

7. Cookies

We use cookies and similar tracking technologies to enhance your experience, analyse usage, and support our marketing efforts. Essential cookies are required for the platform to function correctly. Analytics and marketing cookies are only set with your consent.

For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specific retention periods include:

  • Account data: Retained for the duration of your account and up to 90 days after deletion, to allow for account recovery
  • Clinical data: Retained in accordance with the Customer's data retention policies and applicable healthcare regulations (typically a minimum of 8 years for adult records under NHS guidelines)
  • Billing records: Retained for 7 years to comply with HMRC requirements
  • Usage and analytics data: Retained in anonymised or aggregated form for up to 26 months

When data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.

9. Children's Privacy

RehabSync is designed for use by healthcare professionals and adult patients. We do not knowingly collect personal data from children under the age of 16 without verifiable parental or guardian consent. Where a clinic uses RehabSync to manage the care of a patient under 16, the clinic is responsible for ensuring appropriate consent has been obtained in line with their professional obligations.

If we become aware that we have inadvertently collected personal data from a child without appropriate consent, we will take steps to delete that information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or by posting a prominent notice within the platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

RehabSync Ltd
Data Protection Officer
Email: privacy@rehabsync.com

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed. You can contact the ICO at ico.org.uk.