Privacy Policy

How we collect, use, and protect your personal data

Last Updated: February 2026

1. Introduction

Physio From Home (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website (www.physiofromhome.com) and our AI-assisted physiotherapy assessment tool (collectively, the “Service”).

We are the data controller for the personal data we process. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1. Information You Provide Directly

When using our Service, you may provide us with:

  • Personal details: title, name, date of birth, sex, email address
  • Occupation information
  • Health information: symptoms, pain locations, medical history, current medications, hobbies and exercise habits
  • Physical measurements: height and weight (used to calculate Body Mass Index)
  • Medical photographs: optional images of your injury or condition that you choose to upload
  • Assessment conversation transcript
  • Payment information (processed securely by Stripe)
  • NHS/Corporate referral codes (where applicable)

2.2. Information Collected Automatically

When you visit our website, we may automatically collect:

  • Device information: IP address, browser type, operating system
  • Usage data: pages visited, time spent on pages, click patterns
  • Cookies and similar technologies (see our Cookie Policy for details)

2.3. Medical Image Uploads

You may optionally choose to upload a photograph of your injury or condition during the assessment process. If you choose to upload an image:

  • We require your separate, explicit consent at the point of upload before any image is stored or processed
  • You must confirm that the image is of your own body and does not include any other individuals
  • Your image will be securely stored in our encrypted database and transferred to our clinical management system (Cliniko) where it is attached to your patient record for review by the qualified physiotherapist assigned to your assessment
  • Images are stored separately from your other assessment data as an additional security measure
  • Images are retained for a maximum of 12 months in our assessment database from the date of upload, after which they are automatically deleted. Images held within Cliniko are retained in accordance with our clinical records retention policy (see Section 7)
  • You may request deletion of your uploaded image at any time by contacting help@physiofromhome.com with your patient reference number
  • We accept JPG and PNG image formats only, with a maximum file size of 5MB

We will never share your medical images with any third party other than the qualified physiotherapist reviewing your assessment and the clinical management system (Cliniko) used to manage your care.

2.4. AI-Assisted Assessment Processing

Our assessment service uses an AI model (Anthropic Claude) to conduct a structured clinical conversation with you and generate a provisional diagnosis. You should be aware that:

  • Your conversation responses are transmitted to Anthropic’s AI service for processing in real time during the chat assessment
  • Anthropic processes your data transiently and does not retain your conversation data beyond the processing window, in accordance with their data processing agreement
  • The AI-generated provisional diagnosis is a preliminary assessment only — it is always reviewed and verified by a qualified physiotherapist before any rehabilitation program is created
  • The AI does not make treatment decisions. All clinical decisions are made by qualified human physiotherapists
  • Your personal details (title, name, date of birth, sex, email, occupation, medical history, medications, hobbies) are provided to the AI as clinical context to support a more accurate assessment
  • Your height, weight, and BMI are not shared with the AI — these are only visible to the reviewing physiotherapist
  • Medical images you upload are not processed by the AI — they are only viewed by the qualified physiotherapist

3. Special Category Data

Health-related information you provide is classified as “special category data” under UK GDPR. We process this data on the basis of your explicit consent, which you provide when you agree to our terms during the assessment process. This data is necessary for us to provide you with our physiotherapy assessment service.

4. How We Use Your Information

We use your personal information to:

  • Provide our AI-assisted physiotherapy assessment service
  • Enable qualified physiotherapists to review your assessment
  • Create and deliver your personalised rehabilitation program via Physitrack
  • Process payments (via Stripe)
  • Send you confirmation emails with your reference number and next steps
  • Arrange follow-up appointments (Premium package)
  • Calculate your Body Mass Index (BMI) from your height and weight to provide clinical context for the reviewing physiotherapist
  • Store your assessment data securely in our encrypted database for review by qualified physiotherapists
  • Display uploaded medical images to the reviewing physiotherapist to assist with creating your rehabilitation program
  • Transfer your assessment data, including personal details, clinical summary, conversation transcript, and uploaded images, to our clinical management system (Cliniko) to create a patient record and draft treatment note for the reviewing physiotherapist
  • Generate an AI-assisted clinical summary from your conversation transcript to aid the reviewing physiotherapist
  • Respond to your enquiries and provide customer support
  • Improve our Service and develop new features
  • Comply with legal obligations

5. Legal Basis for Processing

We process your personal data on the following legal bases:

Contract: Processing is necessary to provide you with our Service.

Consent: For processing special category health data and sending marketing communications.

Legitimate Interests: To improve our Service and for business administration.

Legal Obligation: Where required by law.

6. Data Sharing

We may share your information with the following parties:

Qualified Physiotherapists: To review your assessment and create your rehabilitation program. Physiotherapists access your data through our clinical management system (Cliniko) and/or our secure assessment viewer.

Cliniko (Clinical Management System): Your personal details, assessment data, clinical summary, conversation transcript, and any uploaded medical images are transferred to Cliniko to create a patient record and treatment note. Cliniko is a practice management system used by healthcare practitioners worldwide. Cliniko stores data on secure servers within the EU (eu1 region) and is compliant with GDPR. For more information, see Cliniko’s privacy policy at www.cliniko.com/policies/privacy.

Physitrack: To deliver your video rehabilitation program.

Stripe: To process payments securely.

Email Communications (Resend): To send assessment notification emails. Important: our notification emails to the physiotherapy team contain no patient health data, only your name, reference number, package type and a secure link to view your assessment behind authentication (see Section 8.1). Your patient confirmation email contains only your reference number, package information and next steps.

Anthropic (Claude AI): To power our AI-assisted assessment tool. Your conversation data is processed transiently by Anthropic and is not retained beyond the processing window. Anthropic processes data in accordance with their privacy policy and data processing agreements. Anthropic’s servers are located in the USA; appropriate safeguards (Standard Contractual Clauses) are in place for this transfer.

NHS Trusts/Corporate Partners: Where you have used a referral code, we may share anonymised usage data with the referring organisation.

We do not sell your personal data to third parties.

7. Data Retention

We retain your personal data for as long as necessary to:

  • Provide you with our Service
  • Comply with legal, accounting, or reporting requirements
  • Resolve disputes and enforce our agreements

Assessment data stored in our secure assessment database (Upstash Redis) is automatically deleted after 12 months. Medical images in our assessment database follow the same retention period unless earlier deletion is requested.

Assessment data and medical images transferred to Cliniko are retained in accordance with standard UK healthcare records retention guidelines. Health-related assessment data in Cliniko is typically retained for 7 years in line with NHS guidelines for healthcare records, unless you request earlier deletion.

You may exercise your right to erasure at any time (subject to any overriding legal retention requirements) by contacting help@physiofromhome.com.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Secure hosting on UK/EU-based servers (Vercel, London region)
  • Access controls and authentication
  • Regular security assessments
  • Health data stored in an encrypted database (Upstash Redis) with automatic expiry after 12 months
  • No patient health data transmitted via email: a secure, authenticated viewer is used instead
  • Medical images stored in separate encrypted database records from assessment data
  • Assessment viewer protected by password authentication
  • Cliniko data encrypted in transit (TLS) and at rest, hosted on secure EU servers
  • Cliniko access restricted to authorised practitioners via individual API keys and user accounts
  • Medical images transferred to Cliniko via secure presigned URLs with time-limited access tokens

8.1. Email Security

To protect your health data, we have implemented a data-minimisation approach to email communications:

  • Physiotherapy team notifications contain only your name, reference number, package type, and a secure link to view your full assessment. No health data, diagnoses, conversation transcripts, or medical images are included in email communications.
  • Patient confirmation emails contain only your reference number, package information, and next steps. Your conversation transcript and clinical details are not included.
  • Full assessment data is accessible only through our secure, password-protected assessment viewer and our clinical management system (Cliniko).

This means that a compromised email account would expose no clinical data: the notification carries only your name, reference number and package type, and the link it contains opens the assessment only after authentication to the viewer.

8.2. AI Data Security

The AI assessment component of our service processes your data with the following safeguards:

  • All data transmitted to the AI service (Anthropic) is encrypted in transit via HTTPS/TLS
  • Anthropic does not retain your conversation data beyond the processing window required to generate a response
  • The AI does not have access to your medical images, height, weight, or BMI data
  • AI-generated diagnoses and clinical summaries are always reviewed by a qualified human physiotherapist before any clinical action is taken
  • Anthropic’s data processing agreement includes Standard Contractual Clauses for international data transfers

9. International Transfers

We primarily process your data within the UK and European Economic Area:

  • Upstash Redis (assessment database): EU-hosted servers
  • Cliniko (clinical management): EU-hosted servers (eu1 region)
  • Vercel (hosting): London region (lhr1)

Where data is transferred outside the UK/EEA:

  • Anthropic (USA): AI conversation processing. Data is transient and not stored beyond the processing window. Standard Contractual Clauses are in place.
  • Stripe (USA): Payment processing only. Stripe is PCI DSS compliant and certified under the EU-US Data Privacy Framework.
  • Resend (USA): Transactional email delivery. Emails contain no patient health data (name, reference number, package type and a secure link only).

All international transfers are subject to appropriate safeguards as required by UK GDPR, including Standard Contractual Clauses approved by the UK Information Commissioner’s Office where applicable.

10. Your Rights

Under UK GDPR, you have the following rights:

Right of Access: Request a copy of your personal data.

Right to Rectification: Request correction of inaccurate data.

Right to Erasure: Request deletion of your data (subject to legal retention requirements).

Right to Restrict Processing: Request limitation of processing in certain circumstances.

Right to Data Portability: Request your data in a machine-readable format.

Right to Object: Object to processing based on legitimate interests.

Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent).

To exercise any of these rights, please contact us at help@physiofromhome.com with your patient reference number.

11. Children’s Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

12. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Visit ico.org.uk or call 0303 123 1113.

However, we would appreciate the opportunity to address your concerns first, so please contact us at help@physiofromhome.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: help@physiofromhome.com

Website: www.physiofromhome.com

Data Protection Queries: Please include “Data Protection” in your email subject line.

By using Physio From Home, you acknowledge that you have read, understood, and agree to this Privacy Policy.