Privacy Policy

How we collect, use, and protect your personal data

Last Updated: February 2026

1. Introduction

Physio From Home, operated by Physio From Home AI Ltd (“we”, “us”, “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website (www.physiofromhome.com) and our AI-assisted physiotherapy assessment tool (collectively, the “Service”).

Physio From Home AI Ltd is the data controller for the personal data we process. We are registered in England and Wales (Company No. pending). We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1. Information You Provide Directly

When using our Service, you may provide us with:

Personal details: title, name, date of birth, sex, email address, mobile phone number
GP surgery details: GP surgery name and address (used for GP referral letters if your symptoms are not improving)
Occupation information
Health information: symptoms, pain locations, medical history, current medications, hobbies and exercise habits
Physical measurements: height and weight (used to calculate Body Mass Index)
Medical photographs: optional images of your injury or condition that you choose to upload
Assessment conversation transcript
Payment information (processed securely by Stripe)
NHS/Corporate referral codes (where applicable)

2.2. Information Collected Automatically

When you visit our website, we may automatically collect:

Device information: IP address, browser type, operating system
Usage data: pages visited, time spent on pages, click patterns
Cookies and similar technologies (see our Cookie Policy for details)

2.3. Medical Image Uploads

You may optionally choose to upload a photograph of your injury or condition during the assessment process. If you choose to upload an image:

We require your separate, explicit consent at the point of upload before any image is stored or processed
You must confirm that the image is of your own body and does not include any other individuals
Your image will be securely stored in our encrypted database and transferred to our clinical management system (Cliniko) where it is attached to your patient record for review by the qualified physiotherapist assigned to your assessment
Images are stored separately from your other assessment data as an additional security measure
Images are retained for a maximum of 12 months in our assessment database from the date of upload, after which they are automatically deleted. Images held within Cliniko are retained in accordance with our clinical records retention policy (see Section 7)
You may request deletion of your uploaded image at any time by contacting admin@physiofromhome.com with your patient reference number
We accept JPG and PNG image formats only, with a maximum file size of 5MB

We will never share your medical images with any third party other than the qualified physiotherapist reviewing your assessment and the clinical management system (Cliniko) used to manage your care.

2.4. AI-Assisted Assessment Processing

Our assessment service uses an AI model (Anthropic Claude) to conduct a structured clinical conversation with you and generate a provisional diagnosis. You should be aware that:

Your conversation responses are transmitted to Anthropic’s AI service for processing in real time during the chat assessment
Anthropic processes your data transiently and does not retain your conversation data beyond the processing window, in accordance with their data processing agreement
The AI-generated provisional diagnosis is a preliminary assessment only — it is always reviewed and verified by a qualified physiotherapist before any rehabilitation program is created
The AI does not make treatment decisions. All clinical decisions are made by qualified human physiotherapists
Your personal details (title, name, date of birth, sex, email, occupation, medical history, medications, hobbies) are provided to the AI as clinical context to support a more accurate assessment
Your height, weight, and BMI are not shared with the AI — these are only visible to the reviewing physiotherapist
Medical images you upload are not processed by the AI — they are only viewed by the qualified physiotherapist

3. Special Category Data

Health-related information you provide is classified as “special category data” under UK GDPR. We process this data on the basis of your explicit consent, which you provide when you agree to our terms during the assessment process. This data is necessary for us to provide you with our physiotherapy assessment service.

4. How We Use Your Information

We use your personal information to:

Provide our AI-assisted physiotherapy assessment service
Enable qualified physiotherapists to review your assessment
Create and deliver your personalised rehabilitation program via Physitrack
Process payments (via Stripe)
Send you confirmation emails with your reference number and next steps
Send SMS progress check-ins at Week 1 and Week 6 containing a personalised link to a check-in page where you rate your symptom improvement on a scale of 0-10 (via Twilio)
Generate and send GP referral letters if your symptoms are not improving, sent to your registered email and forwarded to your GP surgery on your behalf
Deliver your password-secured results PDF containing your confirmed provisional diagnosis, information about your condition, and your personalised rehab program code
Calculate your Body Mass Index (BMI) from your height and weight to provide clinical context for the reviewing physiotherapist
Store your assessment data securely in our encrypted database for review by qualified physiotherapists
Display uploaded medical images to the reviewing physiotherapist to assist with creating your rehabilitation program
Transfer your assessment data, including personal details, clinical summary, conversation transcript, and uploaded images, to our clinical management system (Cliniko) to create a patient record and draft treatment note for the reviewing physiotherapist
Generate an AI-assisted clinical summary from your conversation transcript to aid the reviewing physiotherapist
Respond to your enquiries and provide customer support
Request your feedback after discharge to help us improve our service. Any feedback you provide is entirely voluntary and will only be shared publicly (e.g. as a testimonial on our website) with your explicit permission
Improve our Service and develop new features
Comply with legal obligations

5. Legal Basis for Processing

We process your personal data on the following legal bases:

Contract: Processing is necessary to provide you with our Service.

Consent: For processing special category health data and sending

marketing communications.

Legitimate Interests: To improve our Service, request feedback from discharged patients, and for business administration.

Legal Obligation: Where required by law.

6. Data Sharing

We may share your information with the following parties:

Qualified Physiotherapists: To review your assessment and create

your rehabilitation program. Physiotherapists access your data through our clinical management system (Cliniko) and/or our secure assessment viewer.

Cliniko (Clinical Management System): Your personal details,

assessment data, clinical summary, conversation transcript, and any uploaded medical images are transferred to Cliniko to create a patient record and treatment note. Cliniko is a practice management system used by healthcare practitioners worldwide. Cliniko stores data on secure servers within the EU (eu1 region) and is compliant with GDPR. For more information, see Cliniko’s privacy policy at www.cliniko.com/policies/privacy.

Physitrack: To deliver your video rehabilitation program.

Stripe: To process payments securely.

Email Communications (Resend): To send assessment notification

emails. Important: Our notification emails to the physiotherapy team contain no patient health data — only your reference number and a secure link to view your assessment behind authentication. Your patient confirmation email contains only your reference number and next steps information.

Twilio: To validate your mobile phone number during sign-up

(confirming it is a valid UK mobile number capable of receiving SMS) and to send SMS progress check-ins at Week 1 and Week 6. Your phone number is sent to Twilio for validation purposes only — no clinical data is included. SMS messages contain a personalised link to a check-in page and your reference number — no clinical data is included in the SMS itself. Your check-in responses (improvement score and optional comments) are stored securely in our encrypted database.

Postcodes.io: To provide postcode lookup functionality when

entering your GP surgery address. Only the GP surgery postcode is sent to Postcodes.io — no personal or clinical data is shared. Postcodes.io is a free, open-source service based on UK public sector open data (Office for National Statistics and Ordnance Survey). No authentication or account is required, and no personal data is processed by this service.

Anthropic (Claude AI): To power our AI-assisted assessment tool.

Your conversation data is processed transiently by Anthropic and is not retained beyond the processing window. Anthropic processes data in accordance with their privacy policy and data processing agreements. Anthropic’s servers are located in the USA; appropriate safeguards (Standard Contractual Clauses) are in place for this transfer.

NHS Trusts/Corporate Partners: Where you have used a referral code,

we may share anonymised usage data with the referring organisation.

We do not sell your personal data to third parties.

7. Data Retention

We retain your personal data for as long as necessary to:

Provide you with our Service
Comply with legal, accounting, or reporting requirements
Resolve disputes and enforce our agreements

Assessment data stored in our secure assessment database (Upstash Redis) is automatically deleted after 12 months. Medical images in our assessment database follow the same retention period unless earlier deletion is requested.

Assessment data and medical images transferred to Cliniko are retained in accordance with standard UK healthcare records retention guidelines. Health-related assessment data in Cliniko is typically retained for 7 years in line with NHS guidelines for healthcare records, unless you request earlier deletion.

You may exercise your right to erasure at any time (subject to any overriding legal retention requirements) by contacting admin@physiofromhome.com.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit (HTTPS/TLS) and at rest
Secure hosting on UK/EU-based servers (Vercel, London region)
Access controls and authentication
Regular security assessments
Health data stored in encrypted database (Upstash Redis) with automatic expiry
No patient health data transmitted via email — secure authenticated viewer used instead
Medical images stored in separate encrypted database records from assessment data
Assessment viewer protected by password authentication
Automatic data expiry after 12 months in assessment database
Cliniko data encrypted in transit (TLS) and at rest, hosted on secure EU servers
Cliniko access restricted to authorised practitioners via individual API keys and user accounts
Medical images transferred to Cliniko via secure presigned URLs with time-limited access tokens

8.1. Email Security

To protect your health data, we have implemented a data-minimisation approach to email communications:

Physiotherapy team notifications contain only your name, reference number, and a secure link to view your full assessment. No health data, diagnoses, conversation transcripts, or medical images are included in team notification emails.
Patient confirmation emails contain only your reference number and next steps information. Your conversation transcript and clinical details are not included.
Patient results emails include a password-secured PDF attachment containing your confirmed provisional diagnosis, clinical summary, assessment transcript, and Physitrack program code. The PDF is encrypted with your date of birth as the password.
GP referral letters are sent as PDF attachments to your registered email (for your records) and to our admin team for manual forwarding to your GP surgery. These letters contain your name, date of birth, provisional diagnosis, and clinical recommendations.
SMS progress check-ins contain a personalised link to a check-in page and your reference number — no clinical data is included in the SMS itself.
Full assessment data is accessible only through our secure, password-protected assessment viewer and our clinical management system (Cliniko).

8.2. AI Data Security

The AI assessment component of our service processes your data with the following safeguards:

All data transmitted to the AI service (Anthropic) is encrypted in transit via HTTPS/TLS
Anthropic does not retain your conversation data beyond the processing window required to generate a response
The AI does not have access to your medical images, height, weight, or BMI data
AI-generated diagnoses and clinical summaries are always reviewed by a qualified human physiotherapist before any clinical action is taken
Anthropic’s data processing agreement includes Standard Contractual Clauses for international data transfers

9. International Transfers

We primarily process your data within the UK and European Economic Area:

Upstash Redis (assessment database): EU-hosted servers
Cliniko (clinical management): EU-hosted servers (eu1 region)
Vercel (hosting): London region (lhr1)

Where data is transferred outside the UK/EEA:

Anthropic (USA): AI conversation processing. Data is transient and not stored beyond the processing window. Standard Contractual Clauses are in place.
Stripe (USA): Payment processing only. Stripe is PCI DSS compliant and certified under the EU-US Data Privacy Framework.
Resend (USA): Transactional email delivery. Emails contain no patient health data (reference numbers and secure links only).

All international transfers are subject to appropriate safeguards as required by UK GDPR, including Standard Contractual Clauses approved by the UK Information Commissioner’s Office where applicable.

10. Your Rights

Under UK GDPR, you have the following rights:

Right of Access: Request a copy of your personal data.

Right to Rectification: Request correction of inaccurate data.

Right to Erasure: Request deletion of your data (subject to legal

retention requirements).

Right to Restrict Processing: Request limitation of processing in

certain circumstances.

Right to Data Portability: Request your data in a machine-readable

format.

Right to Object: Object to processing based on legitimate interests.

Right to Withdraw Consent: Withdraw consent at any time (where

processing is based on consent).

To exercise any of these rights, please contact us at admin@physiofromhome.com with your patient reference number.

11. Children’s Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

12. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Visit ico.org.uk or call 0303 123 1113.

However, we would appreciate the opportunity to address your concerns first, so please contact us at admin@physiofromhome.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: admin@physiofromhome.com

Website: www.physiofromhome.com

Data Protection Queries: Please include “Data Protection” in your

email subject line.

By using Physio From Home, you acknowledge that you have read, understood, and agree to this Privacy Policy.