Rose Physio HUB — Privacy Policy
Effective Date: [Insert: November 2025 or updated date]
Rose Physio HUB is committed to protecting your personal data and ensuring full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the professional standards of the Health and Care Professions Council (HCPC).
As a secure and comprehensive physiotherapy management platform (SaaS), we process personal data to enable digital physiotherapy services, appointment management, communication, and personalised treatment planning.
1. Legal Compliance
We design and operate the platform with strict adherence to UK data protection law.
- Rose Physio HUB complies with UK GDPR, the Data Protection Act 2018, HCPC data standards, and recognised UK physiotherapy data-handling guidelines.
- The platform includes a GDPR compliance banner and cookie consent mechanism at deployment.
- Platform Admins are authorised to review GDPR audit logs, manage flagged content, and monitor data compliance.
- Terms & Conditions are visible during registration and may be updated by platform administrators.
2. Data We Collect and User Roles
We collect data to create accounts, process appointments, facilitate treatment, and ensure communication between Clients, Practitioners, Clinics, and Admins.
A. Data Collected from Clients
Clients may register independently or be added by a Practitioner/Staff member. Independently submitted data includes:
- Identity information: Full name, email (used as username), password, date of birth, mobile number, gender, and country.
- Transaction data: Appointment payments, programme purchases, invoices, and payment history processed via Stripe.
- Health and therapy data: Progress logs, pain levels, daily exercise tracking, and personalised programme forms.
B. Data Collected from Practitioners
Practitioners must provide accurate professional details:
- Identity & professional information: Full name, country, professional grade, professional registration body (e.g., HCPC), licence/registration number, mobile number, email.
- Financial information: Stripe account details for direct payments.
- Professional content: Biography, specialty, address.
- Verification documents: Any required credentials or certificates.
Practitioner accounts remain inactive until manually reviewed and approved by a platform Admin.
C. Clinical & Treatment Data (SOAP Notes & Videos)
- SOAP Notes: Used by Practitioners to document session outcomes (Subjective, Objective, Assessment, Plan).
- These notes are secure, encrypted, and not visible to Clients.
- Private videos: Uploaded by Practitioners for personalised programmes.
- Visible only to the uploading Practitioner and the assigned Client.
- Not visible to other Practitioners or staff within the same clinic.
3. Data Security & Role-Based Access
We use strict role-based access control to ensure that only authorised users can access specific data.
A. Encryption & Technical Safeguards
- All data and traffic are encrypted using AES-256 and SSL/TLS.
- Sensitive health data is encrypted at rest and in transit.
- In-app chat messages between Clients and Practitioners/Staff are end-to-end encrypted (E2EE).
B. Role-Based Permissions
Access is limited strictly by user role:
Clients
- Cannot access SOAP Notes, practitioner calendars, or other clients’ videos.
Practitioners
- Can access full Client history: appointments, payments, chats, treatment plans.
Clinic Staff
- Can view full Client and Practitioner data within their own clinic.
- Can access and respond to all Client–Practitioner chat threads.
Clinic Managers
- Can view and supervise all Client and Practitioner records within their clinic.
Platform Admins
- Access to audit logs, payments overview, messaging logs, and platform analytics.
- Cannot access therapy content for clinical purposes.
4. Payments & Financial Data
All payments (appointments, programme requests, subscriptions) are processed securely through Stripe Connect.
- Rose Physio HUB does not take commission from Client appointments.
- 100% of appointment fees are transferred directly to the Practitioner’s Stripe account.
- Invoices are automatically generated for each appointment or programme request and downloadable by both Client and Practitioner.
- Admins may review platform-wide payment records for compliance purposes.
5. Your Rights Under UK GDPR
All users (Clients, Practitioners, Clinic Managers, Staff) have legal rights regarding their personal data:
- Right of Access & Data Portability:
You may download your full account data, including payment history and communications.
SOAP Notes may be exported by the Practitioner (e.g., Excel file).
- Right to Rectification:
You may edit and update your profile details at any time.
- Right to Restrict Processing:
Accounts may be deactivated by Admins upon user request or due to policy violations.
- Cookie Consent Rights:
Cookies are only used with your explicit consent.
6. Transparency & Security Analogy (for clarity)
Think of your personal data inside Rose Physio HUB as being stored in a secure digital vault:
- Client data is locked and accessible only by the assigned Practitioner.
- Practitioners act like authorised key holders who can access data only for treatment purposes.
- Admins are auditors who oversee safety and compliance—but do not use clinical data themselves.