The General Data Protection Regulation is an EU regulation that will be in force as of May 25th 2018 and will supersede the Data Protection Directive of 1995.
GDPR relates to the collection and use of data which may include but is not limited to names, photos, email addresses, bank details, social media accounts and posts, medical information, genetics, biometric data, computer IP addresses.
If you’re using Rehab Guru to prescribe exercises to your clients and patients then GDPR applies to you, even if you aren’t physically located in the EU.
It’s worth noting that privacy and security policies are live documents and are constantly updated, this page and it’s linked policies will be constantly updated to accurately reflect how we comply with GDPR.
GDPR separate entities into Controllers and Processors. In some cases Rehab Guru Ltd, serves as both. We endeavour to provide you with the documentation, information and policies you require in order to assist you in being compliant yourself.
There have been a number of updates to our policies, terms and practices over the last 6 months, an outline of which can be found below:
Updated Privacy Policy and Terms of Service
We’ve updated our Privacy Policy and Terms of Service to meet the requirements of GDPR. We’ve cross referenced our information with the ICO in order to ensure both compliance but also provide you with a jargon-free, open and honest appraisal of the data we need to operate (and no more) as well as giving information on the platforms and services we use to remain compliant.
Appointment of Data Protection Officer (DPO)
We’ve appointed a member of our team who resides in the United Kingdom to the role of DPO and EU representative. Our DPO oversees all aspects of our in-house data usage as well as wider privacy and GDPR compliance issues.
Our DPO can be contacted at dpo@rehabguru.com.
Ensuring third-party vendors meet GDPR requirements.
Rehab Guru relies upon a number of industry-standard services and infrastructure in order to operate. As part of our GDPR preparation, we have ensured that they are all GDPR compliant themselves we well as reviewing our agreement with them in the processing of both our data and the data processed on your behalf.
We rely on services such as cloud services and transactional email providers in order to provide our service. You can read more about our third-party vendors further down this page.
Jargon Buster: “We process the data that you are the controller of” — we provide the tools, services and infrastructure to allow you to comply with the 7 pillars of GDPR.
Control over marketing communications - It is Rehab Guru’s policy to not contact patients with marketing related communications. You are the controller of their data, not us therefore, we have no right to contact them directly. That includes the communication of our GDPR compliance, it is your responsibility to inform your clients and patients of where and how their data is held.
Ability to modify personal information — personal information can be modified at the request of the patient. This fulfils the GDPR requirement of Right to Rectification.
Providing patients with a copy of all their personal information — In the situation where a patient requests a copy of all the data you hold on them under their GDPR Right to Access, it must be provided in an easy to transfer / read format as defined under the Right to Portability. We assist you in fulfilling such requests by providing an export service. Simply email your request to dpo@rehabguru.com including any relevant information (such as client name, email etc).
Deletion of all patient information (The Right to Erasure / to be Forgotten)
A patient may request the deletion of all the data you hold on them, including that held on platforms such as EHRs and Rehab Guru.
We give you the tools to perform a full deletion of a client from within all our apps. Please note that this process is irreversible and we cannot restore any information that has been deleted in error. Note: Some enterprise clients may have your authority to delete prescriptions superseded by a higher authority.
Jargon Buster: In addition to us processing the patient data that you control via our services, we are also controller of your data, for example, your name, email address, clinic information etc. As a controller, we have the same responsibility to you as you do to your patients. Below is an outline of how we comply with our data controller responsibilities under GDPR.
Full deletion of your Rehab Guru account.
On your explicit request we are able to delete your entire account and all data that we hold on you and for you (Note: This is irreversible!).
If there is a legal requirement or standing instruction from a higher authority (in the case of our Enterprise users) some data may be retained in an archive.
Control over marketing communication
We offer the option to opt out of all marketing, product updates and special offers from within our Web App account panel. This does not include correspondence which directly relates to your account such as payments, security, or we are forwarding a client request that has been sent to you via us or sent to us by mistake.
The below bullet points provide a very brief summary of how we comply with GDPRs 7 pillars. We have much more verbose information on our GDPR preparation and compliance, however, this list provides a quick compliance checklist.
Consent
We endeavour to write our Terms of Service and Privacy Policies in plain English and keep jargon to a minimum. We request your consent when signing up and provide numerous tools in order to manage both your own and your patients’ data.
Breach Notification
We have gone through an extensive Business Continuity and Risk Management Planning process in order to both identify risks as well as plan our recovery. As part of this plan, we have a communication plan and required infrastructure to inform all users of potential breaches.
Right to Access
All requests for data are handled by our staff. We handle them on a one to one basis in order to ensure that you get the data in a readable, transferable format as stipulated by the right to portability — see below.
Right to Erasure (To be forgotten)
Within your account, you have all the features to delete a client. The option to delete your whole account and all data associated with it can be done by contacting our Data Protection Officer at dpo@rehabguru.com (account deletion is irreversible and explicit consent from the account holder is required as evidence of this request).
Data Portability
We export your data in the format you require (within the bounds of what is technologically possible). Export requests can be performed by submitting a help ticket from our support portal (https://support.rehabguru.com).
Data Protection Officers
Whilst not strictly necessary by the letter of the law, we’ve still appointed a member of our team who resides in the United Kingdom to the role of DPO and EU representative. Our DPO oversees all aspects of our in-house data usage as well as wider privacy and GDPR compliance issues.
Our DPO can be contacted at dpo@rehabguru.com.
Privacy by Design
The Rehab Guru founders all originate from a clinical background. Therefore privacy and principles such as Caldicott, patient confidentiality and clinical governance have all being considered in the design and creation the services provided by Rehab Guru Ltd.
In order to deliver a global service Rehab Guru Ltd may engage with sub-processors, who may have access to Customer Data through the delivery of their service (i.e. Our email service, Mailchimp would process your name and email in order to send out a welcome email to you). Details of all our sub-processors can be found below, where relevant we have also linked to their own GDPR and Privacy Policies for completeness.
Algolia
Service: Search Service
Location: France
Policy
Amazon Web Services
Service: Cloud Service Provider
Location: London, UK
Policy
Braintree
Service: Payment Processor
Location: USA
Policy
BugSnag
Service: Error Logging
Location: UK, USA
Policy
Chargebee
Service: Subscription Management
Location: USA
Policy
Cloudflare
Service: Network provider
Location: USA
Policy
Featurebase
Service: Changelog and Feature reuquest service
Location: EU
Policy
Google Analytics
Service: Analytics (anonymised)
Location: USA
Policy
Google Firebase
Service: Push Notifications
Location: USA
Policy
Hostpresto
Service: Server Provider
Location: UK
Policy
HubSpot
Service: CRM
Location: USA
Policy
Intercom
Service: Helpdesk
Location: USA
Policy
Mailjet
Service: Email
Location: Paris, France
Policy
MongoDB
Service: Database Provider
Location: London
Policy
Posthog
Service: Application analytics
Location: USA
Policy
Postmark
Service: Transactional Email
Location: USA
Policy
Stripe
Service: Payment Processor
Location: UK, USA
Policy
Twillio
Service: Telehealth Provider
Location: USA
Policy
8X8
Service: Telehealth Provider
Location: USA
Policy
