Rehab Guru's General Data Protection Regulation (GDPR) Policy

The Gen­er­al Data Pro­tec­tion Reg­u­la­tion is an EU reg­u­la­tion that will be in force as of May 25th 2018 and will super­sede the Data Pro­tec­tion Direc­tive of 1995.

GDPR relates to the col­lec­tion and use of data which may include but is not lim­it­ed to names, pho­tos, email address­es, bank details, social media accounts and posts, med­ical infor­ma­tion, genet­ics, bio­met­ric data, com­put­er IP addresses.

If you’re using Rehab Guru to prescribe exercises to your clients and patients then GDPR applies to you, even if you aren’t physically located in the EU.

It’s worth noting that privacy and security policies are live documents and are constantly updated. This page and its linked policies will be constantly updated to accurately reflect how we comply with GDPR.

GDPR separates entities into Controllers and Processors. In some cases Rehab Guru Ltd serves as both. We endeavour to provide you with the documentation, information and policies you require in order to assist you in being compliant yourself.

There have been a num­ber of updates to our poli­cies, terms and prac­tices over the last 6 months, an out­line of which can be found below:

Updat­ed Pri­va­cy Pol­i­cy and Terms of Service

We’ve updated our Privacy Policy and Terms of Service to meet the requirements of GDPR. We’ve cross-referenced our information with the ICO in order both to ensure compliance and to provide you with a jargon-free, open and honest appraisal of the data we need to operate (and no more), as well as giving information on the platforms and services we use to remain compliant.

Appoint­ment of Data Pro­tec­tion Offi­cer (DPO)

We’ve appoint­ed a mem­ber of our team who resides in the Unit­ed King­dom to the role of DPO and EU rep­re­sen­ta­tive. Our DPO over­sees all aspects of our in-house data usage as well as wider pri­va­cy and GDPR com­pli­ance issues.

Our DPO can be con­tact­ed at dpo@​rehabguru.​com.

Ensur­ing third-par­ty ven­dors meet GDPR requirements.

Rehab Guru relies upon a number of industry-standard services and infrastructure in order to operate. As part of our GDPR preparation, we have ensured that they are all GDPR compliant themselves, as well as reviewing our agreement with them in the processing of both our data and the data processed on your behalf.

We rely on ser­vices such as cloud ser­vices and trans­ac­tion­al email providers in order to pro­vide our ser­vice. You can read more about our third-par­ty ven­dors fur­ther down this page.


Jar­gon Buster: ​“We process the data that you are the con­troller of” — we pro­vide the tools, ser­vices and infra­struc­ture to allow you to com­ply with the 7 pil­lars of GDPR.

Control over marketing communications - It is Rehab Guru’s policy not to contact patients with marketing-related communications. You are the controller of their data, not us; therefore, we have no right to contact them directly. That includes the communication of our GDPR compliance: it is your responsibility to inform your clients and patients of where and how their data is held.

Abil­i­ty to mod­i­fy per­son­al infor­ma­tion — per­son­al infor­ma­tion can be mod­i­fied at the request of the patient. This ful­fils the GDPR require­ment of Right to Rectification.

Pro­vid­ing patients with a copy of all their per­son­al infor­ma­tion — In the sit­u­a­tion where a patient requests a copy of all the data you hold on them under their GDPR Right to Access, it must be pro­vid­ed in an easy to trans­fer / read for­mat as defined under the Right to Porta­bil­i­ty. We assist you in ful­fill­ing such requests by pro­vid­ing an export ser­vice. Sim­ply email your request to dpo@​rehabguru.​com includ­ing any rel­e­vant infor­ma­tion (such as client name, email etc).

Dele­tion of all patient infor­ma­tion (The Right to Era­sure / to be Forgotten)

A patient may request the dele­tion of all the data you hold on them, includ­ing that held on plat­forms such as EHRs and Rehab Guru.

We give you the tools to perform a full deletion of a client from within all our apps. Please note that this process is irreversible and we cannot restore any information that has been deleted in error. Note: For some enterprise clients, your authority to delete prescriptions may be superseded by a higher authority.


Jar­gon Buster: In addi­tion to us pro­cess­ing the patient data that you con­trol via our ser­vices, we are also con­troller of your data, for exam­ple, your name, email address, clin­ic infor­ma­tion etc. As a con­troller, we have the same respon­si­bil­i­ty to you as you do to your patients. Below is an out­line of how we com­ply with our data con­troller respon­si­bil­i­ties under GDPR.

Full dele­tion of your Rehab Guru account.

On your explic­it request we are able to delete your entire account and all data that we hold on you and for you (Note: This is irreversible!).

If there is a legal require­ment or stand­ing instruc­tion from a high­er author­i­ty (in the case of our Enter­prise users) some data may be retained in an archive.

Con­trol over mar­ket­ing communication

We offer the option to opt out of all marketing, product updates and special offers from within our Web App account panel. This does not include correspondence which directly relates to your account, such as payments or security, or cases where we are forwarding a client request that has been sent to you via us or sent to us by mistake.


The bullet points below provide a very brief summary of how we comply with GDPR’s 7 pillars. We have much more verbose information on our GDPR preparation and compliance; however, this list provides a quick compliance checklist.


We endeav­our to write our Terms of Ser­vice and Pri­va­cy Poli­cies in plain Eng­lish and keep jar­gon to a min­i­mum. We request your con­sent when sign­ing up and pro­vide numer­ous tools in order to man­age both your own and your patients’ data.

Breach Noti­fi­ca­tion

We have gone through an extensive Business Continuity and Risk Management Planning process in order both to identify risks and to plan our recovery. As part of this plan, we have a communication plan and the required infrastructure to inform all users of potential breaches.

Right to Access

All requests for data are han­dled by our staff. We han­dle them on a one to one basis in order to ensure that you get the data in a read­able, trans­fer­able for­mat as stip­u­lat­ed by the right to porta­bil­i­ty — see below.

Right to Era­sure (To be forgotten)

Within your account, you have all the features to delete a client. Your whole account and all data associated with it can be deleted by contacting our Data Protection Officer at dpa@rehabguru.com (account deletion is irreversible and explicit consent from the account holder is required as evidence of this request).

Data Porta­bil­i­ty

We export your data in the for­mat you require (with­in the bounds of what is tech­no­log­i­cal­ly pos­si­ble). Export requests can be per­formed by sub­mit­ting a help tick­et from our sup­port por­tal (https://​sup​port​.rehabgu​ru​.com).

Data Pro­tec­tion Officers

Whilst not strict­ly nec­es­sary by the let­ter of the law, we’ve still appoint­ed a mem­ber of our team who resides in the Unit­ed King­dom to the role of DPO and EU rep­re­sen­ta­tive. Our DPO over­sees all aspects of our in-house data usage as well as wider pri­va­cy and GDPR com­pli­ance issues.

Our DPO can be con­tact­ed at dpo@​rehabguru.​com.

Pri­va­cy by Design

The Rehab Guru founders all originate from a clinical background. Therefore privacy and principles such as Caldicott, patient confidentiality and clinical governance have all been considered in the design and creation of the services provided by Rehab Guru Ltd.


In order to deliver a global service, Rehab Guru Ltd may engage with subprocessors, who may have access to Customer Data through the delivery of their service (for example, our email service, Mailchimp, would process your name and email in order to send out a welcome email to you). Details of all our subprocessors can be found below. Where relevant, we have also linked to their own GDPR and Privacy Policies for completeness.

Ama­zon Web Ser­vices
Ser­vice: Cloud Ser­vice Provider
Loca­tion: USA, Ire­land

Ser­vice: Trans­ac­tion­al Email
Loca­tion: USA

Ser­vice: Email
Loca­tion: USA

Ser­vice: Data­base Provider
Loca­tion: Lon­don

Google Ana­lyt­ics
Ser­vice: Ana­lyt­ics (anonymised)
Loca­tion: USA

Heap Ana­lyt­ics
Ser­vice: Ana­lyt­ics (anonymised)
Loca­tion: USA

Ser­vice: Ana­lyt­ics (anonymised unless response to poll where email is option­al)
Loca­tion: Mal­ta

Ser­vice: Sup­port Ser­vices
Loca­tion: USA

Ser­vice: Pay­ment Proces­sor
Loca­tion: USA


Pri­va­cy Policy

Terms of Service