Privacy Policy
Last updated: 11 June 2026
Bruno Physical Rehabilitation Ltd ("we", "our", "us") is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal data when you visit our website (bpr.rehab) or use our clinical services.
We process personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
1. Data Controller
The data controller is: Bruno Physical Rehabilitation Ltd, based in Ipswich, Suffolk, United Kingdom.
For data protection enquiries, contact: admin@bpr.rehab
2. Data We Collect
a) Data you provide to us:
- Identity data: name, email, phone, date of birth, address
- Medical screening data: health history, medications, allergies, conditions
- Clinical data: assessments, body images, foot scans, blood pressure readings
- Payment data: processed via Stripe (we do not store card details)
- Communications: emails, messages, contact form submissions
b) Data collected automatically (with consent):
- IP address and approximate geolocation (country, city)
- Browser fingerprint (technical identifier, no cookies used)
- Pages visited, time on page, and scroll depth
- Click positions (for heatmap generation)
- Device type, browser, operating system
- Referrer data and UTM parameters
Note: Analytics data collection only occurs after you give explicit consent via our cookie banner.
3. Lawful Basis for Processing
- For website analytics data, non-essential cookies, and marketing communications.
- To provide clinical services you have requested, manage appointments and treatments.
- To improve our services and website, ensure security, and prevent fraud.
- To comply with healthcare regulatory and record-keeping requirements.
- In emergency situations where your health may be at risk.
Special category data (health data):
Your health data is "special category data" under Article 9 of the UK GDPR. In addition to an Article 6 lawful basis, we process this data under Article 9(2)(h) — necessary for the provision of health care and treatment by a health professional bound by a duty of confidentiality. Where applicable, we also rely on your explicit consent (Article 9(2)(a)).
4. How We Use Your Data
- Provide and manage physiotherapy services
- Process appointments and payments
- Send appointment reminders and clinical communications
- Generate AI-assisted clinical analyses (reviewed by physiotherapist)
- Analyse website usage to improve user experience (with consent only)
- Generate click heatmaps for site optimisation (with consent only)
- Detect and prevent fraudulent activity
- Comply with legal and regulatory obligations
5. Website Analytics & Tracking
We use a proprietary analytics system (not Google Analytics or third-party services) to understand how visitors interact with our website. This helps us improve our services and user experience.
What we track (after consent):
- Pages visited and time spent on each page
- Scroll depth (how much of the page you viewed)
- Click positions (for heatmaps)
- Device type, browser, and operating system
- Approximate country and city (via IP)
- Referral source (how you arrived at our site)
What we do NOT do:
- We do not use third-party tracking cookies
- We do not sell your data to anyone
- We do not share analytics data with advertising networks
- We do not track you across other websites
- We do not collect analytics data without your explicit consent
We use browser fingerprinting (a technique that creates an identifier from technical characteristics of your browser) instead of cookies. This is treated as a "similar technology" under PECR and requires your consent, which we request via our cookie banner.
6. Data Sharing
We may share your data with:
- Payment processors (Stripe) for secure transactions
- Anthropic (Claude) — our primary AI provider for AI-assisted clinical analysis and structured transcription, under a Data Processing Agreement (DPA) with zero data-retention for training
- Groq — audio transcription (speech-to-text) for consultations and patient recordings
- Google (Gemini) — fallback AI provider for clinical analysis and image generation
- IP geolocation service (ip-api.com) — only IP address, no personal data
- Your GP or other healthcare providers (with your explicit consent)
- Regulatory bodies when required by law
Your clinical and health data is processed only by AI providers with appropriate data-protection safeguards (Anthropic, Groq, and Google). We do NOT use AI providers under jurisdictions lacking adequate data-protection guarantees for any patient clinical data. Additional providers may be used solely for non-clinical marketing content, never for patient data.
We never sell your personal data.
7. Data Retention
8. Your Rights
Under the UK GDPR, you have the following rights:
- Right of access — Request a copy of your personal data
- Right to rectification — Correct inaccurate data
- Right to erasure — Request deletion of your data (subject to legal obligations)
- Right to restrict processing — Limit how we use your data
- Right to data portability — Receive your data in a machine-readable format
- Right to object — Object to processing for marketing or legitimate interest
- Right to withdraw consent — At any time, without affecting the lawfulness of prior processing
Automated decision-making and AI:
We use AI to help generate clinical analyses, transcriptions, and report drafts. We do NOT make decisions with legal or similarly significant effects about you based solely on automated processing — all AI-generated clinical analyses and decisions are reviewed and approved by a qualified physiotherapist before any action is taken. You have the right (Article 22 of the UK GDPR) not to be subject to solely automated decisions.
To exercise any of these rights, contact: admin@bpr.rehab. We will respond within 30 days.
9. Data Security
We implement appropriate technical and organisational measures:
- Encrypted transmission (TLS/SSL) on all pages
- Role-based access controls
- Passwords stored only as bcrypt hashes (never in plain text)
- Secure server infrastructure with regular updates
- Automatic face blurring on body assessment images
- Regular security reviews
10. Children
Our services are not directed to children under 16. We do not knowingly collect personal data from children without parental consent. If you believe we have collected data from a child, please contact us immediately.
11. International Data Transfers
Your data may be processed by service providers located outside the United Kingdom (e.g., Anthropic, Groq, and Google for AI analysis and transcription; Stripe for payments — all US-based). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), Data Processing Agreements (DPAs), or UK adequacy recognition.
12. Changes to This Policy
We may update this policy periodically. Significant changes will be notified on the website. The "Last updated" date at the top indicates when it was last revised.
13. Complaints
If you have concerns about how we handle your personal data, please contact us first at admin@bpr.rehab. If you are not satisfied with our response, you may complain to the:
Contact
Bruno Physical Rehabilitation Ltd
Email: admin@bpr.rehab
Address: Ipswich, Suffolk, United Kingdom