Privacy Policy

Last updated: 11 June 2026

Bruno Physical Rehabilitation Ltd ("we", "our", "us") is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal data when you visit our website (bpr.rehab) or use our clinical services.

We process personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

1. Data Controller

The data controller is: Bruno Physical Rehabilitation Ltd, based in Ipswich, Suffolk, United Kingdom.

For data protection enquiries, contact: admin@bpr.rehab

2. Data We Collect

a) Data you provide to us:

  • Identity data: name, email, phone, date of birth, address
  • Medical screening data: health history, medications, allergies, conditions
  • Clinical data: assessments, body images, foot scans, blood pressure readings
  • Payment data: processed via Stripe (we do not store card details)
  • Communications: emails, messages, contact form submissions

b) Data collected automatically (with consent):

  • IP address and approximate geolocation (country, city)
  • Browser fingerprint (technical identifier, no cookies used)
  • Pages visited, time on page, and scroll depth
  • Click positions (for heatmap generation)
  • Device type, browser, operating system
  • Referrer data and UTM parameters

Note: Analytics data collection only occurs after you give explicit consent via our cookie banner.

3. Lawful Basis for Processing

Consent

For website analytics data, non-essential cookies, and marketing communications.

Performance of Contract

To provide clinical services you have requested, manage appointments and treatments.

Legitimate Interest

To improve our services and website, ensure security, and prevent fraud.

Legal Obligation

To comply with healthcare regulatory and record-keeping requirements.

Vital Interests

In emergency situations where your health may be at risk.

Special category data (health data):

Your health data is "special category data" under Article 9 of the UK GDPR. In addition to an Article 6 lawful basis, we process this data under Article 9(2)(h) — necessary for the provision of health care and treatment by a health professional bound by a duty of confidentiality. Where applicable, we also rely on your explicit consent (Article 9(2)(a)).

4. How We Use Your Data

  • Provide and manage physiotherapy services
  • Process appointments and payments
  • Send appointment reminders and clinical communications
  • Generate AI-assisted clinical analyses (reviewed by physiotherapist)
  • Analyse website usage to improve user experience (with consent only)
  • Generate click heatmaps for site optimisation (with consent only)
  • Detect and prevent fraudulent activity
  • Comply with legal and regulatory obligations

5. Website Analytics & Tracking

We use a proprietary analytics system (not Google Analytics or third-party services) to understand how visitors interact with our website. This helps us improve our services and user experience.

What we track (after consent):

  • Pages visited and time spent on each page
  • Scroll depth (how much of the page you viewed)
  • Click positions (for heatmaps)
  • Device type, browser, and operating system
  • Approximate country and city (via IP)
  • Referral source (how you arrived at our site)

What we do NOT do:

  • We do not use third-party tracking cookies
  • We do not sell your data to anyone
  • We do not share analytics data with advertising networks
  • We do not track you across other websites
  • We do not collect analytics data without your explicit consent

We use browser fingerprinting (a technique that creates an identifier from technical characteristics of your browser) instead of cookies. This is treated as a "similar technology" under PECR and requires your consent, which we request via our cookie banner.

6. Data Sharing

We may share your data with:

  • Payment processors (Stripe) for secure transactions
  • Anthropic (Claude) — our primary AI provider for AI-assisted clinical analysis and structured transcription, under a Data Processing Agreement (DPA) with zero data-retention for training
  • Groq — audio transcription (speech-to-text) for consultations and patient recordings
  • Google (Gemini) — fallback AI provider for clinical analysis and image generation
  • IP geolocation service (ip-api.com) — only IP address, no personal data
  • Your GP or other healthcare providers (with your explicit consent)
  • Regulatory bodies when required by law

Your clinical and health data is processed only by AI providers with appropriate data-protection safeguards (Anthropic, Groq, and Google). We do NOT use AI providers under jurisdictions lacking adequate data-protection guarantees for any patient clinical data. Additional providers may be used solely for non-clinical marketing content, never for patient data.

We never sell your personal data.

7. Data Retention

  • Clinical records: 8 years from last treatment (CSP/NHS guidelines)
  • Consultation audio recordings: transcribed then deleted; the transcript is retained with clinical records
  • Website analytics data: 24 months, then anonymised or deleted
  • Account data: while your account is active + 12 months
  • Consent records: 6 years (legal compliance)
  • Payment data: 7 years (HMRC tax requirement)

8. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of access: request a copy of your personal data
  • Right to rectification: correct inaccurate data
  • Right to erasure: request deletion of your data (subject to legal obligations)
  • Right to restrict processing: limit how we use your data
  • Right to data portability: receive your data in a machine-readable format
  • Right to object: object to processing for marketing or legitimate interest
  • Right to withdraw consent: at any time, without affecting the lawfulness of prior processing

Automated decision-making and AI:

We use AI to help generate clinical analyses, transcriptions, and report drafts. We do NOT make decisions with legal or similarly significant effects about you based solely on automated processing — all AI-generated clinical analyses and decisions are reviewed and approved by a qualified physiotherapist before any action is taken. You have the right (Article 22 of the UK GDPR) not to be subject to solely automated decisions.

To exercise any of these rights, contact: admin@bpr.rehab. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organisational measures:

  • Encrypted transmission (TLS/SSL) on all pages
  • Role-based access controls
  • Passwords stored only as salted bcrypt hashes, never in plain text
  • Secure server infrastructure with regular updates
  • Automatic face blurring on body assessment images
  • Regular security reviews

10. Children

Our services are not directed to children under 16. We do not knowingly collect personal data from children without parental consent. If you believe we have collected data from a child, please contact us immediately.

11. International Data Transfers

Your data may be processed by service providers located outside the United Kingdom (e.g., Anthropic, Groq, and Google for AI analysis and transcription; Stripe for payments — all US-based). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), Data Processing Agreements (DPAs), or UK adequacy recognition.

12. Changes to This Policy

We may update this policy periodically. Significant changes will be notified on the website. The "Last updated" date at the top indicates when it was last revised.

13. Complaints

If you have concerns about how we handle your personal data, please contact us first at admin@bpr.rehab. If you are not satisfied with our response, you may complain to the:

Information Commissioner's Office (ICO)

Phone: 0303 123 1113

Website: ico.org.uk

Contact

Bruno Physical Rehabilitation Ltd
Email: admin@bpr.rehab
Address: Ipswich, Suffolk, United Kingdom