At Agile Kinetic Limited our mission is to make learning from movement accessible and sustainable. We achieve this by making it as simple as possible for our users to share information with their clinical, coaching or research teams via our platforms, for effective monitoring, better informed decision making and recommendations. We strive to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
Purpose of this privacy policy
This privacy notice aims to give you information on how Agile Kinetic Limited collects and processes your personal data through your use of this website, including any data you may provide through our platforms (jointly referred to as the "Service") when you sign up to use them following a referral by a Health Care Provider, Sports Coach, Researcher (collectively referred to as "HCP"), or if you are using the Service as a HCP.
It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.
Controller
If you are an "End-User" such as a patient, the HCP who referred you to use our Service is the data controller and responsible for your personal data provided by you when registering to use the Service and when you are using the Service. Agile Kinetic is the data processor in such circumstances. There may be limited instances where you contact us directly or where we ask you to complete surveys that we use for research purposes where Agile Kinetic may be the data controller. If you are a HCP then we are the data controller and responsible for your personal data provided by you when registering to use the Service, but we will be a data processor of any patient data processed through the patient's use of the Service.
We have an appointed Data Protection Officer who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our Data Protection Officer using the details set out below.
This policy covers:
- Who we are;
- What personal data we hold;
- Anonymised Data and Its Use;
- How your personal data is collected;
- What we use your personal data for;
- Sharing your personal data;
- Retention;
- Data security and transfers; and
- Your rights.
If you have any further questions about how we process your information, please don't hesitate to get in touch by contacting our Data Protection Officer:
Address: Data Protection Officer, Agile Kinetic Limited, Tramshed Tech Griffin Lodge, Griffin Street, Newport, Wales, NP20 1GL
Email: DPO@agilekinetic.com
1. Who we are
Agile Kinetic Limited is a Private Limited Company registered in England & Wales (Company number 10024755). When this policy talks about 'Agile Kinetic', 'us' or 'we', it means Agile Kinetic Limited.
2. What personal data we hold
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Financial Data (HCPs only) includes bank account and payment card details of HCPs.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us or services of ours that you have accessed. In some instances, transaction data may include personal data relating to your health that you provide during the course of your use of the Service or indeed may be added to the Service by the HCP in the course of prescribing you the exercises or activities.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Data includes your username and/or password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our website, products and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- Fitbit Data. Where users choose to connect a Fitbit account, MoveLab may receive activity and movement data (such as daily activity levels and time spent in activity categories) from Fitbit via their APIs. Our use and transfer of information received from Fitbit APIs complies with the Fitbit User Data and Developer Policy.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not seek to collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) but these categories of data may be shared by you directly with your HCP while you use the Service or indeed may be added to the Service by the HCP in the course of prescribing you exercises or activities and therefore we are considered a data processor of such personal data.
If you use our App, we may retain records and/or recordings of our interactions with you. This can include video and audio recordings or images/video you upload or capture when using our App. This is in order to provide you and your clinical team with an efficient way to check your progress, so that we can enable the provision of high quality care to you, and, to allow us to learn from interactions to improve our services. To monitor our service quality, we may retain records of when you contact our support teams via email, phone or any interactive livechat service on the App. Any recordings will be held securely in accordance with our retention policy and we are considered a data processor of such personal data.
We may also hold information about you and your activity levels from other apps, devices and services where you have given your consent to that data being shared with us. Examples include where you decide to share information collected from a smart watch or similar device with our App.
3. Anonymised Data and Its Use
We may collect and retain anonymised data from your interactions with our services, including data related to your health, movement, and interactions with healthcare providers. Anonymised data refers to data that has been processed to remove any personally identifiable information and cannot be used to identify you.
We use this anonymised data to:
- Develop and enhance our products and services.
- Build predictive models for healthcare providers to assist in diagnosing conditions, predicting outcomes of interventions, and flagging progress or deterioration following treatments.
- Conduct internal research and analysis to improve the quality of care provided through our platform.
Anonymised data is aggregated and used solely for research, analysis, and system improvements. This data is never shared with third parties in a manner that could identify you, and all processes are carried out in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
You have the right to opt-out of anonymised data collection at any time. For more information, please contact our Data Protection Officer at DPO@agilekinetic.com.
4. How your personal data is collected
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity Data, Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you may provide when you:
  - create an account on our website;
  - subscribe to our service or publications;
  - interact with a HCP using the Service;
  - request marketing to be sent to you; and/or
  - give us some feedback or complete a survey.
- Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie policy for further details.
- Third parties or publicly available sources. We may receive personal data about you from various third parties as set out below:
  - Technical Data from the following parties:
    - analytics providers such as Google; and
    - our sub processors such as AWS.
  - Contact, Financial and Transaction Data from providers of technical, payment and delivery services such as Stripe.
  - Fitbit — if you have given explicit consent for that data to be shared with us.
5. What we use your personal data for
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you or your HCP.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
- Where you have provided consent to your HCP through use of the Service.
Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to the processing of special categories of personal data such as data relating to your health that you may volunteer to your HCP or that they may provide to you as part of their services.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose / Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To register you as a new customer | (a) Identity (b) Contact | Performance of a contract with you and your HCP |
| To process and deliver the Service for HCPs including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications | (a) Performance of a contract with HCPs (b) Necessary for our legitimate interests (to recover debts due to us if you are a HCP) |
| Providing the Service including movement analysis, to enable the HCP to contact you, and for you the End-User and your HCP to gain insight into your movements using the Service | Data relating to your health volunteered by you or by the HCP or inferred from any movements you perform for analysis / prescribed to you as part of your use of the Service | Performance of a contract with you and your HCP. Where activity data is received from third-party wearable providers such as Fitbit, this data is used solely to provide contextual activity information within MoveLab to support rehabilitation monitoring and clinical review. Fitbit-derived data is not used for advertising, profiling, or unrelated analytics. |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Asking you to leave a review or take a survey | (a) Identity (b) Contact (c) Profile (d) Marketing and Communications | (a) Performance of a contract with you and your HCP (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To enable you to complete a survey | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | (a) Performance of a contract with you and HCPs (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile | Necessary for our legitimate interests (to develop our products/services and grow our business) |
6. Retention periods
We retain your personal data including medical records in accordance with national best practice guidance — in particular, advice provided by the Department of Health (2006) Records management: NHS code of practice, and summary guidance issued by the British Medical Association. We may retain records and aggregate information that does not identify you for legitimate business purposes such as managing or planning our business, or records for other periods as required by law or regulation.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, contractual, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data
Below is a table outlining the retention periods for different types of records, based on guidance from the NHSE Records Management Code of Practice.
| Record Type | Retention Period | NHSE Records Management Code of Practice 2023 Reference (Page) |
|---|---|---|
| Adult Health Records | 8 years after last patient interaction | Page 51 |
| Children's Records | Until patient's 25th birthday or 26th if treatment ended at 17 | Page 52 |
Retention of Anonymised Data
Anonymised data is retained indefinitely to support the ongoing improvement of our services and predictive models, as this data is no longer considered personal data under the GDPR. We ensure that anonymised data is stored securely and in a manner that complies with all relevant data protection regulations.
7. Data storage, security and transfers
We do not store your personal health data on your mobile device. We store all your personal health data, including your diagnostic information on secure servers.
Where you have chosen a password that enables you to access certain parts of our App, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.
We do not store any credit or debit card information. We encrypt data transmitted to and from the App. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.
Your data may be processed or stored via destinations outside of the UK and the European Economic Area (EEA), but always in accordance with data protection law, including mechanisms to lawfully transfer data across borders, and subject to strict safeguards. DPO@agilekinetic.com.
8. Your rights
As indicated above, whenever we rely on your consent to process your personal data, you have specific rights under the GDPR and DPA to:
- withdraw that consent at any time. You can do this by emailing DPO@agilekinetic.com;
- understand and request a copy of information we hold about you. Subject to our retention periods, certain information related to your range of motion, and recovery process will be accessible via the App. For other information, you can make a request by email;
- ask us to rectify or erase information we hold about you, subject to limitations relating to our obligation to store medical or health records for prescribed periods of time;
- ask us to restrict our processing of your personal data or object to our processing;
- ask for your data to be provided on a portable basis; and
- where you have connected a Fitbit account, disconnect it at any time. On request, we will delete Fitbit-derived data from our systems in accordance with our data retention obligations.
If you would like to make a complaint you may contact the Information Commissioner's Office (the data protection regulator in the UK): Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone: 0303 123 1113 (local rate). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
Contact us
For any questions or concerns, you can contact us by sending an email to DPO@agilekinetic.com.



