Privacy Policy
Last updated: 23 Dec 2025
1. Who we are
Nova Physio Lounge ("we", "us", "our") provides physiotherapy, massage, and AI assisted recovery services through our clinics and digital platforms. This Privacy Policy explains how we collect and use personal data when you visit our website, book sessions, or use our membership and AI features.
Data controller: Nova Physio Lounge, Croydon, London, United Kingdom. For privacy requests, contact support@novaphysiolounge.com.
2. What this policy covers
This policy applies to our website, booking and contact forms, membership services, AI assisted symptom analysis, recovery plans, messaging, our online store featuring Amazon fulfilled products, and any related communications or uploads.
3. Personal data we collect
- Identity and contact data: name, email, phone number, address, date of birth.
- Account and membership data: login details, plan type, billing status, usage counters.
- Health and clinical data: injury details, symptoms, medical history, treatment notes, recovery plans.
- Communications: emails, chat messages, call notes, support tickets.
- Media and documents: photos, videos, files you upload for assessments or rehab.
- Appointments and bookings: session dates, preferences, attendance, cancellations.
- Technical and usage data: IP address, device and browser data, cookies, analytics events.
- Payment data: billing metadata, transaction IDs, and payment status. We do not store full card details.
4. Special category data (health)
We process health data to provide physiotherapy and AI assisted recovery services. Where required, we rely on explicit consent and the health care provision basis under UK and EU GDPR (Article 9(2)(h)).
5. How we use your data
- Provide services, assessments, treatment plans, and session management.
- Operate AI assisted triage and recovery recommendations.
- Manage memberships, billing, and account access.
- Communicate with you about appointments and support requests.
- Improve and secure our services and prevent fraud.
- Comply with legal, regulatory, and safeguarding obligations.
- Send marketing updates when you opt in, and let you opt out at any time.
6. Legal bases for processing
- Contract: to deliver booked services and memberships.
- Consent: for marketing or optional features requiring consent.
- Legitimate interests: improving services, security, and analytics.
- Legal obligation: compliance with medical, tax, and regulatory duties.
- Vital interests: protecting your safety when needed.
7. Store purchases and Amazon fulfillment
- Products in our store link to Amazon for purchase. Amazon processes transactions under its own terms and privacy policy.
- We do not receive or store your full payment details, delivery updates, or packaging choices from Amazon.
- We may log which store products you view or click to improve recommendations and measure interest.
- Fulfillment—including packaging, shipping, delivery, and returns—is managed by Amazon, not Nova Physio Lounge.
8. Sharing your data
We do not sell personal data. We may share data with:
- Clinicians and staff involved in your care.
- Service providers for hosting, analytics, communications, and security.
- Scheduling and booking providers (such as Setmore) to manage appointments.
- Payment providers to process fees and subscriptions.
- Regulators, insurers, or law enforcement where required.
9. International transfers
Some providers may process data outside the UK or EEA. Where this occurs, we use approved safeguards such as the UK IDTA or EU Standard Contractual Clauses.
10. Data retention
We keep data only as long as needed for the purposes described. Typical retention periods include:
- Clinical records: at least 8 years after your last treatment, or longer if required.
- Membership and account records: while active plus up to 24 months.
- Uploads and media: 12, 24, or 36 months depending on your plan, then archived or deleted.
- Billing records: up to 6 years for tax and legal compliance.
- Support and communications: up to 24 months.
11. Security
We use technical and organizational safeguards such as access controls, encryption in transit, and monitoring. No system is 100 percent secure, but we work to protect your information.
12. Your rights
You have rights under UK and EU GDPR, including to access, correct, delete, restrict, or object to processing, and to request portability. You can withdraw consent at any time. To exercise your rights, email support@novaphysiolounge.com.
You may also complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
13. Cookies and analytics
We use essential cookies for site functionality and, where enabled, analytics cookies to understand usage. You can manage preferences through our cookie banner.
14. Automated decision making and AI
Our AI features provide guidance to support your recovery. We do not make decisions with legal or similarly significant effects solely by automated means. You can request human review at any time.
We do not use your health data to train general AI models without your explicit consent.
15. Children
Our services are not intended for children under 16 without parental or guardian involvement. If we learn that a child has provided data without consent, we will delete it.
16. Changes to this policy
We may update this policy to reflect changes in our services or legal requirements. We will post updates on this page with a new effective date.
Contact
If you have questions about this policy, please contact support@novaphysiolounge.com.