Privacy Policy: The Complete Knee Physiotherapy Plan

1. Introduction

This Privacy Policy explains how Complete Knee Physiotherapy Ltd (“we”, “us”, or “our”) collects, uses, stores, and protects personal data when you access or participate in The Complete Knee Physiotherapy Plan (“the Programme”). We are committed to handling your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025. We adhere to the professional and ethical standards of the Health and Care Professions Council (HCPC) and the Chartered Society of Physiotherapy (CSP).

2. What Data We Collect

We may collect and process the following types of personal data:

- Identity & Contact Data: Name, email address, and contact details.

- Clinical Screening Data: Information provided during onboarding and Outcome Measure assessments (e.g., KOOS, PSFS), including health history relevant to programme safety.

- Participation Data: Progress, engagement, and module completion.

- Communication Data: Emails, platform messages, and AI interaction logs (communications sent via the “Kirsty AI” Knowledge Assistant).

- Technical Data: IP address, device type, and browser information.

3. How We Use Your Data

Your personal data is used to:

- Deliver and manage the Programme pathways.

- Assess clinical suitability and support participant safety.

- Provide 24/7 educational guidance via AI-assisted tools.

- Perform anonymised service evaluations for clinical audit or NHS commissioning.

- Meet legal, regulatory, and professional record-keeping obligations.

4. Lawful Basis for Processing

We process personal data under the following lawful bases:

- Article 6(1)(b) (Contract): To deliver the Programme you have enrolled in.

- Article 6(1)(c) (Legal Obligation): Where required by law or professional regulatory bodies.

- Article 9(2)(h) (Health or Social Care): For Special Category (health) data, necessary for the provision of health care or treatment, managed by a regulated health professional.

5. Health and Medical Data (Special Category Data)

Health data is treated with the highest level of confidentiality. Access is strictly limited to regulated clinical professionals involved in the delivery of the Programme. We do not use health data for marketing purposes.

6. AI-Assisted Support & Safety (Kirsty AI)

The Programme utilises an AI Knowledge Assistant trained on proprietary clinical protocols.

- Non-Diagnostic: AI tools provide educational guidance and do not provide automated medical diagnoses or clinical decisions.

- Human-in-the-Loop: All AI interactions are logged and periodically reviewed by a Chartered Physiotherapist.

- Safety Guardrails: Our AI includes ‘Red Flag’ detection logic. If symptoms indicative of a medical emergency are detected, the AI is programmed to pause guidance and provide instructions for seeking emergency medical attention.

- Right to Intervention: In accordance with the Data (Use and Access) Act 2025, participants have the right to contest AI-generated guidance and request a review by a human Chartered Physiotherapist.

7. Data Sharing

We do not sell or rent your personal data. Data is shared with trusted third-party providers (e.g., hosting, payment processors) only where necessary. If participating in a funded NHS Pathway Evaluation, only anonymised, aggregated data is shared with the referring Trust/Consultant.

8. Data Storage and Security

All special category health data is stored on secure servers located within the United Kingdom. We employ encryption and strict access controls. We do not transfer health data outside of the UK without ensuring equivalent levels of protection.

9. Data Retention

Personal data is retained only as long as necessary to deliver the Programme and meet statutory medical record-keeping requirements (typically 8 years for physiotherapy records in accordance with clinical guidelines).

10. Your Rights

Under UK GDPR, you have the right to access, correct, or delete your data, and the right to object to processing. You specifically have the right to human intervention regarding AI-generated interactions. To exercise these rights, contact [email protected]

11. Cookies and Tracking Technologies (Meta Pixel)

We use cookies and the Meta Pixel to improve website functionality and measure advertising effectiveness.

- Privacy Guardrail: We have configured our tracking to ensure that no Special Category Health Data (e.g., specific knee symptoms or medical history) is transmitted to Meta.

- Control: You can manage your preferences via our on-site cookie banner. For information on how Meta handles data, please visit their Privacy Policy.

12. How We Manage Cookie Consent

- Consent Mechanism: We use a consent management platform (cookie banner) to allow you to control which non-essential cookies are placed on your device.

- Withdrawal of Consent: You have the right to change your mind at any time. You can clear your browser cache to "reset" the banner or adjust your preferences via our on-site settings.

- Duration: We typically store your consent preference for 12 months, after which we will ask for your preference again.

- Third-Party Opt-Out: For more information on how to opt-out of interest-based advertising across the web, you can visit youronlinechoices.eu.

13. Changes to this Policy

We may update this Privacy Policy to reflect technological updates (including AI developments) or legal requirements. Changes will be published on our website with a revised "Last Updated" date.

14. Contact Details

Complete Knee Physiotherapy Ltd

Data Protection Lead: Kirsty Harris

Email: [email protected]