Privacy Policy
Last updated: May 30, 2026
1. Introduction
This Privacy Policy describes how Kinesia collects, uses, stores, and protects personal information when you use our platform.
In this policy, "Kinesia," "we," "us," and "our" refer to the Kinesia platform and its operators. "You" refers to clinicians (physiotherapists, chiropractors, osteopaths, and other rehabilitation professionals) who use the Kinesia mobile app and web portal. "Patients" refers to individuals whose information clinicians enter into Kinesia.
2. Information We Collect
2a. Clinician Information (collected directly from you)
- Account information: name, email address, password (hashed using bcrypt — never stored in plain text)
- Professional profile: professional title, registration number, phone number, bio, social media links, profile photo
- Clinic information: clinic name, address, phone number, email, logo, brand colours
- Content: exercise programs, clinical notes, video recordings, exercise templates, document attachments
- Billing information: managed entirely by Stripe (see Third-Party Services below). Kinesia stores your billing email address and Stripe customer ID, but we never see or store your credit card number, expiry date, or CVC.
2b. Patient Information (entered by clinicians)
- Patient details: name, email address, phone number — entered by the treating clinician, not by patients directly
- Exercise program content assigned to the patient
- Progress updates submitted by patients through the patient portal, including pain levels, difficulty ratings, and written notes
- Patient authentication: one-time email verification codes (OTPs) for portal access. No patient passwords or persistent accounts are created.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, and maintain the Kinesia service
- To deliver exercise programs to patients via email and the patient portal
- To send daily exercise reminders to patients (configurable by clinicians)
- To send progress update notifications to clinicians when patients submit feedback
- To generate AI-assisted exercise programs using anonymised clinical notes (see the AI and Your Data section below)
- To process subscription payments through Stripe
- To communicate with you about your account, service updates, and support requests
4. Third-Party Services
Kinesia uses the following third-party services to operate the platform. Each service receives only the data necessary to perform its function:
- Supabase (database and clinician authentication) — stores all application data including clinician profiles, patient records, exercise programs, and authentication credentials. Hosted on Amazon Web Services (AWS) in the United States. Supabase Privacy Policy
- Cloudflare (video and file storage via R2, static site hosting via Pages, CDN) — stores exercise videos, file attachments, and public assets (clinic logos, clinician avatars). Also hosts the patient portal, web app, and landing page. Global CDN with primary storage in the United States. Cloudflare Privacy Policy
- Stripe (payment processing) — receives clinician billing email and processes subscription payments. Stripe handles PCI compliance — Kinesia never receives or stores credit card numbers. Stripe Privacy Policy
- Anthropic (AI program generation via Claude) — receives anonymised clinical notes only. No patient names, email addresses, phone numbers, or other identifiers are sent to Anthropic. AI requests contain exercise descriptions, body regions, and clinical observations without personal information. Anthropic Privacy Policy
- Resend (transactional email) — receives patient and clinician email addresses for the purpose of delivering exercise programs, OTP verification codes, exercise reminders, and progress notifications. Resend Privacy Policy
- Expo / EAS (mobile app distribution) — receives app binaries only for building and distributing the mobile application. No patient or clinician data is transmitted to Expo. Expo Privacy Policy
- YouTube / Google (embedded exercise video playback) — part of the exercise library consists of videos published on YouTube by third-party physiotherapy creators, played inside Kinesia using YouTube's embedded player. When you watch one of these videos, YouTube and Google may receive your IP address, device identifiers, and viewing activity, and may set cookies, in accordance with Google's policies. Kinesia does not control the data YouTube collects through its embedded player. Google Privacy Policy
5. AI and Your Data
Kinesia uses AI to generate exercise programs from clinical notes you provide. Before any notes are sent to the AI, Kinesia removes all patient-identifying information. The AI receives only anonymised clinical observations, body regions, and exercise preferences — never patient names, email addresses, phone numbers, or other identifiers.
AI-generated content is a clinical suggestion and must be reviewed and approved by the clinician before being prescribed to patients.
Kinesia does not use your data to train AI models. Anthropic's data processing terms for API customers prohibit the use of API inputs and outputs for model training.
6. Data Storage and Security
We take the security of your data seriously. The following measures are in place:
- Server location: all data is stored on servers in the United States (Supabase on AWS, Railway, Cloudflare R2).
- Encryption in transit: all data is encrypted using TLS/HTTPS for every connection between your device and our servers.
- Video security: exercise videos are served via time-limited signed URLs that expire after a set period, preventing unauthorised access via direct links.
- Row-level security: every database table uses row-level security (RLS) policies to ensure clinicians can only access their own data and their own patients' data.
- Clinician authentication: secure email/password authentication with hashed passwords and session tokens.
- Patient portal authentication: one-time email verification codes with 7-day sliding session windows. No passwords are stored for patients.
7. Data Retention
Your data is retained for as long as your account is active.
Account deletion: when you delete your account, all associated data is permanently removed, including programs, exercises, video recordings, exercise templates, document attachments, patient records, and clinic information. Exercise videos stored on Cloudflare R2 are deleted when the associated exercise or account is deleted.
Lapsed subscription: if your subscription lapses (account frozen), your data is preserved indefinitely. You can reactivate at any time by subscribing, or delete your account to remove all data.
8. Cookies and Local Storage
- The Kinesia mobile app stores authentication tokens locally on your device.
- The patient portal (patient.kinesia.app) stores authentication tokens and exercise completion progress in browser localStorage.
- The web portal (my.kinesia.app) stores authentication tokens in browser localStorage.
Kinesia does not use advertising cookies, tracking pixels, or its own analytics scripts. However, exercise videos sourced from YouTube are shown via YouTube's embedded player, which may set its own cookies and collect viewing data, as described in "Third-Party Services" above.
9. Your Rights Under PIPEDA
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the following rights regarding your personal information:
- Access: you can request a copy of the personal information we hold about you.
- Correction: you can request correction of inaccurate or incomplete personal information.
- Deletion: you can delete your account at any time from the mobile app or web portal, which permanently removes all your data. You can also request deletion by contacting us.
- Withdrawal of consent: you can stop using Kinesia at any time. Deleting your account removes all your data from our systems.
To exercise any of these rights, contact us at hello@kinesia.app.
10. International Users
Kinesia is operated from Canada and data is processed and stored in the United States. By using Kinesia, you consent to the transfer and processing of your information in the United States.
If you are located in a jurisdiction with its own data protection laws (such as the EU or UK GDPR), please be aware that using Kinesia involves transferring your data to the United States, which may not offer the same level of data protection as your home jurisdiction.
11. Children
Kinesia is a professional tool for healthcare providers. Kinesia is not directed at children under 13, and we do not knowingly collect personal information from children under 13.
Clinicians who treat patients under 18 are responsible for obtaining appropriate parental or guardian consent before entering minor patients' information into Kinesia, as required by applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email at the address associated with your account.
The "Last updated" date at the top of this page indicates the most recent revision.
13. Contact
If you have questions about this Privacy Policy or would like to exercise your data rights, please contact us at hello@kinesia.app.