Your Health Data Is Your Business

We protect it like our physiotherapists protect their patient records.

Last updated: January 1, 2025 • GDPR Compliant • Norwegian Data Protection Authority Registered

The Quick Version

We collect health data to provide physiotherapy services. We never sell your data. Video analysis happens in real time, and raw footage is never stored. Your data stays in Europe. You can delete everything anytime.

Health Data We Collect

Health Assessments

  • Your health conditions and injury history
  • Daily pain levels and locations (0-10 scale)
  • Mobility limitations and recovery goals
  • Age, height, weight for exercise customization

Why: To create safe, personalized rehabilitation programs

Movement Analysis

  • 33 skeletal points extracted from video
  • Joint angles and movement patterns
  • Exercise form scores and corrections

Important: We analyze movement data (skeletal points only). We do NOT store raw video footage of you or your home. Video is processed in real time and immediately discarded.

Exercise Performance

  • Completed exercises and adherence rates
  • Progress metrics and improvement trends
  • Session duration and frequency
  • Difficulty adjustments and modifications

Why: To track your progress and adapt your program

Ada Conversations

  • Your questions about exercises and pain
  • Ada's recommendations and modifications
  • Feedback on exercise difficulty

Why: To provide continuous, contextual guidance

How We Protect Your Data

Encryption Everywhere

256-bit encryption in transit and at rest. Bank-level security for all health data.

European Servers Only

All data stored in EU data centers. No transfers outside Europe.

Limited Access

Only essential personnel with signed NDAs can access data for support.

Anonymization

Analytics data is anonymized. Personal identifiers are separated from health records.

Your GDPR Rights

You Can Always:

  • Access Your Data: Download everything we have about you
  • Delete Everything: Complete removal within 30 days
  • Export Records: Get your data in standard formats (PDF, CSV)
  • Correct Information: Update any incorrect data
  • Restrict Processing: Limit how we use your data
  • Opt Out: Refuse data use for product improvements

To exercise any right, email: privacy@capable.health

Who We Share With

Never Shared:

  • No selling to third parties
  • No sharing with advertisers
  • No data brokers
  • No marketing lists

Your Choice:

  • Export to your physiotherapist
  • Share with your doctor
  • Anonymous research (opt-in)
  • Insurance reports (if requested)

Required Processors:

We use trusted services to operate Capable. All have signed data processing agreements:

  • Stripe: Payment processing (no health data shared)
  • Google Cloud: European servers for data storage
  • SendGrid: Email notifications (no health data)

Legal Basis (GDPR Article 6 & 9)

Explicit Consent

For processing health data and movement analysis (special category data under Article 9)

Contract Performance

To provide the physiotherapy services you've subscribed to

Legitimate Interest

For safety monitoring and service improvements (with opt-out available)

How Long We Keep Data

Active Accounts

As long as you use Capable

After Cancellation

30 days (for account recovery)

Anonymized Data

Indefinite (for research)

Video recordings: Never stored • Movement patterns: Until account deletion • Legal records: 5 years (Norwegian law)

Cookies & Tracking

We use minimal cookies for essential functions only:

  • Authentication: To keep you logged in
  • Preferences: Language and accessibility settings
  • Security: Preventing fraud and abuse

No advertising cookies. No cross-site tracking. No profiling.

Contact Our Data Protection Officer

Data Protection Officer

Email: support@capablehealth.ai
Response time: Within 72 hours

Company Details

Capable Health Technologies AS
Organization number: [Your Org Number]
Oslo, Norway

Supervisory Authority

Norwegian Data Protection Authority (Datatilsynet)
Website: datatilsynet.no