The Rehab Lab online exercise prescription software tool is a comprehensive software package which uses data in order to best meet the requirements of its users and their clients. The Rehab Lab, at all times, takes the utmost care over the security of our users' data. The Rehab Lab's core business is in providing a software service to its paying subscribers and it does not share user data with third parties.
The General Data Protection Regulation (GDPR) is an EU regulation that will be in force as of May 25th 2018. The GDPR relates to the collection and use of data which may include, but is not limited to, names, images, email addresses and computer IP addresses.
The Rehab Lab's privacy and policy have been updated to meet the requirements of the GDPR.
The Rehab Lab has appointed a team member, based in New Zealand, to the role of Data Protection Officer (DPO). The Rehab Lab's DPO oversees all in-house data actions as well as wider privacy and GDPR compliance issues.
You can contact our DPO at the following e-mail address:
data.protection@therehablab.com
The Rehab Lab collects and stores subscriber data (such as name, contact e-mail, contact address, username and password). As a Controller, we have the responsibility, when requested by a subscriber, to delete the subscriber's account on The Rehab Lab: this will fully and permanently delete all the subscriber's account data.
We offer the option to opt out of all marketing and product updates and special offer e-mails. This does not include correspondence which relates directly to your account such as payments, security or forwarding of client requests that have been sent to The Rehab Lab in error.
The Rehab Lab is a Processor of data (such as your client's name and e-mail address), of which, you are the Controller (note: you can opt-out of this feature by contacting The Rehab Lab's DPO at the e-mail address below). With this information, The Rehab Lab will not contact a client. You are the controller of their data so it is your responsibility to contact them. It is also your responsibility to contact them regarding any GDPR compliance correspondence.
The Rehab Lab can, at the request of a subscriber's client, modify personal information or provide them with a copy of their personal information.
In instances where a subscriber's client requests a copy of all the data you hold on them under their GDPR 'Right to Access', it is a requirement, under the GDPR's 'Right to Data Portability', that this information be provided in a format that is easy to transfer and read. In these situations, The Rehab Lab will assist you in executing such requests by providing an export service.
Simply email your request to data.protection@therehablab.com and include all relevant information (such as client name, email, etc.) that will aid us in expediting this task for you.
In a situation where a subscriber's client requests the deletion of all the data you hold on them, which may include those held on The Rehab Lab platform, The Rehab Lab will carry out this task in order to satisfy the GDPR's 'Right to Erasure'.
The Rehab Lab has provided, through our Software, a fast and simple way of deleting client records that our subscribers can utilise as Controllers of this data. We provide these processes to perform a full deletion of a client from within The Rehab Lab Software. This process is irreversible and, once deleted, this data cannot be recovered, whether the deletion was intentional or occurred due to a subscriber's error.
It is left to the subscribers' discretion whether they choose to use the 'Client' section of The Rehab Lab and, therefore, it is up to them whether they become a Controller of their client data. The Rehab Lab has designed features to eliminate our subscribers' ability to process their client's data (the processing of client names and e-mail addresses). This feature removes the 'Client' section of The Rehab Lab. To 'turn-off' the 'Client' section, please contact The Rehab Lab Support or DPO (data.protection@therehablab.com).
All communication to and from The Rehab Lab is transferred securely via encrypted communications. The Rehab Lab data is collected on our server (located in London, England). This database is remotely backed up daily to the GDPR-compliant Amazon Web Services (AWS) which is one of the most secure data storage centres in the world. Below is a list of the data collected by The Rehab Lab:
| Data Collected | Comments |
| --- | --- |
| First & Last Name | Used for correspondence and creation of subscriber's subscription invoice/receipt |
| Username | For logging into The Rehab Lab |
| Password | For logging into The Rehab Lab (encrypted) |
| E-mail Address | Used for sending subscription invoice/receipt and correspondence regarding account expiration, updates and software maintenance notifications (encrypted) |
| Timezone | For rehabilitation protocol heading date |
| Contact Address | Used for creation of subscriber's subscription invoice/receipt (encrypted) |

| Data Collected | Comments |
| --- | --- |
| First & Last Name | (encrypted) |
| E-mail Address | For sending rehabilitation protocols (encrypted) |
Note: Subscribers can 'turn off' the 'Client' section of The Rehab Lab, preventing all users within their subscription account from processing client data. To turn this feature off, please contact The Rehab Lab Support or The Rehab Lab's DPO (data.protection@therehablab.com).
Third-party vendors that process information on The Rehab Lab's behalf and their GDPR requirements. The Rehab Lab relies upon these industry-standard services and infrastructure in order to operate and best provide services to our users. A list of our third-party vendors is as follows:
Amazon Web Services
Service: Cloud Service Provider
Location: North Virginia, USA
Policy link
Google Analytics
Service: Analytics (anonymised)
Location: USA
Policy link
Windcave (Payment Express)
Service: Payment Processing
Location: Australia/New Zealand
Policy link
HotJar
Service: Analytics (anonymised)
Location: Malta
Policy link
Klaviyo
Service: Email
Location: Boston, USA
Policy link
The Rehab Lab has completed a thorough review of the technical and legal impacts of the GDPR to ensure compliance. We have made all required adjustments to our products, services, and documentation to ensure full compliance with the GDPR. This ensures our subscribers have full control over their personal data.
We have done our best to word our Terms & Conditions and Privacy Policies in plain English with minimal jargon.
We have gone through an assessment process in order to identify possible risks. As a result, we have a recovery process and a communication strategy in place to inform all subscribers of potential breaches.
Our staff handles all requests for data. To satisfy subscribers' Right To Portability (see below), our staff will provide this information in a format that is easy to transfer and read.
The Rehab Lab has provided you with the tools to delete a client record; a process that is permanent and irreversible. You also have the option of removing the 'client' section from your account which will prevent the ability to store client data; this can be done by contacting The Rehab Lab Support or Data Protection Officer (DPO).
You can also delete your account and all its associated data by contacting our DPO at data.protection@therehablab.com. Account deletion is also permanent and irreversible, and requires explicit consent from the account holder as evidence of confirmation.
We will export your data in a format you require (within the bounds of what is technologically possible). To request a data export please contact The Rehab Lab Support or DPO (data.protection@therehablab.com).
The Rehab Lab has taken steps to ensure privacy and security features were considered in the design and creation of the services we provide.
The Rehab Lab has appointed a staff member (residing in Auckland, New Zealand) to the role of DPO. Our DPO supervises all facets of internal data storage and privacy and GDPR compliance as a whole.
Our DPO can be contacted at data.protection@therehablab.com.