Privacy Policy

1. Introduction

This Privacy Policy explains how the West 6 Pelvic Floor Rehabilitation Programme ("we", "our", or "the Programme") collects, uses, stores, and protects your personal information when you use our rehabilitation platform.

We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

Data Controller: Gemma West, trading as Gemma West Physiotherapy (West 6), acts as the Data Controller for all personal data processed within the West 6 Pelvic Floor Rehabilitation Programme.

We are not required to appoint a Data Protection Officer under applicable law; however, we take data protection seriously and handle all personal data in accordance with the UK GDPR and the Data Protection Act 2018.

Contact: support@thewest6.com

This means we only collect and use your personal data where necessary to provide your rehabilitation programme, support your care, and meet our legal obligations.

2. What Information We Collect

2.1 Account Information

To provide you with access to the rehabilitation programme, we collect:

• Full name
• Email address
• Contact telephone number
• Account credentials (username and encrypted password)

2.2 Health and Progress Data

To monitor your rehabilitation progress and provide personalised care, we collect:

• Symptom Assessment Responses - Your answers to questionnaires about pelvic floor symptoms, including:
  • Incontinence symptoms

  • Pelvic Organ Prolapse Symptom Scores
  • Quality of life scores
• Exercise Progress Data - Records of:
  • Which exercise levels you've completed
  • Exercise types performed (squats, lunges, marches)
  • Dates of completion
  • Your progression through the programme
• Assessment History - Timestamped records of your symptom checker and outcome quiz responses to track improvement over time

2.3 Technical Information

Our learning management system (Moodle) automatically collects:

• Login dates and times
• Course access records - Which pages and activities you viewed
• Session data - Stored temporarily via essential cookies (see Section 5)
• Browser and device information - For technical support purposes only

2.4 Payment and Billing Information

When you purchase a subscription or lifetime access, payments are processed by our payment provider, Stripe. Stripe collects and processes your card details directly — we do not see or store your full card number, expiry date, or security code.

We receive and store the following limited transaction data from Stripe:

• Name on card and billing email
• Billing country and postcode (for tax and fraud-prevention purposes)
• Last 4 digits of card and card type (for your receipts and for handling disputes)
• Transaction ID, amount, date, and subscription status

Stripe's own privacy policy is available at https://stripe.com/gb/privacy.

2.5 How We Collect Your Information

We collect personal data directly from you when you:

• Register for an account
• Complete questionnaires or assessments
• Use the rehabilitation programme
• Contact us for support

Some technical data is collected automatically when you use the platform (see Section 2.3).

3. Why We Collect This Information (Legal Basis)

Purpose	Legal Basis
Providing access to the rehabilitation programme	Contract Performance - Necessary to deliver the service you've enrolled in
Tracking your exercise progress and symptoms	Contract Performance — necessary to deliver the rehabilitation programme you have enrolled in
Clinical assessment and treatment monitoring	Health/Medical Care - Processing necessary for health and medical care purposes under the supervision of a health professional
Communicating with you about your programme	Contract Performance - Necessary to provide support and updates
Platform security and technical support	Legitimate Interest - Ensuring platform security and functionality
Processing payments and managing subscriptions	Contract Performance - Necessary to take payment and give you access to your chosen plan
Keeping financial records (invoices, receipts, transaction logs)	Legal Obligation - UK tax and accounting law (HMRC requires 6 years of records)
Anonymised research (if you consent separately)	Explicit Consent - You will be asked separately for this (see Section 8)

Special Category Data: Your symptom and health data is classified as "special category" health data under the UK GDPR.

We process this data under Article 9(2)(h) — processing necessary for the provision of health or social care and treatment by a qualified health professional — and in accordance with Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018.

In simple terms, this means we process your health data because it is necessary to deliver your rehabilitation programme and support your care.

4. How We Use Your Information

Essential Programme Functions:

• Account Management - Creating and maintaining your user account
• Progress Tracking - Recording which exercises you've completed and at what level
• Symptom Monitoring - Tracking your symptoms over time to assess improvement
• Clinical Assessment - Storing your POPSS scores and assessment responses for your healthcare provider to review
• Personalised Experience - Showing you your progress dashboards and determining which exercises to unlock next
• Communication - Sending you programme-related information (e.g., password resets, important updates)

What We Do NOT Do:

• We do not sell your data to third parties
• We do not use your data for marketing purposes
• We do not share your identifiable health data with anyone outside your direct care team without your explicit consent
• We do not use your data for automated decision-making or profiling

5. Cookies

What Are Cookies?

Cookies are small text files stored on your device that help websites function properly. The West 6 platform uses only essential cookies required for the platform to work.

Essential Cookies We Use:

Cookie Name	Purpose	Duration
MoodleSession	Maintains your login session so you don't have to log in on every page	Session (deleted when you close your browser)
MoodleID	Remembers your login preferences	Persistent (up to 1 year)
w6_pending_plan	Stores your chosen plan ("monthly" or "lifetime") when you click to subscribe while logged out, so we can send you to the correct Stripe checkout after you log in or register. Contains no personal information and is deleted immediately after use.	Up to 30 minutes (deleted as soon as you are redirected to payment or close the checkout flow)

Do You Need to Accept Cookies? These cookies are strictly necessary for the platform to function and are exempt from consent requirements under Regulation 6(4) of the Privacy and Electronic Communications Regulations (PECR). However, if you block cookies in your browser, login and checkout will not work.

Analytics/Marketing Cookies: We do not use any analytics, advertising, or tracking cookies. If we introduce these in future, we will update this policy and ask for your separate consent via a cookie banner before any such cookies are set.

6. Who Has Access to Your Information

Your Healthcare Provider

Your designated physiotherapist/healthcare provider (Gemma West) has access to your:

• Account details
• Exercise progress
• Symptom assessment responses
• POPSS scores
• Timeline of improvement

This access is necessary to monitor programme outcomes and access data for research purposes (if agreed)

Platform Administrators

Technical administrators have access to your data for:

• Technical support
• Platform maintenance
• Security purposes

Administrators are bound by confidentiality agreements and data protection policies.

Third Parties

We use the following third-party services (each bound by a Data Processing Agreement and required to comply with UK GDPR):

• Moodle Hosting Provider — Krystal Hosting Ltd (data centre: London, UK) — hosts the platform infrastructure, stores your account, symptom, and progress data, and sends system emails (such as password resets and programme updates) directly from the hosting server
• Stripe Payments Europe, Ltd. — processes subscription and one-off payments. Stripe is the data controller for your full card details; we receive only the limited transaction information described in Section 2.4. Stripe is certified to PCI DSS Level 1 and complies with applicable UK GDPR and data protection requirements. See https://stripe.com/gb/privacy.

Legal Requirements

We may disclose your information if required by law, court order, or regulatory authority.

7. How We Protect Your Information

Technical Safeguards:

• Encryption - All data is transmitted over secure HTTPS connections
• Password Protection - Your password is encrypted and never stored in plain text
• Access Controls - Only authorised personnel can access patient data
• Regular Backups - Your data is backed up regularly to prevent loss
• Secure Hosting - Our platform is hosted on secure, UK-based servers (Krystal Hosting Ltd, London data centre)

Organisational Safeguards:

• Staff training on data protection
• Confidentiality agreements
• Regular security reviews
• Incident response procedures

Personal Data Breach Notification:

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR;
• Notify you directly and without undue delay where the breach is likely to result in a high risk to your rights and freedoms, in accordance with Article 34;
• Record the breach, our assessment, and actions taken in an internal breach log, regardless of whether external notification is required.

8. Research Consent (Optional)

We may seek your separate, optional consent to use your anonymised data for research purposes to improve pelvic floor rehabilitation methods and outcomes.

What This Means:

• Your data would be anonymised or de-identified so that you cannot be identified — no names, email addresses, or identifying information
• Only aggregated and anonymised statistics and trends would be analysed (e.g., "70% of patients improved by Level 5")
• Results may be published in medical journals or conferences
• You can opt out at any time without affecting your access to the programme

This is completely voluntary. You will be asked separately whether you agree to this when you first log in, and you can change your mind at any time in your account preferences.

9. How Long We Keep Your Information

Data Type	Retention Period	Reason
Account Information	Duration of treatment + 7 years after completion	Medical records retention requirements (UK NHS standard)
Health/Symptom Data	Duration of treatment + 7 years after completion	Medical records retention requirements
Exercise Progress Data	Duration of treatment + 7 years after completion	Clinical audit and continuity of care
Technical Logs	12 months	Security and troubleshooting
Payment and Transaction Records (invoices, receipts, Stripe transaction IDs)	6 years from the end of the financial year in which the transaction occurred	HMRC tax and accounting law (Companies Act 2006 / VAT record-keeping requirements)
Anonymised Research Data (if consented)	Indefinitely	Cannot be re-identified; contributes to medical research

After these periods, your data will be securely deleted unless there is a legal requirement to retain it longer.

10. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right to Access

You can request a copy of all personal data we hold about you (known as a "Subject Access Request").

Right to Rectification

If your information is inaccurate or incomplete, you can ask us to correct it.

Right to Erasure ("Right to be Forgotten")

You can ask us to delete your data in certain circumstances. However, we may need to retain some data to comply with medical records retention requirements.

Right to Restrict Processing

You can ask us to limit how we use your data in certain situations.

Right to Data Portability

You can request your data in a machine-readable format to transfer to another provider.

Right to Object

You can object to processing based on legitimate interests. For research consent, you can withdraw consent at any time.

Right to Complain

If you're unhappy with how we've handled your data, you can complain to the UK Information Commissioner's Office (ICO):

• Website: https://ico.org.uk
• Phone: 0303 123 1113

11. Data Transfers

Your data is stored on servers located in the UK (Krystal Hosting Ltd, London data centre).

We do not transfer your personal data outside the UK/EEA. If we need to do so in future, we will:

• Inform you in advance
• Ensure adequate safeguards are in place (e.g., Standard Contractual Clauses)
• Obtain your consent if required

12. Children's Privacy

The West 6 programme is intended for individuals aged 18 and over.

We do not knowingly collect or process personal data from individuals under the age of 18.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email or prominent notice on the platform
• Ask you to review and accept the updated policy when you next log in

You can always access the current version of this policy via the footer link on every page.

14. Questions and Contact