Body Navigator — Privacy Policy

Last updated: 8 June 2026

1. Introduction

This Privacy Policy explains how Andrew Jackson Physiotherapy (“we”, “us”, “our”), the developer and operator of the Body Navigator platform (“the Platform”), collects, uses, stores, shares, and protects personal data in connection with the Platform.

Andrew Jackson Physiotherapy is a sole trader business operated by Andrew Jackson. It may in future incorporate as a limited company, in which case we will notify you in advance of any change in the identity of the data controller.

We are committed to protecting your privacy and to handling personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

This Policy applies to:

(a) registered healthcare professionals who hold an account with us (“Users”, “Subscribers”, “Clinicians”);

(b) visitors to our website;

(c) prospective users who contact us, sign up to a waitlist, or attend a demonstration; and

(d) — to the extent we process patient data on behalf of Clinicians — patients of those Clinicians (“Patients”).

We are the data controller in respect of personal data about Users and website visitors. We act as a data processor in respect of Patient data that Users input into the Platform; the User remains the data controller for that information. This distinction is set out in more detail in section 9 below.


2. Who we are and how to contact us

Andrew Jackson Physiotherapy
1 Orchard Street, London W1H 6HJ
ICO registration number: ZC164950

Data protection contact email: [email protected]

If you have any questions about this Policy, wish to exercise your rights under UK GDPR, or have a concern about how we handle your data, please contact us using the details above.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

  • Website: ico.org.uk
  • Helpline: 0303 123 1113

We would, however, appreciate the opportunity to address your concerns before you approach the ICO.


3. The personal data we collect

3.1 Information you provide directly

When you register for an Account, communicate with us, or use the Platform, we collect:

  • Full name and professional title
  • Professional registration details (e.g. HCPC number) where relevant
  • Employment context (practice or organisation, role)
  • Contact details (email address, telephone number)
  • Username and securely hashed password
  • Billing and payment information (processed by our payment provider — see section 5)
  • Communications you send to us (support requests, feedback, correspondence)
  • Information you input into the Platform during clinical use, including text describing patient consultations, case notes, and clinical reasoning

3.2 Information collected automatically

When you use the Platform, we automatically collect:

  • Authentication and session data (logins, session timestamps)
  • Technical data necessary for the Platform to function (IP address, browser type, device type, operating system)
  • Usage data relating to your interaction with the Platform (features used, prompts run, timestamps)
  • Error logs and diagnostic information

3.3 Patient data

When you use the Platform in the course of clinical work, you may input information about Patients. The Platform separates Patient information into two areas, which are handled differently:

Patient identifier field (e.g. patient name, age)

This information is stored in our application database hosted by Google Firebase in the European Economic Area (Belgium). It is not transmitted to our US-based AI sub-processors. It remains within the EEA throughout its life on the Platform.

Case notes and clinical content

This includes clinical history, presenting complaint, examination findings, imaging or test results entered by you, working diagnoses, hypotheses, treatment plans, and any other clinical information you record in the case notes. Case notes are processed by our AI sub-processors, including OpenAI in the United States and Pinecone (for knowledge retrieval), to provide the Platform’s clinical reasoning support functions. International transfer safeguards apply to this processing — see section 6.

Important — keeping identifiers out of case notes

To minimise the international transfer of identifiable Patient data, you must not enter direct Patient identifiers into the case notes field. Direct identifiers include patient full names, dates of birth, NHS numbers, addresses, telephone numbers, email addresses, and any other information that would, on its own, identify the Patient. These should be kept in the Patient identifier field only.

This includes information pasted into case notes from external documents such as scan reports, referral letters, or prior clinical records — please redact direct identifiers before pasting.
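As an added illustration of the check described above (example code, not part of the Body Navigator platform), the following Python scanner looks for the structured direct identifiers the policy lists (NHS number, date of birth, telephone number, email address) before case-notes text leaves the EEA-hosted database for an AI sub-processor. The NHS number check uses the standard Modulus 11 check digit, so a random ten-digit reference that merely looks like an NHS number is not flagged. Names and postal addresses cannot be caught reliably by pattern matching and are left to clinical judgement or a separate NER step. The function names, regular expressions and the sample note are all assumptions constructed for this example.

```python
"""Pre-submission scan of case notes for structured direct identifiers.

Added example, not platform code. Catches NHS numbers (validated with the
Modulus 11 check digit), dates of birth introduced by a DOB cue, UK phone
numbers and email addresses. Names and addresses are NOT detected here.
"""
import re
from dataclasses import dataclass

# NHS numbers: 10 digits, commonly written 3-3-4 with spaces or hyphens.
NHS_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")
# Only dates introduced by a date-of-birth cue count as a DOB, so injury
# or appointment dates in the clinical history are not flagged.
DOB_RE = re.compile(
    r"\b(?:DOB|D\.O\.B\.?|date of birth|born)\s*[:\-]?\s*"
    r"(\d{1,2}[/.\-]\d{1,2}[/.\-](?:19|20)\d{2})\b",
    re.IGNORECASE,
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")
# UK numbers: leading 0 or +44, then 9-10 further digits, optional separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+44\s?\d{2,4}|\(?0\d{2,4}\)?)[\s\-]?\d{3,4}[\s\-]?\d{3,4}(?!\d)"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    start: int
    end: int


def nhs_number_is_valid(digits: str) -> bool:
    """Modulus 11 check digit: weights 10..2 over the first nine digits,
    check = 11 - (sum mod 11); 11 maps to 0 and 10 means no valid number."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


def scan_case_notes(text: str) -> list[Finding]:
    """Return identifier findings ordered by position in the text."""
    findings: list[Finding] = []

    def add(kind: str, m: re.Match, group: int = 0) -> None:
        start, end = m.span(group)
        # Skip anything already covered by an earlier, more specific match.
        if any(f.start < end and start < f.end for f in findings):
            return
        findings.append(Finding(kind, m.group(group), start, end))

    for m in NHS_RE.finditer(text):
        if nhs_number_is_valid("".join(m.groups())):
            add("nhs_number", m)
    for m in DOB_RE.finditer(text):
        add("date_of_birth", m, group=1)
    for m in EMAIL_RE.finditer(text):
        add("email", m)
    for m in PHONE_RE.finditer(text):
        add("phone", m)
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with a marker, working from the end so that
    earlier offsets stay valid."""
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        text = text[:f.start] + f"[{f.kind.upper()} REMOVED]" + text[f.end:]
    return text


def prepare_for_submission(case_notes: str, strict: bool = True):
    """Gate run before case notes are sent to the AI sub-processor.
    strict=True refuses the submission so the clinician fixes the text;
    strict=False returns a redacted copy plus the findings."""
    findings = scan_case_notes(case_notes)
    if findings and strict:
        raise ValueError(
            "direct identifiers present in case notes: "
            + ", ".join(f.kind for f in findings)
        )
    return redact(case_notes, findings), findings


# Constructed sample note; no real patient data. 943 476 5919 passes the
# check digit, 943 476 5918 does not and must not be flagged.
SAMPLE_NOTES = (
    "Mrs Smith, DOB 12/03/1985, NHS no. 943 476 5919, tel 07700 900123, "
    "email j.smith@example.com. 6/52 hx R shoulder pain, worse overhead; "
    "internal ref 943 476 5918 is not an NHS number."
)

if __name__ == "__main__":
    redacted, found = prepare_for_submission(SAMPLE_NOTES, strict=False)
    for f in found:
        print(f"{f.kind:14} {f.value!r} at {f.start}-{f.end}")
    print(redacted)
```

Run it as a script to see the four findings and the redacted text; in strict mode the same input raises, which is the behaviour you want on the submit path so that the clinician removes the identifiers rather than the tool silently rewriting a clinical record.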

Your responsibilities

You are responsible for the lawful basis and any necessary consents for inputting Patient Data. We process Patient Data only on your documented instructions, as your data processor (see section 9). Where you input identifiable Patient information, this constitutes special category personal data under UK GDPR. By inputting this data, you confirm that you have the lawful basis to do so under Article 9(2)(h) of UK GDPR (provision of health or social care by a health professional subject to professional confidentiality obligations) or another applicable lawful basis. We strongly recommend that you minimise identifiable information where it is not clinically necessary, in line with the data minimisation principle.

3.4 Special category data

Health data is special category data under UK GDPR Article 9. Both User information about your professional role in healthcare and Patient clinical information fall into this category. We process special category data only where one of the lawful conditions in Article 9(2) applies — most commonly Article 9(2)(h) (provision of health or social care) for Patient data, and Article 9(2)(a) (explicit consent) for User professional information.


4. How we use your personal data and our lawful basis

We use personal data for the following purposes:

Purpose | Lawful basis (UK GDPR Article 6) | Special category condition (Article 9), where applicable
Creating and administering your Account | Contract performance | Explicit consent (Art. 9(2)(a)) for professional health-related role information
Providing the Platform’s clinical reasoning support functions to you | Contract performance | Provision of health or social care (Art. 9(2)(h)) for Patient data, on your instructions as Controller
Processing payments and managing subscriptions | Contract performance; legitimate interests in operating our business | None
Communicating with you about the Platform (service updates, security notices, billing) | Contract performance; legal obligation | None
Improving and developing the Platform using de-identified and aggregated data | Legitimate interests in maintaining a safe, accurate, and useful clinical reasoning tool | None
Responding to support requests and feedback | Contract performance; legitimate interests | None
Sending marketing communications (only where you have opted in) | Consent | None
Complying with legal, regulatory, and professional obligations | Legal obligation | Substantial public interest where relevant (Art. 9(2)(g))
Establishing, exercising, or defending legal claims | Legitimate interests | Legal claims (Art. 9(2)(f))
Maintaining the security and integrity of the Platform | Legitimate interests | None

5. How we share your data — sub-processors and third parties

We share personal data with carefully selected third-party service providers (“sub-processors”) who help us operate the Platform. Each is bound by a written contract requiring them to handle data in accordance with UK GDPR and to provide appropriate security measures.

Sub-processor | Role | Data processed | Location of processing
Google (Firebase / Google Cloud, EU region) | Application database (Firestore): storage of User accounts, Patient identifier fields, and case notes | User account information; Patient identifier fields (e.g. patient name, age); case notes | European Economic Area (Belgium)
Google (Firebase Authentication) | User authentication | User email address (authentication only) | United States, with safeguards under the UK Addendum to the EU Standard Contractual Clauses
OpenAI, L.L.C. | Large language model processing of case notes content to generate clinical reasoning outputs | Case notes content only (Patient identifier fields are not transmitted to OpenAI) | United States, with safeguards under the UK Addendum to the EU Standard Contractual Clauses
Pinecone Systems, Inc. | Vector database for retrieval of curated knowledge in response to case notes content | Vector embeddings derived from case notes content | United States (AWS us-east-1), with safeguards under the UK Addendum to the EU Standard Contractual Clauses
Google (Drive, Colab) | Document storage and processing pipeline for the curated clinical knowledge base; no User or Patient data is processed in this pipeline | Curated knowledge base content only | EEA / Worldwide, with safeguards under the UK Addendum to the EU Standard Contractual Clauses
Stripe Payments Europe Ltd / Stripe, Inc. | Payment processing | Billing information (name, email, payment method, billing address; no Patient data) | EU (primary) / US (Stripe HQ)
Microsoft 365 (Microsoft Ireland Operations Ltd) | Email and support communications | User correspondence (no Patient data unless included by you) | EU (primary) / Worldwide

We may share personal data with additional categories of recipient where necessary:

  • Professional advisers (lawyers, accountants, auditors) under duties of confidentiality
  • Regulators, law enforcement, and courts where required by law
  • Acquirers or investors in connection with a sale, merger, or financing of our business, subject to appropriate confidentiality

We do not sell your personal data, and we do not share it for advertising purposes.

5.1 OpenAI specifically

When you use the Platform, the case notes content you enter is transmitted to OpenAI’s API for processing by their large language models. Patient identifier fields (such as patient name and age) are stored separately within our EU-based application database and are not transmitted to OpenAI. We are bound by OpenAI’s Data Processing Addendum, which is automatically incorporated into our OpenAI Services Agreement. Our integration is configured so that:

  • Data sent via the API is not used to train OpenAI’s models (this is OpenAI’s default position for API customers since March 2023);
  • Data is retained by OpenAI only for the limited period and purposes set out in their API data usage policy;
  • Standard Contractual Clauses with the UK Addendum govern the international transfer of personal data to the United States.

We strongly encourage Users to minimise identifiable Patient information in case notes content, in line with the data minimisation principle and the guidance in section 3.3 above.


6. International data transfers

Patient identifier fields (such as patient name and age) are stored in Google Firebase’s European Economic Area (Belgium) region. The UK has recognised the EEA as providing an adequate level of data protection, so this is not a restricted international transfer.

Case notes content is processed by OpenAI in the United States and by other sub-processors as set out in section 5.

User account email addresses are processed by Google Firebase Authentication in the United States for authentication purposes.

For each restricted international transfer, we rely on one or more of the following safeguards under UK GDPR Articles 44–49:

  • UK Adequacy Regulations where the destination country has been deemed adequate by the UK government;
  • The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, signed with each relevant sub-processor;
  • Transfer Risk Assessments, documenting our assessment of the legal regime in the destination country and the supplementary measures in place; and
  • For US transfers, where applicable, the recipient’s certification under the UK–US Data Bridge.

You can request a copy of the relevant safeguard documentation by contacting us at the address in section 2.


7. How long we keep your data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

Category | Retention period
Account information | For the life of your Account, plus 6 years after closure for tax and legal purposes
Billing records | 6 years from the end of the relevant tax year (UK statutory requirement)
Clinical inputs and Platform outputs | Retained for the duration of your Account, regardless of whether your subscription is currently active. A lapsed subscription does not trigger deletion; your case data remains intact if you return. On Account closure or receipt of a deletion request, clinical data is deleted without undue delay and in any event within one month.
Support correspondence | 3 years from last contact
Marketing preferences | Until you withdraw consent, plus a record of the withdrawal for compliance
Server logs and security records | Up to 12 months
Backups | Rolling backups overwritten on a defined cycle, typically within 90 days

When you actively close your Account, or on receipt of a deletion request, we will delete or anonymise your personal data without undue delay and in any event within one month, subject to the retention periods in the table above where those apply (for example, billing records are retained for 6 years as required by HMRC), and subject to longer retention where otherwise required by law or for the establishment, exercise, or defence of legal claims.

A lapsed subscription does not constitute Account closure and does not trigger deletion of your data. Your case data remains intact during any period where your subscription is not active, so that it is available to you if you choose to resubscribe. You may request deletion of your data at any time regardless of your subscription status — see section 11.


8. Security

We take the security of personal data seriously and have implemented technical and organisational measures appropriate to the risk of processing, including:

  • Encryption in transit using TLS 1.2 / 1.3 for all data transmitted between your device and the Platform
  • Encryption at rest using AES-256 for stored data
  • Authenticated access — all Users must sign in with a valid account before any data can be accessed
  • Server-side enforcement — every data request is validated at the server
  • Per-User data isolation — each User account can only access their own patients
  • Administrative access controls — each administrative interaction with the database is individually authorised and logged
  • Access logging — all administrative interactions with Patient data are logged at application level; Google Cloud additionally provides independent infrastructure-level logs
  • Sub-processor due diligence and written data processing agreements with each named sub-processor
  • Backup and disaster recovery arrangements
  • A documented process for responding to suspected security incidents

Where we are the controller, in the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, and notify affected individuals where required. Where we act as your processor (Patient data), we will notify you as controller without undue delay after becoming aware of a breach affecting that data, so that you can meet your own notification obligations.


9. Our role: controller, processor, and your responsibilities

9.1 Where we are Controller

We are the data controller in respect of:

  • Your User Account information and contact details
  • Billing and payment data
  • Your communications with us
  • Website visitor and technical data
  • Aggregated and de-identified data about Platform use

9.2 Where we are Processor

We are a data processor in respect of Patient data and clinical content that you input into the Platform. For this data, you (the Clinician or your employing organisation) are the data controller. This means:

  • You are responsible for determining the lawful basis and obtaining any necessary consents for inputting Patient data;
  • You are responsible for ensuring your use of the Platform complies with your professional obligations and the data protection policies of any organisation under whose authority you act;
  • You are responsible for handling data subject rights requests from your Patients;
  • We process Patient data only on your documented instructions, as set out in this Policy, our Terms and Conditions, and the Data Processing Agreement that forms part of your contract with us.

9.3 Administrative access to Patient data

The Body Navigator administrator has the technical ability to access Patient data stored in the Platform for legitimate operational purposes. We commit to the following:

  • Administrative access is undertaken only for legitimate operational purposes — responding to a User support request, investigating a specific technical issue or security incident, or where required by law;
  • We do not access Patient data for marketing, training of third-party AI models, or general product browsing;
  • Administrative access to the database is individually logged at application level, with independent Google Cloud infrastructure-level logging;
  • Other Users of the Platform have no ability to access your Patient data;
  • The administrator acts in the capacity of a data processor when accessing Patient data.

10. Aggregated and de-identified data

We may de-identify and aggregate data and use it for purposes such as maintaining and improving the Platform, quality assurance, developing new functions, and producing internal analytics. We do not use identifiable Patient health information to train third-party large language models.


11. Your rights

Under UK GDPR, you have the following rights in respect of your personal data:

  • Right of access — to obtain a copy of the personal data we hold about you
  • Right to rectification — to correct inaccurate or incomplete data
  • Right to erasure — to ask us to delete your data, subject to legal exceptions
  • Right to restrict processing — to ask us to limit how we use your data
  • Right to data portability — to receive your data in a structured, commonly used, machine-readable format
  • Right to object — to object to processing based on legitimate interests, or to direct marketing
  • Rights in relation to automated decision-making — Body Navigator does not make automated decisions that produce legal or similarly significant effects
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at [email protected]. We will respond within one month.


12. Cookies and tracking

The Platform uses only cookies that are strictly necessary for the operation of the Platform. We do not use cookies for advertising, profiling, or non-essential analytics. Please see our Cookies Policy at [INSERT URL ONCE COOKIES POLICY IS LIVE].


13. Children

The Platform is intended for use by registered healthcare professionals only and is not directed at children.


14. Automated decision-making and AI

The Platform uses artificial intelligence, large language models, and a retrieval-augmented generation (RAG) pipeline to produce written outputs that support clinical reasoning. These outputs are not automated decisions within the meaning of UK GDPR Article 22, are intended to be reviewed by a registered Clinician, and do not replace clinical decision-making.


15. Changes to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top indicates when it was last revised. The current version is always available at https://thebodynavigator.com/privacy-policy/. For our full regulatory information see https://thebodynavigator.com/regulatory-detail/.


16. Contact

Andrew Jackson Physiotherapy
Email: [email protected]

If we cannot resolve your concern, you have the right to complain to the Information Commissioner’s Office (ico.org.uk).